summaryrefslogtreecommitdiff
path: root/net-misc
diff options
context:
space:
mode:
authorV3n3RiX <venerix@koprulu.sector>2023-05-11 23:47:37 +0100
committerV3n3RiX <venerix@koprulu.sector>2023-05-11 23:47:37 +0100
commit02930d1eb5af78d32b1597af6af24163895d9e0f (patch)
tree7908188ca5a80d7ff557ebc70fe3bdcbf2875832 /net-misc
parent54654470d999265b5a0010be7190e8a9993b1840 (diff)
gentoo auto-resync : 11:05:2023 - 23:47:37
Diffstat (limited to 'net-misc')
-rw-r--r--net-misc/Manifest.gzbin53771 -> 53962 bytes
-rw-r--r--net-misc/autossh/Manifest2
-rw-r--r--net-misc/autossh/autossh-1.4g-r1.ebuild (renamed from net-misc/autossh/autossh-1.4g.ebuild)4
-rw-r--r--net-misc/electrum/Manifest2
-rw-r--r--net-misc/electrum/electrum-4.4.3.ebuild112
-rw-r--r--net-misc/openssh-contrib/Manifest30
-rw-r--r--net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch17
-rw-r--r--net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch20
-rw-r--r--net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch48
-rw-r--r--net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch57
-rw-r--r--net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch (renamed from net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch)0
-rw-r--r--net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch (renamed from net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch)0
-rw-r--r--net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch357
-rw-r--r--net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch14
-rw-r--r--net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch13
-rw-r--r--net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch (renamed from net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch)0
-rw-r--r--net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch20
-rw-r--r--net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch58
-rw-r--r--net-misc/openssh-contrib/files/sshd-r1.confd33
-rw-r--r--net-misc/openssh-contrib/files/sshd-r1.initd87
-rw-r--r--net-misc/openssh-contrib/files/sshd.pam_include.24
-rw-r--r--net-misc/openssh-contrib/files/sshd.service.115
-rw-r--r--net-misc/openssh-contrib/files/sshd.socket10
-rw-r--r--net-misc/openssh-contrib/files/sshd_at.service.18
-rw-r--r--net-misc/openssh-contrib/metadata.xml59
-rw-r--r--net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild (renamed from net-misc/openssh/openssh-9.3_p1.ebuild)111
-rw-r--r--net-misc/openssh/Manifest15
-rw-r--r--net-misc/openssh/metadata.xml3
-rw-r--r--net-misc/openssh/openssh-9.3_p1-r1.ebuild381
-rw-r--r--net-misc/pssh/Manifest2
-rw-r--r--net-misc/pssh/pssh-2.3.4-r3.ebuild (renamed from net-misc/pssh/pssh-2.3.4-r2.ebuild)2
-rw-r--r--net-misc/scponly/Manifest2
-rw-r--r--net-misc/scponly/scponly-4.8-r8.ebuild (renamed from net-misc/scponly/scponly-4.8-r7.ebuild)4
-rw-r--r--net-misc/sshpass/Manifest2
-rw-r--r--net-misc/sshpass/sshpass-1.09-r1.ebuild (renamed from net-misc/sshpass/sshpass-1.09.ebuild)4
-rw-r--r--net-misc/x2goserver/Manifest2
-rw-r--r--net-misc/x2goserver/x2goserver-4.1.0.3-r2.ebuild (renamed from net-misc/x2goserver/x2goserver-4.1.0.3-r1.ebuild)4
-rw-r--r--net-misc/zssh/Manifest2
-rw-r--r--net-misc/zssh/zssh-1.5c-r2.ebuild (renamed from net-misc/zssh/zssh-1.5c-r1.ebuild)4
39 files changed, 1426 insertions, 82 deletions
diff --git a/net-misc/Manifest.gz b/net-misc/Manifest.gz
index 821c401ea31f..a112a58552a9 100644
--- a/net-misc/Manifest.gz
+++ b/net-misc/Manifest.gz
Binary files differ
diff --git a/net-misc/autossh/Manifest b/net-misc/autossh/Manifest
index 288c2ddf9efd..227c3360dfd2 100644
--- a/net-misc/autossh/Manifest
+++ b/net-misc/autossh/Manifest
@@ -1,3 +1,3 @@
DIST autossh-1.4g.tgz 67599 BLAKE2B 179af97ee6f3b9c1c4fcbad1593118aa5d69dbd2b6215efd4a16ab7641f6f0194faaca3c3101b3a918d652988a06b5fa8ce6e52f85f81edd95b3d71d49aad076 SHA512 499b560d978736f4e764d5d828282fdaba1cbf94811ae6be0be5434d9c1cdc6ca5513d728b6372aa243843cb1b91e61cfc5fdeb77ddb0b6a7ce027218ba67466
-EBUILD autossh-1.4g.ebuild 509 BLAKE2B 509bbbe439478b442f003cd85f2269ade39eb08fd2ff689244fcb8e11114e66535961efa1d4d41ead706d2df2eddd6778b0fb0eb7aa4ce67be25ca01ab357fb7 SHA512 e7141ea8802a88c8147436819e084d12b8a60580c72e68c7efb0dae2c75ce83930e125cd5fee7e2d04d53d697e0f4a6325085bf98a8754b7fbad3476b676fa6d
+EBUILD autossh-1.4g-r1.ebuild 508 BLAKE2B 415ec316b485e2931effc4bf25ebf48a9dad4e0a4b72fc44d54a1bb40744504e56f82b12196812c878aae4ab9b1d0d18fd613acd03776071f67d39f3e01a3a28 SHA512 77ddc6fdd1c13d890b504fb91bb9716941705ef157d6677c7be8ebef3ca5e3b81132c89457d4df0c0ef443fc4de308a4ea010655994ae0a5bf55a3b9ca6a9cb6
MISC metadata.xml 247 BLAKE2B 6536db65878d9128a555200c64e8ff6a6992576c1563139308514c6da0908880f96f957d38b795f6e8de20c6318ddcdd40fd6d1b426bc54f823d9c5cf8e56e89 SHA512 74fe62941d0c26582e1cd28ca71bf6664c52361293c1150c3544c48f2bc812b6be88b13e92468f1e896e986a0369d7320453542653113735cca75fd0ceb20009
diff --git a/net-misc/autossh/autossh-1.4g.ebuild b/net-misc/autossh/autossh-1.4g-r1.ebuild
index 57c7452cb478..4a227c8620c6 100644
--- a/net-misc/autossh/autossh-1.4g.ebuild
+++ b/net-misc/autossh/autossh-1.4g-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
@@ -11,7 +11,7 @@ LICENSE="BSD"
KEYWORDS="amd64 ~arm ~arm64 ~hppa ppc ~ppc64 ~riscv ~sparc x86 ~amd64-linux ~x86-linux"
SLOT="0"
-RDEPEND="net-misc/openssh"
+RDEPEND="virtual/openssh"
src_install() {
dobin autossh
diff --git a/net-misc/electrum/Manifest b/net-misc/electrum/Manifest
index 8890f12f1b6a..ef9765c4ffbc 100644
--- a/net-misc/electrum/Manifest
+++ b/net-misc/electrum/Manifest
@@ -2,8 +2,10 @@ DIST electrum-4.3.4.gh.tar.gz 5512701 BLAKE2B a57e3ffddacfd5c63dc7f5cb59bbfe0632
DIST electrum-4.4.0.gh.tar.gz 5627801 BLAKE2B 27ed9fff7586f9efe18a76f3cfa6d0cc4df4d5bc542b68ce9cd78ac5d6b033114b9caea23edbbd2a531d6f877a8891a02fc321741d8ecf4eb473894f1d9c94a6 SHA512 dfa5020a2609b8faa21c1ae97e152b89cd235151c18bb2b6a0bb4b9cd5217697e3c6515d832c8f04291fb10e062c3a4d9a92c48874687ef99adfd7cf04f363f8
DIST electrum-4.4.1.gh.tar.gz 5631256 BLAKE2B cefa27c7b770429004a221143f4291285f2ad6f3ca6f1f58c5c98ce6b6efbc316ea6b857a6abf8ed899cf5feac1f3505fd83189849aab72f144af9e7ce4d546d SHA512 075253fc89063d8fa6adcdc9d3e4c7cbd5caa27efe9f5dca8ddf5ef3863ca25690f2a4280a4999d6d3da7d32ece10dd9faf2ba560d2b13a0c9887237daa6382e
DIST electrum-4.4.2.gh.tar.gz 5635869 BLAKE2B 7ba1941a59e5db7578d2b7fe26997c9bda92467362422fc3b3741eefc5c52b872cbb0c9c5caf7454ae4b6136a37b498ba2afd1b0f19ace0f566de68a9e40b3bb SHA512 50509a7890a9697dfb59ec6d8cb3f2d5243b37acbff2c322cb7a6f4b350dd18fc5a963a30af6cd4e918ea02306df4da7252158ddf268fc87762ff598e2eb33e8
+DIST electrum-4.4.3.gh.tar.gz 5629690 BLAKE2B 56f1bf2500500eb9fcd3b0397adee2f46865ab628004c62b2ffc36b7a019b1bd94b7c84576b35afda70116fb290476432fb1363eeb511d8cd4e6342c3a920975 SHA512 077742c404cce57fbf330b28a36c277dc22c10027c8f412ea192a7f7b917b37b22bbb85dc6cdc654daaacc28f98659dac406879a183448b20b0377a86697f486
EBUILD electrum-4.3.4-r1.ebuild 2896 BLAKE2B c5d42f5a55aab16022835b66633d77a156fe7c69b8ee3ee889a9609be5e824eebfafee27114776af6cfd03ac887fcb52c29f4cd44cd70faaeb58bbe33653a4c7 SHA512 11a88ece051a5107df2916717b7c0f5b08792a88d43f5d4d512ea91ad9683b01236fd9caa75d267a52888a01fccec63dffed51f1b66685749685b355dff262d3
EBUILD electrum-4.4.0.ebuild 2898 BLAKE2B a8ef6fc4fffef8e44732cd7e3f523357738db98da2907e361644df6c5da236f8e6989d3b9f2047a65538fb045d509cadb21af22a600ae99ec23f1a8e36e4d362 SHA512 1785c57717ec7cbb733cb3585d7a7f80a9c57a0e6427416b56a20a28d672f01fda7561a8df25305c886c3ba2b0b92c42c04c7aeb079054bc23c895d1c135714a
EBUILD electrum-4.4.1.ebuild 2898 BLAKE2B a8ef6fc4fffef8e44732cd7e3f523357738db98da2907e361644df6c5da236f8e6989d3b9f2047a65538fb045d509cadb21af22a600ae99ec23f1a8e36e4d362 SHA512 1785c57717ec7cbb733cb3585d7a7f80a9c57a0e6427416b56a20a28d672f01fda7561a8df25305c886c3ba2b0b92c42c04c7aeb079054bc23c895d1c135714a
EBUILD electrum-4.4.2-r1.ebuild 2898 BLAKE2B add50631480377c0e949a09c6177cdb01ab5fe5bba55c863c49bce88e929268985f8bdcdb82f1d7611c17ad72010712e4f6a551b63b47d9cdfebcfc360da5129 SHA512 e858b342327d8be65e74654287c360c65708e0d046f498c3ac1626db4af5ffa910eb33f8c6ae21063ba95b9755aa4728f65f156b5f06d9856252016dd7c0e4aa
+EBUILD electrum-4.4.3.ebuild 2898 BLAKE2B add50631480377c0e949a09c6177cdb01ab5fe5bba55c863c49bce88e929268985f8bdcdb82f1d7611c17ad72010712e4f6a551b63b47d9cdfebcfc360da5129 SHA512 e858b342327d8be65e74654287c360c65708e0d046f498c3ac1626db4af5ffa910eb33f8c6ae21063ba95b9755aa4728f65f156b5f06d9856252016dd7c0e4aa
MISC metadata.xml 637 BLAKE2B ec4a0e57a1a11fa3a430c40b317e9a857b4128c7815fcd9fabe44adf85c47985325f4df3da9476b19f687026a145c7abf16a6a1ef6c8e25dd217732cdf77a076 SHA512 599ade68d31da44232ab7f520f0b9c054e7a26757aa7eed4f06350487d6c7c1dfc12bf2ba3dbddeb8ef8e8f0b67d093b91999cec422b3a5ea6dfadc9acf2fbc1
diff --git a/net-misc/electrum/electrum-4.4.3.ebuild b/net-misc/electrum/electrum-4.4.3.ebuild
new file mode 100644
index 000000000000..151ffd5e2cfe
--- /dev/null
+++ b/net-misc/electrum/electrum-4.4.3.ebuild
@@ -0,0 +1,112 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_USE_PEP517=setuptools
+PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_REQ_USE="ncurses?"
