security/openssh-portable: Include ssh[d]_config.d/*.conf

security/openssh-portable: Update to 9.9p1

security/openssh-portable: Add KERB_GSSAPI patch for 9.8p1

This patch unbreaks the gssapi flavor.

- Update the distfile location.
- Remove files/extra-patch-gssapi-auth2-gss.c. The change is already
  present in the code so there is no need to carry this extra patch any
  further.
- Add -lgssapi_krb5 to CONFIGURE_LIBS. It fixes the following build errors:

      ld: error: undefined symbol: gss_indicate_mechs
      >>> referenced by sshd.c
      >>>               sshd.o:(main)
      ld: error: undefined symbol: gss_release_oid_set
      >>> referenced by sshd.c
      >>>               sshd.o:(main)

PR:		279437
Approved by:	maintainer timeout
Sponsored by:	Klara, Inc.

security/openssh-portable: fix missing include for sshd.c

This patch adds a missing include for `channels.h`. It is needed, as
later in the file there is a call to `channel_set_hpn`, which is
declared in `channels.h`.

Some ISO C99 compilers may complain about implicit function declaration.

security/openssh-portable: Remove blacklistd chunk for FreeBSD-SA-24:08.openssh

The blacklistd patch currently is broken. Remove the chunk from
FreeBSD-SA-24:08.openssh to be sure it does not linger once the
patch is fixed.

security/openssh-portable: Update to 9.8p1

Changes: https://www.openssh.com/txt/release-9.8

security/openssh-portable: Bring in patches for recent CVES

Source:	https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
PR:	280068

security/openssh-portable: Revert commit

 * Revert changes other than the PORTREVISION bump
 * See PR 280068

security/vuxml: Document OpenSSH vulnerability

security/openssh-portable: Update to 9.7p1

Changes: https://www.openssh.com/txt/release-9.7

security/openssh-portable: Move manpages to share/man

Approved by:	portmgr (blanket)

security/openssh-portable: Fix KERB_GSSAPI build

security/openssh-portable: Update HPN patch.

- Mark GSSAPI build as broken while here.

security/openssh-portable: Fix blacklistd patch

security/openssh-portable: Make HPN as BROKEN.

security/openssh-portable: Update to 9.6p1

Approved by:	bdrewery
Differential Revision:	https://reviews.freebsd.org/D43132

security/openssh-portable: fix build with zlib 1.3

PR:		ports/273578
Approved by:	maintainer timeout

www/vaultwarden-web_vault: Revert borked git add

This reverts commit 3a3fbae18157d39b68c43c590fa9e977fed9cef4.

www/vaultwarden-web_vault: Update to 2023.8.2

PR:		274304
Approved by:	maintainer time-out

security/openssh-portable: Fix build with KERB_GSSAPI set

PR:		273052
Reported by:	brd
Approved by:	maintainer timeout
Tested by:	wollman
Sponsored by:	Klara Inc.

security/openssh-portable: Update to 9.3p2.

Changes:	https://www.openssh.com/txt/release-9.3p2
Security:	CVE-2023-38408

security/openssh-portable: Update to 9.3p1.

Changes: https://www.openssh.com/txt/release-9.3

security/openssh-portable: Upgrade to 9.2p1

Changes: https://www.openssh.com/txt/release-9.2

security/openssh-portable: Fix GSSAPI build for 9.1

security/openssh-portable: Fix BLACKLISTD patch

Reported by:	Chad J. Milios

security/openssh-portable: Update to 9.1p1

Changes: https://www.openssh.com/txt/release-9.1

Remove WWW entries moved into port Makefiles

Commit b7f05445c00f has added WWW entries to port Makefiles based on
WWW: lines in pkg-descr files.

This commit removes the WWW: lines of moved-over URLs from these
pkg-descr files.

Approved by:		portmgr (tcberner)

Add WWW entries to port Makefiles

It has been common practice to have one or more URLs at the end of the
ports' pkg-descr files, one per line and prefixed with "WWW:". These
URLs should point at a project website or other relevant resources.

