pkgsrc-WIP-changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

openssh8: copy of security/openssh updated to 8.0p1.



Module Name:	pkgsrc-wip
Committed By:	Aleksej Lebedev <root%zta.lk@localhost>
Pushed By:	zhtw
Date:		Wed May 1 13:37:37 2019 +0000
Changeset:	4f800ff6286f83357b89ae964ca05f0f9c652f09

Added Files:
	openssh/DESCR
	openssh/INSTALL
	openssh/MESSAGE.Interix
	openssh/MESSAGE.pam
	openssh/Makefile
	openssh/PLIST
	openssh/distinfo
	openssh/files/org.openssh.sshd.sb.in
	openssh/files/smf/manifest.xml
	openssh/files/smf/sshd.sh
	openssh/files/sshd.sh
	openssh/options.mk
	openssh/patches/patch-Makefile.in
	openssh/patches/patch-auth-passwd.c
	openssh/patches/patch-auth-rhosts.c
	openssh/patches/patch-auth.c
	openssh/patches/patch-auth2.c
	openssh/patches/patch-clientloop.c
	openssh/patches/patch-config.h.in
	openssh/patches/patch-configure.ac
	openssh/patches/patch-defines.h
	openssh/patches/patch-includes.h
	openssh/patches/patch-loginrec.c
	openssh/patches/patch-openbsd-compat_bsd-openpty.c
	openssh/patches/patch-openbsd-compat_openbsd-compat.h
	openssh/patches/patch-openbsd-compat_port-tun.c
	openssh/patches/patch-platform.c
	openssh/patches/patch-sandbox-darwin.c
	openssh/patches/patch-scp.c
	openssh/patches/patch-session.c
	openssh/patches/patch-sftp-common.c
	openssh/patches/patch-sshd.8
	openssh/patches/patch-sshd.c
	openssh/patches/patch-sshpty.c
	openssh/patches/patch-uidswap.c
	openssh/t
	openssh8/DESCR
	openssh8/INSTALL
	openssh8/MESSAGE.Interix
	openssh8/MESSAGE.pam
	openssh8/Makefile
	openssh8/PLIST
	openssh8/distinfo
	openssh8/files/org.openssh.sshd.sb.in
	openssh8/files/smf/manifest.xml
	openssh8/files/smf/sshd.sh
	openssh8/files/sshd.sh
	openssh8/options.mk
	openssh8/patches/patch-Makefile.in
	openssh8/patches/patch-auth-passwd.c
	openssh8/patches/patch-auth-rhosts.c
	openssh8/patches/patch-auth.c
	openssh8/patches/patch-auth2.c
	openssh8/patches/patch-clientloop.c
	openssh8/patches/patch-config.h.in
	openssh8/patches/patch-configure.ac
	openssh8/patches/patch-defines.h
	openssh8/patches/patch-includes.h
	openssh8/patches/patch-loginrec.c
	openssh8/patches/patch-openbsd-compat_bsd-openpty.c
	openssh8/patches/patch-openbsd-compat_openbsd-compat.h
	openssh8/patches/patch-openbsd-compat_port-tun.c
	openssh8/patches/patch-platform.c
	openssh8/patches/patch-sandbox-darwin.c
	openssh8/patches/patch-scp.c
	openssh8/patches/patch-session.c
	openssh8/patches/patch-sftp-common.c
	openssh8/patches/patch-sshd.8
	openssh8/patches/patch-sshd.c
	openssh8/patches/patch-sshpty.c
	openssh8/patches/patch-uidswap.c

Log Message:
openssh8: copy of security/openssh updated to 8.0p1.

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=4f800ff6286f83357b89ae964ca05f0f9c652f09

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 openssh/DESCR                                      |  14 ++
 openssh/INSTALL                                    |  36 ++++
 openssh/MESSAGE.Interix                            |  20 ++
 openssh/MESSAGE.pam                                |   9 +
 openssh/Makefile                                   | 209 +++++++++++++++++++++
 openssh/PLIST                                      |  31 +++
 openssh/distinfo                                   |  29 +++
 openssh/files/org.openssh.sshd.sb.in               |  23 +++
 openssh/files/smf/manifest.xml                     |  46 +++++
 openssh/files/smf/sshd.sh                          |  68 +++++++
 openssh/files/sshd.sh                              | 115 ++++++++++++
 openssh/options.mk                                 |  51 +++++
 openssh/patches/patch-Makefile.in                  |  31 +++
 openssh/patches/patch-auth-passwd.c                |  27 +++
 openssh/patches/patch-auth-rhosts.c                |  33 ++++
 openssh/patches/patch-auth.c                       |  27 +++
 openssh/patches/patch-auth2.c                      |  15 ++
 openssh/patches/patch-clientloop.c                 |  63 +++++++
 openssh/patches/patch-config.h.in                  |  37 ++++
 openssh/patches/patch-configure.ac                 | 138 ++++++++++++++
 openssh/patches/patch-defines.h                    |  47 +++++
 openssh/patches/patch-includes.h                   |  17 ++
 openssh/patches/patch-loginrec.c                   |  68 +++++++
 openssh/patches/patch-openbsd-compat_bsd-openpty.c |  22 +++
 .../patches/patch-openbsd-compat_openbsd-compat.h  |  17 ++
 openssh/patches/patch-openbsd-compat_port-tun.c    |  45 +++++
 openssh/patches/patch-platform.c                   |  16 ++
 openssh/patches/patch-sandbox-darwin.c             |  23 +++
 openssh/patches/patch-scp.c                        |  39 ++++
 openssh/patches/patch-session.c                    |  65 +++++++
 openssh/patches/patch-sftp-common.c                |  14 ++
 openssh/patches/patch-sshd.8                       |  27 +++
 openssh/patches/patch-sshd.c                       | 137 ++++++++++++++
 openssh/patches/patch-sshpty.c                     |  24 +++
 openssh/patches/patch-uidswap.c                    |  77 ++++++++
 openssh/t                                          | 136 ++++++++++++++
 openssh8/DESCR                                     |  14 ++
 openssh8/INSTALL                                   |  36 ++++
 openssh8/MESSAGE.Interix                           |  20 ++
 openssh8/MESSAGE.pam                               |   9 +
 openssh8/Makefile                                  | 209 +++++++++++++++++++++
 openssh8/PLIST                                     |  31 +++
 openssh8/distinfo                                  |  29 +++
 openssh8/files/org.openssh.sshd.sb.in              |  23 +++
 openssh8/files/smf/manifest.xml                    |  46 +++++
 openssh8/files/smf/sshd.sh                         |  68 +++++++
 openssh8/files/sshd.sh                             | 115 ++++++++++++
 openssh8/options.mk                                |  51 +++++
 openssh8/patches/patch-Makefile.in                 |  31 +++
 openssh8/patches/patch-auth-passwd.c               |  27 +++
 openssh8/patches/patch-auth-rhosts.c               |  33 ++++
 openssh8/patches/patch-auth.c                      |  27 +++
 openssh8/patches/patch-auth2.c                     |  15 ++
 openssh8/patches/patch-clientloop.c                |  63 +++++++
 openssh8/patches/patch-config.h.in                 |  37 ++++
 openssh8/patches/patch-configure.ac                | 138 ++++++++++++++
 openssh8/patches/patch-defines.h                   |  47 +++++
 openssh8/patches/patch-includes.h                  |  17 ++
 openssh8/patches/patch-loginrec.c                  |  68 +++++++
 .../patches/patch-openbsd-compat_bsd-openpty.c     |  22 +++
 .../patches/patch-openbsd-compat_openbsd-compat.h  |  17 ++
 openssh8/patches/patch-openbsd-compat_port-tun.c   |  45 +++++
 openssh8/patches/patch-platform.c                  |  16 ++
 openssh8/patches/patch-sandbox-darwin.c            |  23 +++
 openssh8/patches/patch-scp.c                       |  39 ++++
 openssh8/patches/patch-session.c                   |  65 +++++++
 openssh8/patches/patch-sftp-common.c               |  14 ++
 openssh8/patches/patch-sshd.8                      |  27 +++
 openssh8/patches/patch-sshd.c                      | 137 ++++++++++++++
 openssh8/patches/patch-sshpty.c                    |  24 +++
 openssh8/patches/patch-uidswap.c                   |  77 ++++++++
 71 files changed, 3456 insertions(+)

diffs:
diff --git a/openssh/DESCR b/openssh/DESCR
new file mode 100644
index 0000000000..764ae7f090
--- /dev/null
+++ b/openssh/DESCR
@@ -0,0 +1,14 @@
+OpenSSH is based on the last free version of Tatu Ylonen's SSH with
+all patent-encumbered algorithms removed (to external libraries), all
+known security bugs fixed, new features reintroduced and many other
+clean-ups. More information about SSH itself can be found in the file
+README.Ylonen. OpenSSH has been created by Aaron Campbell, Bob Beck,
+Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song.
