Update the CVS_DATE. This brings in support for TIS authentication,

obsoleting a couple patches (it's the same code, though, except for
additions).

This also brings in KNFization of everything (please hold the cheering
down :) and made me reroll all my patches.

My patches have been almost entirely rewritten.  The places are the
same, but the code's rewritten.  It fits with the style (KNF) now,
and looks better.

I've also added strlcat.c to the build, which, just like strlcpy.c, is
necessary for compatibility with older libcs.  After strlcat() snuck
into the OpenSSH code recently, this would prevent OpenSSH from
building on (e.g.) FreeBSD 3.2.  Adding it to ssh/lib/ makes it work
yet again :)

19 files changed, 524 insertions, 244 deletions

diff --git a/security/openssh/files/patch-aa b/security/openssh/files/patch-aa
index ff267ded9258..4797fe4d70a2 100644
--- a/security/openssh/files/patch-aa
+++ b/security/openssh/files/patch-aa
@@ -1,5 +1,5 @@
---- Makefile.orig	Tue Oct 26 03:31:00 1999
-+++ Makefile	Mon Nov  8 00:28:19 1999
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/Makefile	Mon Oct 25 16:27:26 1999
++++ ./Makefile	Tue Nov 23 19:18:22 1999
 @@ -1,6 +1,7 @@
  #	$OpenBSD: Makefile,v 1.5 1999/10/25 20:27:26 markus Exp $
  
diff --git a/security/openssh/files/patch-ab b/security/openssh/files/patch-ab
index a65c47f7601c..277f63f225b6 100644
--- a/security/openssh/files/patch-ab
+++ b/security/openssh/files/patch-ab
@@ -1,11 +1,9 @@
---- Makefile.inc.orig	Tue Oct 26 03:31:00 1999
-+++ Makefile.inc	Tue Nov  9 06:45:18 1999
-@@ -1,11 +1,8 @@
--CFLAGS+=	-I${.CURDIR}/..
-+CFLAGS+=	-I${.CURDIR}/.. -I${PREFIX}/include
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/Makefile.inc	Mon Oct 25 16:27:26 1999
++++ ./Makefile.inc	Tue Nov 23 19:19:33 1999
+@@ -2,10 +2,9 @@
+ 
+ .include <bsd.obj.mk>
  
--.include <bsd.obj.mk>
--
 -.if exists(${.CURDIR}/../lib/${__objdir})
 -LDADD+=         -L${.CURDIR}/../lib/${__objdir} -lssh
 -DPADD+=         ${.CURDIR}/../lib/${__objdir}/libssh.a
diff --git a/security/openssh/files/patch-ac b/security/openssh/files/patch-ac
index f03c0f6c88c2..f6ad51c27c10 100644
--- a/security/openssh/files/patch-ac
+++ b/security/openssh/files/patch-ac
@@ -1,10 +1,24 @@
---- readconf.h.dist	Fri Nov 19 23:32:48 1999
-+++ readconf.h	Fri Nov 19 23:48:22 1999
-@@ -54,6 +54,7 @@
-   int compression;		/* Compress packets in both directions. */
-   int compression_level;	/* Compression level 1 (fast) to 9 (best). */
-   int keepalives;		/* Set SO_KEEPALIVE. */
-+  int tis_authentication;	/* TIS client-side authentication */
-   LogLevel log_level;		/* Level for logging. */
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/includes.h	Tue Nov  2 16:21:02 1999
++++ ./includes.h	Tue Nov 23 19:20:38 1999
+@@ -24,12 +24,12 @@
+ #include <sys/select.h>
+ #include <sys/param.h>
+ #include <sys/ioctl.h>
+-#include <sys/endian.h>
+ #include <sys/stat.h>
+ #include <sys/wait.h>
+ #include <sys/time.h>
+ #include <sys/un.h>
+ #include <sys/resource.h>
++#include <machine/endian.h>
  
-   int port;			/* Port to connect. */
+ #include <netinet/in.h>
+ #include <netinet/in_systm.h>
+@@ -38,7 +38,6 @@
+ #include <arpa/inet.h>
+ #include <netdb.h>
+ 
+-#include <netgroup.h>
+ #include <stdio.h>
+ #include <ctype.h>
+ #include <errno.h>
diff --git a/security/openssh/files/patch-ad b/security/openssh/files/patch-ad
index b99d16d2c0d1..fc17693d6e5e 100644
--- a/security/openssh/files/patch-ad
+++ b/security/openssh/files/patch-ad
@@ -1,35 +1,20 @@
---- readconf.c.dist	Fri Nov 19 23:32:48 1999
-+++ readconf.c	Fri Nov 19 23:41:27 1999
-@@ -369,13 +369,8 @@
-       goto parse_int;
-       
-     case oTISAuthentication:
--      cp = strtok(NULL, WHITESPACE);
--      if (cp != 0 && (strcmp(cp, "yes") == 0 || strcmp(cp, "true") == 0))
--	fprintf(stderr,
--		"%.99s line %d: Warning, TIS is not supported.\n",
--		filename,
--		linenum);
--      break;
-+      intptr = &options->tis_authentication;
-+      goto parse_flag;
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/lib/Makefile	Tue Nov 16 17:49:29 1999
++++ ./lib/Makefile	Tue Nov 23 19:21:19 1999
+@@ -5,6 +5,7 @@
+ 	cipher.c compat.c compress.c crc32.c deattack.c fingerprint.c \
+ 	hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \
+ 	rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c
++SRCS+=	strlcat.c strlcpy.c
  