Access to these URLs required processing of the pkg-descr files, and
they have often become stale over time. If more than one such URL was
present in a pkg-descr file, only the first one was tarnsfered into
the port INDEX, but for many ports only the last line did contain the
port specific URL to further information.

There have been several proposals to make a project URL available as
a macro in the ports' Makefiles, over time.

security: remove 'Created by' lines

A big Thank You to the original contributors of these ports:

  *  <ports@c0decafe.net>
  *  Aaron Dalton <aaron@FreeBSD.org>
  *  Adam Weinberger <adamw@FreeBSD.org>
  *  Ade Lovett <ade@FreeBSD.org>
  *  Aldis Berjoza <aldis@bsdroot.lv>
  *  Alex Dupre <ale@FreeBSD.org>
  *  Alex Kapranoff <kappa@rambler-co.ru>
  *  Alex Samorukov <samm@freebsd.org>
  *  Alexander Botero-Lowry <alex@foxybanana.com>
  *  Alexander Kriventsov <avk@vl.ru>
  *  Alexander Leidinger <netchild@FreeBSD.org>

security/openssh-portable: Update to 9.0p1

Changes:        https://www.openssh.com/txt/release-9.0
PR:		264211

security/openssh-portable: Fix some capsicum issues

- Brings in latest changes from base. See patches for details.
- Version 9.0 is being worked on but I wanted to fix this issue
  before proceeding with bigger changes.

PR:		263753

security/openssh-portable: Add comment in openssh.in about host keys

Commit ae66cffc19f added some rc vars to allow disabling host keys.
The naming caused some confusion. Attempt to address that with a
comment since these are not documented anywhere else.

PR:	        202169

security/openssh-portable: Again fix procctl(2) usage

The 8.9p1 update was supposed to have a fix for incorrect
use of procctl(2) but was left out for some reason. A wrong
assumption missed keeping it in ae66cffc19f357cbd5.

PR:          262352

security/openssh-portable: Fix fetching gssapi patch

- Mirror it
- Update to latest Debian location

security/openssh-portable: fix docs when built without PAM support

The defaults documented in sshd_config and sshd_config.5 are incorrect
if OpenSSH was built without PAM support and can be misleading to the
user whether or not password authentication is enabled.

- Moved PAM specific changes out of patch-sshd_config and into
  extra-patch-pam-sshd_config
- sshd_config.5 PasswordAuthentication: added a new line before the note
  to make it easier to read.
- sshd_config.5 UsePAM: noted the default value depends on whether
  sshd was built with or without PAM support.

PR:		261342

security/openssh-portable: Tweak new rc var names

Commit ae66cffc19f357cbd5 added new rc vars to control generating of
host keys [1].  Rename these to more closely match the base version
before it becomes widely adopted.

PR:	        202169 [1]
PR:	        209948 [FYI]

security/openssh-portable: Update to 8.9p1

- Unbreak GSSAPI [1]
- rc.d/openssh: Allow modifying host key generation [2]

Changes: https://www.openssh.com/txt/release-8.9
PR:     	259909 [1]
PR:		202169 [2]
Submitted by:	Rick Miller [1]
Submitted by:	Chad Jacob Milios [2]

security/openssh-portable: Fix subtle rc script problem.

Invoking 'run_rc_command' taints '$rc_var' with 'keygen' which blocks further
processing for something like openssh_oomprotect.  Note that openssh_oomprotect
is broken in rc.subr until it learns to read a pidfile.

*/*: Remove redundant '-*' from CONFLICTS definitions

The conflict checks compare the patterns first against the package
names without version (as reported by "pkg query "%n"), then - if
there was no match - agsinst the full package names including the
version (as reported by "pkg query "%n-%v").

Approved by: portmgr (blanket)

security/openssh-portable: libfido fix went in 505373243

security/openssh-portable: Fix sftp crash

This fixes an error trying to disabling process tracing.

It has been sent upstream.

PR:		259174
Submitted by:	mike at sentex dot net

security/openssh-portable: Fix build without LIBEDIT

This removes a patch that is no longer needed with 8.8p1.