+
+This port consists of the re-introduction of autoconf support, PAM
+support (for Linux and Solaris), EGD[1] support, SOCKS support (using
+the Dante [6] libraries and replacements for OpenBSD library functions
+that are (regrettably) absent from other unices. This port has been
+best tested on Linux, Solaris, HPUX, NetBSD and Irix. Support for AIX,
+SCO, NeXT and other Unices is underway. This version actively tracks
+changes in the OpenBSD CVS repository.
diff --git a/openssh/INSTALL b/openssh/INSTALL
new file mode 100644
index 0000000000..8b8d1d310e
--- /dev/null
+++ b/openssh/INSTALL
@@ -0,0 +1,36 @@
+# $NetBSD: INSTALL,v 1.10 2003/08/30 20:23:06 jlam Exp $
+
+DIRS="/etc /etc/ssh ${PKG_PREFIX}/etc ${PKG_PREFIX}/etc/ssh"
+FILES="sshd.conf sshd_config"
+
+case ${STAGE} in
+POST-INSTALL)
+	for dir in $DIRS; do
+		if [ "@PKG_SYSCONFDIR@" != "$dir" ]; then
+			for file in $FILES; do
+				path=$dir/$file
+				if [ -f $path ]; then
+					${CAT} <<EOF
+===========================================================================
+
+                           *===* NOTICE *===*
+
+WARNING: previous configuration file $path found.
+
+The config files for ${PKGNAME} must be located in:
+
+	@PKG_SYSCONFDIR@
+
+You will need to ensure your configuration files and/or keys are
+placed in the correct directory before using ${PKGNAME}.
+
+===========================================================================
+EOF
+
+					exit
+				fi
+			done
+		fi
+	done
+	;;
+esac
diff --git a/openssh/MESSAGE.Interix b/openssh/MESSAGE.Interix
new file mode 100644
index 0000000000..ee57d65d24
--- /dev/null
+++ b/openssh/MESSAGE.Interix
@@ -0,0 +1,20 @@
+===========================================================================
+$NetBSD: MESSAGE.Interix,v 1.1 2005/03/07 23:29:49 tv Exp $
+
+OpenSSH on Interix has some important caveats:
+
+* Hostname resolution uses the BIND resolver library rather than Windows
+  native lookup services.  This requires that /etc/resolv.conf be set up
+  properly with a "nameserver" line; see resolv.conf(5).  In most
+  installations, this was generated automatically when Services for UNIX
+  was installed (based on the name server in use at that time).
+
+* Currently, UsePrivilegeSeparation does not work properly, so it defaults
+  to "no" on Interix.
+
+* Network drives and encrypted local files may not be accessible after
+  logging in through sshd thanks to the way the Windows security API works.
+  A workaround is to "exec su USERNAME" after logging in, which will use
+  the password to create a proper Windows access credential key.
+
+===========================================================================
diff --git a/openssh/MESSAGE.pam b/openssh/MESSAGE.pam
new file mode 100644
index 0000000000..e111287144
--- /dev/null
+++ b/openssh/MESSAGE.pam
@@ -0,0 +1,9 @@
+===========================================================================
+$NetBSD: MESSAGE.pam,v 1.3 2003/10/08 18:54:42 reed Exp $
+
+To authenticate for SSH using PAM, add the contents of the file:
+
+	${EGDIR}/sshd.pam
+
+to your PAM configuration file (or PAM configuration directory).
+===========================================================================
diff --git a/openssh/Makefile b/openssh/Makefile
new file mode 100644
index 0000000000..0f497cfb75
--- /dev/null
+++ b/openssh/Makefile
@@ -0,0 +1,209 @@
+# $NetBSD: Makefile,v 1.258 2019/04/25 14:55:04 tron Exp $
+
+DISTNAME=		openssh-8.0p1
+PKGNAME=		${DISTNAME:S/p1/.1/}
+PKGREVISION=		1
+CATEGORIES=		security
+MASTER_SITES=		${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
+
+MAINTAINER=		pkgsrc-users%NetBSD.org@localhost
+HOMEPAGE=		http://www.openssh.com/
+COMMENT=		Open Source Secure shell client and server (remote login program)
+LICENSE=		modified-bsd
+
+CONFLICTS=		sftp-[0-9]*
+CONFLICTS+=		ssh-[0-9]* ssh6-[0-9]*
+CONFLICTS+=		ssh2-[0-9]* ssh2-nox11-[0-9]*
+CONFLICTS+=		openssh+gssapi-[0-9]*
+CONFLICTS+=		lsh>2.0
+BROKEN_ON_PLATFORM+=	OpenBSD-*-*
+
+USE_GCC_RUNTIME=	yes
+USE_TOOLS+=		autoconf perl
+
+# retain the following line, for IPv6-ready pkgsrc webpage
+BUILD_DEFS+=		IPV6_READY
+
+PKG_GROUPS_VARS+=	OPENSSH_GROUP
+PKG_USERS_VARS+=	OPENSSH_USER
+BUILD_DEFS+=		OPENSSH_CHROOT
+BUILD_DEFS+=		VARBASE
+
+INSTALL_TARGET=		install-nokeys
+
+.include "options.mk"
+
+# fixes: dyld: Symbol not found: _allow_severity
+CONFIGURE_ARGS.Darwin+=	--disable-strip
+
+# OpenSSH on Interix has some important caveats
+.if ${OPSYS} == "Interix"
+MESSAGE_SRC=		${.CURDIR}/MESSAGE.Interix
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/lib/bind
+CONFIGURE_ENV+=		ac_cv_func_openpty=no
+CONFIGURE_ENV+=		ac_cv_type_struct_timespec=yes
+CPPFLAGS+=		-DIOV_MAX=16 # default is INT_MAX, way too large
+.  if exists(/usr/local/include/bind/resolv.h)
+CPPFLAGS+=		-I/usr/local/include/bind
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/include/bind
+.  elif exists(/usr/local/bind/include/resolv.h)
+CPPFLAGS+=		-I/usr/local/bind/include
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/bind/include
+.  endif
+LDFLAGS+=		-L/usr/local/lib/bind
+LIBS+=			-lbind -ldb -lcrypt
+
+.else # not Interix
+
+PKG_GROUPS=		${OPENSSH_GROUP}
+PKG_USERS=		${OPENSSH_USER}:${OPENSSH_GROUP}
+
+PKG_GECOS.${OPENSSH_USER}=	sshd privsep pseudo-user
+PKG_HOME.${OPENSSH_USER}=	${OPENSSH_CHROOT}
+
+.endif
+
+SSH_PID_DIR=		${VARBASE}/run	# default directory for PID files
+
+PKG_SYSCONFSUBDIR=	ssh
+
+GNU_CONFIGURE=		yes
+CONFIGURE_ARGS+=	--with-mantype=man
+CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR}
+CONFIGURE_ARGS+=	--with-pid-dir=${SSH_PID_DIR}
+CONFIGURE_ARGS+=	--with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
+
+.if ${OPSYS} != "Interix"
+CONFIGURE_ARGS+=	--with-privsep-path=${OPENSSH_CHROOT:Q}
+CONFIGURE_ARGS+=	--with-privsep-user=${OPENSSH_USER}
+.endif
+
+# pkgsrc already enforces a "secure" version of zlib via dependencies,
+# so skip this bogus version check.
+CONFIGURE_ARGS+=	--without-zlib-version-check
+
+.if ${_PKGSRC_MKPIE} != "no"
+CONFIGURE_ARGS+=	--with-pie
+.endif
+
+# the openssh configure script finds and uses ${LD} if defined and
+# defaults to ${CC} if not. we override LD here, since running the
+# linker directly results in undefined symbols for obvious reasons.
+#
+CONFIGURE_ENV+=		LD=${CC:Q}
+
+# Enable S/Key support on NetBSD, Darwin, and Solaris.