+
+inherit distutils-r1 xdg-utils
+
+DESCRIPTION="User friendly Bitcoin client"
+HOMEPAGE="
+ https://electrum.org/
+ https://github.com/spesmilo/electrum/
+"
+SRC_URI="
+ https://github.com/spesmilo/electrum/archive/${PV}.tar.gz
+ -> ${P}.gh.tar.gz
+"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="cli ncurses qrcode +qt5"
+REQUIRED_USE="|| ( cli ncurses qt5 )"
+
+RDEPEND="
+ ${PYTHON_DEPS}
+ <dev-libs/libsecp256k1-0.4
+ >=dev-python/aiohttp-socks-0.3[${PYTHON_USEDEP}]
+ =dev-python/aiorpcX-0.22*[${PYTHON_USEDEP}]
+ >=dev-python/attrs-19.2.0[${PYTHON_USEDEP}]
+ dev-python/bitstring[${PYTHON_USEDEP}]
+ dev-python/cryptography[${PYTHON_USEDEP}]
+ >=dev-python/dnspython-2[${PYTHON_USEDEP}]
+ dev-python/pbkdf2[${PYTHON_USEDEP}]
+ dev-python/PySocks[${PYTHON_USEDEP}]
+ dev-python/qrcode[${PYTHON_USEDEP}]
+ dev-python/requests[${PYTHON_USEDEP}]
+ dev-python/setuptools[${PYTHON_USEDEP}]
+ dev-python/six[${PYTHON_USEDEP}]
+ >=dev-python/protobuf-python-3.20[${PYTHON_USEDEP}]
+ qrcode? ( media-gfx/zbar[v4l] )
+ qt5? (
+ dev-python/PyQt5[gui,widgets,${PYTHON_USEDEP}]
+ )
+ ncurses? ( $(python_gen_impl_dep 'ncurses') )
+"
+BDEPEND="
+ test? (
+ dev-python/pyaes[${PYTHON_USEDEP}]
+ dev-python/pycryptodome[${PYTHON_USEDEP}]
+ )
+"
+
+distutils_enable_tests pytest
+
+src_prepare() {
+ # use backwards-compatible cryptodome API
+ sed -i -e 's:Cryptodome:Crypto:' electrum/crypto.py || die
+
+ # make qdarkstyle dep optional
+ sed -i -e '/qdarkstyle/d' contrib/requirements/requirements.txt || die
+
+ # remove upper bounds from deps
+ sed -i -e 's:,<[0-9.]*::' contrib/requirements/requirements.txt || die
+
+ local bestgui
+ if use qt5; then
+ bestgui=qt
+ elif use ncurses; then
+ bestgui=text
+ else
+ bestgui=stdio
+ fi
+ sed -i 's/^\([[:space:]]*\)\(config_options\['\''cwd'\''\] = .*\)$/\1\2\n\1config_options.setdefault("gui", "'"${bestgui}"'")\n/' ${PN}/${PN} || die
+
+ eapply_user
+
+ xdg_environment_reset
+ distutils-r1_src_prepare
+}
+
+src_install() {
+ dodoc RELEASE-NOTES
+ distutils-r1_src_install
+}
+
+pkg_postinst() {
+ xdg_icon_cache_update
+ xdg_desktop_database_update
+
+ local v
+ for v in ${REPLACING_VERSIONS}; do
+ ver_test "${v}" -ge 4.3.4 && return
+ done
+
+ ewarn "If you are new to BitCoin, please be aware that:"
+ ewarn "1. Cryptocurrencies are volatile. BTC has been subject to rapid"
+ ewarn " changes of value in the past."
+ ewarn "2. Cryptocurrency ownership is determined solely by the access to"
+ ewarn " the private key. If the key is lost or stolen, BTC are unrevocably"
+ ewarn " lost."
+ ewarn "3. Proof-of-work based cryptocurrencies have negative environmental"
+ ewarn " impact. BTC mining is consuming huge amounts of electricity."
+}
+
+pkg_postrm() {
+ xdg_icon_cache_update
+ xdg_desktop_database_update
+}
diff --git a/net-misc/openssh-contrib/Manifest b/net-misc/openssh-contrib/Manifest
new file mode 100644
index 000000000000..04a027091998
--- /dev/null
+++ b/net-misc/openssh-contrib/Manifest
@@ -0,0 +1,30 @@
+AUX openssh-6.7_p1-openssl-ignore-status.patch 765 BLAKE2B 6ddc498cef115a38054eb8f1fddac34048b94592e54f8e31dc11717fe872f3d66a7e6877d2449102fbe18a0ee2a35732991abe946b1fe10abfa48bbec6871b26 SHA512 ab15d6dfdb8d59946684501f6f30ac0eb82676855b7b57f19f2027a7ada072f9062fcb96911111a50cfc3838492faddd282db381ec83d22462644ccddccf0ae7
+AUX openssh-7.5_p1-disable-conch-interop-tests.patch 554 BLAKE2B f5f45c000ec26c1f783669c3447ea3c80c5c0f9b971b86ca1e79e99e906a90a519abb6b14db462f5766572e9759180719ea44f048ef5aa8efc37efb61d2b6ef7 SHA512 f35b15f1e8d0eb276d748ee14c71004c6599ddb124c33e2f84623bc9eb02bb4fd4680d25d0ba0289d6a723a526c95c9a56b30496bdaa565bae853bf3d1bab61f
+AUX openssh-7.9_p1-include-stdlib.patch 914 BLAKE2B 9c7eb79f87ecd657a80821dfa979d8b0cc12a08d385ec085724f20aa6f5332593ffc7481bb9f816e91df3eb4d75d8f7b66383ff473d271270de128c3b2bf92e5 SHA512 7dade73bdafb0da484cbd396b4a644442f8ea12fef54c07e6308ae2e73a587fa4ddf401e8a0c467469b46fe7f00585e047462545182924c157b4d3894c707a70
+AUX openssh-8.0_p1-fix-putty-tests.patch 1760 BLAKE2B a1127e8f2275c1e23c956b5041dbc84dbdb2cd6b788fc69bfc1f6b030afe86a827483602ce76577b4101ee2e790b1cfa8c1d2db09da59b89fe7df8083bf4695f SHA512 f544d818bdde628131f1819bf2ffb4007802ee5bf12c5cd5bd398efe0f0f430ed6b3efa7969cb2c4fa49a2bbd773d8fa09f4c927cf998a564b7611443437c310
+AUX openssh-8.5_p1-hpn-15.2-sctp-glue.patch 727 BLAKE2B fafb6bc3ec680327abf01a7a2f673d4be601094d518d74f5afd0c596c1d60ddfc6f31add6b5533f85bc09cf2122b9e3f7243d5d26a2d6923c88c2f6a811ea2b8 SHA512 eda1c1613e94a7b10df9cc08c87ed8a39edb3f8a160600a74780877772bbd76cc9842d5d5d68ed6a9554e1e310675a1e461d894144d514b8e482d4a1affbc9bd
+AUX openssh-8.6_p1-hpn-version.patch 556 BLAKE2B 26ef960db46c82ee62e6a6f1be15c2897855caa6cbd05db87d3e606ce42d03fb6e88916f0c6644f67dc008ca802617d0f63e5e8e35d1a6c6076188ba19009186 SHA512 c13d14dc496863bd6bbbf08940322a60e74fa1cc2171f81132dfd874b9371ee0edd77f75ffd606f874fa2de498b174be91da5c641029abff2d2a8503c2f0fc02
+AUX openssh-8.7_p1-GSSAPI-dns.patch 11576 BLAKE2B 84aa0128ddeccf67e14c20f9d2acb61226c5091a3e3106285c79db4a297dbd781eddf7a6d4cb3b1a5a5dcbbcd158d32dbca5986b6fbf15f62cd3928cf125b083 SHA512 794b06c6ee6acd1bcd861753970cfc4d04f42499d48ff4119746dbcab8643f75761fddb9f52f49fe01e356740eb3882671ac3ae209e0e45745d195a219ffe5dd
+AUX openssh-8.9_p1-allow-ppoll_time64.patch 396 BLAKE2B b5bb202f79699d9037f12155044328f89ee0573efa43da7cdf8511555e706b6bf66cae069ac95cca900779c6ce293eedec48450f786fd033375e9be17bfb2872 SHA512 9b88024e6a898fc85205fbc038274a3271f787276962150965ab8f599fa355ee73cb48e7e12e3f090034293f9dca94a1ce41dfce2aaeb140693545ff3bc391f0
+AUX openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch 419 BLAKE2B c5ef82ed92da96213c84d954541dc3d99040f95a3ce6d81ea585360200128154daaa7717a553a91e693ee11044f11b4a2c3f9f0137c4b92cb1aee01514ec7763 SHA512 cdc0894728e01b132346bf1358b2193d5349f281a086a784a4bbdf1a6ad736632cf4c4fbb900c4ebb6b31a13313ed8660dae95968f4e906d40b2aa0b7a7c2303
+AUX openssh-9.0_p1-X509-uninitialized-delay.patch 321 BLAKE2B 19bff0fc7ecdc6350f8e6bd30f36f30b455c65b7455fe8b1d481d8fa7cdfa7cc76719931857fe2c9730b05ae8fe3e7e05c538e743e055d6594dd2fc7c3f250ee SHA512 57798621a51a60abf6985391ec73dcafdb46de75c93579e23b786aa095d8eea29ebd9ab5987b951a136b15e60896332c9717c82b42e1c22b345444aedf17a9f5
+AUX openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch 514 BLAKE2B d0dadfc57736cd4d2b04e46f5c0f6d5a1db1cfc7ee70d32afaa0f65269b82e66a72c46d33c9cbf7237f541a0485b25669cd2f4b34393e3a3ef0c9b4334092fe5 SHA512 f8badde54501340bde275951bc1cf653919bec02c760bf771308f10697b9ad2a483e30ae74ad124a737341f5c64657ab193a4d7fdf2baf24029b9447099da04b
+AUX openssh-9.3_p1-openssl-version-compat-check.patch 2588 BLAKE2B 635e9d4e0ca515d4da190075371b85b5c1885fd7d9b621d6f21399be0faf0be96e5e31875611392386b897f74087d75a00203a74c9f9ecf0be447bf354fcf4a2 SHA512 a27afa1b07a47f0ecf74d30ca85e7b4f8c79857c8019d274aeaed88b81149ce6241fd16f1023f14dbdc701e8c9d8671f6aadda2e21d620a47af8778b8531b991
+AUX sshd-r1.confd 774 BLAKE2B df3f3f28cb4d35b49851399b52408c42e242ae3168ff3fc79add211903567da370cfe86a267932ca9cf13c3afbc38a8f1b53e753a31670ee61bf8ba8747832f8 SHA512 3a69752592126024319a95f1c1747af508fd639c86eca472106c5d6c23d5eeaa441ca74740d4b1aafaa0db759d38879e3c1cee742b08d6166ebc58cddac1e2fe
+AUX sshd-r1.initd 2675 BLAKE2B 47e87cec2d15b90aae362ce0c8e8ba08dada9ebc244e28be1fe67d24deb00675d3d9b8fef40def8a9224a3e2d15ab717574a3d837e099133c1cf013079588b55 SHA512 257d6437162b76c4a3a648ecc5d4739ca7eaa60b192fde91422c6c05d0de6adfa9635adc24d57dc3da6beb92b1b354ffe8fddad3db453efb610195d5509a4e27
+AUX sshd.pam_include.2 156 BLAKE2B 91ebefbb1264fe3fe98df0a72ac22a4cd8a787b3b391af5769798e0b0185f0a588bc089d229c76138fd2db39fbe6bd33924f0d53e0513074d9c2d7abf88dcb78 SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c
+AUX sshd.service.1 298 BLAKE2B 7a4f2e2656096b09a8b435d393ea9b0a7bd10a2a9f0e9d9cf49b9ae9600cccfb19a64e09f4cf718e8054fc997f21656f609eb3af15ee2e3576531a88b5709842 SHA512 efc936ca412999e3b1acabe6cf4e87c033fe468cede1c3c499499e252cf7cdeca0841e5e1862ebe316ff3f4bf758fba674f08d081b403713e154b6bbc37da365
+AUX sshd.socket 136 BLAKE2B 22e218c831fc384a3151ef97c391253738fa9002e20cf4628c6fe3d52d4b0ac3b957da58f816950669d0a6f8f2786251c6dfc31bbb863f837a3f52631341dc2e SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42
+AUX sshd_at.service.1 163 BLAKE2B b5c77d69e3860d365ba96a5b2fe14514bda9425e170fc7f324dcaf95fb02756ef9c5c2658904e812232f40fac9a3c2f4abf61b9129038bde66bb7d3a992d2606 SHA512 fbfe0aed3a5e99f15dc68838975cc49a206d697fb3549d8b31db25617dc7b7b8dd2397d865d89f305d5da391cd56a69277c2215c4335fccb4dd6a9b95ba34e2f
+DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
+DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
+DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
+DIST openssh-9.3_p1-X509-glue-14.1.1.patch.xz 936 BLAKE2B f1716ff7801a27aa2aad06f1cca2ca6988eef65fb0ddcbde483e5c9205506ca40b658f5c8c40b2625afb38ff9b56e40831eadcf751c8ee1c11f69ec559f3c147 SHA512 dace01bcf22b625cd00e18ce019b0be31b6f47f714845f3ebb98ebee41b4db0a769fa09cab63ea17536a7106ec90f2b15f87696ae49fa6f6e31bad94ae09719d
+DIST openssh-9.3_p1-hpn-15.2-X509-14.1.1-glue.patch.xz 6224 BLAKE2B 47c7054648e8d795b0d9e563d8313242c917df8a3620a60cff2d77f9ae8482cec861244e0f1433f711922f0704b775b7183284960a3baa48a27b99979ad7ffa3 SHA512 728cf2586bcc9480afe71b5106e2286b925857a9e04dce79f744b36cbe3ec2844ac5b4a6bd4b64117f32ad1b04c0943b9d6f935eee826202871588ed9a167387
+DIST openssh-9.3_p1-hpn-15.2-glue.patch.xz 5044 BLAKE2B 73205bd8f702612df7cb6f29e8b353df854428974dc20d5938033157da64418317f326ab8118893dc47173cd871dc7654a3e3ed601289744560becc98729cd3f SHA512 343b77109158b9af5d8d57f4ac7968bce8277fa3b4dcaa19b76593620fbddbfa832bd76c0da52e12179fe5f391f9fef67e7af51b138ab8cc69a8a6471b6a3909
+DIST openssh-9.3p1+x509-14.1.1.diff.gz 1221335 BLAKE2B 9203fbb6955fe44ebd7ed031245a90b8df7e149a6ad3205097ffd5d2d7655a0e6b8cd2e20d7f7216fbc6d3e8bd0a1453f3fc028f04e96c0f244ad0772a0e30ab SHA512 8a1036d680d25f99e1a24ea77a2c303e807c0f5c5323043684da9fcc9ff603f80384688935a654cc97216f84f85f00f590dc35d2ee2b1f0fb169f8b427559b2d
