'PermitRootLogin no' is the new default for the OpenSSH port.

This now matches the PermitRootLogin configuration of OpenSSH in
the base system.  Please be aware of this when upgrading your
OpenSSH port, and if truly necessary, re-enable remote root login
by readjusting this option in your sshd_config.

Users are encouraged to create single-purpose users with ssh keys
and very narrowly defined sudo privileges instead of using root
for automated tasks.

- PKGNAMESUFFIX for GSSAPI set.
- Merged some patches from current to improve PAM.
- Fix BATCH=yes for bento.

10 files changed, 728 insertions, 12 deletions

diff --git a/security/hpn-ssh/Makefile b/security/hpn-ssh/Makefile
index d960baeaf0ce..b6b67cabdd3e 100644
--- a/security/hpn-ssh/Makefile
+++ b/security/hpn-ssh/Makefile
@@ -7,12 +7,12 @@
 
 PORTNAME=	openssh
 PORTVERSION=	3.4p1
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	security ipv6
 MASTER_SITES=	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
 		ftp://ftp.op.net/pub/OpenBSD/OpenSSH/portable/ \
 		ftp://carroll.cac.psu.edu/pub/OpenBSD/OpenSSH/portable/
-PKGNAMESUFFIX=	-portable
+PKGNAMESUFFIX?=	-portable
 
 MAINTAINER=	dinoex@FreeBSD.org
 
@@ -29,6 +29,7 @@ PRECIOUS=	ssh_config sshd_config \
 		ssh_host_rsa_key ssh_host_rsa_key.pub \
 		ssh_host_dsa_key ssh_host_dsa_key.pub
 ETCOLD=		${PREFIX}/etc
+ADDME+=		auth2-pam-freebsd.c
 
 .if exists(/usr/include/security/pam_modules.h)
 CONFIGURE_ARGS+=	--with-pam
@@ -71,7 +72,13 @@ CONFIGURE_ARGS+=	--with-privsep-path=${EMPTYDIR}
 EXTRA_PATCHES+=		${FILESDIR}/batch.patch
 .endif
 