+.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
+.  include "../../security/skey/buildlink3.mk"
+CONFIGURE_ARGS+=	--with-skey=${BUILDLINK_PREFIX.skey}
+.else
+CONFIGURE_ARGS+=	--without-skey
+.endif
+
+.if (${OPSYS} == "NetBSD")
+.  if exists(/usr/include/utmpx.h)
+# if we have utmpx et al do not try to use login()
+CONFIGURE_ARGS+=	--disable-libutil
+.  endif
+#
+# NetBSD current after 2011/03/12 has incompatible strnvis(3) and
+# prior version don't have it.  So, disable use of strnvis(3) now.
+#
+CONFIGURE_ENV+=		ac_cv_func_strnvis=no
+#
+# workaround for ./configure problem, pkg/50936
+#
+CONFIGURE_ENV+=		ac_cv_func_reallocarray=no
+.endif
+
+.if (${OPSYS} == "SunOS") && (${OS_VERSION} == "5.8" || ${OS_VERSION} == "5.9")
+CONFIGURE_ARGS+=	--disable-utmp --disable-wtmp
+.endif
+
+CONFIGURE_ARGS.Linux+=	--enable-md5-password
+
+# The ssh-askpass program is in ${X11BASE}/bin or ${PREFIX}/bin depending
+# on if it's part of the X11 distribution, or if it's installed from pkgsrc
+# (security/ssh-askpass).
+#
+.if exists(${X11BASE}/bin/ssh-askpass)
+ASKPASS_PROGRAM=	${X11BASE}/bin/ssh-askpass
+.else
+ASKPASS_PROGRAM=	${PREFIX}/bin/ssh-askpass
+.endif
+CONFIGURE_ENV+=		ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+MAKE_ENV+=		ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+
+# do the same for xauth
+.if exists(${X11BASE}/bin/xauth)
+CONFIGURE_ARGS+=	--with-xauth=${X11BASE}/bin/xauth
+.else
+CONFIGURE_ARGS+=	--with-xauth=${PREFIX}/bin/xauth
+.endif
+
+CONFS=			ssh_config sshd_config moduli
+
+PLIST_VARS+=		darwin
+
+EGDIR=			${PREFIX}/share/examples/${PKGBASE}
+
+# enable privsep patches
+.if ${OPSYS} == "Darwin"
+CONF_FILES+=		${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb
+CPPFLAGS+=		-D__APPLE_SANDBOX_NAMED_EXTERNAL__
+PLIST.darwin=		yes
+.endif
+
+.for f in ${CONFS}
+CONF_FILES+=		${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
+.endfor
+OWN_DIRS=		${OPENSSH_CHROOT}
+RCD_SCRIPTS=		sshd
+RCD_SCRIPT_SRC.sshd=	${WRKDIR}/sshd.sh
+SMF_METHODS=		sshd
+
+FILES_SUBST+=		SSH_PID_DIR=${SSH_PID_DIR}
+
+SUBST_CLASSES+=		patch
+SUBST_STAGE.patch=	pre-configure
+SUBST_FILES.patch=	session.c sandbox-darwin.c
+SUBST_SED.patch=	-e '/channel_input_port_forward_request/s/0/ROOTUID/'
+SUBST_VARS.patch=	PKG_SYSCONFDIR
+
+.include "../../devel/zlib/buildlink3.mk"
+.include "../../security/tcp_wrappers/buildlink3.mk"
+
+#
+# type of key "ecdsa" isn't always supported depends on OpenSSL.
+#
+pre-configure:
+	cd ${WRKSRC} && autoconf -i
+
+post-configure:
+	if ${EGREP} -q '^\#define[ 	]+OPENSSL_HAS_ECC' \
+	    ${WRKSRC}/config.h; then \
+		${SED} -e '/HAVE_ECDSA/s/.*//' \
+			${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+	else \
+		${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
+			${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+	fi
+	${SED} -e 's,@VARBASE@,${VARBASE},g' \
+		< ${FILESDIR}/org.openssh.sshd.sb.in \
+		> ${WRKDIR}/org.openssh.sshd.sb
+
+post-install:
+	${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
+	cd ${WRKSRC}; for file in ${CONFS}; do				\
+		${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file};		\
+	done
+.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
+	${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
+	  ${DESTDIR}${EGDIR}/sshd.pam
+.endif
+.if ${OPSYS} == "Darwin"
+	${INSTALL_DATA} ${WRKDIR}/org.openssh.sshd.sb \
+		${DESTDIR}${EGDIR}/org.openssh.sshd.sb
+.endif
+
+.include "../../mk/bsd.pkg.mk"
diff --git a/openssh/PLIST b/openssh/PLIST
new file mode 100644
index 0000000000..1c18b8b3e9
--- /dev/null
+++ b/openssh/PLIST
@@ -0,0 +1,31 @@
+@comment $NetBSD: PLIST,v 1.19 2017/01/19 03:50:53 maya Exp $
+bin/scp
+bin/sftp
+bin/ssh
+bin/ssh-add
+bin/ssh-agent
+bin/ssh-keygen
+bin/ssh-keyscan
+libexec/sftp-server
+libexec/ssh-keysign
+libexec/ssh-pkcs11-helper
+man/man1/scp.1
+man/man1/sftp.1
+man/man1/ssh-add.1
+man/man1/ssh-agent.1
+man/man1/ssh-keygen.1
+man/man1/ssh-keyscan.1
+man/man1/ssh.1
+man/man5/moduli.5
+man/man5/ssh_config.5
+man/man5/sshd_config.5
+man/man8/sftp-server.8
+man/man8/ssh-keysign.8
+man/man8/ssh-pkcs11-helper.8
+man/man8/sshd.8
+sbin/sshd
+share/examples/openssh/moduli
+${PLIST.darwin}share/examples/openssh/org.openssh.sshd.sb
+share/examples/openssh/ssh_config
+${PLIST.pam}share/examples/openssh/sshd.pam
+share/examples/openssh/sshd_config
diff --git a/openssh/distinfo b/openssh/distinfo
new file mode 100644
index 0000000000..58f19de962
--- /dev/null
+++ b/openssh/distinfo
@@ -0,0 +1,29 @@
+$NetBSD: distinfo,v 1.106 2019/01/18 20:13:36 tnn Exp $
+
+SHA1 (openssh-8.0p1.tar.gz) = 756dbb99193f9541c9206a667eaa27b0fa184a4f
+RMD160 (openssh-8.0p1.tar.gz) = 9c0d0d97a5f9f97329bf334725dfbad53576d612
+SHA512 (openssh-8.0p1.tar.gz) = e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982
+Size (openssh-8.0p1.tar.gz) = 1597697 bytes
+SHA1 (patch-Makefile.in) = 13502b825c13c98b2ba3b84ff4bae9aa664b76b1
+SHA1 (patch-auth-passwd.c) = f2906091185c84d0dbb26e6b8fa0de30934816bd
+SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
+SHA1 (patch-auth.c) = ec68a8a66b9838ba136f8181b93eb38f5b3d3249
+SHA1 (patch-auth2.c) = c57e5fe3d6fed73e6b26a8e4e4c63f36d8e20535
+SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
+SHA1 (patch-config.h.in) = 926507ea281568e06385e16cbd3c8b907f2baa3f
+SHA1 (patch-configure.ac) = 4500549c9b85eb5502101f1043ccb85154df04b7
+SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
+SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
+SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
+SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae
+SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
+SHA1 (patch-openbsd-compat_port-tun.c) = 4b1b55b7fdc319e011d249ee336301b17a589228
+SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
+SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
+SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
+SHA1 (patch-session.c) = 2538d6f825bff1be325207285cdfac89f73ff264
+SHA1 (patch-sftp-common.c) = bd3c726c056116da7673fb4649e5e7afa9db9ec3
+SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
+SHA1 (patch-sshd.c) = 4dfe5ff525617d5d3743672f14811213eb5b6635
+SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
+SHA1 (patch-uidswap.c) = 6c68624cfd6ff3c2386008ff336c4d7da78195f4
diff --git a/openssh/files/org.openssh.sshd.sb.in b/openssh/files/org.openssh.sshd.sb.in
new file mode 100644
index 0000000000..e060377c92
--- /dev/null
+++ b/openssh/files/org.openssh.sshd.sb.in
@@ -0,0 +1,23 @@
+;;	$NetBSD: org.openssh.sshd.sb.in,v 1.1 2015/08/14 08:57:00 jperkin Exp $
+;;
+;; Copyright (c) 2008 Apple Inc.  All Rights reserved.