Reported by:	leres

security/openssh-portable: Update to 8.8p1

Changelog:	https://www.openssh.com/txt/release-8.8
Security:	CVE-2021-41617

security/openssh-portable: Fix default ssh-askpass path

Reported by:	Piotr Smyrak

security/openssh-portable: Add CPE information

Approved by:	portmgr (blanket)

security/openssh-portable: Various build fixes

- Fix build with WITH_BLACKLISTD [1]
- Fix build with WITHOUT_LIBEDIT due to upstream bug [2]

Reported by:	emaste [1]
Reported by:	Ivan Rozhuk [2]
PR:		258402 [2]

security/openssh-portable: Update to 8.7p1.

Changes: https://www.openssh.com/txt/release-8.7

security/openssh-portable: Update to 8.6p1

- gssapi is disabled for now.

Changes:
 - https://www.openssh.com/txt/release-8.5
 - https://www.openssh.com/txt/release-8.6

Submitted by:	Yasuhiro Kimura [earlier version][1]
PR:		254389 [1]

all: Remove all other $FreeBSD keywords.

Remove # $FreeBSD$ from Makefiles.

Add limited patch for CVE-2021-28041 from upstream.

security/openssh-portable@gssapi: fix build on GCC architectures

gss-genr.c: In function 'ssh_gssapi_kex_mechs':
gss-genr.c:175:9: error: 'strncpy' specified bound depends on the length of the
source argument [-Werror=stringop-overflow=]
  175 |    cp = strncpy(s, kex, strlen(kex));
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

security/openssh-portable: fix build on GCC architectures

loginrec.c:763:2: error: 'strncpy' output may be truncated copying 32 bytes from
a string of length 511 [-Werror=stringop-truncation]
strncpy(utx->ut_user, li->username,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MIN_SIZEOF(utx->ut_user, li->username));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
loginrec.c: In function 'record_failed_login':
loginrec.c:1687:2: error: 'strncpy' specified bound 32 equals destination size
[-Werror=stringop-truncation]
strncpy(ut.ut_user, username, sizeof(ut.ut_user));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
loginrec.c:1696:2: error: 'strncpy' specified bound 256 equals destination size
[-Werror=stringop-truncation]
strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));

- Fix KERB_GSSAPI build; missing prototypes for DH openssl-compat.

PR:		212151 (maybe)

- Add pkg-config dependency which avoids some maintainer testing errors
  and also removes a few unneeded library links such as -lcurses.
- libfido2 package is broken with pkg-config and base ssl. Workaround this
  by not using pkg-config for that library for now.
- Add USES=localbase to simplify some options
- Make crypt(3) MD5 password support optional but still on-by-default.  The
  default in FreeBSD changed in 10.0 but that does not mean
- Enable -Werror
- Remove some old baggage from the port build
 o The zlib version check has not been needed for a while.
 o sshd.8 has not had %%PREFIX%% or %$RC_SCRIPT_NAME%% since 2011
   and is not worth more patches/complexity.
 o The strnvis(3) problem noted in r311891 was fixed in OpenSSH 7.4.
 o autoreconf is run so it makes no sense to patch configure for -ldes
 o --with-md5-passwords is not needed as our crypt(3) supports it
   natively.  This is only relevant without PAM.

- Add blacklistd(8) support.
  This differs slightly from base as it uses the current NetBSD
  hook points.
  This is off-by-default as it needs testing and has issues that may cause
  crashes.  One such issue is the use of private bl_create() symbol from
  libblacklist.  It is also unclear if the hook points are sufficient
  or proper after the libssh refactoring in 8.x.

PR:		223628 (patch rewritten as it no longer applied)

- Add and enable FIDO/U2F support for security keys by default.
  This feature came in 8.2, is enabled by default on OpenBSD,
  and suggested to be enabled by default for packages.

- Slightly reduce diff with base
- No functional changes.