-     case oCompressionLevel:
-       intptr = &options->compression_level;
-@@ -655,6 +650,7 @@
-   options->num_local_forwards = 0;
-   options->num_remote_forwards = 0;
-   options->log_level = (LogLevel)-1;
-+  options->tis_authentication = -1;
- }
+ NOPROFILE= yes
+ NOPIC=	yes
+@@ -13,6 +14,7 @@
+ 	@echo -n
  
- /* Called after processing other sources of option data, this fills those
-@@ -727,6 +723,8 @@
-     options->user_hostfile = SSH_USER_HOSTFILE;
-   if (options->log_level == (LogLevel)-1)
-     options->log_level = SYSLOG_LEVEL_INFO;
-+  if (options->tis_authentication == -1)
-+    options->tis_authentication = 0;
-   /* options->proxy_command should not be set by default */
-   /* options->user will be set in the main program if appropriate */
-   /* options->hostname will be set in the main program if appropriate */
+ .include <bsd.own.mk>
++.include "../Makefile.inc"
+ 
+ .if (${KERBEROS} == "yes")
+ CFLAGS+= -DKRB4 -I/usr/include/kerberosIV
+Only in ./lib: strlcat.c
+Only in ./lib: strlcpy.c
diff --git a/security/openssh/files/patch-ae b/security/openssh/files/patch-ae
index f0692ec9487c..33c57f42e6fc 100644
--- a/security/openssh/files/patch-ae
+++ b/security/openssh/files/patch-ae
@@ -1,43 +1,14 @@
---- sshconnect.c.orig	Fri Nov 19 23:54:54 1999
-+++ sshconnect.c	Fri Nov 19 23:56:22 1999
-@@ -1496,6 +1496,40 @@
- 	  return; /* Successful connection. */
-     }
-   
-+  /* Support for TIS authentication server obtained from
-+     Andre April <Andre.April@cediti.be>. */
-+  if ((supported_authentications & (1 << SSH_AUTH_TIS)) &&
-+      options.tis_authentication && !options.batch_mode)
-+    {
-+      char *prompt;
-+      debug("Doing TIS authentication.");
-+      if (options.cipher == SSH_CIPHER_NONE)
-+	log("WARNING: Encryption is disabled! Password will be transmitted in clear text.");
-+      packet_start(SSH_CMSG_AUTH_TIS);
-+      packet_send();
-+      packet_write_wait();
-+      type = packet_read(&payload_len);
-+      if (type == SSH_SMSG_FAILURE)
-+	debug("User cannot be identifier on authentication server.");
-+      else {
-+	if (type != SSH_SMSG_AUTH_TIS_CHALLENGE)
-+	  packet_disconnect("Protocol error: got %d in response to TIS auth request", type);
-+	prompt = packet_get_string(NULL);
-+	password = read_passphrase(prompt, 0);
-+	packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
-+	packet_put_string(password, strlen(password));
-+	memset(password, 0, strlen(password));
-+	xfree(password);
-+	packet_send();
-+	packet_write_wait();
-+        type = packet_read(&payload_len);
-+	if (type == SSH_SMSG_SUCCESS)
-+	  return;
-+	if (type != SSH_SMSG_FAILURE)
-+	  packet_disconnect("Protocol error: got %d in response to TIS auth", type);
-+      }
-+    }
-+
-   /* Try password authentication if the server supports it. */
-   if ((supported_authentications & (1 << SSH_AUTH_PASSWORD)) &&
-       options.password_authentication && !options.batch_mode)
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/login.c	Tue Nov 23 18:55:14 1999
++++ ./login.c	Tue Nov 23 19:35:08 1999
+@@ -20,7 +20,11 @@
+ #include "includes.h"
+ RCSID("$Id: login.c,v 1.8 1999/11/23 22:25:54 markus Exp $");
+ 
++#ifdef __FreeBSD__
++#include <libutil.h>
++#else
+ #include <util.h>
++#endif /* __FreeBSD__ */
+ #include <utmp.h>
+ #include "ssh.h"
+ 
diff --git a/security/openssh/files/patch-af b/security/openssh/files/patch-af
index 6eadf2eafb68..4e7ebf6d6cba 100644
--- a/security/openssh/files/patch-af
+++ b/security/openssh/files/patch-af
@@ -1,11 +1,22 @@
---- ssh.h.dist	Fri Nov 19 23:50:37 1999
-+++ ssh.h	Fri Nov 19 23:50:22 1999
-@@ -141,7 +141,7 @@
- #define SSH_AUTH_RSA		2
- #define SSH_AUTH_PASSWORD	3
- #define SSH_AUTH_RHOSTS_RSA	4
--				/* 5 is TIS */
-+#define SSH_AUTH_TIS		5
- #define SSH_AUTH_KERBEROS	6
- #define SSH_PASS_KERBEROS_TGT	7
- 				/* 8 to 15 are reserved */
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/scp/Makefile	Mon Oct 25 16:27:26 1999
++++ ./scp/Makefile	Tue Nov 23 19:23:58 1999
+@@ -2,16 +2,9 @@
+ 
+ PROG=	scp
+ BINOWN=	root
+-
+-.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \
+-	${MACHINE_ARCH} == "hppa")
+-BINMODE=0000
+-.else
+-BINMODE?=555
+-.endif
+-
+-BINDIR=	/usr/bin
+-MAN=	scp.1
++BINMODE=555
++BINDIR=	/bin
++MAN1=	scp.1
+ 
+ SRCS=	scp.c
+ 
diff --git a/security/openssh/files/patch-ap b/security/openssh/files/patch-ag
index db9c3f7d8a0a..09a17b96aa87 100644
--- a/security/openssh/files/patch-ap
+++ b/security/openssh/files/patch-ag
@@ -1,11 +1,10 @@
---- ssh/Makefile.orig	Tue Oct 26 03:31:00 1999
-+++ ssh/Makefile	Tue Nov  9 06:56:24 1999
-@@ -2,22 +2,17 @@
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/ssh/Makefile	Wed Nov 17 20:52:33 1999
++++ ./ssh/Makefile	Tue Nov 23 19:26:08 1999
+@@ -2,22 +2,16 @@
  