+;;
+;; sshd - profile for privilege separated children
+;;
+;; WARNING: The sandbox rules in this file currently constitute
+;; Apple System Private Interface and are subject to change at any time and
+;; without notice.
+;;
+
+(version 1)
+
+(deny default)
+
+(allow file-chroot)
+(allow file-read-metadata (literal "@VARBASE@"))
+
+(allow sysctl-read)
+(allow mach-per-user-lookup)
+(allow mach-lookup
+	(global-name "com.apple.system.notification_center")
+	(global-name "com.apple.system.logger"))
diff --git a/openssh/files/smf/manifest.xml b/openssh/files/smf/manifest.xml
new file mode 100644
index 0000000000..71e9800b9b
--- /dev/null
+++ b/openssh/files/smf/manifest.xml
@@ -0,0 +1,46 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<service_bundle type='manifest' name='export'>
+  <service name='@SMF_PREFIX@/@SMF_NAME@' type='service' version='1'>
+    <create_default_instance enabled='false'/>
+    <single_instance/>
+    <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
+      <service_fmri value='svc:/system/filesystem/local'/>
+    </dependency>
+    <dependency name='net-loopback' grouping='require_all' restart_on='none' type='service'>
+      <service_fmri value='svc:/network/loopback'/>
+    </dependency>
+    <dependency name='net-physical' grouping='require_all' restart_on='none' type='service'>
+      <service_fmri value='svc:/network/physical'/>
+    </dependency>
+    <dependency name='cryptosvc' grouping='require_all' restart_on='none' type='service'>
+      <service_fmri value='svc:/system/cryptosvc'/>
+    </dependency>
+    <dependency name='utmp' grouping='require_all' restart_on='none' type='service'>
+      <service_fmri value='svc:/system/utmp'/>
+    </dependency>
+    <dependency name='config_data' grouping='require_all' restart_on='restart' type='path'>
+      <service_fmri value='file://localhost@PKG_SYSCONFDIR@/sshd_config'/>
+    </dependency>
+    <dependent name='openssh_multi-user-server' restart_on='none' grouping='optional_all'>
+      <service_fmri value='svc:/milestone/multi-user-server'/>
+    </dependent>
+    <exec_method name='start' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ start' timeout_seconds='60'/>
+    <exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
+    <exec_method name='refresh' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ restart' timeout_seconds='60'/>
+    <property_group name='general' type='framework'>
+      <property name='action_authorization' type='astring'/>
+    </property_group>
+    <property_group name='startd' type='framework'>
+      <propval name='ignore_error' type='astring' value='core,signal'/>
+    </property_group>
+    <template>
+      <common_name>
+        <loctext xml:lang='C'>OpenSSH server</loctext>
+      </common_name>
+      <documentation>
+        <manpage title='sshd' section='1M' manpath='@PREFIX@/@PKGMANDIR@'/>
+      </documentation>
+    </template>
+  </service>
+</service_bundle>
diff --git a/openssh/files/smf/sshd.sh b/openssh/files/smf/sshd.sh
new file mode 100644
index 0000000000..0ab48193b1
--- /dev/null
+++ b/openssh/files/smf/sshd.sh
@@ -0,0 +1,68 @@
+#!@SMF_METHOD_SHELL@
+#
+# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ident	"@(#)sshd	1.4	04/11/17 SMI"
+
+SSHDIR=@PKG_SYSCONFDIR@
+KEYGEN="@PREFIX@/bin/ssh-keygen -q"
+PIDFILE=@VARBASE@/run/sshd.pid
+
+# Checks to see if RSA, and DSA host keys are available
+# if any of these keys are not present, the respective keys are created.
+create_key()
+{
+	keypath=$1
+	keytype=$2
+
+	if [ ! -f $keypath ]; then
+		grep "^HostKey $keypath" $SSHDIR/sshd_config > /dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			echo Creating new $keytype public/private host key pair
+			$KEYGEN -f $keypath -t $keytype -N ''
+			return $?
+		fi
+	fi
+
+	return 0
+}
+
+# This script is being used for two purposes: as part of an SMF
+# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M)
+# application.
+#
+# Both, the SMF methods and sysidconfig/sys-unconfig use different
+# arguments..
+
+case $1 in
+	# sysidconfig/sys-unconfig arguments (-c and -u)
+'-c')
+	create_key $SSHDIR/ssh_host_rsa_key rsa
+	create_key $SSHDIR/ssh_host_dsa_key dsa
+	;;
+
+'-u')
+	# sys-unconfig(1M) knows how to remove ssh host keys, so there's
+	# nothing to do here.
+	:
+	;;
+
+	# SMF arguments (start and restart [really "refresh"])
+'start')
+	@PREFIX@/sbin/sshd
+	;;
+
+'restart')
+	if [ -f "$PIDFILE" ]; then
+		/usr/bin/kill -HUP `/usr/bin/cat $PIDFILE`
+	fi
+	;;
+
+*)
+	echo "Usage: $0 { start | restart }"
+	exit 1
+	;;
+esac
+
+exit $?
diff --git a/openssh/files/sshd.sh b/openssh/files/sshd.sh
new file mode 100644
index 0000000000..8493e047e4
--- /dev/null
+++ b/openssh/files/sshd.sh
@@ -0,0 +1,115 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: sshd.sh,v 1.16 2015/11/11 11:40:06 sevan Exp $
+#
+# PROVIDE: sshd
+# REQUIRE: DAEMON LOGIN
+
+if [ -f /etc/rc.subr ]
+then
+	. /etc/rc.subr
+fi
+
+name="sshd"
+rcvar=$name
+command="@PREFIX@/sbin/${name}"
+keygen_command="@PREFIX@/bin/ssh-keygen"
+pidfile="@SSH_PID_DIR@/${name}.pid"
+required_files="@PKG_SYSCONFDIR@/sshd_config"
+extra_commands="keygen reload"
+
+sshd_keygen()
+{
+	(
+	umask 022
+	if [ -f @PKG_SYSCONFDIR@/ssh_host_dsa_key ]; then
+		@ECHO@ "You already have a DSA host key in @PKG_SYSCONFDIR@/ssh_host_dsa_key"
+		@ECHO@ "Skipping protocol version 2 DSA Key Generation"
+	else
+		${keygen_command} -t dsa -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -N ''
+	fi
+
+	if [ -f @PKG_SYSCONFDIR@/ssh_host_rsa_key ]; then
+		@ECHO@ "You already have a RSA host key in @PKG_SYSCONFDIR@/ssh_host_rsa_key"
+		@ECHO@ "Skipping protocol version 2 RSA Key Generation"
+	else
+		${keygen_command} -t rsa -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -N ''
+	fi
+# HAVE_ECDSA_START
+	if [ -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key ]; then
+		@ECHO@ "You already have a ECDSA host key in @PKG_SYSCONFDIR@/ssh_host_ecdsa_key"
+		@ECHO@ "Skipping protocol version 2 ECDSA Key Generation"
+	else
+		${keygen_command} -t ecdsa -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -N ''
+	fi
+# HAVE_ECDSA_STOP
+# HAVE_ED25519_START
+	if [ -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+		@ECHO@ "You already have a ED25519 host key in @PKG_SYSCONFDIR@/ssh_host_ed25519_key"
+		@ECHO@ "Skipping protocol version 2 ED25519 Key Generation"
+	else
+		${keygen_command} -t ed25519 -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key -N ''
+	fi
+# HAVE_ED25519_STOP
+	)
+}
+
+sshd_precmd()
+{
+	if [ ! -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -o \
+	     ! -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -o \
+	     ! -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -o \
+	     ! -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+		if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+		then
+			run_rc_command keygen
+		else
+			eval ${keygen_cmd}
+		fi
+	fi
+}
+
+keygen_cmd=sshd_keygen
+start_precmd=sshd_precmd
+
+if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+then
+	load_rc_config $name
+	run_rc_command "$1"
+else
+	case ${1:-start} in
+	start)
+		if [ -x ${command} -a -f ${required_files} ]
+		then
+			@ECHO@ "Starting ${name}."
+			eval ${start_precmd}
+			eval ${command} ${sshd_flags} ${command_args}
+		fi
+		;;
+	stop)
+		if [ -f ${pidfile} ]; then
+			pid=`@HEAD@ -1 ${pidfile}`
+			@ECHO@ "Stopping ${name}."
+			kill -TERM ${pid}
+		else
+			@ECHO@ "${name} not running?"