PR:		223010
Submitted by:	brnrd (earlier patch)

- bindresvport support hasn't been used since 7.8

- Remove sctp patch missed in r466577

- Update to 8.4p1 (skipped 8.3)

 - https://www.openssh.com/txt/release-8.3
 - https://www.openssh.com/txt/release-8.4

PR:		239807, 250319
Sponsored by:	Dell EMC

security/openssh-portable: Set LICENSE

In the past, the ports framework did not support handling situations
where a port contained a multitude of licenses. In case of OpenSSH
the list is/was: BSD2, BSD3, MIT, public domain, BSD-Style, BEER-WARE,
"any purpose with notice intact", and ISC-Style.

Instead of having to keep track of all the involved licenses which all
are very similar, let's use LICENSE_PERMS.

I am not bumping PORTREVISION as it is not a vital change from the
perspective of package users.

Approved by:	bdrewery (maintainer)
Differential Revision:	https://reviews.freebsd.org/D27133

Install the moduli file as a @sample

PR:		250559
Submitted by:	Michal "rysiek" Wozniak <rysiek % isnic.is>
Approved by:	maintainer timeout

Fix a typo

Approved by:	portmgr blanket

Update WWW

Approved by:	portmgr (blanket)

- Simplify and refactor login.conf environment handling.

Fix build without PAM option

Remove long broken X509 patch.

Approved by:	portmgr (implicit)

Fix plist for 8.2p1

- Update to 8.2p1

Release notes: https://www.openssh.com/txt/release-8.2

Update to 8.1p1

Changes: https://www.openssh.com/txt/release-8.1

Sponsored by:	Dell EMC

Drop the ipv6 virtual category for s* category as it is not relevant anymore

Bump PORTREVISION on ldns consumers

Shared lib version changed in update

Reported by:	sunpoet

Convert to UCL & cleanup pkg-message (categories s)

- Update gssapi patch for 8.0
- Rework how the gssapi patch is fetched/mirrored so we can fetch
  directly from debian.

PR:		239290
Submitted by:	david@dcrosstech.com (based on)
Tested by:	vrwmiller@gmail.com

Fix BROKEN handling for x509/gssapi FLAVORS

Update to 8.0p1

Changes: https://www.openssh.com/txt/release-8.0

With help from:	Lee Prokowich
Sponsored by:	DellEMC

- Fix X509 build after r484765 openssl fix
- Fix patch URL for KERB_GSSAPI
- Add FLAVORs for x509 and gssapi since they are distinct types of
  OpenSSH rather than feature flags.

Approved by:	portmgr (implicit)

- Update KERB_GSSAPI for 7.9p1

- Fix HPN for 7.9p1
- DOCS is required for HPN but it's not exclusively a flavor so needs to be
  in the default list.
- Fix a build-time OpenSSL version comparison [1]

PR:		233157 [1]
Reported by:	Robert Schulze <rs@bytecamp.net> [1]
Obtained from:	upstream c0a35265907533be10ca151ac797f34ae0d68969 [1]

Update to 7.9p1.

- Fixes build on 12, head, and openssl-devel.
- GSSAPI and HPN are currently marked BROKEN as I don't want to block
  the main update for anyone.

  http://www.openssh.com/txt/release-7.8
  http://www.openssh.com/txt/release-7.9

MFH:	2018Q4 (due to being broken on 12+head)

security/openssl-devel was removed, but there is a security/openssl111 now.

Add DOCS options to ports that should have one.

Also various fixes related to said option.

PR:		230864
Submitted by:	mat
exp-runs by:	antoine

Simplify CONFLICTS_INSTALL.

Reported by:	mat

- Fix and update HPN patch to latest from upstream but leave it off by
  default.
- Add an 'hpn' FLAVOR to produce a package for users with HPN and
  NONECIPHER enabled.

Approved by:	portmgr (implicit)

Update x509 patch to 11.3.2

Forgot PORTREVISION bump for r472797.

PR:		229147

Fix nologin check when PAM option is disabled in the port.