+DIST openssh-9.3p1-sctp-1.2.patch.xz 6836 BLAKE2B d12394ecaa7eca6e0b3590cea83b71537edc3230bc5f7b2992a06a67c77247cc4156be0ba151038a5baee1c3f105f76f1917cc5aad08d1aadadfd6e56858781b SHA512 ba5af014e5b825bf4a57368416a15c6e56afd355780e4c5eab44a396c3f4276ac4d813c5c15b83f3b8edf4763855221743796c038433b292fda9417f0b274a71
+DIST openssh-9.3p1.tar.gz 1856839 BLAKE2B 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d SHA512 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19
+DIST openssh-9.3p1.tar.gz.asc 833 BLAKE2B e6533d64b117a400b76b90f71fa856d352dea57d91e4e89fa375429403ac0734cc0a2f075bc58c6bb4f40a8f9776735aa36bdb0bbf3880a2115cea787633e48b SHA512 6222378eb24a445c6c1db255392b405f5369b1af0e92f558d4ba05b0d83ab0d084cb8f4b91d7ae8636f333d970638a6635e2bc7af885135dd34992d87f2ef1f4
+EBUILD openssh-contrib-9.3_p1.ebuild 19020 BLAKE2B 65b72abbf8db1fd00dd8baf7e8695ab366e020e8509076fe02a587f499d5d997c470ed90c73104fa565eb00754cd9fd54cd85f06d0a11b639d251b66b634a7a1 SHA512 204a8c4e3ad06dcf6470b024372d4b84f4ed3c75fdb33a4124803fa8b3dfea1b75bb9fd8ff5a40a09fd626c455523d84d946c9cca5769533421e1670639569b2
+MISC metadata.xml 2975 BLAKE2B 068d52ba2e5de0b696e7fe995e4c2a041206a59258f24704ca3a72fe1d85323c2aad7899f055b48a4045d6303491822c59f2b86b85fc428a26f8259ea583796a SHA512 83fef701188c00af53382b5099fc2ebf83c903c3edefc3d2cf6deb0a667c0d0d9531c18728eef9b5b703903d31fbdb55a68e5b76890ea090bc1d79fef3ae6b89
diff --git a/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch
new file mode 100644
index 000000000000..fa33af39b6f8
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch
@@ -0,0 +1,17 @@
+the last nibble of the openssl version represents the status. that is,
+whether it is a beta or release. when it comes to version checks in
+openssh, this component does not matter, so ignore it.
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=2212
+
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
+ * For versions >= 1.0.0, major,minor,status must match and library
+ * fix version must be equal to or newer than the header.
+ */
+- mask = 0xfff0000fL; /* major,minor,status */
++ mask = 0xfff00000L; /* major,minor,status */
+ hfix = (headerver & 0x000ff000) >> 12;
+ lfix = (libver & 0x000ff000) >> 12;
+ if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
diff --git a/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch b/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch
new file mode 100644
index 000000000000..a5647ce9d8d3
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch
@@ -0,0 +1,20 @@
+Disable conch interop tests which are failing when called
+via portage for yet unknown reason and because using conch
+seems to be flaky (test is failing when using Python2 but
+passing when using Python3).
+
+Bug: https://bugs.gentoo.org/605446
+
+--- a/regress/conch-ciphers.sh
++++ b/regress/conch-ciphers.sh
+@@ -3,6 +3,10 @@
+
+ tid="conch ciphers"
+
++# https://bugs.gentoo.org/605446
++echo "conch interop tests skipped due to Gentoo bug #605446"
++exit 0
++
+ if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
+ echo "conch interop tests not enabled"
+ exit 0
diff --git a/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch b/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch
new file mode 100644
index 000000000000..c5697c2b8bd1
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch
@@ -0,0 +1,48 @@
+diff --git a/auth-options.c b/auth-options.c
+index b05d6d6f..d1f42f04 100644
+--- a/auth-options.c
++++ b/auth-options.c
+@@ -26,6 +26,7 @@
+ #include <stdarg.h>
+ #include <ctype.h>
+ #include <limits.h>
++#include <stdlib.h>
+
+ #include "openbsd-compat/sys-queue.h"
+
+diff --git a/hmac.c b/hmac.c
+index 1c879640..a29f32c5 100644
+--- a/hmac.c
++++ b/hmac.c
+@@ -19,6 +19,7 @@
+
+ #include <sys/types.h>
+ #include <string.h>
++#include <stdlib.h>
+
+ #include "sshbuf.h"
+ #include "digest.h"
+diff --git a/krl.c b/krl.c
+index 8e2d5d5d..c32e147a 100644
+--- a/krl.c
++++ b/krl.c
+@@ -28,6 +28,7 @@
+ #include <string.h>
+ #include <time.h>
+ #include <unistd.h>
++#include <stdlib.h>
+
+ #include "sshbuf.h"
+ #include "ssherr.h"
+diff --git a/mac.c b/mac.c
+index 51dc11d7..3d11eba6 100644
+--- a/mac.c
++++ b/mac.c
+@@ -29,6 +29,7 @@
+
+ #include <string.h>
+ #include <stdio.h>
++#include <stdlib.h>
+
+ #include "digest.h"
+ #include "hmac.h"
diff --git a/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch b/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch
new file mode 100644
index 000000000000..4310aa123fc8
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch
@@ -0,0 +1,57 @@
+Make sure that host keys are already accepted before
+running tests.
+
+https://bugs.gentoo.org/493866
+
+--- a/regress/putty-ciphers.sh
++++ b/regress/putty-ciphers.sh
+@@ -10,11 +10,17 @@ fi
+
+ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
+ verbose "$tid: cipher $c"
++ rm -f ${COPY}
+ cp ${OBJ}/.putty/sessions/localhost_proxy \
+ ${OBJ}/.putty/sessions/cipher_$c
+ echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
+
+- rm -f ${COPY}
++ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \
++ -i ${OBJ}/putty.rsa2 "exit"
++ if [ $? -ne 0 ]; then
++ fail "failed to pre-cache host key"
++ fi
++
+ env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
+ cat ${DATA} > ${COPY}
+ if [ $? -ne 0 ]; then
+--- a/regress/putty-kex.sh
++++ b/regress/putty-kex.sh
+@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
+ ${OBJ}/.putty/sessions/kex_$k
+ echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
+
++ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \
++ -i ${OBJ}/putty.rsa2 "exit"
++ if [ $? -ne 0 ]; then
++ fail "failed to pre-cache host key"
++ fi
++
+ env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
+ if [ $? -ne 0 ]; then
+ fail "KEX $k failed"
+--- a/regress/putty-transfer.sh
++++ b/regress/putty-transfer.sh
+@@ -14,6 +14,13 @@ for c in 0 1 ; do
+ cp ${OBJ}/.putty/sessions/localhost_proxy \
+ ${OBJ}/.putty/sessions/compression_$c
+ echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
++
++ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \
++ -i ${OBJ}/putty.rsa2 "exit"
++ if [ $? -ne 0 ]; then
++ fail "failed to pre-cache host key"
++ fi
++
+ env HOME=$PWD ${PLINK} -load compression_$c -batch \
+ -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
+ if [ $? -ne 0 ]; then
diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
index 7199227589c6..7199227589c6 100644
--- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
+++ b/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch b/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch
index 6dc290d6737b..6dc290d6737b 100644
--- a/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch
+++ b/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch
diff --git a/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch b/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch
new file mode 100644
index 000000000000..ffc40b70ae3d
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch
@@ -0,0 +1,357 @@
+diff --git a/auth.c b/auth.c
+index 00b168b4..8ee93581 100644
+--- a/auth.c
++++ b/auth.c
+@@ -729,118 +729,6 @@ fakepw(void)
+ return (&fake);
+ }
+
+-/*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on based on conflation of hostnames and IP addresses.
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+- struct sockaddr_storage from;
+- socklen_t fromlen;
+- struct addrinfo hints, *ai, *aitop;
+- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+- const char *ntop = ssh_remote_ipaddr(ssh);
+-
+- /* Get IP address of client. */
+- fromlen = sizeof(from);
+- memset(&from, 0, sizeof(from));
+- if (getpeername(ssh_packet_get_connection_in(ssh),
+- (struct sockaddr *)&from, &fromlen) == -1) {
+- debug("getpeername failed: %.100s", strerror(errno));
+- return xstrdup(ntop);
+- }
+-
+- ipv64_normalise_mapped(&from, &fromlen);
+- if (from.ss_family == AF_INET6)
+- fromlen = sizeof(struct sockaddr_in6);
+-
+- debug3("Trying to reverse map address %.100s.", ntop);
+- /* Map the IP address to a host name. */
+- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+- NULL, 0, NI_NAMEREQD) != 0) {
+- /* Host name not found. Use ip address. */
+- return xstrdup(ntop);
+- }
+-
+- /*
+- * if reverse lookup result looks like a numeric hostname,
+- * someone is trying to trick us by PTR record like following:
+- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
+- */
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+- hints.ai_flags = AI_NUMERICHOST;
+- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+- name, ntop);
+- freeaddrinfo(ai);
+- return xstrdup(ntop);
+- }
+-
+- /* Names are stored in lowercase. */
+- lowercase(name);
+-
+- /*
+- * Map it back to an IP address and check that the given
+- * address actually is an address of this host. This is
+- * necessary because anyone with access to a name server can
+- * define arbitrary names for an IP address. Mapping from
+- * name to IP address can be trusted better (but can still be
+- * fooled if the intruder has access to the name server of
+- * the domain).
+- */
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_family = from.ss_family;
+- hints.ai_socktype = SOCK_STREAM;
+- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+- logit("reverse mapping checking getaddrinfo for %.700s "
+- "[%s] failed.", name, ntop);
+- return xstrdup(ntop);
+- }
+- /* Look for the address from the list of addresses. */
+- for (ai = aitop; ai; ai = ai->ai_next) {
+- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+- (strcmp(ntop, ntop2) == 0))
+- break;
+- }
+- freeaddrinfo(aitop);
+- /* If we reached the end of the list, the address was not there. */
+- if (ai == NULL) {
+- /* Address not found for the host name. */
+- logit("Address %.100s maps to %.600s, but this does not "
+- "map back to the address.", ntop, name);
+- return xstrdup(ntop);
+- }
+- return xstrdup(name);
+-}
+-
+-/*
+- * Return the canonical name of the host in the other side of the current
+- * connection. The host name is cached, so it is efficient to call this
+- * several times.