+		fi
+		;;
+	restart)
+		( $0 stop )
+		sleep 1
+		$0 start
+		;;
+	status)
+		if [ -f ${pidfile} ]; then
+			pid=`@HEAD@ -1 ${pidfile}`
+			@ECHO@ "${name} is running as pid ${pid}."
+		else
+			@ECHO@ "${name} is not running."
+		fi
+		;;
+	keygen)
+		eval ${keygen_cmd}
+		;;
+	esac
+fi
diff --git a/openssh/options.mk b/openssh/options.mk
new file mode 100644
index 0000000000..6e941d6b5b
--- /dev/null
+++ b/openssh/options.mk
@@ -0,0 +1,51 @@
+# $NetBSD: options.mk,v 1.36 2019/04/25 14:55:04 tron Exp $
+
+PKG_OPTIONS_VAR=	PKG_OPTIONS.openssh
+PKG_SUPPORTED_OPTIONS=	editline kerberos openssl pam
+PKG_SUGGESTED_OPTIONS=	editline openssl
+
+.include "../../mk/bsd.prefs.mk"
+
+.if ${OPSYS} == "NetBSD"
+PKG_SUGGESTED_OPTIONS+=	pam
+.endif
+
+.include "../../mk/bsd.options.mk"
+
+.if !empty(PKG_OPTIONS:Mopenssl)
+.include "../../security/openssl/buildlink3.mk"
+CONFIGURE_ARGS+=	--with-ssl-dir=${SSLBASE:Q}
+.else
+CONFIGURE_ARGS+=	--without-openssl
+.endif
+
+.if !empty(PKG_OPTIONS:Mkerberos)
+.  include "../../mk/krb5.buildlink3.mk"
+CONFIGURE_ARGS+=	--with-kerberos5=${KRB5BASE}
+.  if ${KRB5_TYPE} == "mit-krb5"
+CONFIGURE_ENV+=		ac_cv_search_k_hasafs=no
+.  endif
+.endif
+
+#.if !empty(PKG_OPTIONS:Mhpn-patch)
+#PATCHFILES=		openssh-7.1p1-hpn-20150822.diff.bz2
+#PATCH_SITES=		ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
+#PATCH_DIST_STRIP=	-p1
+#.endif
+
+PLIST_VARS+=	pam
+
+.if !empty(PKG_OPTIONS:Mpam)
+.include "../../mk/pam.buildlink3.mk"
+CONFIGURE_ARGS+=	--with-pam
+MESSAGE_SRC+=		${.CURDIR}/MESSAGE.pam
+MESSAGE_SUBST+=		EGDIR=${EGDIR}
+.  if ${OPSYS} == "Linux"
+PLIST.pam=	yes
+.  endif
+.endif
+
+.if !empty(PKG_OPTIONS:Meditline)
+.include "../../devel/editline/buildlink3.mk"
+CONFIGURE_ARGS+=	--with-libedit=${BUILDLINK_PREFIX.editline}
+.endif
diff --git a/openssh/patches/patch-Makefile.in b/openssh/patches/patch-Makefile.in
new file mode 100644
index 0000000000..969eab46e7
--- /dev/null
+++ b/openssh/patches/patch-Makefile.in
@@ -0,0 +1,31 @@
+$NetBSD: patch-Makefile.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+Removed install-sysconf as we handle that phase through post-install
+
+--- Makefile.in.orig	2018-10-17 00:01:20.000000000 +0000
++++ Makefile.in
+@@ -1,5 +1,5 @@
+ # uncomment if you run a non bourne compatible shell. Ie. csh
+-#SHELL = @SH@
++SHELL = @SH@
+ 
+ AUTORECONF=autoreconf
+ 
+@@ -20,7 +20,7 @@ top_srcdir=@top_srcdir@
+ DESTDIR=
+ VPATH=@srcdir@
+ SSH_PROGRAM=@bindir@/ssh
+-ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
++#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+@@ -320,7 +320,7 @@ distprep: catman-do depend-check
+ 	-rm -rf autom4te.cache .depend.bak
+ 
+ install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
+-install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
++install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+ install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+ 
+ check-config:
diff --git a/openssh/patches/patch-auth-passwd.c b/openssh/patches/patch-auth-passwd.c
new file mode 100644
index 0000000000..68ed2fc1ec
--- /dev/null
+++ b/openssh/patches/patch-auth-passwd.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-auth-passwd.c,v 1.5 2019/01/18 20:13:37 tnn Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth-passwd.c.orig	2018-10-17 00:01:20.000000000 +0000
++++ auth-passwd.c
+@@ -87,7 +87,7 @@ auth_password(struct ssh *ssh, const cha
+ 		return 0;
+ 
+ #ifndef HAVE_CYGWIN
+-	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
++	if (pw->pw_uid == ROOTUID && options.permit_root_login != PERMIT_YES)
+ 		ok = 0;
+ #endif
+ 	if (*password == '\0' && options.permit_empty_passwd == 0)
+@@ -122,7 +122,11 @@ auth_password(struct ssh *ssh, const cha
+ 			authctxt->force_pwchange = 1;
+ 	}
+ #endif
++#ifdef HAVE_INTERIX
++	result = (!setuser(pw->pw_name, password, SU_CHECK));
++#else
+ 	result = sys_auth_passwd(ssh, password);
++#endif
+ 	if (authctxt->force_pwchange)
+ 		auth_restrict_session(ssh);
+ 	return (result && ok);
diff --git a/openssh/patches/patch-auth-rhosts.c b/openssh/patches/patch-auth-rhosts.c
new file mode 100644
index 0000000000..fef060635c
--- /dev/null
+++ b/openssh/patches/patch-auth-rhosts.c
@@ -0,0 +1,33 @@
+$NetBSD: patch-auth-rhosts.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth-rhosts.c.orig	2015-08-21 04:49:03.000000000 +0000
++++ auth-rhosts.c
+@@ -242,7 +242,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ 	 * If not logging in as superuser, try /etc/hosts.equiv and
+ 	 * shosts.equiv.
+ 	 */
+-	if (pw->pw_uid == 0)
++	if (pw->pw_uid == ROOTUID)
+ 		debug3("%s: root user, ignoring system hosts files", __func__);
+ 	else {
+ 		if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
+@@ -271,7 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ 		return 0;
+ 	}
+ 	if (options.strict_modes &&
+-	    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++	    ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ 	    (st.st_mode & 022) != 0)) {
+ 		logit("Rhosts authentication refused for %.100s: "
+ 		    "bad ownership or modes for home directory.", pw->pw_name);
+@@ -298,7 +298,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ 		 * allowing access to their account by anyone.
+ 		 */
+ 		if (options.strict_modes &&
+-		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++		    ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ 		    (st.st_mode & 022) != 0)) {
+ 			logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
+ 			    pw->pw_name, buf);
diff --git a/openssh/patches/patch-auth.c b/openssh/patches/patch-auth.c
new file mode 100644
index 0000000000..719484c161
--- /dev/null
+++ b/openssh/patches/patch-auth.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-auth.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+* Replace uid 0 with ROOTUID macro.
+* Use login_getpwclass() instead of login_getclass() so that the root
+  vs. default login class distinction is made correctly, from FrrrBSD's
+  ports.
