<pre style='margin:0'>
Zero King (l2dy) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/1eb03f4096a4d7ba6fe14607498997c909a81864">https://github.com/macports/macports-ports/commit/1eb03f4096a4d7ba6fe14607498997c909a81864</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new 1eb03f4096a pkixssh: submission (#15398)
</span>1eb03f4096a is described below
<span style='display:block; white-space:pre;color:#808000;'>commit 1eb03f4096a4d7ba6fe14607498997c909a81864
</span>Author: Steven Stallion <sstallion@gmail.com>
AuthorDate: Tue Jul 26 10:39:16 2022 -0500
<span style='display:block; white-space:pre;color:#404040;'> pkixssh: submission (#15398)
</span>---
net/lsh/Portfile | 2 +-
net/openssh/Portfile | 2 +-
net/pkixssh/Portfile | 205 +++++++++++++++++++++
net/pkixssh/files/agent.patch | 154 ++++++++++++++++
net/pkixssh/files/info.roumenpetrov.sshd.sb | 23 +++
net/pkixssh/files/launchd.patch | 72 ++++++++
net/pkixssh/files/macports-config.patch | 72 ++++++++
net/pkixssh/files/pam.patch | 13 ++
...dbox-darwin.c-apple-sandbox-named-external.diff | 21 +++
.../patch-sshd.c-apple-sandbox-named-external.diff | 84 +++++++++
10 files changed, 646 insertions(+), 2 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/lsh/Portfile b/net/lsh/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 9112e693c6a..6144f7f8418 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/lsh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/lsh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -13,7 +13,7 @@ categories net
</span> license GPL-2+
maintainers nomaintainer
platforms darwin
<span style='display:block; white-space:pre;background:#ffe0e0;'>-conflicts openssh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+conflicts openssh pkixssh
</span>
description A GNU implementation of the Secure Shell protocols
long_description \
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/openssh/Portfile b/net/openssh/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 1738162dbab..6144528dbbd 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/openssh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/openssh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -12,7 +12,7 @@ platforms darwin
</span> maintainers nomaintainer
license BSD
installs_libs no
<span style='display:block; white-space:pre;background:#ffe0e0;'>-conflicts lsh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+conflicts lsh pkixssh
</span>
description OpenSSH secure login server
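Review bot: the reciprocal conflicts are incomplete. The new net/pkixssh/Portfile declares `conflicts lsh openssh ssh-copy-id`, but this commit adds the matching `pkixssh` entry only to net/lsh/Portfile and net/openssh/Portfile; the ssh-copy-id port is not among the files changed, so for that pair the conflict is declared in one direction only, even though pkixssh installs its own ${prefix}/bin/ssh-copy-id and man page. Add `pkixssh` to the ssh-copy-id port's `conflicts` line as well so the conflict is enforced regardless of installation order, as was done here for lsh and openssh.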
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/pkixssh/Portfile b/net/pkixssh/Portfile
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..08eeb39c05d
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/pkixssh/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,205 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+PortSystem 1.0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+PortGroup compiler_blacklist_versions 1.0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+name pkixssh
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+version 13.4.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+revision 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+categories net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+platforms darwin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+maintainers {@sstallion gmail.com:sstallion} openmaintainer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+license BSD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+installs_libs no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+conflicts lsh openssh ssh-copy-id
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+description PKIX-SSH - an advanced secure shell implementation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+long_description Implementation includes some of functionality provided by OpenSSH. OpenSSH \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ itself is derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and Dug \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Song removed many bugs, re-added newer features and created OpenSSH. Roumen \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Petrov adds X.509 certificate support, modernize use of cryptography library \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ including FIPS mode and creates PKIX-SSH.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+homepage https://roumenpetrov.info/secsh/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+checksums rmd160 1a5d09524567912f15877859d5e3885425e4851c \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sha256 ff76f3c467512c6e83b908386beaffb6472fdfc0f877d1653404b8f13cdca8d8 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size 1711233
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+master_sites https://roumenpetrov.info/secsh/src/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+depends_lib path:lib/libssl.dylib:openssl \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:libedit \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:ncurses \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:zlib
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+platform darwin 10 {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # /usr/bin/ranlib: object: libopenbsd-compat.a(base64.o) malformed object (unknown load command 2)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ depends_build-append port:cctools
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+patch.args -p1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+patchfiles launchd.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ agent.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pam.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patch-sandbox-darwin.c-apple-sandbox-named-external.diff \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patch-sshd.c-apple-sandbox-named-external.diff \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ macports-config.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# We need a couple of patches
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - pam.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# getpwnam(3) on OS X always returns "*********" in the pw_passwd field even
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# when run as root, so it can't be used for authentication. This patch just
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forces the use of PAM regardless of the configuration.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - patch-*-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use Apple's sandbox_init(3) in addition to standard privilege separation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This requires a sandbox profile (which we provide) and the sandbox_init(3)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# call before the chroot(2) to privsep-path (${prefix}/var/empty), or it will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fail to load the sandbox description and libsandbox.1.dylib.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - macports-config.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Changes the default configuration from the upstream-provided one by popular
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# - agent.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Adds -l flag to ssh-agent to work with launchd.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+post-patch {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # reinplace prefix in path to sandbox definition added by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # patch-sandbox-darwin.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ reinplace "s|@PREFIX@|${prefix}|g" ${worksrcpath}/sandbox-darwin.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+use_autoreconf yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# strnvis(3) isn't actually "broken". OpenBSD decided to be special and flip
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the order of arguments to strnvis and considers everyone else to be broken.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+configure.cppflags-append -DBROKEN_STRNVIS=1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use Apple's sandboxing feature
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+configure.cppflags-append -D__APPLE_SANDBOX_NAMED_EXTERNAL__ \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ -D__APPLE_API_STRICT_CONFORMANCE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Support Apple's launchd in ssh-agent
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+configure.cppflags-append -D__APPLE_LAUNCHD__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+configure.ldflags-append -Wl,-search_paths_first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+configure.args --with-ssl-dir=${prefix} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --sysconfdir=${prefix}/etc/ssh \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-privsep-path=/var/empty \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-md5-passwords \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-pid-dir=${prefix}/var/run \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-pam \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --mandir=${prefix}/share/man \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-zlib=${prefix} \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --without-kerberos5 \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-libedit \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-pie \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --without-xauth \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --without-ldns \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-audit=bsm \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ --with-keychain=apple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+use_parallel_build yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+platform macosx {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {${os.major} < 10} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # See: https://trac.macports.org/ticket/60385
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.args-delete --with-keychain=apple
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } elseif {${os.major} <= 11} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # clang is required to build the new Apple Keychain integration due
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # to it using the Object Subscripting feature, c.f. #59397.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # We'll keep it simple and just blacklist any gcc version, cc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # (which could be anything), system clang versions prior to those
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # shipped with Xcode 4.4.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # Regarding the macports-clang versions, any version in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # MacPorts tree should suit our needs, since the clang
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # documentation lists FOSS clang/llvm 3.1 as the first version to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # support Object Subscripting and the oldest version in our tree is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # now 3.3.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ compiler.blacklist-append *gcc* cc {clang < 421}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+destroot.target install-nokeys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+test.run yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+test.target tests
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+post-destroot {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ destroot.keepdirs ${destroot}${prefix}/var/run
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # switch default port to avoid conflict with system sshd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ reinplace "s|#Port 22|Port 2222|g" ${destroot}${prefix}/etc/ssh/sshd_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # install sandbox definition
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 755 -d ${destroot}${prefix}/share/${name}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 644 ${filespath}/info.roumenpetrov.sshd.sb ${destroot}${prefix}/share/${name}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ file rename "${destroot}${prefix}/etc/ssh/sshd_config" "${destroot}${prefix}/etc/ssh/sshd_config.example"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ file rename "${destroot}${prefix}/etc/ssh/ssh_config" "${destroot}${prefix}/etc/ssh/ssh_config.example"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # install ssh-copy-id
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 755 ${worksrcpath}/contrib/ssh-copy-id ${destroot}${prefix}/bin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -m 644 ${worksrcpath}/contrib/ssh-copy-id.1 ${destroot}${prefix}/share/man/man1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+post-activate {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {![file exists "${prefix}/etc/ssh/sshd_config"]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ copy "${prefix}/etc/ssh/sshd_config.example" "${prefix}/etc/ssh/sshd_config"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {![file exists "${prefix}/etc/ssh/ssh_config"]} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ copy "${prefix}/etc/ssh/ssh_config.example" "${prefix}/etc/ssh/ssh_config"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+platform darwin {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # create link to /usr/include/pam because 'security' was renamed to 'pam'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # in OS X.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # And then again back to security in 10.6.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if {${os.major} < 10} {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pre-configure {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ xinstall -d ${workpath}/include
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ file delete ${workpath}/include/security
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ln -s /usr/include/pam ${workpath}/include/security
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.cppflags-append "-I${workpath}/include"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+platform darwin 9 {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # 10.5/ppc doesn't like the sandbox file we supply
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure.cppflags-delete -D__APPLE_SANDBOX_NAMED_EXTERNAL__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+startupitem.create yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+startupitem.name OpenSSH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+startupitem.start \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "if \[ -x ${prefix}/sbin/sshd \]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if \[ ! -f ${prefix}/etc/ssh/ssh_host_dsa_key \]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/bin/ssh-keygen -t dsa -f \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/ssh/ssh_host_dsa_key -N \"\" -C `hostname`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if \[ ! -f ${prefix}/etc/ssh/ssh_host_rsa_key \]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/bin/ssh-keygen -t rsa -f \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/ssh/ssh_host_rsa_key -N \"\" -C `hostname`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if \[ ! -f ${prefix}/etc/ssh/ssh_host_ecdsa_key \]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/bin/ssh-keygen -t ecdsa -f \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/ssh/ssh_host_ecdsa_key -N \"\" -C `hostname`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if \[ ! -f ${prefix}/etc/ssh/ssh_host_ed25519_key \]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/bin/ssh-keygen -t ed25519 -f \\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/etc/ssh/ssh_host_ed25519_key -N \"\" -C `hostname`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ${prefix}/sbin/sshd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+startupitem.stop \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "if \[ -r ${prefix}/var/run/sshd.pid \]; then
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ kill `cat ${prefix}/var/run/sshd.pid`
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fi"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+livecheck.type regex
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+livecheck.url ${homepage}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+livecheck.regex "Official version x509-(\\d+(?:\\.\\d+)*)"
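Review bot: the privilege-separation path in the comments and in `configure.args` disagree. The patch description near the top says the `sandbox_init(3)` call has to precede the `chroot(2)` to privsep-path `(${prefix}/var/empty)`, but the configure line passes `--with-privsep-path=/var/empty`, the system directory rather than the prefixed one. Pick one and align the other (`--with-privsep-path=${prefix}/var/empty`, or correct the comment), so the location the installed sshd actually chroots into matches what the Portfile documents. Smaller points in the same hunk: `startupitem.start` still generates an `ssh_host_dsa_key` on first start; ssh-dss host keys are fixed at 1024 bits and have been disabled by default in OpenSSH since 7.0, so creating one on every fresh install only adds a weak key type that modern clients refuse, and the dsa block can be dropped while keeping rsa, ecdsa and ed25519. `startupitem.name OpenSSH` labels this port's launchd item after a different port; using the port's own name avoids confusion with the openssh port's item when users read `launchctl` output. A newly submitted port normally starts at `revision 0`, so the `revision 1` line can be removed since there is no earlier binary to supersede.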
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/pkixssh/files/agent.patch b/net/pkixssh/files/agent.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..5c9a30230c4
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/pkixssh/files/agent.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,154 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/ssh-agent.c b/ssh-agent.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 8bb4ee3..5a1cf2f 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh-agent.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh-agent.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -76,6 +76,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include <time.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include <string.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #include <unistd.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_LAUNCHD__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <launch.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#include <AvailabilityMacros.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef HAVE_UTIL_H
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # include <util.h>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1247,6 +1251,9 @@ int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ #ifdef __APPLE_LAUNCHD__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int l_flag = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int sock, ch, result, saved_errno;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *shell, *format, *pidstr, *agentsocket = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extern int optind;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1292,7 +1299,11 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ seed_rng();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_LAUNCHD__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ while ((ch = getopt(ac, av, "cDdklsE:a:P:t:")) != -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ switch (ch) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 'E':
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fingerprint_hash = ssh_digest_alg_by_name(optarg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1312,6 +1323,11 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal("-P option already specified");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ allowed_providers = xstrdup(optarg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_LAUNCHD__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case 'l':
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ l_flag++;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 's':
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (c_flag)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ usage();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1430,6 +1446,75 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Create socket early so it will exist before command gets run from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * the parent.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_LAUNCHD__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (l_flag) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if ((defined (MAC_OS_X_VERSION_10_11)) && (MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_11))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int *fds = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t count = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ result = launch_activate_socket("Listeners", &fds, &count);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (result != 0 || fds == NULL || count < 1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ errno = result;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ perror("launch_activate_socket()");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ exit(1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (i = 0; i < count; i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ new_socket(AUTH_SOCKET, fds[i]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (fds)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(fds);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto skip2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else /* ((defined (MAC_OS_X_VERSION_10_11)) && (MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_11)) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ launch_data_t resp, msg, tmp;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t listeners_i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ msg = launch_data_new_string(LAUNCH_KEY_CHECKIN);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ resp = launch_msg(msg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (NULL == resp) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ perror("launch_msg");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ exit(1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ launch_data_free(msg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ switch (launch_data_get_type(resp)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case LAUNCH_DATA_ERRNO:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ errno = launch_data_get_errno(resp);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ perror("launch_msg response");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ exit(1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ case LAUNCH_DATA_DICTIONARY:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fprintf(stderr, "launch_msg unknown response");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ exit(1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ tmp = launch_data_dict_lookup(resp, LAUNCH_JOBKEY_SOCKETS);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (NULL == tmp) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fprintf(stderr, "no sockets\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ exit(1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ tmp = launch_data_dict_lookup(tmp, "Listeners");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (NULL == tmp) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ fprintf(stderr, "no known listeners\n");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ exit(1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for (listeners_i = 0; listeners_i < launch_data_array_get_count(tmp); listeners_i++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ launch_data_t obj_at_ind = launch_data_array_get_index(tmp, listeners_i);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ new_socket(AUTH_SOCKET, launch_data_get_fd(obj_at_ind));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ launch_data_free(resp);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* ((defined (MAC_OS_X_VERSION_10_11)) && (MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_11)) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ prev_mask = umask(0177);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sock = unix_listener(socket_name, SSH_LISTEN_BACKLOG, 0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (sock < 0) {
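Review bot: in the "result != 0 || fds == NULL || count &lt; 1" error path, errno is set to result before perror(), so when launch_activate_socket() returns 0 but hands back no descriptors (fds == NULL or an empty count) errno becomes 0 and perror prints a success string next to exit(1); report that case with its own message (e.g. fprintf(stderr, "launchd returned no Listeners sockets\n")) and keep errno = result only for the nonzero case. Also note that the umask(0177) guard covers only the unix_listener() branch: in the l_flag path the agent socket is created by launchd, so its owner and mode come from the job's Sockets definition (SockPathMode in the plist), and the plist has to enforce the restrictive mode that this code cannot.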
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1437,7 +1522,18 @@ main(int ac, char **av)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *socket_name = '\0'; /* Don't unlink any existing file */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ cleanup_exit(1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ umask(prev_mask);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_LAUNCHD__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_LAUNCHD__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if ((!(defined (MAC_OS_X_VERSION_10_11))) || (MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_11))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (l_flag)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ goto skip2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* ((!(defined (MAC_OS_X_VERSION_10_11))) || (MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_11)) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* defined (__APPLE_LAUNCHD__) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Fork, and have the parent execute the command, if any, or present
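Review bot: the "if (l_flag) goto skip2;" added here under the pre-10.11 version guard exists only because the legacy launch_msg() branch in the previous hunk does not jump to skip2 itself, while the launch_activate_socket() branch does; a single "goto skip2;" placed after the version #endif inside the "if (l_flag) {" block (dropping the one inside the 10.11 branch) would serve both code paths and remove this second conditional block, which is easy to get out of step with the "#ifdef __APPLE_LAUNCHD__ } #endif" brace closing just above it.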
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1512,6 +1608,9 @@ skip:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pkcs11_init(0);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ new_socket(AUTH_SOCKET, sock);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_LAUNCHD__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++skip2:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ac > 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ parent_alive_interval = 10;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ idtab_init();
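Review bot: the skip2: label sits after pkcs11_init(0), so an agent started with -l (launchd-supplied sockets) never initializes PKCS#11 in builds where that block is compiled in; if the intent is only to bypass the fork/daemonize step, move the label to just before the preprocessor block that wraps pkcs11_init(0) (closed by the #endif on the following line) so launchd-managed agents can still serve PKCS#11 keys. If skipping PKCS#11 under -l is deliberate, the agent.patch header or the Portfile should say so.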
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/pkixssh/files/info.roumenpetrov.sshd.sb b/net/pkixssh/files/info.roumenpetrov.sshd.sb
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..ad77284bfc5
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/pkixssh/files/info.roumenpetrov.sshd.sb
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,23 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+;; Copyright (c) 2008 Apple Inc. All Rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+;;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+;; sshd - profile for privilege separated children
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+;;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+;; WARNING: The sandbox rules in this file currently constitute
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+;; Apple System Private Interface and are subject to change at any time and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+;; without notice.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+;;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(version 1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(deny default)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(allow file-chroot)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(allow file-read-metadata (literal "/var"))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(allow sysctl-read)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(allow mach-per-user-lookup)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+(allow mach-lookup
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (global-name "com.apple.system.notification_center")
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (global-name "com.apple.system.opendirectoryd.libinfo")
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (global-name "com.apple.system.opendirectoryd.libinfo") ;; duplicate name as a work-around for 19978803
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (global-name "com.apple.system.logger"))
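Review bot: the header says these rules are Apple SPI that may change without notice, but nothing in the file records which macOS release the profile was taken from or why (allow file-chroot) and the metadata read on "/var" are needed by the privsep child; add a comment with the origin and version, and have the Portfile install the file root-owned and read-only, because with (deny default) any rule that stops matching a newer release surfaces as a sandbox kill of the child rather than a warning. The duplicated com.apple.system.opendirectoryd.libinfo entry is justified by its inline comment and should stay.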
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/pkixssh/files/launchd.patch b/net/pkixssh/files/launchd.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..e9595c5a2b6
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/pkixssh/files/launchd.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,72 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/channels.c b/channels.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 67369d1..401a70e 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/channels.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/channels.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4727,7 +4727,7 @@ connect_local_xsocket(u_int dnr)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ is_path_to_xsocket(const char *display, char *path, size_t pathlen)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct stat sbuf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/channels.h b/channels.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 606c8d7..c590ba9 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/channels.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/channels.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -348,6 +348,9 @@ int permitopen_port(const char *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* x11 forwarding */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void channel_set_x11_refuse_time(struct ssh *, u_int);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++int is_path_to_xsocket(const char *, char *, size_t);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int x11_connect_display(struct ssh *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void x11_request_forwarding_with_spoofing(struct ssh *, int,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/clientloop.c b/clientloop.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 8414639..1f61d53 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/clientloop.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/clientloop.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -289,6 +289,10 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct stat st;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int now, x11_timeout_real;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int is_path_to_socket = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *_proto = proto;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *_data = data;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
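Review bot: this hunk (and the two that follow) use "#if __APPLE__" while the declaration added to channels.h two hunks up uses "#ifdef __APPLE__"; both compile because Apple's toolchain defines __APPLE__ as 1, but "#if" on an undefined macro evaluates to 0 and trips -Wundef on other compilers, so use "#ifdef __APPLE__" in all three clientloop.c blocks for consistency with channels.c and channels.h.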
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -305,6 +309,19 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (xauth_path != NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * If using launchd socket, remove the screen number from the end
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * of $DISPLAY. is_path_to_socket is used later in this function
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * to determine if an error should be displayed.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char path[PATH_MAX];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ is_path_to_socket = is_path_to_xsocket(display, path, sizeof(path));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * Handle FamilyLocal case where $DISPLAY does
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * not match an authorization entry. For this we
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -427,6 +444,9 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int8_t rnd[16];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ u_int i;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if __APPLE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!is_path_to_socket)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* __APPLE__ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ logit("Warning: No xauth data; "
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "using fake authentication data for X11 forwarding.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ strlcpy(proto, SSH_X11_PROTO, sizeof proto);
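Review bot: the "#if __APPLE__ / if (!is_path_to_socket) / #endif" guard skips only the logit() warning, which is the right scope: the fake protocol name is still installed by the unconditional strlcpy(proto, SSH_X11_PROTO, ...) that follows, so a launchd socket in $DISPLAY suppresses the message without changing what is sent to the server. Because the guarded logit() is a brace-less single statement split over two lines and wrapped in preprocessor conditionals, a later edit that adds a statement there would silently fall outside the if; add braces around the logit() call to make the scope explicit.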
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/pkixssh/files/macports-config.patch b/net/pkixssh/files/macports-config.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..c9b2da02df0
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/pkixssh/files/macports-config.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,72 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/ssh_config b/ssh_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 664f8b8..f119762 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -17,7 +17,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # list of available options, their meanings and defaults, please see the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # ssh_config(5) man page.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-# Host *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Host *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # ForwardAgent no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # ForwardX11 no
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # PasswordAuthentication yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -55,3 +55,4 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # ProxyCommand ssh -q -W %h:%p gateway.example.com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # RekeyLimit 1G 1h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # UserKnownHostsFile ~/.ssh/known_hosts.d/%k
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SendEnv LANG LC_*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/ssh_config.5 b/ssh_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index dd0ef13..c7c9cf3 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/ssh_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/ssh_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -80,6 +80,15 @@ Since the first obtained value for each parameter is used, more
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ host-specific declarations should be given near the beginning of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ file, and general defaults at the end.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Pp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The MacPorts software distribution modifies the default example file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++with some options which are not the default in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Xr ssh 1 :
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Pp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Bl -bullet -offset indent -compact
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm SendEnv No LANG LC_*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.El
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Pp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ The file contains keyword-argument pairs, one per line.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Lines starting with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Ql #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sshd_config b/sshd_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 4776af9..0cdd598 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -179,6 +179,9 @@ AuthorizedKeysFile .ssh/authorized_keys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # no default banner path
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #Banner none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# Allow client to pass locale environment variables
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++AcceptEnv LANG LC_*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # override default of no subsystems
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Subsystem sftp /usr/libexec/sftp-server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
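Review bot: "AcceptEnv LANG LC_*" makes sshd import every client-supplied variable matching LC_* into the session environment, pairing with the "SendEnv LANG LC_*" added to ssh_config above; that is the usual locale-forwarding setup, but sshd_config(5) warns that accepted environment variables can be used to bypass restricted user environments, so the added comment should state that the pattern is deliberately limited to locale variables and that administrators of restricted or forced-command accounts may want to remove it.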
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sshd_config.5 b/sshd_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index d7dbe21..32031de 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd_config.5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -70,6 +70,15 @@ optional whitespace and exactly one
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ the latter format is useful to avoid the need to quote whitespace
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ when specifying configuration options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .Pp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++The MacPorts software distribution modifies the default example file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++with some options which are not the default in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Xr sshd 8 :
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Pp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Bl -bullet -offset indent -compact
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.It
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Cm AcceptEnv No LANG LC_*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.El
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.Pp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ The possible
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ keywords and their meanings are as follows (note that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ keywords are case-insensitive and arguments are case-sensitive):
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/pkixssh/files/pam.patch b/net/pkixssh/files/pam.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..2ac140bb410
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/pkixssh/files/pam.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,13 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/servconf.c b/servconf.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index 25cc28d..677a61b 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/servconf.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/servconf.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -311,7 +311,7 @@ fill_default_server_options(ServerOptions *options)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Portable-specific options */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (options->use_pam == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- options->use_pam = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ options->use_pam = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* X.509 Standard Options */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* options->hostbased_algorithms */
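Review bot: flipping the compiled-in default of options-&gt;use_pam from 0 to 1 enables PAM authentication, account and session processing for every sshd built from this port with no visible setting in sshd_config; the upstream sample sshd_config ("#UsePAM no") and sshd_config.5 document the default as no, and the macports-config.patch above does not touch either, so they will now describe the wrong behaviour. Either update both alongside this change or drop this patch and add "UsePAM yes" to sshd_config in macports-config.patch, where an administrator can see and audit it.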
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/pkixssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff b/net/pkixssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..41e89162bab
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/pkixssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,21 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sandbox-darwin.c b/sandbox-darwin.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index b1206a0..3b5a9ff 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sandbox-darwin.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sandbox-darwin.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -63,8 +63,16 @@ ssh_sandbox_child(struct ssh_sandbox *box)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ struct rlimit rl_zero;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debug3_f("starting Darwin sandbox");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifndef SANDBOX_NAMED_EXTERNAL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define SANDBOX_NAMED_EXTERNAL (0x3)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (sandbox_init("@PREFIX@/share/pkixssh/info.roumenpetrov.sshd.sb",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SANDBOX_NAMED_EXTERNAL, &errmsg) == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ &errmsg) == -1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ fatal_f("sandbox_init: %s", errmsg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
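</span><span style='display:block; white-space:pre;'>Review bot: the `#ifndef SANDBOX_NAMED_EXTERNAL` / `#define SANDBOX_NAMED_EXTERNAL (0x3)` fallback bakes a flag value into the source that the public sandbox.h does not declare (which is why the guard is needed at all); a comment giving the origin of 0x3 and the macOS versions it was checked against would let a maintainer distinguish a later header change from a silent behaviour change. The profile path passed to sandbox_init() still contains the @PREFIX@ token, so the patched file only compiles to something usable once that token has been substituted at build time; a one-line comment next to the call saying where that substitution happens would help.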
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/pkixssh/files/patch-sshd.c-apple-sandbox-named-external.diff b/net/pkixssh/files/patch-sshd.c-apple-sandbox-named-external.diff
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 00000000000..757c3462649
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/pkixssh/files/patch-sshd.c-apple-sandbox-named-external.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,84 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+diff --git a/sshd.c b/sshd.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+index fab0d98..aa8a8bf 100644
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/sshd.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/sshd.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -592,10 +592,79 @@ privsep_preauth(struct ssh *ssh)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Arrange for logging to be sent to the monitor */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ set_log_handler(mm_log_handler, pmonitor);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * ssh_sandbox_child() has the side-effect of disabling opening
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * new files. This is a security precaution to prevent the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * child process from leaking data or opening new sockets, but
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * clashes with newer OpenSSL implementations.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Generally, OpenSSL wants to read new entropy from the system
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * for each reseeding operation (and, by extension, through any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * operation that might trigger an internal reseeding, like
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * requesting random bytes).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * The current OpenSSL port only enables the default set of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * system entropy - which means reading in data from crypto
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * devices like /dev/{,u,s}random and /dev/hwrng.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * To speed things up, OpenSSL tries to open file descriptors
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * to the listed devices and caches the result, i.e., the open
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * file descriptor. Those are normally kept open UNLESS a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * reading error occurred OR no random bytes were returned.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * In a quite scary move, OpenSSL versions prior to 1.1.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * didn't fail when getting system entropy wasn't successful
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * and also added some "pseudo-random" data like the PID,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * user id and current time to the entropy pool, which was
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * often enough to seed the PRNG.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * More recent versions have a rewritten PRNG/DRBG core and,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * crucially, stricter rules when it comes to acquiring system
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * entropy - this is now strictly required and no other data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * is mixed into the pool.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * OpenSSH generally tries (or intends) to leave crypto devices
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * (which should one of the earliest open devices) alone and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * not close their FD on re-exec, but that doesn't seem to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * work. Although OpenSSL is initialized very early in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * main() call chain, which SHOULD lead to open file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * descriptors to crypto devices, on a typical OS X/macOS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * system, /dev/urandom is opened as FD 6, which is above any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * FD that would be preserved after a re-exec operation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * This leads to the child process having no open file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * descriptors to /dev/urandom, activating the sandbox,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * setting the number of open files to zero and subsequently
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * effectively breaking OpenSSL 1.1.1+.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * We'll work around that by reseeding the PRNGs before
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * enabling the sandbox, which has the side-effect of opening
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * a file descriptor to /dev/urandom and keeping it open.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * There is a slight catch: errors in reading from the FD or a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * read count of zero (i.e., the device not returning any data)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * will lead to the FD being closed again without a way to be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * re-opened.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * We can take this risk, as this should realistically not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * happen. Even if it does, that only means that the child
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * process will fail to read random data and hence terminate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * with an error - showing the same symptoms the workaround
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * is intended to fix, but nothing worse.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ reseed_prngs();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* We need to do this before we chroot() so we can read sshd.sb and libsandbox.dylib */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (box != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ssh_sandbox_child(box);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ privsep_preauth_child();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ setproctitle("%s", "[net]");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (box != NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssh_sandbox_child(box);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
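</span><span style='display:block; white-space:pre;'>Review bot: with __APPLE_SANDBOX_NAMED_EXTERNAL__ defined, ssh_sandbox_child(box) now runs before privsep_preauth_child(), so the named profile is already in force for the chroot() the comment mentions and for everything else privsep_preauth_child() does; the block comment should say explicitly that info.roumenpetrov.sshd.sb has to allow those operations, because a profile that denies them only shows up as a failure at runtime in the preauth child. Two style points: the single-line comment `/* We need to do this before we chroot() so we can read sshd.sb and libsandbox.dylib */` runs well past 80 columns and should be wrapped like the block comment above it, and the `if (box != NULL) ssh_sandbox_child(box);` pair is duplicated under complementary #ifdef/#ifndef guards; guarding only the placement (one call site before privsep_preauth_child(), one after) would read more clearly than two copies of the same two lines.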
</span></pre><pre style='margin:0'>
</pre>