+- */
+-
+-const char *
+-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+-{
+- static char *dnsname;
+-
+- if (!use_dns)
+- return ssh_remote_ipaddr(ssh);
+- else if (dnsname != NULL)
+- return dnsname;
+- else {
+- dnsname = remote_hostname(ssh);
+- return dnsname;
+- }
+-}
+-
+ /* These functions link key/cert options to the auth framework */
+
+ /* Log sshauthopt options locally and (optionally) for remote transmission */
+diff --git a/canohost.c b/canohost.c
+index a810da0e..18e9d8d4 100644
+--- a/canohost.c
++++ b/canohost.c
+@@ -202,3 +202,117 @@ get_local_port(int sock)
+ {
+ return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++static char *
++remote_hostname(struct ssh *ssh)
++{
++ struct sockaddr_storage from;
++ socklen_t fromlen;
++ struct addrinfo hints, *ai, *aitop;
++ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++ const char *ntop = ssh_remote_ipaddr(ssh);
++
++ /* Get IP address of client. */
++ fromlen = sizeof(from);
++ memset(&from, 0, sizeof(from));
++ if (getpeername(ssh_packet_get_connection_in(ssh),
++ (struct sockaddr *)&from, &fromlen) == -1) {
++ debug("getpeername failed: %.100s", strerror(errno));
++ return xstrdup(ntop);
++ }
++
++ ipv64_normalise_mapped(&from, &fromlen);
++ if (from.ss_family == AF_INET6)
++ fromlen = sizeof(struct sockaddr_in6);
++
++ debug3("Trying to reverse map address %.100s.", ntop);
++ /* Map the IP address to a host name. */
++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++ NULL, 0, NI_NAMEREQD) != 0) {
++ /* Host name not found. Use ip address. */
++ return xstrdup(ntop);
++ }
++
++ /*
++ * if reverse lookup result looks like a numeric hostname,
++ * someone is trying to trick us by PTR record like following:
++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
++ hints.ai_flags = AI_NUMERICHOST;
++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++ name, ntop);
++ freeaddrinfo(ai);
++ return xstrdup(ntop);
++ }
++
++ /* Names are stored in lowercase. */
++ lowercase(name);
++
++ /*
++ * Map it back to an IP address and check that the given
++ * address actually is an address of this host. This is
++ * necessary because anyone with access to a name server can
++ * define arbitrary names for an IP address. Mapping from
++ * name to IP address can be trusted better (but can still be
++ * fooled if the intruder has access to the name server of
++ * the domain).
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = from.ss_family;
++ hints.ai_socktype = SOCK_STREAM;
++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++ logit("reverse mapping checking getaddrinfo for %.700s "
++ "[%s] failed.", name, ntop);
++ return xstrdup(ntop);
++ }
++ /* Look for the address from the list of addresses. */
++ for (ai = aitop; ai; ai = ai->ai_next) {
++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++ (strcmp(ntop, ntop2) == 0))
++ break;
++ }
++ freeaddrinfo(aitop);
++ /* If we reached the end of the list, the address was not there. */
++ if (ai == NULL) {
++ /* Address not found for the host name. */
++ logit("Address %.100s maps to %.600s, but this does not "
++ "map back to the address.", ntop, name);
++ return xstrdup(ntop);
++ }
++ return xstrdup(name);
++}
++
++/*
++ * Return the canonical name of the host in the other side of the current
++ * connection. The host name is cached, so it is efficient to call this
++ * several times.
++ */
++
++const char *
++auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
++{
++ static char *dnsname;
++
++ if (!use_dns)
++ return ssh_remote_ipaddr(ssh);
++ else if (dnsname != NULL)
++ return dnsname;
++ else {
++ dnsname = remote_hostname(ssh);
++ return dnsname;
++ }
++}
+diff --git a/readconf.c b/readconf.c
+index 03369a08..b45898ce 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -161,6 +161,7 @@ typedef enum {
+ oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++ oGssTrustDns,
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
+ oHashKnownHosts,
+@@ -207,9 +208,11 @@ static struct {
+ #if defined(GSSAPI)
+ { "gssapiauthentication", oGssAuthentication },
+ { "gssapidelegatecredentials", oGssDelegateCreds },
++ { "gssapitrustdns", oGssTrustDns },
+ # else
+ { "gssapiauthentication", oUnsupported },
+ { "gssapidelegatecredentials", oUnsupported },
++ { "gssapitrustdns", oUnsupported },
+ #endif
+ #ifdef ENABLE_PKCS11
+ { "pkcs11provider", oPKCS11Provider },
+@@ -1117,6 +1120,10 @@ parse_time:
+ intptr = &options->gss_deleg_creds;
+ goto parse_flag;
+
++ case oGssTrustDns:
++ intptr = &options->gss_trust_dns;
++ goto parse_flag;
++
+ case oBatchMode:
+ intptr = &options->batch_mode;
+ goto parse_flag;
+@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
+ options->pubkey_authentication = -1;
+ options->gss_authentication = -1;
+ options->gss_deleg_creds = -1;
++ options->gss_trust_dns = -1;
+ options->password_authentication = -1;
+ options->kbd_interactive_authentication = -1;
+ options->kbd_interactive_devices = NULL;
+@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
+ options->gss_authentication = 0;
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 0;
++ if (options->gss_trust_dns == -1)
++ options->gss_trust_dns = 0;
+ if (options->password_authentication == -1)
+ options->password_authentication = 1;
+ if (options->kbd_interactive_authentication == -1)
+diff --git a/readconf.h b/readconf.h
+index f7d53b06..c3a91898 100644
+--- a/readconf.h
++++ b/readconf.h
+@@ -40,6 +40,7 @@ typedef struct {
+ int hostbased_authentication; /* ssh2's rhosts_rsa */
+ int gss_authentication; /* Try GSS authentication */
+ int gss_deleg_creds; /* Delegate GSS credentials */
++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
+ int password_authentication; /* Try password
+ * authentication. */
+ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+diff --git a/ssh_config.5 b/ssh_config.5
+index cd0eea86..27101943 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -832,6 +832,16 @@ The default is
+ Forward (delegate) credentials to the server.
+ The default is
+ .Cm no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+diff --git a/sshconnect2.c b/sshconnect2.c
+index fea50fab..aeff639b 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
+ OM_uint32 min;
+ int r, ok = 0;
+ gss_OID mech = NULL;
++ const char *gss_host;
++
++ if (options.gss_trust_dns) {
++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
++ gss_host = auth_get_canonical_hostname(ssh, 1);
++ } else
++ gss_host = authctxt->host;
+
+ /* Try one GSSAPI method at a time, rather than sending them all at
+ * once. */
+@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
+ elements[authctxt->mech_tried];
+ /* My DER encoding requires length<128 */
+ if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
+- mech, authctxt->host)) {
++ mech, gss_host)) {
+ ok = 1; /* Mechanism works */
+ } else {
+ authctxt->mech_tried++;
diff --git a/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch b/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch
new file mode 100644
index 000000000000..8c46625aa29c
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch
@@ -0,0 +1,14 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 2e065ba3..4ce80cb2 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_ppoll
+ SC_ALLOW(__NR_ppoll),
+ #endif
++#ifdef __NR_ppoll_time64
++ SC_ALLOW(__NR_ppoll_time64),
++#endif
+ #ifdef __NR_poll
+ SC_ALLOW(__NR_poll),
+ #endif
diff --git a/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch b/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
new file mode 100644
index 000000000000..9e08b2a553c2
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
@@ -0,0 +1,13 @@
+diff --git a/gss-serv.c b/gss-serv.c
+index b5d4bb2d..00e3d118 100644
+--- a/gss-serv.c
++++ b/gss-serv.c
+@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
+ gss_create_empty_oid_set(&status, &oidset);
+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
+
+- if (gethostname(lname, MAXHOSTNAMELEN)) {
++ if (gethostname(lname, HOST_NAME_MAX)) {
+ gss_release_oid_set(&status, &oidset);
+ return (-1);
+ }
diff --git a/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch b/net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch
index 2a83ed37d138..2a83ed37d138 100644
--- a/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch
+++ b/net-misc/openssh-contrib/files/openssh-9.0_p1-X509-uninitialized-delay.patch
diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
new file mode 100644
index 000000000000..4d098b2231c7
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
@@ -0,0 +1,20 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 23b40b643..d93a357c6 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -257,6 +257,15 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_statx
+ SC_DENY(__NR_statx, EACCES),
+ #endif
++#ifdef __NR_shmget
++ SC_DENY(__NR_shmget, EACCES),
++#endif
++#ifdef __NR_shmat
++ SC_DENY(__NR_shmat, EACCES),
++#endif
++#ifdef __NR_shmdt
++ SC_DENY(__NR_shmdt, EACCES),
++#endif
+
+ /* Syscalls to permit */
+ #ifdef __NR_brk
diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch b/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch
new file mode 100644
index 000000000000..b571ae253fff
--- /dev/null
+++ b/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch
@@ -0,0 +1,58 @@
+https://bugzilla.mindrot.org/show_bug.cgi?id=3548
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -48,19 +48,25 @@ ssh_compatible_openssl(long headerver, long libver)
+ if (headerver == libver)
+ return 1;
+
+- /* for versions < 1.0.0, major,minor,fix,status must match */
+- if (headerver < 0x1000000f) {
+- mask = 0xfffff00fL; /* major,minor,fix,status */
+- return (headerver & mask) == (libver & mask);
++ /*
++ * For versions < 3.0.0, major,minor,status must match and library
++ * fix version must be equal to or newer than the header.
++ */
++ if (headerver < 0x3000000f) {
++ mask = 0xfff0000fL; /* major,minor,status */
++ hfix = (headerver & 0x000ff000) >> 12;
++ lfix = (libver & 0x000ff000) >> 12;
++ if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
++ return 1;
+ }
+
+ /*
+- * For versions >= 1.0.0, major,minor,status must match and library
+- * fix version must be equal to or newer than the header.
++ * For versions >= 3.0.0, major must match and minor,status must be
++ * equal to or greater than the header.
+ */
+- mask = 0xfff00000L; /* major,minor,status */
+- hfix = (headerver & 0x000ff000) >> 12;
+- lfix = (libver & 0x000ff000) >> 12;
++ mask = 0xf000000fL; /* major, status */
++ hfix = (headerver & 0x0ffffff0L) >> 12;
++ lfix = (libver & 0x0ffffff0L) >> 12;
+ if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
+ return 1;
+ return 0;
+--- a/openbsd-compat/regress/opensslvertest.c
++++ b/openbsd-compat/regress/opensslvertest.c
+@@ -31,7 +31,7 @@ struct version_test {
+ { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */
+ { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */
+ { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */
+- { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */
++ { 0x0090802fL, 0x0090902fL, 1}, /* newer library minor version: ok */
+ { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */
+ { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */
+
+@@ -41,7 +41,7 @@ struct version_test {
+ { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */
+ { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */
+ { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */
+- { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */
++ { 0x1000101fL, 0x1010101fL, 1}, /* newer library minor version: ok */
+ { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */
+ { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */
+ };
diff --git a/net-misc/openssh-contrib/files/sshd-r1.confd b/net-misc/openssh-contrib/files/sshd-r1.confd
new file mode 100644
index 000000000000..cf430371bf0f
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd-r1.confd
@@ -0,0 +1,33 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress.
+
+#SSHD_SSD_OPTS="--wait 1000"
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
+
+
+# Path to the ssh-keygen binary (needs to be absolute path).
+
+#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"
diff --git a/net-misc/openssh-contrib/files/sshd-r1.initd b/net-misc/openssh-contrib/files/sshd-r1.initd
new file mode 100644
index 000000000000..e91cd0116cd4
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd-r1.initd
@@ -0,0 +1,87 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
+: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
+: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
+: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
+: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
+
+command="${SSHD_BINARY}"
+pidfile="${SSHD_PIDFILE}"
+command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress (bug 617596).
+: ${SSHD_SSD_OPTS:=--wait 1000}
+start_stop_daemon_args="${SSHD_SSD_OPTS}"
+
+depend() {
+ # Entropy can be used by ssh-keygen, among other things, but
+ # is not strictly required (bug 470020).
+ use logger dns entropy
+ if [ "${rc_need+set}" = "set" ] ; then
+ : # Do nothing, the user has explicitly set rc_need
+ else
+ local x warn_addr
+ for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
+ case "${x}" in
+ 0.0.0.0|0.0.0.0:*) ;;
+ ::|\[::\]*) ;;
+ *) warn_addr="${warn_addr} ${x}" ;;
+ esac
+ done
+ if [ -n "${warn_addr}" ] ; then
+ need net
+ ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
+ ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
+ ewarn "where FOO is the interface(s) providing the following address(es):"
+ ewarn "${warn_addr}"
+ fi
+ fi
+}
+
+checkconfig() {
+ checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
+
+ if [ ! -e "${SSHD_CONFIG}" ] ; then
+ eerror "You need an ${SSHD_CONFIG} file to run sshd"
+ eerror "There is a sample file in /usr/share/doc/openssh"
+ return 1
+ fi
+
+ ${SSHD_KEYGEN_BINARY} -A || return 2
+
+ "${command}" -t ${command_args} || return 3
+}
+
+start_pre() {
+ # Make sure that the user's config isn't busted before we try
+ # to start the daemon (this will produce better error messages
+ # than if we just try to start it blindly).