+post-extract:
+.for i in ${ADDME}
+	@${CP} ${FILESDIR}/${i} ${WRKSRC}/
+.endfor
+
 .if defined(KRB5_HOME) && exists(${KRB5_HOME})
+PKGNAMESUFFIX=	-gssapi
 GSSAPI_PATCH=	${PORTNAME}-${PORTVERSION}-gssapi-20020627.diff
 GSSAPI_SITE=	http://www.sxw.org.uk/computing/patches/
 MASTER_SITES+=	${GSSAPI_SITE}
diff --git a/security/hpn-ssh/files/auth2-pam-freebsd.c b/security/hpn-ssh/files/auth2-pam-freebsd.c
new file mode 100644
index 000000000000..50652f6b28ec
--- /dev/null
+++ b/security/hpn-ssh/files/auth2-pam-freebsd.c
@@ -0,0 +1,374 @@
+/*-
+ * Copyright (c) 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by ThinkSec AS and
+ * NAI Labs, the Security Research Division of Network Associates, Inc.
+ * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+ * DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "includes.h"
+RCSID("$FreeBSD: /tmp/pcvs/ports/security/hpn-ssh/files/Attic/auth2-pam-freebsd.c,v 1.1 2002-07-04 18:29:18 dinoex Exp $");
+
+#ifdef USE_PAM
+#include <security/pam_appl.h>
+
+#include "auth.h"
+#include "log.h"
+#include "monitor_wrap.h"
+#include "packet.h"
+#include "ssh2.h"
+#include "xmalloc.h"
+
+struct pam_ctxt {
+	char		*pam_user;
+	pid_t		 pam_pid;
+	int		 pam_sock;
+	int		 pam_done;
+};
+
+static void pam_free_ctx(void *);
+
+/*
+ * Send message to parent or child.
+ */
+static int
+pam_send(struct pam_ctxt *ctxt, char *fmt, ...)
+{
+	va_list ap;
+	char *mstr;
+	size_t len;
+	int r;
+
+	va_start(ap, fmt);
+	len = vasprintf(&mstr, fmt, ap);
+	va_end(ap);
+	if (mstr == NULL)
+		exit(1);
+	if (ctxt->pam_pid != 0)
+		debug2("to child: %s", mstr);
+	r = send(ctxt->pam_sock, mstr, len + 1, MSG_EOR);
+	free(mstr);
+	return (r);
+}
+
+/*
+ * Peek at first byte of next message.
+ */
+static int
+pam_peek(struct pam_ctxt *ctxt)
+{
+	char ch;
+
+	if (recv(ctxt->pam_sock, &ch, 1, MSG_PEEK) < 1)
+		return (-1);
+	return (ch);
+}
+
+/*
+ * Receive a message from parent or child.
+ */
+static char *
+pam_receive(struct pam_ctxt *ctxt)
+{
+	char *buf;
+	size_t len;
+	ssize_t rlen;
+
+	len = 64;
+	buf = NULL;
+	do {
+		len *= 2;
+		buf = xrealloc(buf, len);
+		rlen = recv(ctxt->pam_sock, buf, len, MSG_PEEK);
+		if (rlen < 1) {
+			xfree(buf);
+			return (NULL);
+		}
+	} while (rlen == len);
+	if (recv(ctxt->pam_sock, buf, len, 0) != rlen) {
+		xfree(buf);
+		return (NULL);
+	}
+	if (ctxt->pam_pid != 0)
+		debug2("from child: %s", buf);
+	return (buf);
+}
+
+/*
+ * Conversation function for child process.
+ */
+static int
+pam_child_conv(int n,
+	 const struct pam_message **msg,
+	 struct pam_response **resp,
+	 void *data)
+{
+	struct pam_ctxt *ctxt;
+	int i;
+
+	ctxt = data;
+	if (n <= 0 || n > PAM_MAX_NUM_MSG)
+		return (PAM_CONV_ERR);
