authorAlexander Leidinger <netchild@FreeBSD.org>2004-01-25 09:58:39 +0000
committerAlexander Leidinger <netchild@FreeBSD.org>2004-01-25 09:58:39 +0000
commit4fe66eee0c91b49eb1247265ae6375376009dda7 (patch)
tree719ffaa4b88e4498e48e7adc50c3192135a68f6a /security
parent7a3ca6fed09f5c9144fa390d17381227fe4be7d4 (diff)
---snip---
Improve Kerberos support in ssh2: - Change the WITH_KERBEROS knob into a WITHOUT_KERBEROS knob so kerberized ssh2 is built automatically when MIT Kerberos is installed, unless the WITHOUT_KERBEROS knob is defined. - Check for a library unique to MIT Kerberos to make sure it's not Heimdal that KRB5_HOME accidentally points to. - Add dependency on security/krb5 when built with Kerberos support. - When compiled with Kerberos support also turn it on by default in client and server config files and set "PermitRootLogin" to "nopwd" to only allow those with root tickets declared in ~root/.k5login to log in as root. [1] Ssh2 now should work out of the box in an environment using MIT Kerberos. Submitted by: Peter Losher <Peter_Losher@isc.org> [1] (kerberos-patch-*) Tested by: Peter Losher <Peter_Losher@isc.org> ---snip--- Submitted by: maintainer Strange commit log formatting to prevent ambiguous "Submitted by" lines by: committer
Notes
Notes: svn path=/head/; revision=99040
Diffstat (limited to 'security')
-rw-r--r--security/ssh2/Makefile8
-rw-r--r--security/ssh2/files/kerberos-patch-apps::ssh::ssh2_config10
-rw-r--r--security/ssh2/files/kerberos-patch-apps::ssh::sshd2_config19
3 files changed, 35 insertions, 2 deletions
diff --git a/security/ssh2/Makefile b/security/ssh2/Makefile
index 9d246a4a26c3..2cf8bd18ec55 100644
--- a/security/ssh2/Makefile
+++ b/security/ssh2/Makefile
@@ -7,6 +7,7 @@
PORTNAME= ssh2
PORTVERSION= 3.2.9.1
+PORTREVISION= 1
CATEGORIES= security ipv6
# The list of official mirror sites is at:
# http://www.ssh.com/support/downloads/secureshellserver/non-commercial.html
@@ -77,9 +78,12 @@ CONFIGURE_ARGS+= --enable-group-writeability
# Kerberos5 support in ssh2 is EXPERIMENTAL and requires MIT Kerberos,
# Heimdal is unsupported.
#
-.if defined(WITH_KERBEROS) && defined(KRB5_HOME) && \
- exists(${KRB5_HOME}/lib/libkrb5.a)
+.if !defined(WITHOUT_KERBEROS) && defined(KRB5_HOME) && \
+ exists(${KRB5_HOME}/lib/libk5crypto.a)
+LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5
CONFIGURE_ARGS+= --with-kerberos5=${KRB5_HOME} --disable-suid-ssh-signer
+EXTRA_PATCHES+= ${FILESDIR}/kerberos-patch-apps::ssh::ssh2_config \
+ ${FILESDIR}/kerberos-patch-apps::ssh::sshd2_config
.endif
.if defined(WITH_X11) || (exists(${X11BASE}/lib/libX11.a) \
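Review bot: The comment above the `.if` still calls Kerberos5 support EXPERIMENTAL and names no knob, while the new condition turns it on whenever `${KRB5_HOME}/lib/libk5crypto.a` exists. The same condition now also pulls in the two `EXTRA_PATCHES` that alter the shipped ssh2_config and sshd2_config, so an administrator who merely has MIT Kerberos installed gets different authentication defaults after a rebuild. I would extend the comment to say so, for example `# Enabled automatically when MIT Kerberos is found under KRB5_HOME; define WITHOUT_KERBEROS to disable.` and `# Also patches the default ssh2_config/sshd2_config (see files/kerberos-patch-*).`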
diff --git a/security/ssh2/files/kerberos-patch-apps::ssh::ssh2_config b/security/ssh2/files/kerberos-patch-apps::ssh::ssh2_config
new file mode 100644
index 000000000000..895d04dde0b6
--- /dev/null
+++ b/security/ssh2/files/kerberos-patch-apps::ssh::ssh2_config
@@ -0,0 +1,10 @@
+--- apps/ssh/ssh2_config.orig Wed Jan 21 19:14:28 2004
++++ apps/ssh/ssh2_config Wed Jan 21 19:26:01 2004
+@@ -76,6 +76,7 @@
+
+ # AllowedAuthentications publickey,keyboard-interactive,password
+ # AllowedAuthentications hostbased,publickey,keyboard-interactive,password
++ AllowedAuthentications kerberos-tgt-2@ssh.com,kerberos-2@ssh.com,password
+
+
+ # For ssh-signer2 (only effective if set in the global configuration
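Review bot: The added `AllowedAuthentications kerberos-tgt-2@ssh.com,kerberos-2@ssh.com,password` line leaves out `publickey`, which every commented example around it lists; the same line is added in the sshd2_config patch. Once uncommented it replaces whatever the built-in default is, so if that default includes public keys, as the examples suggest, key-based logins stop working on a Kerberos-enabled build. Unless that is intended, I would keep it in the list: `AllowedAuthentications kerberos-tgt-2@ssh.com,kerberos-2@ssh.com,publickey,password`.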
diff --git a/security/ssh2/files/kerberos-patch-apps::ssh::sshd2_config b/security/ssh2/files/kerberos-patch-apps::ssh::sshd2_config
new file mode 100644
index 000000000000..089ccc5ba36f
--- /dev/null
+++ b/security/ssh2/files/kerberos-patch-apps::ssh::sshd2_config
@@ -0,0 +1,19 @@
+--- apps/ssh/sshd2_config.orig Wed Jan 21 19:12:25 2004
++++ apps/ssh/sshd2_config Wed Jan 21 19:24:11 2004
+@@ -101,6 +101,7 @@
+ # AllowedAuthentications publickey,password
+ # AllowedAuthentications hostbased,publickey,password
+ # AllowedAuthentications hostbased,publickey,keyboard-interactive
++ AllowedAuthentications kerberos-tgt-2@ssh.com,kerberos-2@ssh.com,password
+ # RequiredAuthentications publickey,password
+ # LoginGraceTime 600
+ # AuthInteractiveFailureTimeout 2
+@@ -169,7 +170,7 @@
+ # AllowGroups staff,users
+ # DenyGroups guest,anonymous
+ # PermitRootLogin yes
+-# PermitRootLogin nopwd
++ PermitRootLogin nopwd
+
+ ## Chrooted environment
+
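Review bot: `PermitRootLogin nopwd` is uncommented without any hint in the installed file that root access now depends on Kerberos and `~root/.k5login`; the commit message explains it but the config does not. A one-line comment above the setting, such as `## Root may log in without a password only (Kerberos ticket listed in ~root/.k5login)`, would tell an auditor why the line differs from the upstream sample. Adding it means adjusting the line counts in the inner `@@ -169,7 +170,7 @@` header. Whether a missing `.k5login` falls back to accepting a default root principal is not visible here and is worth confirming before relying on this setting.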