+ #
+ # We always need to call checkconfig because this function will
+ # also generate any missing host key and you can start a
+ # non-running service with "restart" argument.
+ checkconfig || return $?
+}
+
+stop_pre() {
+ # If this is a restart, check to make sure the user's config
+ # isn't busted before we stop the running daemon.
+ if [ "${RC_CMD}" = "restart" ] ; then
+ checkconfig || return $?
+ fi
+}
+
+reload() {
+ checkconfig || return $?
+ ebegin "Reloading ${SVCNAME}"
+ start-stop-daemon --signal HUP --pidfile "${pidfile}"
+ eend $?
+}
diff --git a/net-misc/openssh-contrib/files/sshd.pam_include.2 b/net-misc/openssh-contrib/files/sshd.pam_include.2
new file mode 100644
index 000000000000..b801aaafa0f9
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd.pam_include.2
@@ -0,0 +1,4 @@
+auth include system-remote-login
+account include system-remote-login
+password include system-remote-login
+session include system-remote-login
diff --git a/net-misc/openssh-contrib/files/sshd.service.1 b/net-misc/openssh-contrib/files/sshd.service.1
new file mode 100644
index 000000000000..a541164cd7f2
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd.service.1
@@ -0,0 +1,15 @@
+[Unit]
+Description=OpenSSH server daemon
+After=network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/bin/ssh-keygen -A
+ExecStart=/usr/sbin/sshd -D -e
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+OOMPolicy=continue
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-misc/openssh-contrib/files/sshd.socket b/net-misc/openssh-contrib/files/sshd.socket
new file mode 100644
index 000000000000..94b9533180da
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH Server Socket
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/net-misc/openssh-contrib/files/sshd_at.service.1 b/net-misc/openssh-contrib/files/sshd_at.service.1
new file mode 100644
index 000000000000..e43a457994f4
--- /dev/null
+++ b/net-misc/openssh-contrib/files/sshd_at.service.1
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+After=auditd.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i -e
+StandardInput=socket
+StandardError=journal
diff --git a/net-misc/openssh-contrib/metadata.xml b/net-misc/openssh-contrib/metadata.xml
new file mode 100644
index 000000000000..2982a0304511
--- /dev/null
+++ b/net-misc/openssh-contrib/metadata.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>chutzpah@gentoo.org</email>
+ <name>Patrick McLean</name>
+ </maintainer>
+ <maintainer type="person">
+ <email>robbat2@gentoo.org</email>
+ <name>Robin H. Johnson</name>
+ </maintainer>
+ <longdescription>
+ OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
+ increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
+ rlogin, ftp, and other such programs might not realize that their password is transmitted
+ across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
+ to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
+ Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
+ of authentication methods.
+
+ The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
+ replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
+ the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
+ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
+
+ This package represents an effort to extend upstream OpenSSH with three big patchsets.
+
+ WARNING: These patches are of lower quality than vanilla upstream OpenSSH and often have
+ correctness issues.
+
+ The patches are:
+
+ * HPN (High performance SSH/SCP) adds custom ciphers that allow for more aggressive
+ buffering and/or multithreading, leading to better network throughput. Many of these
+ optimizations are not relevant anymore due to AEAD ciphers changing MAC nesting or
+ because more CPU performant ciphers are being used in this day and age (ChaCha20).
+
+ WARNING: HPN's multi-threaded AES CTR cipher is known to be broken and should not be relied upon.
+
+ * SCTP patches by Patrick McLean. These enable SSH over SCTP.
+
+ * X509 patches by Roumen Petrov. OpenSSH upstream will never support standard PKIs for
+ authenticating users. This patch series adds support for X509 certificates.
+ </longdescription>
+ <use>
+ <flag name="hpn">Enable high performance ssh</flag>
+ <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
+ <flag name="livecd">Enable root password logins for live-cd environment.</flag>
+ <flag name="security-key">Include builtin U2F/FIDO support</flag>
+ <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
+ <flag name="X509">Adds support for X.509 certificate authentication</flag>
+ <flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
+ </use>
+ <upstream>
+ <remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
+ <remote-id type="github">openssh/openssh-portable</remote-id>
+ <remote-id type="sourceforge">hpnssh</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/net-misc/openssh/openssh-9.3_p1.ebuild b/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild
index c3084f573734..8fa1eabcaa5c 100644
--- a/net-misc/openssh/openssh-9.3_p1.ebuild
+++ b/net-misc/openssh-contrib/openssh-contrib-9.3_p1.ebuild
@@ -7,7 +7,8 @@ inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
# Make it more portable between straight releases
# and _p? releases.
-PARCH=${P/_}
+MY_P=${P/-contrib/}
+PARCH=${MY_P/_}
# PV to USE for HPN patches
#HPN_PV="${PV^^}"
@@ -15,11 +16,11 @@ HPN_PV="8.5_P1"
HPN_VER="15.2"
HPN_PATCHES=(
- ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
- ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
- ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
+ openssh-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
+ openssh-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+ openssh-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
)
-HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-glue.patch"
+HPN_GLUE_PATCH="openssh-9.3_p1-hpn-${HPN_VER}-glue.patch"
HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}"
SCTP_VER="1.2"
@@ -27,10 +28,10 @@ SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="14.1.1"
X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
-X509_HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch"
+X509_GLUE_PATCH="openssh-${PV}-X509-glue-${X509_VER}.patch"
+X509_HPN_GLUE_PATCH="openssh-9.3_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch"
-DESCRIPTION="Port of OpenBSD's free SSH release"
+DESCRIPTION="Port of OpenBSD's free SSH release with HPN/SCTP/X509 patches"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
@@ -50,7 +51,7 @@ S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~amd64"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
@@ -69,9 +70,7 @@ REQUIRED_USE="
# tests currently fail with XMSS
REQUIRED_USE+="test? ( !xmss )"
-# Blocker on older gcc-config for bug #872416
LIB_DEPEND="
- !<sys-devel/gcc-config-2.6
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
@@ -86,6 +85,7 @@ LIB_DEPEND="
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
"
RDEPEND="
+ !net-misc/openssh
acct-group/sshd
acct-user/sshd
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
@@ -116,15 +116,15 @@ BDEPEND="
"
PATCHES=(
- "${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
- "${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
- "${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
- "${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
- "${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
- "${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
- "${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
- "${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
- "${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch"
+ "${FILESDIR}/openssh-7.9_p1-include-stdlib.patch"
+ "${FILESDIR}/openssh-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
+ "${FILESDIR}/openssh-6.7_p1-openssl-ignore-status.patch"
+ "${FILESDIR}/openssh-7.5_p1-disable-conch-interop-tests.patch"
+ "${FILESDIR}/openssh-8.0_p1-fix-putty-tests.patch"
+ "${FILESDIR}/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
+ "${FILESDIR}/openssh-8.9_p1-allow-ppoll_time64.patch" #834019
+ "${FILESDIR}/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
+ "${FILESDIR}/openssh-9.3_p1-openssl-version-compat-check.patch"
)
pkg_pretend() {
@@ -177,7 +177,7 @@ src_prepare() {
popd &>/dev/null || die
eapply "${WORKDIR}"/${X509_PATCH%.*}
- eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
+ eapply "${FILESDIR}/openssh-9.0_p1-X509-uninitialized-delay.patch"
# We need to patch package version or any X.509 sshd will reject our ssh client
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
@@ -210,13 +210,13 @@ src_prepare() {
fi
if use hpn ; then
- local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
+ local hpn_patchdir="${T}/openssh-${PV}-hpn${HPN_VER}"
mkdir "${hpn_patchdir}" || die
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
eapply "${WORKDIR}/${HPN_GLUE_PATCH}"
use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}"
- use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
+ use sctp && eapply "${FILESDIR}"/openssh-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
popd &>/dev/null || die
eapply "${hpn_patchdir}"
@@ -235,6 +235,8 @@ src_prepare() {
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
+ # Before re-enabling, check https://bugs.gentoo.org/354113#c6
+ # and be sure to have tested it.
einfo "Disabling known non-working MT AES cipher per default ..."
cat > "${T}"/disable_mtaes.conf <<- EOF
@@ -283,11 +285,6 @@ src_prepare() {
-e 's:-D_FORTIFY_SOURCE=2::'
)
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
# _XOPEN_SOURCE causes header conflicts on Solaris
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-e 's/-D_XOPEN_SOURCE//'
@@ -380,39 +377,55 @@ tweak_ssh_configs() {
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
)
- # First the server config.
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+ dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die
+ Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf"
+ EOF
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die
+ Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"
+ EOF
- # Allow client to pass locale environment variables. #367017
- AcceptEnv ${locale_vars[*]}
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
+ # Send locale environment variables (bug #367017)
+ SendEnv ${locale_vars[*]}
- # Allow client to pass COLORTERM to match TERM. #658540
- AcceptEnv COLORTERM
+ # Send COLORTERM to match TERM (bug #658540)
+ SendEnv COLORTERM
+ EOF
+
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die
+ RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
EOF
- # Then the client config.
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die
+ # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
+ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+ EOF
- # Send locale environment variables. #367017
- SendEnv ${locale_vars[*]}
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
+ # Allow client to pass locale environment variables (bug #367017)
+ AcceptEnv ${locale_vars[*]}
- # Send COLORTERM to match TERM. #658540
- SendEnv COLORTERM
+ # Allow client to pass COLORTERM to match TERM (bug #658540)
+ AcceptEnv COLORTERM
EOF
if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
+ UsePAM yes
+ # This interferes with PAM.
+ PasswordAuthentication no
+ # PAM can do its own handling of MOTD.
+ PrintMotd no
+ PrintLastLog no
+ EOF
fi
if use livecd ; then
- sed -i \
- -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
- "${ED}"/etc/ssh/sshd_config || die
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die
+ # Allow root login with password on livecds.