+	if ((*resp = calloc(n, sizeof **resp)) == NULL)
+		return (PAM_BUF_ERR);
+	for (i = 0; i < n; ++i) {
+		resp[i]->resp_retcode = 0;
+		resp[i]->resp = NULL;
+		switch (msg[i]->msg_style) {
+		case PAM_PROMPT_ECHO_OFF:
+			pam_send(ctxt, "p%s", msg[i]->msg);
+			resp[i]->resp = pam_receive(ctxt);
+			break;
+		case PAM_PROMPT_ECHO_ON:
+			pam_send(ctxt, "P%s", msg[i]->msg);
+			resp[i]->resp = pam_receive(ctxt);
+			break;
+		case PAM_ERROR_MSG:
+			pam_send(ctxt, "e%s", msg[i]->msg);
+			break;
+		case PAM_TEXT_INFO:
+			pam_send(ctxt, "i%s", msg[i]->msg);
+			break;
+		default:
+			goto fail;
+		}
+	}
+	return (PAM_SUCCESS);
+ fail:
+	while (i)
+		free(resp[--i]);
+	free(*resp);
+	*resp = NULL;
+	return (PAM_CONV_ERR);
+}
+
+/*
+ * Child process.
+ */
+static void *
+pam_child(struct pam_ctxt *ctxt)
+{
+	struct pam_conv pam_conv;
+	pam_handle_t *pamh;
+	int pam_err;
+
+	pam_conv.conv = pam_child_conv;
+	pam_conv.appdata_ptr = ctxt;
+	pam_err = pam_start("sshd", ctxt->pam_user, &pam_conv, &pamh);
+	if (pam_err != PAM_SUCCESS)
+		goto auth_fail;
+	pam_err = pam_authenticate(pamh, 0);
+	if (pam_err != PAM_SUCCESS)
+		goto auth_fail;
+	pam_err = pam_acct_mgmt(pamh, 0);
+	if (pam_err != PAM_SUCCESS)
+		goto auth_fail;
+	pam_send(ctxt, "=OK");
+	pam_end(pamh, pam_err);
+	exit(0);
+ auth_fail:
+	pam_send(ctxt, "!%s", pam_strerror(pamh, pam_err));
+	pam_end(pamh, pam_err);
+	exit(0);
+}
+
+static void *
+pam_init_ctx(Authctxt *authctxt)
+{
+	struct pam_ctxt *ctxt;
+	int socks[2];
+	int i;
+
+	ctxt = xmalloc(sizeof *ctxt);
+	ctxt->pam_user = xstrdup(authctxt->user);
+	ctxt->pam_done = 0;
+	if (socketpair(AF_UNIX, SOCK_DGRAM, PF_UNSPEC, socks) == -1) {
+		error("%s: failed create sockets: %s",
+		    __func__, strerror(errno));
+		xfree(ctxt);
+		return (NULL);
+	}
+	if ((ctxt->pam_pid = fork()) == -1) {
+		error("%s: failed to fork auth-pam child: %s",
+		    __func__, strerror(errno));
+		close(socks[0]);
+		close(socks[1]);
+		xfree(ctxt);
+		return (NULL);
+	}
+	if (ctxt->pam_pid == 0) {
+		/* close everything except our end of the pipe */
+		ctxt->pam_sock = socks[1];
+		for (i = 0; i < getdtablesize(); ++i)
+			if (i != ctxt->pam_sock)
+				close(i);
+		pam_child(ctxt);
+		/* not reached */
+		exit(1);
+	}
+	ctxt->pam_sock = socks[0];
+	close(socks[1]);
+	return (ctxt);
+}
+
+static int
+pam_query(void *ctx, char **name, char **info,
+    u_int *num, char ***prompts, u_int **echo_on)
+{
+	struct pam_ctxt *ctxt = ctx;
+	size_t plen;
+	char *msg;
+
+	*name = xstrdup("");
+	*info = xstrdup("");
+	*prompts = xmalloc(sizeof(char *));
+	**prompts = NULL;
+	plen = 0;
+	*echo_on = xmalloc(sizeof(u_int));
+	while ((msg = pam_receive(ctxt)) != NULL) {
+		switch (*msg) {