  PROG=	ssh
  BINOWN=	root
-+BINMODE=4555
- 
+-
 -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \
 -	${MACHINE_ARCH} == "hppa")
 -BINMODE=0000
@@ -15,6 +14,7 @@
 -
 -BINDIR=	/usr/bin
 -MAN=	ssh.1
++BINMODE=4555
 +BINDIR=	/bin
 +MAN1=	ssh.1
  LINKS=	${BINDIR}/ssh ${BINDIR}/slogin
@@ -27,7 +27,7 @@
  
  .if (${KERBEROS} == "yes")
  CFLAGS+= -DKRB4 -I/usr/include/kerberosIV
-@@ -32,5 +27,5 @@
+@@ -32,5 +26,5 @@
  
  .include <bsd.prog.mk>
  
diff --git a/security/openssh/files/patch-ah b/security/openssh/files/patch-ah
new file mode 100644
index 000000000000..95b32a341276
--- /dev/null
+++ b/security/openssh/files/patch-ah
@@ -0,0 +1,27 @@
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/ssh-add/Makefile	Wed Oct 27 12:54:48 1999
++++ ./ssh-add/Makefile	Tue Nov 23 19:26:48 1999
+@@ -2,20 +2,13 @@
+ 
+ PROG=	ssh-add
+ BINOWN=	root
+-
+-.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \
+-	${MACHINE_ARCH} == "hppa")
+-BINMODE=0000
+-.else
+-BINMODE?=555
+-.endif
+-
+-BINDIR=	/usr/bin
+-MAN=	ssh-add.1
++BINMODE=555
++BINDIR=	/bin
++MAN1=	ssh-add.1
+ 
+ SRCS=	ssh-add.c log-client.c
+ 
+ .include <bsd.prog.mk>
+ 
+-LDADD+=	-lcrypto -lutil -lz
++LDADD+=	${CRYPTOLIBS} -lutil -lz
+ DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ}
diff --git a/security/openssh/files/patch-ai b/security/openssh/files/patch-ai
index fd676782c3d2..519c4e727f15 100644
--- a/security/openssh/files/patch-ai
+++ b/security/openssh/files/patch-ai
@@ -1,21 +1,26 @@
-diff -ru /home/green/ssh/includes.h ./includes.h
---- /home/green/ssh/includes.h	Wed Nov  3 03:36:00 1999
-+++ ./includes.h	Mon Nov  8 00:06:40 1999
-@@ -24,7 +24,6 @@
- #include <sys/select.h>
- #include <sys/param.h>
- #include <sys/ioctl.h>
--#include <sys/endian.h>
- #include <sys/stat.h>
- #include <sys/wait.h>
- #include <sys/time.h>
-@@ -38,7 +37,8 @@
- #include <arpa/inet.h>
- #include <netdb.h>
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/ssh-agent/Makefile	Wed Oct 27 12:54:49 1999
++++ ./ssh-agent/Makefile	Tue Nov 23 19:27:38 1999
+@@ -2,20 +2,13 @@
  