+
+--- auth.c.orig	2019-05-01 11:28:52.028281617 +0000
++++ auth.c
+@@ -472,7 +472,7 @@ check_key_in_hostfiles(struct passwd *pw
+ 		user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
+ 		if (options.strict_modes &&
+ 		    (stat(user_hostfile, &st) == 0) &&
+-		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++		    ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ 		    (st.st_mode & 022) != 0)) {
+ 			logit("Authentication refused for %.100s: "
+ 			    "bad owner or modes for %.200s",
+@@ -599,7 +599,7 @@ getpwnamallow(struct ssh *ssh, const cha
+ 	if (!allowed_user(ssh, pw))
+ 		return (NULL);
+ #ifdef HAVE_LOGIN_CAP
+-	if ((lc = login_getclass(pw->pw_class)) == NULL) {
++	if ((lc = login_getpwclass(pw->pw_class)) == NULL) {
+ 		debug("unable to get login class: %s", user);
+ 		return (NULL);
+ 	}
diff --git a/openssh/patches/patch-auth2.c b/openssh/patches/patch-auth2.c
new file mode 100644
index 0000000000..2182d4afc7
--- /dev/null
+++ b/openssh/patches/patch-auth2.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-auth2.c,v 1.7 2019/01/18 20:13:37 tnn Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth2.c.orig	2018-10-17 00:01:20.000000000 +0000
++++ auth2.c
+@@ -352,7 +352,7 @@ userauth_finish(struct ssh *ssh, int aut
+ 		fatal("INTERNAL ERROR: authenticated and postponed");
+ 
+ 	/* Special handling for root */
+-	if (authenticated && authctxt->pw->pw_uid == 0 &&
++	if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
+ 	    !auth_root_allowed(ssh, method)) {
+ 		authenticated = 0;
+ #ifdef SSH_AUDIT_EVENTS
diff --git a/openssh/patches/patch-clientloop.c b/openssh/patches/patch-clientloop.c
new file mode 100644
index 0000000000..1089e0330c
--- /dev/null
+++ b/openssh/patches/patch-clientloop.c
@@ -0,0 +1,63 @@
+$NetBSD: patch-clientloop.c,v 1.5 2016/12/30 04:43:16 taca Exp $
+
+Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
+
+https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
+
+--- clientloop.c.orig	2016-12-19 04:59:41.000000000 +0000
++++ clientloop.c
+@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display
+ 	struct stat st;
+ 	u_int now, x11_timeout_real;
+ 
++#if __APPLE__
++	int is_path_to_socket = 0;
++#endif /* __APPLE__ */
++
+ 	*_proto = proto;
+ 	*_data = data;
+ 	proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
+@@ -331,6 +335,33 @@ client_x11_get_proto(const char *display
+ 	}
+ 
+ 	if (xauth_path != NULL) {
++#if __APPLE__
++		{
++			/*
++			 * If using launchd socket, remove the screen number from the end
++			 * of $DISPLAY. is_path_to_socket is used later in this function
++			 * to determine if an error should be displayed.
++			 */
++			char path[PATH_MAX];
++			struct stat sbuf;
++
++			strlcpy(path, display, sizeof(path));
++			if (0 == stat(path, &sbuf)) {
++				is_path_to_socket = 1;
++			} else {
++				char *dot = strrchr(path, '.');
++				if (dot) {
++					*dot = '\0';
++					/* screen = atoi(dot + 1); */
++					if (0 == stat(path, &sbuf)) {
++						is_path_to_socket = 1;
++						debug("x11_get_proto: $DISPLAY is launchd, removing screennum");
++						setenv("DISPLAY", path, 1);
++					}
++				}
++			}
++		}
++#endif /* __APPLE__ */
+ 		/*
+ 		 * Handle FamilyLocal case where $DISPLAY does
+ 		 * not match an authorization entry.  For this we
+@@ -441,6 +472,9 @@ client_x11_get_proto(const char *display
+ 		u_int8_t rnd[16];
+ 		u_int i;
+ 
++#if __APPLE__
++		if (!is_path_to_socket)
++#endif /* __APPLE__ */
+ 		logit("Warning: No xauth data; "
+ 		    "using fake authentication data for X11 forwarding.");
+ 		strlcpy(proto, SSH_X11_PROTO, sizeof proto);
diff --git a/openssh/patches/patch-config.h.in b/openssh/patches/patch-config.h.in
new file mode 100644
index 0000000000..c1bb668067
--- /dev/null
+++ b/openssh/patches/patch-config.h.in
@@ -0,0 +1,37 @@
+$NetBSD: patch-config.h.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+* Added Interix and define new path to if_tun.h.
+* Revive tcp_wrappers support.
+
+--- config.h.in.orig	2018-10-19 01:06:33.000000000 +0000
++++ config.h.in
+@@ -741,6 +741,9 @@
+ /* define if you have int64_t data type */
+ #undef HAVE_INT64_T
+ 
++/* Define if you are on Interix */
++#undef HAVE_INTERIX
++
+ /* Define to 1 if the system has the type `intmax_t'. */
+ #undef HAVE_INTMAX_T
+ 
+@@ -910,6 +913,9 @@
+ /* Define to 1 if you have the <net/route.h> header file. */
+ #undef HAVE_NET_ROUTE_H
+ 
++/* Define to 1 if you have the <net/tun/if_tun.h> header file. */
++#undef HAVE_NET_TUN_IF_TUN_H
++
+ /* Define if you are on NeXT */
+ #undef HAVE_NEXT
+ 
+@@ -1617,6 +1623,9 @@
+ /* Define if pututxline updates lastlog too */
+ #undef LASTLOG_WRITE_PUTUTXLINE
+ 
++/* Define if you want TCP Wrappers support */
++#undef LIBWRAP
++
+ /* Define to whatever link() returns for "not supported" if it doesn't return
+    EOPNOTSUPP. */
+ #undef LINK_OPNOTSUPP_ERRNO
diff --git a/openssh/patches/patch-configure.ac b/openssh/patches/patch-configure.ac
new file mode 100644
index 0000000000..ec50365d8e
--- /dev/null
+++ b/openssh/patches/patch-configure.ac
@@ -0,0 +1,138 @@
+$NetBSD$
+
+--- configure.ac.orig	2019-04-17 22:52:57.000000000 +0000
++++ configure.ac
+@@ -294,6 +294,9 @@ AC_ARG_WITH([rpath],
+ 	]
+ )
+ 
++# pkgsrc handles any rpath settings this package needs
++need_dash_r=
++
+ # Allow user to specify flags
+ AC_ARG_WITH([cflags],
+ 	[  --with-cflags           Specify additional flags to pass to compiler],
+@@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \
+ 	maillock.h \
+ 	ndir.h \
+ 	net/if_tun.h \
++	net/tun/if_tun.h \
+ 	netdb.h \
+ 	netgroup.h \
+ 	pam/pam_appl.h \
+@@ -737,6 +741,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+ 		;;
+ 	esac
+ 	;;
++*-*-interix*)
++        AC_DEFINE(HAVE_INTERIX)
++        AC_DEFINE(DISABLE_FD_PASSING)
++        AC_DEFINE(DISABLE_SHADOW)
++        AC_DEFINE(IP_TOS_IS_BROKEN)
++        AC_DEFINE(MISSING_HOWMANY)
++        AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
++        AC_DEFINE(USE_PIPES)
++        ;;
+ *-*-irix5*)
+ 	PATH="$PATH:/usr/etc"
+ 	AC_DEFINE([BROKEN_INET_NTOA], [1],
+@@ -1494,6 +1507,62 @@ else
+ 	AC_MSG_RESULT([no])
+ fi
+ 
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++	[
++		if test "x$withval" != "xno" ; then
++			saved_LIBS="$LIBS"
++			saved_LDFLAGS="$LDFLAGS"
++			saved_CPPFLAGS="$CPPFLAGS"
++			if test -n "${withval}" && \
++			    test "x${withval}" != "xyes"; then
++				if test -d "${withval}/lib"; then
++					if test -n "${need_dash_r}"; then
++						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++					else
++						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++					fi
++				else
++					if test -n "${need_dash_r}"; then
++						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++					else
++						LDFLAGS="-L${withval} ${LDFLAGS}"
++					fi
++				fi
++				if test -d "${withval}/include"; then
++					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++				else