+ PermitRootLogin Yes
+ EOF
fi
}
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 6346e7741780..3472427f1673 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -2,12 +2,9 @@ AUX openssh-6.7_p1-openssl-ignore-status.patch 765 BLAKE2B 6ddc498cef115a38054eb
AUX openssh-7.5_p1-disable-conch-interop-tests.patch 554 BLAKE2B f5f45c000ec26c1f783669c3447ea3c80c5c0f9b971b86ca1e79e99e906a90a519abb6b14db462f5766572e9759180719ea44f048ef5aa8efc37efb61d2b6ef7 SHA512 f35b15f1e8d0eb276d748ee14c71004c6599ddb124c33e2f84623bc9eb02bb4fd4680d25d0ba0289d6a723a526c95c9a56b30496bdaa565bae853bf3d1bab61f
AUX openssh-7.9_p1-include-stdlib.patch 914 BLAKE2B 9c7eb79f87ecd657a80821dfa979d8b0cc12a08d385ec085724f20aa6f5332593ffc7481bb9f816e91df3eb4d75d8f7b66383ff473d271270de128c3b2bf92e5 SHA512 7dade73bdafb0da484cbd396b4a644442f8ea12fef54c07e6308ae2e73a587fa4ddf401e8a0c467469b46fe7f00585e047462545182924c157b4d3894c707a70
AUX openssh-8.0_p1-fix-putty-tests.patch 1760 BLAKE2B a1127e8f2275c1e23c956b5041dbc84dbdb2cd6b788fc69bfc1f6b030afe86a827483602ce76577b4101ee2e790b1cfa8c1d2db09da59b89fe7df8083bf4695f SHA512 f544d818bdde628131f1819bf2ffb4007802ee5bf12c5cd5bd398efe0f0f430ed6b3efa7969cb2c4fa49a2bbd773d8fa09f4c927cf998a564b7611443437c310
-AUX openssh-8.5_p1-hpn-15.2-sctp-glue.patch 727 BLAKE2B fafb6bc3ec680327abf01a7a2f673d4be601094d518d74f5afd0c596c1d60ddfc6f31add6b5533f85bc09cf2122b9e3f7243d5d26a2d6923c88c2f6a811ea2b8 SHA512 eda1c1613e94a7b10df9cc08c87ed8a39edb3f8a160600a74780877772bbd76cc9842d5d5d68ed6a9554e1e310675a1e461d894144d514b8e482d4a1affbc9bd
-AUX openssh-8.6_p1-hpn-version.patch 556 BLAKE2B 26ef960db46c82ee62e6a6f1be15c2897855caa6cbd05db87d3e606ce42d03fb6e88916f0c6644f67dc008ca802617d0f63e5e8e35d1a6c6076188ba19009186 SHA512 c13d14dc496863bd6bbbf08940322a60e74fa1cc2171f81132dfd874b9371ee0edd77f75ffd606f874fa2de498b174be91da5c641029abff2d2a8503c2f0fc02
AUX openssh-8.7_p1-GSSAPI-dns.patch 11576 BLAKE2B 84aa0128ddeccf67e14c20f9d2acb61226c5091a3e3106285c79db4a297dbd781eddf7a6d4cb3b1a5a5dcbbcd158d32dbca5986b6fbf15f62cd3928cf125b083 SHA512 794b06c6ee6acd1bcd861753970cfc4d04f42499d48ff4119746dbcab8643f75761fddb9f52f49fe01e356740eb3882671ac3ae209e0e45745d195a219ffe5dd
AUX openssh-8.9_p1-allow-ppoll_time64.patch 396 BLAKE2B b5bb202f79699d9037f12155044328f89ee0573efa43da7cdf8511555e706b6bf66cae069ac95cca900779c6ce293eedec48450f786fd033375e9be17bfb2872 SHA512 9b88024e6a898fc85205fbc038274a3271f787276962150965ab8f599fa355ee73cb48e7e12e3f090034293f9dca94a1ce41dfce2aaeb140693545ff3bc391f0
AUX openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch 419 BLAKE2B c5ef82ed92da96213c84d954541dc3d99040f95a3ce6d81ea585360200128154daaa7717a553a91e693ee11044f11b4a2c3f9f0137c4b92cb1aee01514ec7763 SHA512 cdc0894728e01b132346bf1358b2193d5349f281a086a784a4bbdf1a6ad736632cf4c4fbb900c4ebb6b31a13313ed8660dae95968f4e906d40b2aa0b7a7c2303
-AUX openssh-9.0_p1-X509-uninitialized-delay.patch 321 BLAKE2B 19bff0fc7ecdc6350f8e6bd30f36f30b455c65b7455fe8b1d481d8fa7cdfa7cc76719931857fe2c9730b05ae8fe3e7e05c538e743e055d6594dd2fc7c3f250ee SHA512 57798621a51a60abf6985391ec73dcafdb46de75c93579e23b786aa095d8eea29ebd9ab5987b951a136b15e60896332c9717c82b42e1c22b345444aedf17a9f5
AUX openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch 514 BLAKE2B d0dadfc57736cd4d2b04e46f5c0f6d5a1db1cfc7ee70d32afaa0f65269b82e66a72c46d33c9cbf7237f541a0485b25669cd2f4b34393e3a3ef0c9b4334092fe5 SHA512 f8badde54501340bde275951bc1cf653919bec02c760bf771308f10697b9ad2a483e30ae74ad124a737341f5c64657ab193a4d7fdf2baf24029b9447099da04b
AUX openssh-9.3_p1-openssl-version-compat-check.patch 2588 BLAKE2B 635e9d4e0ca515d4da190075371b85b5c1885fd7d9b621d6f21399be0faf0be96e5e31875611392386b897f74087d75a00203a74c9f9ecf0be447bf354fcf4a2 SHA512 a27afa1b07a47f0ecf74d30ca85e7b4f8c79857c8019d274aeaed88b81149ce6241fd16f1023f14dbdc701e8c9d8671f6aadda2e21d620a47af8778b8531b991
AUX sshd-r1.confd 774 BLAKE2B df3f3f28cb4d35b49851399b52408c42e242ae3168ff3fc79add211903567da370cfe86a267932ca9cf13c3afbc38a8f1b53e753a31670ee61bf8ba8747832f8 SHA512 3a69752592126024319a95f1c1747af508fd639c86eca472106c5d6c23d5eeaa441ca74740d4b1aafaa0db759d38879e3c1cee742b08d6166ebc58cddac1e2fe
@@ -16,15 +13,7 @@ AUX sshd.pam_include.2 156 BLAKE2B 91ebefbb1264fe3fe98df0a72ac22a4cd8a787b3b391a
AUX sshd.service.1 298 BLAKE2B 7a4f2e2656096b09a8b435d393ea9b0a7bd10a2a9f0e9d9cf49b9ae9600cccfb19a64e09f4cf718e8054fc997f21656f609eb3af15ee2e3576531a88b5709842 SHA512 efc936ca412999e3b1acabe6cf4e87c033fe468cede1c3c499499e252cf7cdeca0841e5e1862ebe316ff3f4bf758fba674f08d081b403713e154b6bbc37da365
AUX sshd.socket 136 BLAKE2B 22e218c831fc384a3151ef97c391253738fa9002e20cf4628c6fe3d52d4b0ac3b957da58f816950669d0a6f8f2786251c6dfc31bbb863f837a3f52631341dc2e SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42
AUX sshd_at.service.1 163 BLAKE2B b5c77d69e3860d365ba96a5b2fe14514bda9425e170fc7f324dcaf95fb02756ef9c5c2658904e812232f40fac9a3c2f4abf61b9129038bde66bb7d3a992d2606 SHA512 fbfe0aed3a5e99f15dc68838975cc49a206d697fb3549d8b31db25617dc7b7b8dd2397d865d89f305d5da391cd56a69277c2215c4335fccb4dd6a9b95ba34e2f
-DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
-DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
-DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
-DIST openssh-9.3_p1-X509-glue-14.1.1.patch.xz 936 BLAKE2B f1716ff7801a27aa2aad06f1cca2ca6988eef65fb0ddcbde483e5c9205506ca40b658f5c8c40b2625afb38ff9b56e40831eadcf751c8ee1c11f69ec559f3c147 SHA512 dace01bcf22b625cd00e18ce019b0be31b6f47f714845f3ebb98ebee41b4db0a769fa09cab63ea17536a7106ec90f2b15f87696ae49fa6f6e31bad94ae09719d
-DIST openssh-9.3_p1-hpn-15.2-X509-14.1.1-glue.patch.xz 6224 BLAKE2B 47c7054648e8d795b0d9e563d8313242c917df8a3620a60cff2d77f9ae8482cec861244e0f1433f711922f0704b775b7183284960a3baa48a27b99979ad7ffa3 SHA512 728cf2586bcc9480afe71b5106e2286b925857a9e04dce79f744b36cbe3ec2844ac5b4a6bd4b64117f32ad1b04c0943b9d6f935eee826202871588ed9a167387
-DIST openssh-9.3_p1-hpn-15.2-glue.patch.xz 5044 BLAKE2B 73205bd8f702612df7cb6f29e8b353df854428974dc20d5938033157da64418317f326ab8118893dc47173cd871dc7654a3e3ed601289744560becc98729cd3f SHA512 343b77109158b9af5d8d57f4ac7968bce8277fa3b4dcaa19b76593620fbddbfa832bd76c0da52e12179fe5f391f9fef67e7af51b138ab8cc69a8a6471b6a3909
-DIST openssh-9.3p1+x509-14.1.1.diff.gz 1221335 BLAKE2B 9203fbb6955fe44ebd7ed031245a90b8df7e149a6ad3205097ffd5d2d7655a0e6b8cd2e20d7f7216fbc6d3e8bd0a1453f3fc028f04e96c0f244ad0772a0e30ab SHA512 8a1036d680d25f99e1a24ea77a2c303e807c0f5c5323043684da9fcc9ff603f80384688935a654cc97216f84f85f00f590dc35d2ee2b1f0fb169f8b427559b2d
-DIST openssh-9.3p1-sctp-1.2.patch.xz 6836 BLAKE2B d12394ecaa7eca6e0b3590cea83b71537edc3230bc5f7b2992a06a67c77247cc4156be0ba151038a5baee1c3f105f76f1917cc5aad08d1aadadfd6e56858781b SHA512 ba5af014e5b825bf4a57368416a15c6e56afd355780e4c5eab44a396c3f4276ac4d813c5c15b83f3b8edf4763855221743796c038433b292fda9417f0b274a71
DIST openssh-9.3p1.tar.gz 1856839 BLAKE2B 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d SHA512 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19
DIST openssh-9.3p1.tar.gz.asc 833 BLAKE2B e6533d64b117a400b76b90f71fa856d352dea57d91e4e89fa375429403ac0734cc0a2f075bc58c6bb4f40a8f9776735aa36bdb0bbf3880a2115cea787633e48b SHA512 6222378eb24a445c6c1db255392b405f5369b1af0e92f558d4ba05b0d83ab0d084cb8f4b91d7ae8636f333d970638a6635e2bc7af885135dd34992d87f2ef1f4
-EBUILD openssh-9.3_p1.ebuild 18303 BLAKE2B 008384b33dd35dbbf604abd51674146edd5a9766c247671d9080324c24a22a696373abfe1a44a1e4f309071b5388b729395d38efb81e38ff64083952ecc32df9 SHA512 0b2a3af3ba5b18bda746142129521ef012d6e3fa378f11f605c02dee4b8bc24c08e8169f4af32f6282456346e5dad997fa7e1c4f84ef54aef184866c2fbf91c6
-MISC metadata.xml 1970 BLAKE2B 3099c31852827b4f7b5dd82643a1388a0c1572bad3266f275b2b0de38e768e22cd2f9ff52982d03b418babca8a4ec2e62bc1fee47fba0a3df187e5a33d4e986a SHA512 1d9b54459c3ae78d0afea2b7632c2e27664d9033b6fa10f31d1a865326f495dce42a053cd77e930ca06467a61a80a096c58abbd10d9a0925d71452d173fe72de
+EBUILD openssh-9.3_p1-r1.ebuild 13585 BLAKE2B 10de35ae0eb44b677c7bca48c2282c7576853615086ff347b80b5ae6b50ae701f505e38472ba594fda193ea7f21a62f1f707ac8ae76d421598b9ee266b2dc361 SHA512 ae204df789e501ce619296a6b4aab010c905410a18a941cbf3910134f67369dc5e0d64286ec47069b10efc230bc4850a51adbbe0906b3f07615ccc79dce795bd
+MISC metadata.xml 1788 BLAKE2B d04d3030f70f3615522672fa56e684acaa67ddce8d16cce86ba8911fb8fc11ed152be012ecf560427d271868c4841a7422aaa644305947302d3ebab62bdb577d SHA512 bd328e3a33ce04b989149333db5f774f1b52540f12ef83b08b7fcf136ae2a3a9c83bef42c28991d3536249098ca0b9ffd21e583d93599580510d8619e9fd01ca
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
index 0ed696c82ad6..da1b4330c4d7 100644
--- a/net-misc/openssh/metadata.xml
+++ b/net-misc/openssh/metadata.xml
@@ -20,17 +20,14 @@
ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
</longdescription>
<use>
- <flag name="hpn">Enable high performance ssh</flag>
<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
<flag name="livecd">Enable root password logins for live-cd environment.</flag>
<flag name="security-key">Include builtin U2F/FIDO support</flag>
<flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
- <flag name="X509">Adds support for X.509 certificate authentication</flag>
<flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
</use>
<upstream>
<remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
<remote-id type="github">openssh/openssh-portable</remote-id>
- <remote-id type="sourceforge">hpnssh</remote-id>
</upstream>
</pkgmetadata>
diff --git a/net-misc/openssh/openssh-9.3_p1-r1.ebuild b/net-misc/openssh/openssh-9.3_p1-r1.ebuild
new file mode 100644
index 000000000000..ea2cc9a83d0c
--- /dev/null
+++ b/net-misc/openssh/openssh-9.3_p1-r1.ebuild
@@ -0,0 +1,381 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="
+ mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+ verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )"
+VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
+S="${WORKDIR}/${PARCH}"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X xmss"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="
+ ldns? ( ssl )
+ pie? ( !static )
+ static? ( !kerberos !pam )
+ xmss? ( ssl )
+ test? ( ssl )
+"
+
+# tests currently fail with XMSS
+REQUIRED_USE+="test? ( !xmss )"
+
+LIB_DEPEND="
+ audit? ( sys-process/audit[static-libs(+)] )
+ ldns? (
+ net-libs/ldns[static-libs(+)]
+ net-libs/ldns[ecdsa(+),ssl(+)]
+ )
+ libedit? ( dev-libs/libedit:=[static-libs(+)] )
+ security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
+ selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+ ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
+ virtual/libcrypt:=[static-libs(+)]
+ >=sys-libs/zlib-1.2.3:=[static-libs(+)]
+"
+RDEPEND="
+ acct-group/sshd
+ acct-user/sshd
+ !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+ pam? ( sys-libs/pam )
+ kerberos? ( virtual/krb5 )
+"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
+ static? ( ${LIB_DEPEND} )
+"
+RDEPEND="${RDEPEND}
+ !net-misc/openssh-contrib
+ pam? ( >=sys-auth/pambase-20081028 )
+ !prefix? ( sys-apps/shadow )
+ X? ( x11-apps/xauth )
+"
+# Weird dep construct for newer gcc-config for bug #872416
+BDEPEND="
+ sys-devel/autoconf
+ virtual/pkgconfig
+ || (
+ >=sys-devel/gcc-config-2.6
+ >=sys-devel/clang-toolchain-symlinks-14-r1:14
+ >=sys-devel/clang-toolchain-symlinks-15-r1:15
+ >=sys-devel/clang-toolchain-symlinks-16-r1:*
+ )
+ verify-sig? ( sec-keys/openpgp-keys-openssh )
+"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
+ "${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
+ "${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
+ "${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
+ "${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
+ "${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
+ "${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
+ "${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
+ "${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch"
+)
+
+pkg_pretend() {
+ local i enabled_eol_flags disabled_eol_flags
+ for i in hpn sctp X509; do
+ if has_version "net-misc/openssh[${i}]"; then
+ enabled_eol_flags+="${i},"
+ disabled_eol_flags+="-${i},"
+ fi
+ done
+
+ if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then
+ ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore."
+ ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality,"
+ ewarn "since these USE flags required third-party patches that often trigger bugs"
+ ewarn "and are of questionable provenance."
+ ewarn
+ ewarn "If you must continue relying on this functionality, switch to"
+ ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your"
+ ewarn "world file first: 'emerge --deselect net-misc/openssh'"
+ ewarn
+ ewarn "In order to prevent loss of SSH remote login access, we will abort the build."
+ ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib"
+ ewarn "variant, when re-emerging you will have to set"
+ ewarn
+ ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
+
+ die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
+ fi
+
+ # Make sure people who are using tcp wrappers are notified of its removal. #531156
+ if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+ ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+ ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
+ fi
+}
+
+src_prepare() {
+ sed -i \
+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+ pathnames.h || die
+
+ # don't break .ssh/authorized_keys2 for fun
+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+ eapply -- "${PATCHES[@]}"
+
+ [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
+
+ eapply_user #473004
+
+ # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
+ sed -e '/\t\tpercent \\/ d' \
+ -i regress/Makefile || die
+
+ tc-export PKG_CONFIG
+ local sed_args=(
+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+ # Disable fortify flags ... our gcc does this for us
+ -e 's:-D_FORTIFY_SOURCE=2::'
+ )
+
+ # _XOPEN_SOURCE causes header conflicts on Solaris
+ [[ ${CHOST} == *-solaris* ]] && sed_args+=(
+ -e 's/-D_XOPEN_SOURCE//'
+ )
+ sed -i "${sed_args[@]}" configure{.ac,} || die
+
+ eautoreconf
+}
+
+src_configure() {
+ addwrite /dev/ptmx
+
+ use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+ use static && append-ldflags -static
+ use xmss && append-cflags -DWITH_XMSS
+
+ if [[ ${CHOST} == *-solaris* ]] ; then
+ # Solaris' glob.h doesn't have things like GLOB_TILDE, configure
+ # doesn't check for this, so force the replacement to be put in
+ # place
+ append-cppflags -DBROKEN_GLOB
+ fi
+
+ # use replacement, RPF_ECHO_ON doesn't exist here
+ [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
+
+ local myconf=(
+ --with-ldflags="${LDFLAGS}"
+ --disable-strip
+ --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+ --sysconfdir="${EPREFIX}"/etc/ssh
+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+ --datadir="${EPREFIX}"/usr/share/openssh
+ --with-privsep-path="${EPREFIX}"/var/empty
+ --with-privsep-user=sshd
+ $(use_with audit audit linux)
+ $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+ $(use_with ldns)
+ $(use_with libedit)
+ $(use_with pam)
+ $(use_with pie)
+ $(use_with selinux)
+ $(use_with security-key security-key-builtin)
+ $(use_with ssl openssl)
+ $(use_with ssl ssl-engine)
+ $(use_with !elibc_Cygwin hardening) #659210
+ )
+
+ if use elibc_musl; then
+ # musl defines bogus values for UTMP_FILE and WTMP_FILE
+ # https://bugs.gentoo.org/753230
+ myconf+=( --disable-utmp --disable-wtmp )
+ fi
+
+ # Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
+ # bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
+ tc-is-clang && myconf+=( --without-hardening )
+
+ econf "${myconf[@]}"
+}
+
+src_test() {
+ local tests=( compat-tests )
+ local shell=$(egetshell "${UID}")
+ if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+ ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+ ewarn "user, so we will run a subset only."
+ tests+=( interop-tests )
+ else
+ tests+=( tests )
+ fi
+
+ local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
+ mkdir -p "${HOME}"/.ssh || die
+ emake -j1 "${tests[@]}" </dev/null
+}
+
+# Gentoo tweaks to default config files.
+tweak_ssh_configs() {
+ local locale_vars=(
+ # These are language variables that POSIX defines.
+ # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+ LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+
+ # These are the GNU extensions.
+ # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+ LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+ )
+
+ dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die
+ Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf"
+ EOF
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die
+ Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"
+ EOF
+
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
+ # Send locale environment variables (bug #367017)
+ SendEnv ${locale_vars[*]}
+
+ # Send COLORTERM to match TERM (bug #658540)
+ SendEnv COLORTERM
+ EOF
+
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die
+ RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
+ EOF
+
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die
+ # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
+ ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+ EOF
+
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
+ # Allow client to pass locale environment variables (bug #367017)
+ AcceptEnv ${locale_vars[*]}
+
+ # Allow client to pass COLORTERM to match TERM (bug #658540)
+ AcceptEnv COLORTERM
+ EOF
+
+ if use pam ; then
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
+ UsePAM yes
+ # This interferes with PAM.
+ PasswordAuthentication no
+ # PAM can do its own handling of MOTD.
+ PrintMotd no
+ PrintLastLog no
+ EOF
+ fi
+
+ if use livecd ; then
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die
+ # Allow root login with password on livecds.
+ PermitRootLogin Yes
+ EOF
+ fi
+}
+
+src_install() {
+ emake install-nokeys DESTDIR="${D}"
+ fperms 600 /etc/ssh/sshd_config
+ dobin contrib/ssh-copy-id
+ newinitd "${FILESDIR}"/sshd-r1.initd sshd
+ newconfd "${FILESDIR}"/sshd-r1.confd sshd
+
+ if use pam; then
+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+ fi
+
+ tweak_ssh_configs
+
+ doman contrib/ssh-copy-id.1
+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+
+ diropts -m 0700
+ dodir /etc/skel/.ssh
+ rmdir "${ED}"/var/empty || die
+
+ systemd_dounit "${FILESDIR}"/sshd.socket
+ systemd_newunit "${FILESDIR}"/sshd.service.1 sshd.service
+ systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
+}
+
+pkg_preinst() {
+ if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+ show_ssl_warning=1
+ fi
+}
+
+pkg_postinst() {
+ local old_ver
+ for old_ver in ${REPLACING_VERSIONS}; do
+ if ver_test "${old_ver}" -lt "5.8_p1"; then
+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
+ fi
+ if ver_test "${old_ver}" -lt "7.0_p1"; then
+ elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+ elog "Make sure to update any configs that you might have. Note that xinetd might"
+ elog "be an alternative for you as it supports USE=tcpd."
+ fi
+ if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
+ elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+ elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
+ elog "adding to your sshd_config or ~/.ssh/config files:"
+ elog " PubkeyAcceptedKeyTypes=+ssh-dss"
+ elog "You should however generate new keys using rsa or ed25519."
+
+ elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+ elog "to 'prohibit-password'. That means password auth for root users no longer works"
+ elog "out of the box. If you need this, please update your sshd_config explicitly."
+ fi
+ if ver_test "${old_ver}" -lt "7.6_p1"; then
+ elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+ elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+ fi
+ if ver_test "${old_ver}" -lt "7.7_p1"; then
+ elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+ elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+ elog "if you need to authenticate against LDAP."
+ elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+ fi
+ if ver_test "${old_ver}" -lt "8.2_p1"; then
+ ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+ ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+ ewarn "connection is generally safe."
+ fi
+ if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then
+ ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
+ ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
+ ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
+ ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
+ ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
+ ewarn "set 'Restart=no' in your sshd unit file."
+ fi
+ done
+
+ if [[ -n ${show_ssl_warning} ]]; then
+ elog "Be aware that by disabling openssl support in openssh, the server and clients"
+ elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
+ elog "and update all clients/servers that utilize them."
+ fi
+}
diff --git a/net-misc/pssh/Manifest b/net-misc/pssh/Manifest
index 2b5621a26ad6..6c67736bf442 100644
--- a/net-misc/pssh/Manifest
+++ b/net-misc/pssh/Manifest
@@ -1,3 +1,3 @@
DIST pssh-2.3.4.tar.gz 51859 BLAKE2B 788f5239cd35e240cc1961e73b532c60e5221ede9de48878f9636339b18235dc67109948eeb4f64871985bb24e1a7f823b1718da3dbe2ea893af58fd45495c61 SHA512 7abf327ca53dda2402465254e447eb837babdd2b4d865abb5b52a1135bd234694b84c1148cb3e4ed0198271ed29333fc1b5d0d01dc653fcf6d3e5b9f170b9d4e
-EBUILD pssh-2.3.4-r2.ebuild 725 BLAKE2B 4f23897773a38711d92ff7f78b099e05c9939786986baf4011e8bef45df30669089308c4b0171098e0181fadd5e1d801447639fff1daf6eb2114f0221ffeeee1 SHA512 e35472cd4a3d1da32c7f4d301e736761789f501c4389c0a9cc57a27fa4f2befa7619e143038d1809cbd580aa57d07a121f5c089a5e49899adebf3ac166bb31b1
+EBUILD pssh-2.3.4-r3.ebuild 724 BLAKE2B f1ce371ccb35bde605fbbffd6c8138680e7818c5d0ce6244c7c49e82b9596ab86e8e8df25a437f3ae33ea6d8302fecc82465128b3cf108e7dcc6b7d72051d674 SHA512 2157c7cfb6cc1a7c1607374b2607855b27ac810e9c01ddf679b72a5c8a30aa9ea0f241f4e5f44fb3025a6ae85064b0d3e9549bfa7fc0189188ebdcaae2016884