--#include <netgroup.h>
-+#include <machine/endian.h>
-+
- #include <stdio.h>
- #include <ctype.h>
- #include <errno.h>
+ PROG=	ssh-agent
+ BINOWN=	root
+-
+-.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \
+-	${MACHINE_ARCH} == "hppa")
+-BINMODE=0000
+-.else
+-BINMODE?=555
+-.endif
+-
+-BINDIR=	/usr/bin
++BINMODE=555
++BINDIR=	/bin
+ MAN=	ssh-agent.1
+ 
+ SRCS=	ssh-agent.c log-client.c
+ 
+ .include <bsd.prog.mk>
+ 
+-LDADD+=	-lcrypto -lutil -lz
++LDADD+=	${CRYPTOLIBS} -lutil -lz
+ DPADD+=	${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ}
diff --git a/security/openssh/files/patch-aj b/security/openssh/files/patch-aj
index 2b51018f9bc7..9f9c0fcd64da 100644
--- a/security/openssh/files/patch-aj
+++ b/security/openssh/files/patch-aj
@@ -1,19 +1,26 @@
---- ./lib/Makefile.orig	Tue Nov 16 16:50:53 1999
-+++ ./lib/Makefile	Tue Nov 16 16:52:01 1999
-@@ -4,7 +4,7 @@
- SRCS=   authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \
- 	cipher.c compat.c compress.c crc32.c deattack.c fingerprint.c \
- 	hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \
--	rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c
-+	rsa.c strlcpy.c tildexpand.c ttymodes.c uidswap.c xmalloc.c
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/ssh-keygen/Makefile	Wed Oct 27 12:54:49 1999
++++ ./ssh-keygen/Makefile	Tue Nov 23 19:28:07 1999
+@@ -2,20 +2,13 @@
  
- NOPROFILE= yes
- NOPIC=	yes
-@@ -13,6 +13,7 @@
- 	@echo -n
+ PROG=	ssh-keygen
+ BINOWN=	root
+-
+-.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \
+-	${MACHINE_ARCH} == "hppa")
+-BINMODE=0000
+-.else
+-BINMODE?=555
+-.endif
+-
+-BINDIR=	/usr/bin
++BINMODE=555
++BINDIR=	/bin
+ MAN=	ssh-keygen.1
  
- .include <bsd.own.mk>
-+.include "../Makefile.inc"
+ SRCS=	ssh-keygen.c log-client.c
  