PR:		229147
Submitted by:	Robert Schulze <rs@bytecamp.net>

Add lost metadata on why this patch exists

- Add XMSS option to enable experimental key support added in 7.7 [1]
- Bring in upstream patches post 7.7 to fix various issues [2]:
  b81b2d120e9c8a83489e241620843687758925ad - Fix tunnel forwarding broken in
7.7p1
  341727df910e12e26ef161508ed76d91c40a61eb - don't kill ssh-agent's listening
socket entriely if we fail to accept a connection
  85fe48fd49f2e81fa30902841b362cfbb7f1933b - don't free the %C expansion, it's
used later for LocalCommand
  868afa68469de50d8a43e5daf867d7c624a34d20 - Disable SSH2_MSG_DEBUG messages for
Twisted Conch clients
  f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 - Omit 3des-cbc if OpenSSL built
without DES

PR:		227758 [1]
Submitted by:	IWAMOTO Kouichi <sue@iwmt.org> [1]
PR:		227551 [2]
Reported by:	rozhuk.im@gmail.com [2]
Obtained from:	upstream mirror https://github.com/openssh/openssh-portable [2]

Update the KERB_GSSAPI patch from debian.

https://sources.debian.org/data/main/o/openssh/1:7.7p1-2/debian/patches/gssapi.patch
is mirrored due to not being filename-unique and not gzipped.

PR:		226789
Submitted by:	Rick Miller <vmiller@verisign.com> (based on)
Tested by:	Rick Miller <vmiller@verisign.com>
Reported by:	david@dcrosstech.com

The block of code that canonicallizes the hostname supplied on
the command line added by patch-ssh.c misapplies to 7.7p1 and
moves from main() to to ssh_session2(). This breaks ssh SSHFP
support for non-canonical hostnames. For example, "ssh zinc"
correctly discovers the FQDN (zinc.ee.lbl.gov) and uses it to
look up A and AAAA records but the non-canonical version (zinc)
is used in the SSHFP record lookup which or course fails.

Regenerate the patch.

Reviewed by:	bdrewery, ler (mentor)
Approved by:	bdrewery, ler (mentor)
Differential Revision:	https://reviews.freebsd.org/D15053

Make BROKEN lines more clear

Update to 7.7p1

- Update x509 patch to 11.3
- Remove SCTP option as it has not had a patch available since 7.2.

Changes: https://www.openssh.com/txt/release-7.7

Notable changes:
 * ssh(1)/sshd(8): Drop compatibility support for some very old SSH
   implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These
   versions were all released in or before 2001 and predate the final
   SSH RFCs. The support in question isn't necessary for RFC-compliant
   SSH implementations.

libressl support was fixed in r452358

Mark some ports broken with openssl-devel.

Sponsored by:	Absolight

Remove OVERWRITE_BASE compat - it was marked IGNORE in 2015

LibreSSL + LDNS: Fix random crashes.

This happens due to ldns-config --libs adding in too many libraries
(overlinking), and -lcrypto again, which causes some strange
conflict/corruption.  By specifying the path to --with-ldns, configure only
adds in -ldns rather than every library ldns itself needs.

PR:		223000
Reported by:	many

security/openssh-portable: Remove groff dependency

An unconditional dependency on groff was added in ports r441907 [1] as part
of bug 213725 (groff removal from base). OpenSSH release-5.7 notes the
following:

 * Use mandoc as preferred manpage formatter if it is present, followed
   by nroff and groff respectively.

This change removes groff as an unconditional dependency allowing mandoc
to be used, and reduces many subsequence dependencies accordingly.

It additionally explicitly sets 'mantype', which ensures that man pages
are installed in the same location (LOCALBASE/man) independently from the
generator used. Without this, a packaging (pkg-plist) error is observed
(installing man pages into LOCALBASE/doc not LOCALBASE/man), which was
presumably the genesis of the groff dependency addition in the first place.

[1] http://svnweb.freebsd.org/changeset/ports/441907

Reviewed by:		bdrewery (maintainer), allanjude
Approved by:		bdrewery (maintainer)
Differential Revision:	D11793

Mark broken with libressl as it has several random crashses.

PR:		223000