+		case 'P':
+		case 'p':
+			*num = 1;
+			**prompts = xrealloc(**prompts, plen + strlen(msg));
+			plen += sprintf(**prompts + plen, "%s", msg + 1);
+			**echo_on = (*msg == 'P');
+			xfree(msg);
+			return (0);
+		case 'e':
+		case 'i':
+			/* accumulate messages */
+			**prompts = xrealloc(**prompts, plen + strlen(msg));
+			plen += sprintf(**prompts + plen, "%s", msg + 1);
+			break;
+		case '=':
+		case '!':
+			if (**prompts != NULL) {
+				/* drain any accumulated messages */
+#if 0 /* not compatible with privsep */
+				packet_start(SSH2_MSG_USERAUTH_BANNER);
+				packet_put_cstring(**prompts);
+				packet_put_cstring("");
+				packet_send();
+				packet_write_wait();
+#endif
+				xfree(**prompts);
+				**prompts = NULL;
+			}
+			if (*msg == '=') {
+				*num = 0;
+				**echo_on = 0;
+				ctxt->pam_done = 1;
+				xfree(msg);
+				return (0);
+			}
+			error("%s", msg + 1);
+		default:
+			*num = 0;
+			**echo_on = 0;
+			xfree(msg);
+			ctxt->pam_done = -1;
+			return (-1);
+		}
+		xfree(msg);
+	}
+	return (-1);
+}
+
+static int
+pam_respond(void *ctx, u_int num, char **resp)
+{
+	struct pam_ctxt *ctxt = ctx;
+	char *msg;
+
+	debug2(__func__);
+	switch (ctxt->pam_done) {
+	case 1:
+		return (0);	
+	case 0:
+		break;
+	default:
+		return (-1);
+	}
+	if (num != 1) {
+		error("expected one response, got %u", num);
+		return (-1);
+	}
+	pam_send(ctxt, "%s", *resp);
+	switch (pam_peek(ctxt)) {
+	case 'P':
+	case 'p':
+	case 'e':
+	case 'i':
+		return (1);
+	case '=':
+		msg = pam_receive(ctxt);
+		xfree(msg);
+		ctxt->pam_done = 1;
+		return (0);
+	default:
+		msg = pam_receive(ctxt);
+		if (*msg == '!')
+			error("%s", msg + 1);
+		xfree(msg);
+		ctxt->pam_done = -1;
+		return (-1);
+	}
+}
+
+static void
+pam_free_ctx(void *ctxtp)
+{
+	struct pam_ctxt *ctxt = ctxtp;
+	int status;
+
+	close(ctxt->pam_sock);
+	kill(ctxt->pam_pid, SIGHUP);
+	waitpid(ctxt->pam_pid, &status, 0);
+	xfree(ctxt->pam_user);
+	xfree(ctxt);
+}
+
+KbdintDevice pam_device = {
+	"pam",
+	pam_init_ctx,
+	pam_query,
+	pam_respond,
+	pam_free_ctx
+};
+
+KbdintDevice mm_pam_device = {
+	"pam",
+	mm_pam_init_ctx,
+	mm_pam_query,
+	mm_pam_respond,
+	mm_pam_free_ctx
+};
+
+#endif /* USE_PAM */
diff --git a/security/hpn-ssh/files/batch.patch b/security/hpn-ssh/files/batch.patch
index eb91ab511340..3844d78d03d8 100644
--- a/security/hpn-ssh/files/batch.patch
+++ b/security/hpn-ssh/files/batch.patch
@@ -1,15 +1,14 @@
---- Makefile.in.orig	Tue Feb 26 20:24:22 2002
-+++ Makefile.in	Fri Mar  8 22:02:48 2002
-@@ -183,7 +183,7 @@
- 	autoreconf
+--- Makefile.in.orig	Wed Jun 26 01:45:42 2002
++++ Makefile.in	Thu Jul  4 20:23:43 2002
+@@ -199,6 +199,7 @@
  	(cd scard && $(MAKE) -f Makefile.in distprep)
  