++					CPPFLAGS="-I${withval} ${CPPFLAGS}"
++				fi
++			fi
++			LIBS="-lwrap $LIBS"
++			AC_MSG_CHECKING([for libwrap])
++			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++				]], [[
++	hosts_access(0);
++				]])], [
++					AC_MSG_RESULT([yes])
++					AC_DEFINE([LIBWRAP], [1],
++						[Define if you want
++						TCP Wrappers support])
++					SSHDLIBS="$SSHDLIBS -lwrap"
++					TCPW_MSG="yes"
++				], [
++					AC_MSG_ERROR([*** libwrap missing])
++				
++			])
++			LIBS="$saved_LIBS"
++		fi
++	]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -5129,9 +5198,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ ])
+ if test -z "$conf_wtmpx_location"; then
+ 	if test x"$system_wtmpx_path" = x"no" ; then
+-		AC_DEFINE([DISABLE_WTMPX])
++		for f in /var/log/wtmpx; do
++			if test -f $f ; then
++				conf_wtmpx_location=$f
++			fi
++		done
++		if test -z "$conf_wtmpx_location"; then
++			AC_DEFINE(DISABLE_WTMPX)
++		fi
+ 	fi
+-else
++fi
++if test -n "$conf_wtmpx_location"; then
+ 	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
+ 		[Define if you want to specify the path to your wtmpx file])
+ fi
+@@ -5223,7 +5300,7 @@ echo "OpenSSH has been configured with t
+ echo "                     User binaries: $B"
+ echo "                   System binaries: $C"
+ echo "               Configuration files: $D"
+-echo "                   Askpass program: $E"
++echo "                   Askpass program: ${ASKPASS_PROGRAM}"
+ echo "                      Manual pages: $F"
+ echo "                          PID file: $G"
+ echo "  Privilege separation chroot path: $H"
+@@ -5245,6 +5322,7 @@ echo "                       PAM support
+ echo "                   OSF SIA support: $SIA_MSG"
+ echo "                 KerberosV support: $KRB5_MSG"
+ echo "                   SELinux support: $SELINUX_MSG"
++echo "              TCP Wrappers support: $TCPW_MSG"
+ echo "              MD5 password support: $MD5_MSG"
+ echo "                   libedit support: $LIBEDIT_MSG"
+ echo "                   libldns support: $LDNS_MSG"
diff --git a/openssh/patches/patch-defines.h b/openssh/patches/patch-defines.h
new file mode 100644
index 0000000000..63788b31ba
--- /dev/null
+++ b/openssh/patches/patch-defines.h
@@ -0,0 +1,47 @@
+$NetBSD: patch-defines.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Define ROOTUID, UTMPX_FILE and WTMPX_FILE
+
+--- defines.h.orig	2015-08-21 04:49:03.000000000 +0000
++++ defines.h
+@@ -30,6 +30,15 @@
+ 
+ /* Constants */
+ 
++#ifdef HAVE_INTERIX
++/* Interix has a special concept of "administrator". */
++# define ROOTUID	197108
++# define ROOTGID	131616
++#else
++# define ROOTUID	0
++# define ROOTGID	0
++#endif
++
+ #if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
+ enum
+ {
+@@ -721,6 +730,24 @@ struct winsize {
+ #    endif
+ #  endif
+ #endif
++#ifndef UTMPX_FILE
++#  ifdef _PATH_UTMPX
++#    define UTMPX_FILE _PATH_UTMPX
++#  else
++#    ifdef CONF_UTMPX_FILE
++#      define UTMPX_FILE CONF_UTMPX_FILE
++#    endif
++#  endif
++#endif
++#ifndef WTMPX_FILE
++#  ifdef _PATH_WTMPX
++#    define WTMPX_FILE _PATH_WTMPX
++#  else
++#    ifdef CONF_WTMPX_FILE
++#      define WTMPX_FILE CONF_WTMPX_FILE
++#    endif
++#  endif
++#endif
+ /* pick up the user's location for lastlog if given */
+ #ifndef LASTLOG_FILE
+ #  ifdef _PATH_LASTLOG
diff --git a/openssh/patches/patch-includes.h b/openssh/patches/patch-includes.h
new file mode 100644
index 0000000000..5e54a9dcd8
--- /dev/null
+++ b/openssh/patches/patch-includes.h
@@ -0,0 +1,17 @@
+$NetBSD: patch-includes.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- includes.h.orig	2015-08-21 04:49:03.000000000 +0000
++++ includes.h
+@@ -127,6 +127,10 @@
+ #ifdef HAVE_READPASSPHRASE_H
+ # include <readpassphrase.h>
+ #endif
++#ifdef HAVE_INTERIX
++# include <interix/env.h>
++# include <interix/security.h>
++#endif
+ 
+ #ifdef HAVE_IA_H
+ # include <ia.h>
diff --git a/openssh/patches/patch-loginrec.c b/openssh/patches/patch-loginrec.c
new file mode 100644
index 0000000000..fa56d5a158
--- /dev/null
+++ b/openssh/patches/patch-loginrec.c
@@ -0,0 +1,68 @@
+$NetBSD: patch-loginrec.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support and related fixes. Fix build on FreeBSD.
+
+--- loginrec.c.orig	2015-08-21 04:49:03.000000000 +0000
++++ loginrec.c
+@@ -432,8 +432,8 @@ login_set_addr(struct logininfo *li, con
+ int
+ login_write(struct logininfo *li)
+ {
+-#ifndef HAVE_CYGWIN
+-	if (geteuid() != 0) {
++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
++        if (geteuid() != ROOTUID) {
+ 		logit("Attempt to write login records by non-root user (aborting)");
+ 		return (1);
+ 	}
+@@ -441,7 +441,7 @@ login_write(struct logininfo *li)
+ 
+ 	/* set the timestamp */
+ 	login_set_current_time(li);
+-#ifdef USE_LOGIN
++#if defined(USE_LOGIN) && (HAVE_UTMP_H)
+ 	syslogin_write_entry(li);
+ #endif
+ #ifdef USE_LASTLOG
+@@ -625,7 +625,7 @@ line_abbrevname(char *dst, const char *s
+  ** into account.
+  **/
+ 
+-#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
++#if defined(USE_UTMP) || defined (USE_WTMP) || (defined (USE_LOGIN) && defined (HAVE_UTMP_H))
+ 
+ /* build the utmp structure */
+ void
+@@ -762,10 +762,6 @@ construct_utmpx(struct logininfo *li, st
+ 	set_utmpx_time(li, utx);
+ 	utx->ut_pid = li->pid;
+ 
+-	/* strncpy(): Don't necessarily want null termination */
+-	strncpy(utx->ut_user, li->username,
+-	    MIN_SIZEOF(utx->ut_user, li->username));
+-
+ 	if (li->type == LTYPE_LOGOUT)
+ 		return;
+ 
+@@ -774,6 +770,12 @@ construct_utmpx(struct logininfo *li, st
+ 	 * for logouts.
+ 	 */
+ 
++	/* strncpy(): Don't necessarily want null termination */
++#if defined(__FreeBSD__)
++	strncpy(utx->ut_user, li->username, MIN_SIZEOF(utx->ut_user, li->username));
++#else
++	strncpy(utx->ut_name, li->username, MIN_SIZEOF(utx->ut_name, li->username));
++#endif
+ # ifdef HAVE_HOST_IN_UTMPX
+ 	strncpy(utx->ut_host, li->hostname,
+ 	    MIN_SIZEOF(utx->ut_host, li->hostname));
+@@ -1409,7 +1411,7 @@ wtmpx_get_entry(struct logininfo *li)
+  ** Low-level libutil login() functions
+  **/
+ 
+-#ifdef USE_LOGIN
++#if defined(USE_LOGIN) && defined(HAVE_UTMP_H)
+ static int
+ syslogin_perform_login(struct logininfo *li)
+ {
diff --git a/openssh/patches/patch-openbsd-compat_bsd-openpty.c b/openssh/patches/patch-openbsd-compat_bsd-openpty.c
new file mode 100644
index 0000000000..adbacbee3a
--- /dev/null
+++ b/openssh/patches/patch-openbsd-compat_bsd-openpty.c
@@ -0,0 +1,22 @@
+$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.4 2016/12/30 04:43:16 taca Exp $
+
+Interix support
+
+--- openbsd-compat/bsd-openpty.c.orig	2016-12-19 04:59:41.000000000 +0000
++++ openbsd-compat/bsd-openpty.c
+@@ -121,6 +121,7 @@ openpty(int *amaster, int *aslave, char 
+ 		return (-1);
+ 	}
+ 
++#if !defined(HAVE_INTERIX)
+ 	/*
+ 	 * Try to push the appropriate streams modules, as described
+ 	 * in Solaris pts(7).