- .if (${KERBEROS} == "yes")
- CFLAGS+= -DKRB4 -I/usr/include/kerberosIV
+ .include <bsd.prog.mk>
+ 
+-LDADD+=	-lcrypto -lutil -lz
++LDADD+=	${CRYPTOLIBS} -lutil -lz
+ DPADD+=	${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ}
diff --git a/security/openssh/files/patch-ak b/security/openssh/files/patch-ak
index 7248dbab9bed..f76d52056c2e 100644
--- a/security/openssh/files/patch-ak
+++ b/security/openssh/files/patch-ak
@@ -1,14 +1,12 @@
---- ./login.c.orig	Sat Nov 13 16:50:45 1999
-+++ ./login.c	Sat Nov 13 17:59:23 1999
-@@ -20,7 +20,11 @@
- #include "includes.h"
- RCSID("$Id: login.c,v 1.7 1999/09/30 16:55:06 deraadt Exp $");
- 
-+#if defined(__FreeBSD__)
-+#include <libutil.h>
-+#else
- #include <util.h>
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/ssh.c	Tue Nov 23 18:57:50 1999
++++ ./ssh.c	Tue Nov 23 19:28:33 1999
+@@ -123,6 +123,9 @@
+ 	log("Using rsh.  WARNING: Connection will not be encrypted.");
+ 	/* Build argument list for rsh. */
+ 	i = 0;
++#ifndef	_PATH_RSH
++#define	_PATH_RSH	"/usr/bin/rsh"
 +#endif
- #include <utmp.h>
- #include "ssh.h"
- 
+ 	args[i++] = _PATH_RSH;
+ 	/* host may have to come after user on some systems */
+ 	args[i++] = host;
diff --git a/security/openssh/files/patch-al b/security/openssh/files/patch-al
new file mode 100644
index 000000000000..365a45928036
--- /dev/null
+++ b/security/openssh/files/patch-al
@@ -0,0 +1,27 @@
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/ssh.h	Tue Nov 23 18:58:02 1999
++++ ./ssh.h	Tue Nov 23 19:31:00 1999
+@@ -51,7 +51,7 @@
+    port if present. */
+ #define SSH_SERVICE_NAME	"ssh"
+ 
+-#define ETCDIR			"/etc"
++#define ETCDIR			"__PREFIX__/etc"
+ #define PIDDIR			"/var/run"
+ 
+ /* System-wide file containing host keys of known hosts.  This file should be
+@@ -64,11 +64,11 @@
+ are all defined in Makefile.in.  Of these, ssh_host_key should be readable
+ only by root, whereas ssh_config should be world-readable. */
+ 
+-#define HOST_KEY_FILE		"/etc/ssh_host_key"
+-#define SERVER_CONFIG_FILE	"/etc/sshd_config"
+-#define HOST_CONFIG_FILE	"/etc/ssh_config"
++#define HOST_KEY_FILE		"__PREFIX__/etc/ssh_host_key"
++#define SERVER_CONFIG_FILE	"__PREFIX__/etc/sshd_config"
++#define HOST_CONFIG_FILE	"__PREFIX__/etc/ssh_config"
+ 
+-#define SSH_PROGRAM		"/usr/bin/ssh"
++#define SSH_PROGRAM		"__PREFIX__/usr/bin/ssh"
+ 
+ /* The process id of the daemon listening for connections is saved
+    here to make it easier to kill the correct daemon when necessary. */
diff --git a/security/openssh/files/patch-aw b/security/openssh/files/patch-am
index 946b865ec625..22106d6e39ef 100644
--- a/security/openssh/files/patch-aw
+++ b/security/openssh/files/patch-am
@@ -1,6 +1,5 @@
-diff -ru /home/green/ssh/sshd/Makefile ./sshd/Makefile
---- /home/green/ssh/sshd/Makefile	Tue Oct 26 03:31:00 1999
-+++ ./sshd/Makefile	Mon Nov  8 00:14:02 1999
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd/Makefile	Mon Oct 25 16:27:27 1999
++++ ./sshd/Makefile	Tue Nov 23 19:29:25 1999
 @@ -3,13 +3,14 @@
  PROG=	sshd
  BINOWN=	root
@@ -23,7 +22,7 @@ diff -ru /home/green/ssh/sshd/Makefile ./sshd/Makefile
  .include <bsd.prog.mk>
  
 -LDADD+=	-lcrypto -lutil -lz
-+LDADD+=	-lutil -lz -lcrypt ${CRYPTOLIBS}
++LDADD+=	${CRYPTOLIBS} -lcrypt -lutil -lz
  DPADD+=	${LIBCRYPTO} ${LIBUTIL} ${LIBZ}
  