--install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files host-key
-+install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+ install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files host-key check-user
++install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files check-user
  install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
  
- scard-install:
-@@ -222,37 +222,6 @@
+ check-user:
+@@ -251,37 +252,6 @@
  	ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
  	ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
diff --git a/security/hpn-ssh/files/patch-Makefile.in b/security/hpn-ssh/files/patch-Makefile.in
new file mode 100644
index 000000000000..417599cccc87
--- /dev/null
+++ b/security/hpn-ssh/files/patch-Makefile.in
@@ -0,0 +1,11 @@
+--- Makefile.in.orig	Wed Jun 26 01:45:42 2002
++++ Makefile.in	Wed Jul  3 07:27:14 2002
+@@ -70,6 +70,8 @@
+ MANPAGES_IN	= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
+ MANTYPE		= @MANTYPE@
+ 
++SSHDOBJS+=	auth2-pam-freebsd.o
++
+ CONFIGFILES=sshd_config.out ssh_config.out moduli.out
+ CONFIGFILES_IN=sshd_config ssh_config moduli
+ 
diff --git a/security/hpn-ssh/files/patch-auth2-chall.c b/security/hpn-ssh/files/patch-auth2-chall.c
new file mode 100644
index 000000000000..77b5778ac6af
--- /dev/null
+++ b/security/hpn-ssh/files/patch-auth2-chall.c
@@ -0,0 +1,48 @@
+--- auth2-chall.c.orig	Wed Jun 26 15:58:40 2002
++++ auth2-chall.c	Sun Jun 30 07:12:43 2002
+@@ -41,6 +42,9 @@
+ #ifdef BSD_AUTH
+ extern KbdintDevice bsdauth_device;
+ #else
++#ifdef USE_PAM
++extern KbdintDevice pam_device;
++#endif
+ #ifdef SKEY
+ extern KbdintDevice skey_device;
+ #endif
+@@ -50,6 +54,9 @@
+ #ifdef BSD_AUTH
+ 	&bsdauth_device,
+ #else
++#ifdef USE_PAM
++	&pam_device,
++#endif
+ #ifdef SKEY
+ 	&skey_device,
+ #endif
+@@ -323,15 +330,22 @@
+ #ifdef BSD_AUTH
+ 	extern KbdintDevice mm_bsdauth_device;
+ #endif
++#ifdef USE_PAM
++	extern KbdintDevice mm_pam_device;
++#endif
+ #ifdef SKEY
+ 	extern KbdintDevice mm_skey_device;
+ #endif
+-	/* As long as SSHv1 has devices[0] hard coded this is fine */
++	int n = 0;
++
+ #ifdef BSD_AUTH
+-	devices[0] = &mm_bsdauth_device;
++	devices[n++] = &mm_bsdauth_device;
+ #else
++#ifdef USE_PAM
++	devices[n++] = &mm_pam_device;
++#endif
+ #ifdef SKEY
+-	devices[0] = &mm_skey_device;
++	devices[n++] = &mm_skey_device;
+ #endif
+ #endif
+ }
diff --git a/security/hpn-ssh/files/patch-monitor.c b/security/hpn-ssh/files/patch-monitor.c
new file mode 100644
index 000000000000..7671cf64e3b7
--- /dev/null
+++ b/security/hpn-ssh/files/patch-monitor.c
@@ -0,0 +1,136 @@
+--- monitor.c.orig	Wed Jun 26 15:27:11 2002
++++ monitor.c	Wed Jul  3 06:24:31 2002
+@@ -118,6 +127,10 @@
+ 
+ #ifdef USE_PAM
+ int mm_answer_pam_start(int, Buffer *);
++int mm_answer_pam_init_ctx(int, Buffer *);
++int mm_answer_pam_query(int, Buffer *);
++int mm_answer_pam_respond(int, Buffer *);
++int mm_answer_pam_free_ctx(int, Buffer *);
+ #endif
+ 
+ static Authctxt *authctxt;
+@@ -156,6 +169,10 @@
+     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+ #ifdef USE_PAM
+     {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
++    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
++    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
++    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
++    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
+ #endif
+ #ifdef BSD_AUTH
+     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
+@@ -198,6 +215,10 @@
+ #endif
+ #ifdef USE_PAM
+     {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
++    {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
++    {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
++    {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