MISC metadata.xml 415 BLAKE2B 86f4588a2dc1da92bbe426b844de02c18a87ff1b8f4566c63f48854e8b38ed014530e4d63b96a44feb6d1f41477ff9317a1b434eb74c83dc995f24ef2d7cfab3 SHA512 113cc042c12d46038f0a9f441cb9fd40f91d3c7b668bc9949786eb755754a45f17fcb478948fb21e7f669617a393939566c187ca06342e10017718384873bb04
diff --git a/net-misc/pssh/pssh-2.3.4-r2.ebuild b/net-misc/pssh/pssh-2.3.4-r3.ebuild
index 68c5f74fd4b4..7992ab01da29 100644
--- a/net-misc/pssh/pssh-2.3.4-r2.ebuild
+++ b/net-misc/pssh/pssh-2.3.4-r3.ebuild
@@ -18,7 +18,7 @@ KEYWORDS="~amd64 ~ppc ~x86 ~amd64-linux ~x86-linux"
RDEPEND="
!net-misc/putty
- net-misc/openssh
+ virtual/openssh
"
DEPEND="${RDEPEND}"
diff --git a/net-misc/scponly/Manifest b/net-misc/scponly/Manifest
index e34ae3b5918f..61cbd2d16a14 100644
--- a/net-misc/scponly/Manifest
+++ b/net-misc/scponly/Manifest
@@ -2,5 +2,5 @@ AUX scponly-4.8-gcc4.4.0.patch 555 BLAKE2B 0eff2d5cd94f60540dd1bbb6b6f9f1486abbb
AUX scponly-4.8-rsync.patch 7838 BLAKE2B 1d6191aee86b0e3e75e527dbb1f8dbf631940a34da3f29f36b0e55577555dc9ad02e2e787a8cd53aeab5a28d93da7dd528a486f1133fd7a04b91971774b4b2a1 SHA512 37885c9b46422ac034182f9c9f230b4e806ce8c894ebb6c621f0e2b3d5f46c91db902c2dae6aefe5471907025d400320e4eff37cc7c5cc4c6f7d8c88a38e53f8
AUX scponly-4.8-sftp-server-path.patch 2692 BLAKE2B ead282d46cb25a6d8606fa65e538142c15dd0be82956c2c8a48c7d46cc9ec59605a4f1c10fc5235acb584945b00ee4c187391d198571d841b45225c328765b49 SHA512 86171549d894426d12eb2f8d65959d1be2e137327c135be31c762820a55256f5c4ac90a01f989c8bffd2b46b275de408912306209b5aba9a94b81dbc06ff5a24
DIST scponly-4.8.tgz 101687 BLAKE2B aa7250464fa3b51a439d35418c64d49f8595eaac6ffe710137c7c53b96bcf66a5ead38e9520b2cead7a829b57520f988f873eb713d5f52045cba4ef02c8e9b61 SHA512 134c008a7377cef7b8e0be483df8413e162a515967147f561d23b72bdef3dfbe70a8313811dfff6372b88f15c1ac8a4385831fcf329261276993c64d5040f29b
-EBUILD scponly-4.8-r7.ebuild 6932 BLAKE2B 547c40d3b53c068fd61181fb50d7282daf9bee37c4807b4db692906a5e2198094c3755d88b1fa7be4cdba60b575d12ada4279407e7899721955f531b1b62b30b SHA512 04fa9b4f54a9827b599346a57587f515af7b427d4d93ce577fb31dfb8275c991a62b26d213b6f09c39eae915aa974f2488bcc719c600350756a8eec8bfbd2068
+EBUILD scponly-4.8-r8.ebuild 6931 BLAKE2B 55f735601eddda7ac58d4469ea01eb250509a9c2d6233bdd0e3edeead397eb03e2596e03664780313c239a5222edc07ab4e0998ba2e9330a096f5b0dea35adef SHA512 178d6bb61c755050bfa80b4332920631b7fbb14bf28287f796f97a8a2e442a66c66ead56105f1a3cc09f2760512c88274d80f8733be7f857c7092b5f37db7b96
MISC metadata.xml 1761 BLAKE2B a2fbdcc0e9b89e85180548a97a12eeb27a5d973673451972c32184dfc932d6634950e0620fa2a1e2962d8a08508c31439f9a3e29a6e2a3e4f76d53933ac425e5 SHA512 bdfe9ab129bc9c939850756b23510c91908c21aa417529501b2ada83a30335ce4446f5bbc6dcb728df09e1b27d4cf7ba4eee4f43b96a1b92c0ea476d05ca7592
diff --git a/net-misc/scponly/scponly-4.8-r7.ebuild b/net-misc/scponly/scponly-4.8-r8.ebuild
index db5e7ae99a4f..7a1600c22c27 100644
--- a/net-misc/scponly/scponly-4.8-r7.ebuild
+++ b/net-misc/scponly/scponly-4.8-r8.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
@@ -19,7 +19,7 @@ REQUIRED_USE="
RDEPEND="
sys-apps/sed
- net-misc/openssh
+ virtual/openssh
chroot? ( acct-user/scponly acct-group/scponly )
quota? ( sys-fs/quota )
rsync? ( net-misc/rsync )
diff --git a/net-misc/sshpass/Manifest b/net-misc/sshpass/Manifest
index cc6340517863..1cc04cf11854 100644
--- a/net-misc/sshpass/Manifest
+++ b/net-misc/sshpass/Manifest
@@ -1,3 +1,3 @@
DIST sshpass-1.09.tar.gz 112857 BLAKE2B b19e1b7d057e286a895312c62453b9aa5369efb3c617bb24fc7b6b0e521d4c65fad091c68b93cda17aef8350c243bdc2c22d5d58590f6359715159d9dca57bae SHA512 9b4ba83ca4d34364e7c43e29f98493dc3d595d24dc68c2fe3c244600d92a0f8bc0a6a7f8f43d64c0b4d714eb196516f297d904fa66035a76dae89a3726c0f2ff
-EBUILD sshpass-1.09.ebuild 416 BLAKE2B 7c94d8cab7415a5501d6fd635078844613268a705e68753326416494c4b508298831c34279332930a5ffd6c6db0ac99b44886b70cc0d5d5d88b2692b9841b497 SHA512 8c72ac293b39e6206c24a9a4ff14d3e29729cf9908ae7b483014ed6ec4a1cae10d1fc8081900e1ca2dcca911f50a2bdb78a2c85c93ec9f96859504549e1f23ae
+EBUILD sshpass-1.09-r1.ebuild 415 BLAKE2B 5e24c826e093e66f2f86e578b752521d450730b3641bbde7b51c8fea5f5421863bd4489d4ac5269274c667f9eadb9b0ac6506a2ae88b11f67b180e49610ea5a4 SHA512 d9a8d1d7c65a32eeb112bf8b2c2787c983445607dd02d241887a0c99a294c457f9a7c7c8f92c82456194d7345275c7461b2799947ce939b0beba90e042dbcdb1
MISC metadata.xml 245 BLAKE2B 742dd0549c543a09d1713679990f7aed20165c67c2ecca674c272200e3d4f64d7f1b663d4669792dd476eeb7fc8960e87429f702ee1db96563fb816d3ef8ccee SHA512 f88712849405e0e495d0b476eeeb43814f569db2ec6a24b36ef8065f166c2cc977fbc4c64cf3a7fadf145bedbaa25af2ae3a280e6abaa29a7ad4a010c08f19c5
diff --git a/net-misc/sshpass/sshpass-1.09.ebuild b/net-misc/sshpass/sshpass-1.09-r1.ebuild
index 96550de1476d..d9bb7d1c42f9 100644
--- a/net-misc/sshpass/sshpass-1.09.ebuild
+++ b/net-misc/sshpass/sshpass-1.09-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@@ -11,4 +11,4 @@ LICENSE="GPL-2"
SLOT="0"
KEYWORDS="amd64 ~arm arm64 ~ppc64 ~riscv x86 ~x64-macos"
-RDEPEND="net-misc/openssh"
+RDEPEND="virtual/openssh"
diff --git a/net-misc/x2goserver/Manifest b/net-misc/x2goserver/Manifest
index de7f4d53e4ec..9ce8dc9e4fc1 100644
--- a/net-misc/x2goserver/Manifest
+++ b/net-misc/x2goserver/Manifest
@@ -3,5 +3,5 @@ AUX x2goserver-4.1.0.0-Xresources.patch 1139 BLAKE2B f48f329836a86958866836949a4
AUX x2goserver-4.1.0.0-skip_man2html.patch 2936 BLAKE2B 6b18439c5dc994c5a8ec073e2767047dcd94ebb61b0418ba5d55d55d2860530ab818b87192bdc85124be6a9d52d5c19872063555b7bdcd721429ccfa8593cabb SHA512 7b56c725c42f0813ecb88ed7f34feb0cecd1eaedd157c19068f3e6607bd8510fbba177079744f9e93fc83a4bcc65e7df40f8b1bb6acf4124fda847bc4fb86986
AUX x2goserver.init 442 BLAKE2B 11e29bed398d23cae9fccc29d2ccce6ef59422a3d258139f91dd100562bb3029202a0bb0174fcb71dd776b075a708558eeaf8b1d9914c671bd8e59799772be44 SHA512 4e5add80aedbfb732552158b8c2b97b711e333f45740b8e3dd37089e7a512bd145d64812ec651cd7b022065129cced5730e1b28ab3758fcd81bea5b84b46d93c
DIST x2goserver-4.1.0.3.tar.gz 141581 BLAKE2B 79401a146e8a18451d6521f4b9556b2f22746bd752f39dc45764bacca085f2bb66a92327aaeb292979ce43ffbde24541e492cec814f1f8a535614cbdc2dc3ebd SHA512 9d7257dd454bfedca9e3ef1b07bc38b540cb833fae4535f2225a1f0bfea93c0f04c638d411b57c50e7170106a5ae1d7f41c19f043832129a7a9460dcfd34c56a
-EBUILD x2goserver-4.1.0.3-r1.ebuild 2570 BLAKE2B 1a6a443cc0e99ceb32412fdcf50a1f663a57ce28b7829c46ac59f3fcfda3633c32d61591e94d95193a99d1924cfc340519927e5127905e2de16d900d3e4b51f0 SHA512 b0aaa74b25f77fbe7feb8d0a4c2fb72e7c1d315c02d82591e2215e7607cfa07741a3bee90d7a56f9ac4eb6a78e4a1bd574c36afde37c25425ad20b54cafce2db
+EBUILD x2goserver-4.1.0.3-r2.ebuild 2569 BLAKE2B 38c8444f3d247f0336175fe2476fa54ab582745e860f25b7ce854c6577e3ed1274a4a43da5173d043914c7fb698fcc26927698e5e80ca1879b5fa713bc212ede SHA512 b595b0acfff6a71a381b7660ab92c16b08d7688a346be150bad0c14f7c731fa32cdf2897dcf5a12dd0d05fd449231cc62c0a4e8ea6ae695aa5b820562fcd78bb
MISC metadata.xml 347 BLAKE2B 0049573365d07c584439ec94fc6e914a7de76325daf1ac951b765f4b2bff0968c1c0ef1320525d0912d2e09e45733ceaaf7d46da3778f7e5833e53a0c29b9588 SHA512 ad22f31dd176be856023516ee7c6c500567dbce33f534b094b60093f293a81a3a0a3c69f5b7d2c65efb671dffa223de3840bc23c47dd63f8deba242e349b1a79
diff --git a/net-misc/x2goserver/x2goserver-4.1.0.3-r1.ebuild b/net-misc/x2goserver/x2goserver-4.1.0.3-r2.ebuild
index 78bc8c8e9fb2..9fefa7ac2dc3 100644
--- a/net-misc/x2goserver/x2goserver-4.1.0.3-r1.ebuild
+++ b/net-misc/x2goserver/x2goserver-4.1.0.3-r2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
@@ -30,8 +30,8 @@ RDEPEND="acct-user/x2gouser
media-fonts/font-cursor-misc
media-fonts/font-misc-misc[nls]
>=net-misc/nx-3.5.99.14
- net-misc/openssh
>=sys-apps/iproute2-4.3.0
+ virtual/openssh
x11-apps/xauth
x11-apps/xhost
x11-apps/xwininfo
diff --git a/net-misc/zssh/Manifest b/net-misc/zssh/Manifest
index d13b95e23b0c..99b3f0af5145 100644
--- a/net-misc/zssh/Manifest
+++ b/net-misc/zssh/Manifest
@@ -1,4 +1,4 @@
AUX zssh-1.5a-gentoo-include.diff 320 BLAKE2B b5ba88091ba1804f22f735ef3d2229a70f24bdddb11a02c128d2c31cccf44a79b532e2455b4f03fc5e273889716e293c3dac2c7a33cf838b8350eed68e752f1d SHA512 447a1aeb095907473ef18a6b2bc6a1a4bfc9baf7ed532382a636ea044667c2f7cbd86c8d0e20ffea7c9751cb9c50249d3085bf65aee7ab7fab5362aae27d8ba5
DIST zssh-1.5c.tgz 344964 BLAKE2B 35b41125ec7a49cae741666516b17e3f0b22b159d0fc2b490565e8eaef366bb4b418895ad028822647a4b946577b2ef9dc588e9dbfe657ce7c1c8300207ca603 SHA512 799ce3bbea5e94a800f61e6c38879746a579992396304861b7584b6bad967214b811b6bf9aecb36d9d60a15857377cb2fee80b495ad69778903fc45593efeebd
-EBUILD zssh-1.5c-r1.ebuild 881 BLAKE2B 74bd997e30a849b6f8e796950dbdaf7fe946fb856f3f0b6b5796e4872d38adcecd50f5647528df83991bb1fc7b0c049ff693d4b3e11773af2b58d0209194ba57 SHA512 dd0d715e974142dda5ee086f2745c258d599db794755f273224d5aca24170ab43c8f6a6a845a06ea66ac00772e802ffdcac7708803470bc78dd93b548b19d38d
+EBUILD zssh-1.5c-r2.ebuild 880 BLAKE2B bf170ecfd554c989b4c37c8c2b660bc7ebc80d126c7c999727643f28ec9010c4606b1a6f668f6eb31f13db7857c011494b1675c92362880174e543bfe0ca0811 SHA512 cc5f237c5b09fa5e1d0122801f25924504a79349206a60fceb4f21e6d6d3718004f91197ad04552f8c01aa243f64c71dd4dfb372ced0749f1e1a462f57955344
MISC metadata.xml 242 BLAKE2B 0219a28d20cce3e716b2e6737277182560a5b292d94b89a3b57385d14393ab6b28a6aac667aac11ff744c6be8042a411c6aef63b2fddf60c40024d6a35e0f2ab SHA512 1214868537bf0006e32453e2962570693e6e18474c468ebe7bc00bf9fb2e6c60775644ebf02471af8fa8e326332ca51f05a2d47b04f7fdbe1d0ad63400b74211
diff --git a/net-misc/zssh/zssh-1.5c-r1.ebuild b/net-misc/zssh/zssh-1.5c-r2.ebuild
index 8f469edf927c..e63204a2c9bb 100644
--- a/net-misc/zssh/zssh-1.5c-r1.ebuild
+++ b/net-misc/zssh/zssh-1.5c-r2.ebuild
@@ -19,8 +19,8 @@ DEPEND="readline? (
sys-libs/readline:0
)"
RDEPEND="${DEPEND}
- net-misc/openssh
- net-dialup/lrzsz"
+ net-dialup/lrzsz
+ virtual/openssh"
src_prepare() {
eapply "${FILESDIR}/${PN}-1.5a-gentoo-include.diff"