  .if (${TCP_WRAPPERS} == "yes")
diff --git a/security/openssh/files/patch-an b/security/openssh/files/patch-an
new file mode 100644
index 000000000000..8dfdf115c932
--- /dev/null
+++ b/security/openssh/files/patch-an
@@ -0,0 +1,232 @@
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd.c	Tue Nov 23 18:59:05 1999
++++ ./sshd.c	Tue Nov 23 20:33:18 1999
+@@ -39,6 +39,16 @@
+ int deny_severity = LOG_WARNING;
+ #endif /* LIBWRAP */
+ 
++#ifdef __FreeBSD__
++#include <libutil.h>
++#include <syslog.h>
++#define	LOGIN_CAP
++#endif /* __FreeBSD__ */
++
++#ifdef LOGIN_CAP
++#include <login_cap.h>
++#endif /* LOGIN_CAP */
++
+ #ifndef O_NOCTTY
+ #define O_NOCTTY	0
+ #endif
+@@ -1008,6 +1018,14 @@
+ 				return 0;
+ 		}
+ 	}
++	/* Fail if the account's expiration time has passed. */
++	if (pw->pw_expire != 0) {
++		struct timeval tv;
++
++	(void)gettimeofday(&tv, NULL);
++	if (tv.tv_sec >= pw->pw_expire)
++		return 0;
++	}
+ 	/* We found no reason not to let this user try to log on... */
+ 	return 1;
+ }
+@@ -1042,6 +1060,9 @@
+ 	pwcopy.pw_gid = pw->pw_gid;
+ 	pwcopy.pw_dir = xstrdup(pw->pw_dir);
+ 	pwcopy.pw_shell = xstrdup(pw->pw_shell);
++	pwcopy.pw_class = xstrdup(pw->pw_class);
++	pwcopy.pw_expire = pw->pw_expire;
++	pwcopy.pw_change = pw->pw_change;
+ 	pw = &pwcopy;
+ 
+ 	/* If we are not running as root, the user must have the same uid
+@@ -1790,6 +1811,10 @@
+ 	struct sockaddr_in from;
+ 	int fromlen;
+ 	struct pty_cleanup_context cleanup_context;
++#ifdef LOGIN_CAP
++	login_cap_t *lc;
++	char *fname;
++#endif /* LOGIN_CAP */
+ 
+ 	/* Get remote host name. */
+ 	hostname = get_canonical_hostname();
+@@ -1850,6 +1875,12 @@
+ 		/* Check if .hushlogin exists. */
+ 		snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir);
+ 		quiet_login = stat(line, &st) >= 0;
++#ifdef LOGIN_CAP
++		lc = login_getpwclass(pw);
++		if (lc == NULL)
++			lc = login_getclassbyname(NULL, pw);
++		quiet_login = login_getcapbool(lc, "hushlogin", quiet_login);
++#endif /* LOGIN_CAP */
+ 
+ 		/* If the user has logged in before, display the time of
+ 		   last login. However, don't display anything extra if a
+@@ -1871,12 +1902,31 @@
+ 			else
+ 				printf("Last login: %s from %s\r\n", time_string, buf);
+ 		}
++#ifdef LOGIN_CAP
++		if (command == NULL && !quiet_login && !options.use_login) {
++			fname = login_getcapstr(lc, "copyright", NULL, NULL);
++			if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
++				while (fgets(line, sizeof(line), f))
++					fputs(line, stdout);
++				fclose(f);
++			} else
++				(void)printf("%s\n\t%s %s\n",
++		"Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
++		    "The Regents of the University of California. ",
++		    "All rights reserved.");
++		}
++#endif /* LOGIN_CAP */
+ 		/* Print /etc/motd unless a command was specified or
+ 		   printing it was disabled in server options or login(1)
+ 		   will be used.  Note that some machines appear to print
+ 		   it in /etc/profile or similar. */
+ 		if (command == NULL && options.print_motd && !quiet_login &&
+ 		    !options.use_login) {
++#ifdef LOGIN_CAP
++			fname = login_getcapstr(lc, "welcome", NULL, NULL);
++			login_close(lc);
++			if (fname == NULL || (f = fopen(fname, "r")) == NULL)
++#endif /* LOGIN_CAP */
+ 			/* Print /etc/motd if it exists. */
+ 			f = fopen("/etc/motd", "r");
+ 			if (f) {
+@@ -1885,6 +1935,7 @@
+ 				fclose(f);
+ 			}
+ 		}
++
+ 		/* Do common processing for the child, such as execing the command. */
+ 		do_child(command, pw, term, display, auth_proto, auth_data, ttyname);
+ 		/* NOTREACHED */
+@@ -2030,17 +2081,38 @@
+ 	extern char **environ;
+ 	struct stat st;
+ 	char *argv[10];
++#ifdef LOGIN_CAP
++	login_cap_t *lc;
++
++	lc = login_getpwclass(pw);
++	if (lc == NULL)
++		lc = login_getclassbyname(NULL, pw);
++#endif /* LOGIN_CAP */
+ 
+ 	/* Check /etc/nologin. */
+ 	f = fopen("/etc/nologin", "r");
++#ifdef __FreeBSD__
++	if (f == NULL)
++		f = fopen("/var/run/nologin", "r");