++    {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
+ #endif
+     {0, 0, NULL}
+ };
+@@ -732,6 +749,100 @@
+ 	xfree(user);
+ 
+ 	return (0);
++}
++
++static void *pam_ctxt, *pam_authok;
++extern KbdintDevice pam_device;
++
++int
++mm_answer_pam_init_ctx(int socket, Buffer *m)
++{
++
++	debug3("%s", __func__);
++	authctxt->user = buffer_get_string(m, NULL);
++	pam_ctxt = (pam_device.init_ctx)(authctxt);
++	pam_authok = NULL;
++	buffer_clear(m);
++	if (pam_ctxt != NULL) {
++		monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
++		buffer_put_int(m, 1);
++	} else {
++		buffer_put_int(m, 0);
++	}
++	mm_request_send(socket, MONITOR_ANS_PAM_INIT_CTX, m);
++	return (0);
++}
++
++int
++mm_answer_pam_query(int socket, Buffer *m)
++{
++	char *name, *info, **prompts;
++	u_int num, *echo_on;
++	int i, ret;
++
++	debug3("%s", __func__);
++	pam_authok = NULL;
++	ret = (pam_device.query)(pam_ctxt, &name, &info, &num, &prompts, &echo_on);
++	if (num > 1 || name == NULL || info == NULL)
++		ret = -1;
++	buffer_put_int(m, ret);
++	buffer_put_cstring(m, name);
++	xfree(name);
++	buffer_put_cstring(m, info);
++	xfree(info);
++	buffer_put_int(m, num);
++	for (i = 0; i < num; ++i) {
++		buffer_put_cstring(m, prompts[i]);
++		xfree(prompts[i]);
++		buffer_put_int(m, echo_on[i]);
++	}
++	if (prompts != NULL)
++		xfree(prompts);
++	if (echo_on != NULL)
++		xfree(echo_on);
++	mm_request_send(socket, MONITOR_ANS_PAM_QUERY, m);
++	return (0);
++}
++
++int
++mm_answer_pam_respond(int socket, Buffer *m)
++{
++	char **resp;
++	u_int num;
++	int i, ret;
++
++	debug3("%s", __func__);
++	pam_authok = NULL;
++	num = buffer_get_int(m);
++	if (num > 0) {
++		resp = xmalloc(num * sizeof(char *));
++		for (i = 0; i < num; ++i)
++			resp[i] = buffer_get_string(m, NULL);
++		ret = (pam_device.respond)(pam_ctxt, num, resp);
++		for (i = 0; i < num; ++i)
++			xfree(resp[i]);
++		xfree(resp);
++	} else {
++		ret = (pam_device.respond)(pam_ctxt, num, NULL);
++	}
++	buffer_clear(m);
++	buffer_put_int(m, ret);
++	mm_request_send(socket, MONITOR_ANS_PAM_RESPOND, m);
++	auth_method = "keyboard-interactive/pam";
++	if (ret == 0)
++		pam_authok = pam_ctxt;
++	return (0);
++}
++
++int
++mm_answer_pam_free_ctx(int socket, Buffer *m)
++{
++
++	debug3("%s", __func__);
++	(pam_device.free_ctx)(pam_ctxt);
++	buffer_clear(m);
++	mm_request_send(socket, MONITOR_ANS_PAM_FREE_CTX, m);
++	return (pam_authok == pam_ctxt);
+ }
+ #endif
+ 
diff --git a/security/hpn-ssh/files/patch-monitor.h b/security/hpn-ssh/files/patch-monitor.h
new file mode 100644
index 000000000000..2c42831b40ab
--- /dev/null
+++ b/security/hpn-ssh/files/patch-monitor.h
@@ -0,0 +1,13 @@
+--- monitor.h.orig	Tue Jun 11 18:42:49 2002
++++ monitor.h	Sun Jun 30 07:13:09 2002
+@@ -50,6 +51,10 @@
+ 	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
+ 	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
+ 	MONITOR_REQ_PAM_START,
++	MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
++	MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
++	MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
++	MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
+ 	MONITOR_REQ_TERM
+ };
+ 
diff --git a/security/hpn-ssh/files/patch-monitor_wrap.c b/security/hpn-ssh/files/patch-monitor_wrap.c
new file mode 100644
index 000000000000..99ad633a6028
--- /dev/null
+++ b/security/hpn-ssh/files/patch-monitor_wrap.c
@@ -0,0 +1,107 @@
+--- monitor_wrap.c.orig	Fri Jun 21 02:43:43 2002
++++ monitor_wrap.c	Sun Jun 30 07:13:18 2002
+@@ -664,6 +665,88 @@
+ 
+ 	buffer_free(&m);
+ }
++
++void *
++mm_pam_init_ctx(Authctxt *authctxt)
++{
++	Buffer m;
++	int success;
++
++	debug3("%s", __func__);
++	buffer_init(&m);
++	buffer_put_cstring(&m, authctxt->user);