++#endif /* __FreeBSD__ */
+ 	if (f) {
+-		/* /etc/nologin exists.  Print its contents and exit. */
+-		while (fgets(buf, sizeof(buf), f))
+-			fputs(buf, stderr);
+-		fclose(f);
+-		if (pw->pw_uid != 0)
+-			exit(254);
+-	}
++		/* /etc/nologin exists. */
++#ifdef LOGIN_CAP
++		/*
++		 * If the user doesn't have "ignorenologin" set, print
++		 * its contents and exit.
++		 */
++		if (!login_getcapbool(lc, "ignorenologin", 0)) {
++#endif /* LOGIN_CAP */
++			while (fgets(buf, sizeof(buf), f))
++				fputs(buf, stderr);
++			fclose(f);
++			if (pw->pw_uid != 0)
++				exit(254);
++#ifdef LOGIN_CAP
++		}
++#endif /* LOGIN_CAP */
++		}
+ 	/* Set login name in the kernel. */
+ 	if (setlogin(pw->pw_name) < 0)
+ 		error("setlogin failed: %s", strerror(errno));
+@@ -2049,6 +2121,13 @@
+ 	/* Login(1) does this as well, and it needs uid 0 for the "-h"
+ 	   switch, so we let login(1) to this for us. */
+ 	if (!options.use_login) {
++#ifdef LOGIN_CAP
++		if (setclasscontext(pw->pw_class, LOGIN_SETPRIORITY |
++		    LOGIN_SETRESOURCES | LOGIN_SETUMASK) == -1) {
++			perror("setclasscontext");
++			exit(1);
++		}
++#endif /* LOGIN_CAP */
+ 		if (getuid() == 0 || geteuid() == 0) {
+ 			if (setgid(pw->pw_gid) < 0) {
+ 				perror("setgid");
+@@ -2069,7 +2148,13 @@
+ 	}
+ 	/* Get the shell from the password data.  An empty shell field is
+ 	   legal, and means /bin/sh. */
++#ifdef LOGIN_CAP
++	shell = login_getcapstr(lc, "shell", pw->pw_shell, pw->pw_shell);
++	if (shell[0] == '\0')
++		shell = _PATH_BSHELL;
++#else /* LOGIN_CAP */
+ 	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
++#endif /* LOGIN_CAP */
+ 
+ #ifdef AFS
+ 	/* Try to get AFS tokens for the local cell. */
+@@ -2094,7 +2179,12 @@
+ 		child_set_env(&env, &envsize, "USER", pw->pw_name);
+ 		child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
+ 		child_set_env(&env, &envsize, "HOME", pw->pw_dir);
++#ifdef LOGIN_CAP
++		child_set_env(&env, &envsize, "PATH",
++		    login_getpath(lc, "path", _PATH_STDPATH));
++#else /* LOGIN_CAP */
+ 		child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
++#endif /* LOGIN_CAP */
+ 
+ 		snprintf(buf, sizeof buf, "%.200s/%.50s",
+ 			 _PATH_MAILDIR, pw->pw_name);
+@@ -2189,13 +2279,35 @@
+ 	   later. */
+ 	endpwent();
+ 	endhostent();
++#ifdef LOGIN_CAP
++	login_close(lc);
++#endif /* LOGIN_CAP */
+ 
+ 	/* Close any extra open file descriptors so that we don\'t have
+ 	   them hanging around in clients.  Note that we want to do this
+ 	   after initgroups, because at least on Solaris 2.3 it leaves
+ 	   file descriptors open. */
+-	for (i = 3; i < 64; i++)
++	for (i = 3; i < getdtablesize(); i++)
+ 		close(i);
++
++#ifdef __FreeBSD__
++	/*
++	 * If the password change time is set and has passed, give the
++	 * user a password expiry notice and chance to change it.
++	 */
++	if (pw->pw_change != 0) {
++		struct timeval tv;
++
++		(void)gettimeofday(&tv, NULL);
++		if (tv.tv_sec >= pw->pw_change) {
++			(void)printf("Sorry -- your password has expired.\n");
++			syslog(LOG_INFO, "%s Password expired - forcing change",
++			    pw->pw_name);
++			if (system("/usr/bin/passwd") != 0)
++				perror("/usr/bin/passwd");
++		}
++	}
++#endif /* __FreeBSD__ */
+ 
+ 	/* Change current directory to the user\'s home directory. */
+ 	if (chdir(pw->pw_dir) < 0)
diff --git a/security/openssh/files/patch-ao b/security/openssh/files/patch-ao
index 21f9247a72e7..a728a10616d5 100644
--- a/security/openssh/files/patch-ao
+++ b/security/openssh/files/patch-ao
@@ -1,14 +1,16 @@
-diff -ru /home/green/ssh/scp/Makefile ./scp/Makefile
---- /home/green/ssh/scp/Makefile	Tue Oct 26 03:31:00 1999
-+++ ./scp/Makefile	Mon Nov  8 00:13:21 1999
-@@ -10,8 +10,8 @@
- BINMODE?=555
- .endif
- 
--BINDIR=	/usr/bin
--MAN=	scp.1
-+BINDIR=	/bin
-+MAN1=	scp.1
- 
- SRCS=	scp.c
+--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd_config	Thu Nov 11 17:58:39 1999
++++ ./sshd_config	Tue Nov 23 19:31:58 1999
+@@ -2,11 +2,11 @@
  
+ Port 22
+ ListenAddress 0.0.0.0
+-HostKey /etc/ssh_host_key
++HostKey __PREFIX__/etc/ssh_host_key
+ ServerKeyBits 768
+ LoginGraceTime 600
+ KeyRegenerationInterval 3600
+-PermitRootLogin yes
++PermitRootLogin no 
+ #
+ # Don't read ~/.rhosts and ~/.shosts files
+ IgnoreRhosts yes
diff --git a/security/openssh/files/patch-ar b/security/openssh/files/patch-ar
deleted file mode 100644
index 0fca0fb71c85..000000000000
--- a/security/openssh/files/patch-ar
+++ /dev/null
@@ -1,27 +0,0 @@
---- ssh-agent/Makefile.orig	Thu Oct 28 03:32:00 1999
-+++ ssh-agent/Makefile	Tue Nov  9 06:41:50 1999
-@@ -2,20 +2,14 @@
- 
- PROG=	ssh-agent
- BINOWN=	root
-+BINMODE=555
- 
--.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \
--	${MACHINE_ARCH} == "hppa")
--BINMODE=0000
--.else
--BINMODE?=555
--.endif
--
--BINDIR=	/usr/bin
--MAN=	ssh-agent.1
-+BINDIR=	/bin
-+MAN1=	ssh-agent.1
- 
- SRCS=	ssh-agent.c log-client.c
- 
- .include <bsd.prog.mk>
- 
--LDADD+=	-lcrypto -lutil -lz
-+LDADD+=	-lutil -lz ${CRYPTOLIBS}
- DPADD+=	${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ}
diff --git a/security/openssh/files/patch-at b/security/openssh/files/patch-at
deleted file mode 100644
index 861e84136ae6..000000000000
--- a/security/openssh/files/patch-at
+++ /dev/null
@@ -1,27 +0,0 @@
---- ssh-keygen/Makefile.orig	Thu Oct 28 03:32:00 1999
-+++ ssh-keygen/Makefile	Tue Nov  9 06:42:34 1999
-@@ -2,20 +2,14 @@
- 
- PROG=	ssh-keygen
- BINOWN=	root
-+BINMODE=555
- 
--.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \
--	${MACHINE_ARCH} == "hppa")
--BINMODE=0000
--.else
--BINMODE?=555
--.endif
--
--BINDIR=	/usr/bin
--MAN=	ssh-keygen.1
-+BINDIR=	/bin
-+MAN1=	ssh-keygen.1
- 
- SRCS=	ssh-keygen.c log-client.c
- 
- .include <bsd.prog.mk>
- 
--LDADD+=	-lcrypto -lutil -lz
-+LDADD+=	-lutil -lz ${CRYPTOLIBS}
- DPADD+=	${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ}
diff --git a/security/openssh/files/patch-au b/security/openssh/files/patch-au
deleted file mode 100644
index 45b30014d990..000000000000
--- a/security/openssh/files/patch-au
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -ru /home/green/ssh/ssh.c ./ssh.c
---- /home/green/ssh/ssh.c	Sat Oct 30 03:43:00 1999
-+++ ./ssh.c	Mon Nov  8 00:06:40 1999
-@@ -128,6 +128,9 @@
-   log("Using rsh.  WARNING: Connection will not be encrypted.");
-   /* Build argument list for rsh. */
-   i = 0;
-+#ifndef	_PATH_RSH
-+#define	_PATH_RSH	"/usr/bin/rsh"
-+#endif
-   args[i++] = _PATH_RSH;
-   args[i++] = host;    /* may have to come after user on some systems */
-   if (user)
diff --git a/security/openssh/files/strlcat.c b/security/openssh/files/strlcat.c
new file mode 100644
index 000000000000..599994edf5af
--- /dev/null
+++ b/security/openssh/files/strlcat.c
@@ -0,0 +1,71 @@
+/*	$OpenBSD: strlcat.c,v 1.2 1999/06/17 16:28:58 millert Exp $	*/
+
+/*
+ * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
+ * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char *rcsid = "$OpenBSD: strlcat.c,v 1.2 1999/06/17 16:28:58 millert Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <sys/types.h>
+#include <string.h>
+
+/*
+ * Appends src to string dst of size siz (unlike strncat, siz is the
+ * full size of dst, not space left).  At most siz-1 characters
+ * will be copied.  Always NUL terminates (unless siz == 0).
+ * Returns strlen(src); if retval >= siz, truncation occurred.
+ */
+size_t strlcat(dst, src, siz)
+	char *dst;
+	const char *src;
+	size_t siz;
+{
+	register char *d = dst;
+	register const char *s = src;
+	register size_t n = siz;
+	size_t dlen;
+
+	/* Find the end of dst and adjust bytes left but don't go past end */
+	while (*d != '\0' && n-- != 0)
+		d++;
+	dlen = d - dst;
+	n = siz - dlen;
+
+	if (n == 0)
+		return(dlen + strlen(s));
+	while (*s != '\0') {
+		if (n != 1) {
+			*d++ = *s;
+			n--;
+		}
+		s++;
+	}
+	*d = '\0';
+
+	return(dlen + (s - src));	/* count does not include NUL */
+}