++	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
++	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
++	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
++	success = buffer_get_int(&m);
++	if (success == 0) {
++		debug3("%s: pam_init_ctx failed", __func__);
++		buffer_free(&m);
++		return (NULL);
++	}
++	buffer_free(&m);
++	return (authctxt);
++}
++
++int
++mm_pam_query(void *ctx, char **name, char **info,
++    u_int *num, char ***prompts, u_int **echo_on)
++{
++	Buffer m;
++	int i, ret;
++
++	debug3("%s", __func__);
++	buffer_init(&m);
++	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m);
++	debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__);
++	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m);
++	ret = buffer_get_int(&m);
++	debug3("%s: pam_query returned %d", __func__, ret);
++	*name = buffer_get_string(&m, NULL);
++	*info = buffer_get_string(&m, NULL);
++	*num = buffer_get_int(&m);
++	*prompts = xmalloc((*num + 1) * sizeof(char *));
++	*echo_on = xmalloc((*num + 1) * sizeof(u_int));
++	for (i = 0; i < *num; ++i) {
++		(*prompts)[i] = buffer_get_string(&m, NULL);
++		(*echo_on)[i] = buffer_get_int(&m);
++	}
++	buffer_free(&m);
++	return (ret);
++}
++
++int
++mm_pam_respond(void *ctx, u_int num, char **resp)
++{
++	Buffer m;
++	int i, ret;
++
++	debug3("%s", __func__);
++	buffer_init(&m);
++	buffer_put_int(&m, num);
++	for (i = 0; i < num; ++i)
++		buffer_put_cstring(&m, resp[i]);
++	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m);
++	debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__);
++	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m);
++	ret = buffer_get_int(&m);
++	debug3("%s: pam_respond returned %d", __func__, ret);
++	buffer_free(&m);
++	return (ret);
++}
++
++void
++mm_pam_free_ctx(void *ctxtp)
++{
++	Buffer m;
++
++	debug3("%s", __func__);
++	buffer_init(&m);
++	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m);
++	debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__);
++	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m);
++	buffer_free(&m);
++}
+ #endif /* USE_PAM */
+ 
+ /* Request process termination */
+@@ -767,6 +850,7 @@
+ 	return ((authok == 0) ? -1 : 0);
+ }
+ 
++#ifdef SKEY
+ int
+ mm_skey_query(void *ctx, char **name, char **infotxt,
+    u_int *numprompts, char ***prompts, u_int **echo_on)
+@@ -829,6 +913,7 @@
+ 
+ 	return ((authok == 0) ? -1 : 0);
+ }
++#endif
+ 
+ void
+ mm_ssh1_session_id(u_char session_id[16])
diff --git a/security/hpn-ssh/files/patch-monitor_wrap.h b/security/hpn-ssh/files/patch-monitor_wrap.h
new file mode 100644
index 000000000000..e4495c7ba12e
--- /dev/null
+++ b/security/hpn-ssh/files/patch-monitor_wrap.h
@@ -0,0 +1,13 @@
+--- monitor_wrap.h.orig	Mon May 13 03:07:42 2002
++++ monitor_wrap.h	Sun Jun 30 07:13:18 2002
+@@ -57,6 +58,10 @@
+ 
+ #ifdef USE_PAM
+ void mm_start_pam(char *);
++void *mm_pam_init_ctx(struct Authctxt *);
++int mm_pam_query(void *, char **, char **, u_int *, char ***, u_int **);
++int mm_pam_respond(void *, u_int, char **);
++void mm_pam_free_ctx(void *);
+ #endif
+ 
+ void mm_terminate(void);
diff --git a/security/hpn-ssh/files/patch-sshd_config b/security/hpn-ssh/files/patch-sshd_config
index ec7a106916ca..3d84a8c64d0f 100644
--- a/security/hpn-ssh/files/patch-sshd_config
+++ b/security/hpn-ssh/files/patch-sshd_config
@@ -1,6 +1,14 @@
 --- sshd_config.orig	Fri Jun 21 03:11:36 2002
-+++ sshd_config	Fri Jun 28 06:55:46 2002
-@@ -58,6 +58,7 @@
++++ sshd_config	Wed Jul  3 06:20:47 2002
+@@ -34,6 +34,7 @@
+ 
+ #LoginGraceTime 600
+ #PermitRootLogin yes
++PermitRootLogin no
+ #StrictModes yes
+ 
+ #RSAAuthentication yes
+@@ -58,6 +59,7 @@
  
  # Change to no to disable s/key passwords
  #ChallengeResponseAuthentication yes