+@@ -130,6 +131,7 @@ openpty(int *amaster, int *aslave, char 
+ # ifndef __hpux
+ 	ioctl(*aslave, I_PUSH, "ttcompat");
+ # endif /* __hpux */
++#endif /* !HAVE_INTERIX */
+ 
+ 	return (0);
+ 
diff --git a/openssh/patches/patch-openbsd-compat_openbsd-compat.h b/openssh/patches/patch-openbsd-compat_openbsd-compat.h
new file mode 100644
index 0000000000..771757f15f
--- /dev/null
+++ b/openssh/patches/patch-openbsd-compat_openbsd-compat.h
@@ -0,0 +1,17 @@
+$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+strtoll() declaration
+
+--- openbsd-compat/openbsd-compat.h.orig	2015-08-21 04:49:03.000000000 +0000
++++ openbsd-compat/openbsd-compat.h
+@@ -99,6 +99,10 @@ size_t strlcat(char *dst, const char *sr
+ int setenv(register const char *name, register const char *value, int rewrite);
+ #endif
+ 
++#ifndef HAVE_STRTOLL
++long long strtoll(const char *, char **, int);
++#endif
++
+ #ifndef HAVE_STRMODE
+ void strmode(int mode, char *p);
+ #endif
diff --git a/openssh/patches/patch-openbsd-compat_port-tun.c b/openssh/patches/patch-openbsd-compat_port-tun.c
new file mode 100644
index 0000000000..e538617426
--- /dev/null
+++ b/openssh/patches/patch-openbsd-compat_port-tun.c
@@ -0,0 +1,45 @@
+$NetBSD: patch-openbsd-compat_port-tun.c,v 1.4 2019/01/18 20:13:37 tnn Exp $
+
+if_tun.h can be found in net/tun
+
+--- openbsd-compat/port-net.c.orig	2018-10-17 00:01:20.000000000 +0000
++++ openbsd-compat/port-net.c
+@@ -1,3 +1,4 @@
++
+ /*
+  * Copyright (c) 2005 Reyk Floeter <reyk%openbsd.org@localhost>
+  *
+@@ -200,6 +201,10 @@ sys_tun_open(int tun, int mode, char **i
+ #include <sys/socket.h>
+ #include <net/if.h>
+ 
++#ifdef HAVE_NET_TUN_IF_TUN_H
++#include <net/tun/if_tun.h>
++#endif
++
+ #ifdef HAVE_NET_IF_TUN_H
+ #include <net/if_tun.h>
+ #endif
+@@ -209,7 +214,10 @@ sys_tun_open(int tun, int mode, char **i
+ {
+ 	struct ifreq ifr;
+ 	char name[100];
+-	int fd = -1, sock, flag;
++	int fd = -1, sock;
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
++	int flag;
++#endif
+ 	const char *tunbase = "tun";
+ 
+ 	if (ifname != NULL)
+@@ -246,9 +254,9 @@ sys_tun_open(int tun, int mode, char **i
+ 		return (-1);
+ 	}
+ 
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ 	/* Turn on tunnel headers */
+ 	flag = 1;
+-#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ 	if (mode != SSH_TUNMODE_ETHERNET &&
+ 	    ioctl(fd, TUNSIFHEAD, &flag) == -1) {
+ 		debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,
diff --git a/openssh/patches/patch-platform.c b/openssh/patches/patch-platform.c
new file mode 100644
index 0000000000..fe837c1b5a
--- /dev/null
+++ b/openssh/patches/patch-platform.c
@@ -0,0 +1,16 @@
+$NetBSD: patch-platform.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- platform.c.orig	2015-08-21 04:49:03.000000000 +0000
++++ platform.c
+@@ -90,7 +90,9 @@ platform_privileged_uidswap(void)
+ 	/* uid 0 is not special on Cygwin so always try */
+ 	return 1;
+ #else
++#if !defined(HAVE_INTERIX)
+ 	return (getuid() == 0 || geteuid() == 0);
++#endif /* !HAVE_INTERIX */
+ #endif
+ }
+ 
diff --git a/openssh/patches/patch-sandbox-darwin.c b/openssh/patches/patch-sandbox-darwin.c
new file mode 100644
index 0000000000..b6624a068e
--- /dev/null
+++ b/openssh/patches/patch-sandbox-darwin.c
@@ -0,0 +1,23 @@
+$NetBSD: patch-sandbox-darwin.c,v 1.2 2016/01/18 12:53:26 jperkin Exp $
+
+Support sandbox on newer OSX, from MacPorts.
+
+--- sandbox-darwin.c.orig	2015-08-21 04:49:03.000000000 +0000
++++ sandbox-darwin.c
+@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
+ 	struct rlimit rl_zero;
+ 
+ 	debug3("%s: starting Darwin sandbox", __func__);
++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
++#ifndef SANDBOX_NAMED_EXTERNAL
++#define SANDBOX_NAMED_EXTERNAL (0x3)
++#endif
++	if (sandbox_init("@PKG_SYSCONFDIR@/org.openssh.sshd.sb",
++	    SANDBOX_NAMED_EXTERNAL, &errmsg) == -1)
++#else
+ 	if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
+ 	    &errmsg) == -1)
++#endif
+ 		fatal("%s: sandbox_init: %s", __func__, errmsg);
+ 
+ 	/*
diff --git a/openssh/patches/patch-scp.c b/openssh/patches/patch-scp.c
new file mode 100644
index 0000000000..415ddfbc2b
--- /dev/null
+++ b/openssh/patches/patch-scp.c
@@ -0,0 +1,39 @@
+$NetBSD: patch-scp.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- scp.c.orig	2015-08-21 04:49:03.000000000 +0000
++++ scp.c
+@@ -478,7 +478,11 @@ main(int argc, char **argv)
+ 	argc -= optind;
+ 	argv += optind;
+ 
++#ifdef HAVE_INTERIX
++	if ((pwd = getpwuid_ex(userid = getuid(), PW_FULLNAME)) == NULL)
++#else
+ 	if ((pwd = getpwuid(userid = getuid())) == NULL)
++#endif
+ 		fatal("unknown user %u", (u_int) userid);
+ 
+ 	if (!isatty(STDOUT_FILENO))
+@@ -886,8 +890,10 @@ rsource(char *name, struct stat *statp)
+ 		return;
+ 	}
+ 	while ((dp = readdir(dirp)) != NULL) {
++#ifndef HAVE_INTERIX
+ 		if (dp->d_ino == 0)
+ 			continue;
++#endif
+ 		if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
+ 			continue;
+ 		if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
+@@ -1297,7 +1303,9 @@ okname(char *cp0)
+ 			case '\'':
+ 			case '"':
+ 			case '`':
++#ifndef HAVE_INTERIX
+ 			case ' ':
++#endif
+ 			case '#':
+ 				goto bad;
+ 			default:
diff --git a/openssh/patches/patch-session.c b/openssh/patches/patch-session.c
new file mode 100644
index 0000000000..d0b9df8d7d
--- /dev/null
+++ b/openssh/patches/patch-session.c
@@ -0,0 +1,65 @@
+$NetBSD: patch-session.c,v 1.9 2019/01/18 20:13:37 tnn Exp $
+
+* Interix support.
+
+--- session.c.orig	2018-10-17 00:01:20.000000000 +0000
++++ session.c
+@@ -959,7 +959,7 @@ read_etc_default_login(char ***env, u_in
+ 	if (tmpenv == NULL)
+ 		return;
+ 
+-	if (uid == 0)
++	if (uid == ROOTUID)
+ 		var = child_get_env(tmpenv, "SUPATH");
+ 	else
+ 		var = child_get_env(tmpenv, "PATH");
+@@ -1077,7 +1077,7 @@ do_setup_env(struct ssh *ssh, Session *s
+ #  endif /* HAVE_ETC_DEFAULT_LOGIN */
+ 	if (path == NULL || *path == '\0') {
+ 		child_set_env(&env, &envsize, "PATH",
+-		    s->pw->pw_uid == 0 ?  SUPERUSER_PATH : _PATH_STDPATH);
++		    s->pw->pw_uid == ROOTUID ?  SUPERUSER_PATH : _PATH_STDPATH);
+ 	}
+ # endif /* HAVE_CYGWIN */
+ #endif /* HAVE_LOGIN_CAP */
+@@ -1209,6 +1209,17 @@ do_setup_env(struct ssh *ssh, Session *s
+ 		child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
+ 		    original_command);
+ 
++#ifdef HAVE_INTERIX
++	{
++		/* copy standard Windows environment, then apply changes */
++		env_t *winenv = env_login(pw);
++		env_putarray(winenv, env, ENV_OVERRIDE);
++
++		/* swap over to altered environment as a traditional array */
++		env = env_array(winenv);
++	}
++#endif
++
+ 	if (debug_flag) {
+ 		/* dump the environment */
+ 		fprintf(stderr, "Environment:\n");
+@@ -1400,11 +1411,13 @@ do_setusercontext(struct passwd *pw)
+ 			perror("setgid");
+ 			exit(1);
+ 		}
++# if !defined(HAVE_INTERIX)
+ 		/* Initialize the group list. */
+ 		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
+ 			perror("initgroups");
+ 			exit(1);
+ 		}
++# endif /* !HAVE_INTERIX */
+ 		endgrent();
+ #endif
+ 
+@@ -2275,7 +2288,7 @@ session_pty_cleanup2(Session *s)
+ 		record_logout(s->pid, s->tty, s->pw->pw_name);
+ 
+ 	/* Release the pseudo-tty. */
+-	if (getuid() == 0)
++	if (getuid() == ROOTUID)
+ 		pty_release(s->tty);
+ 
+ 	/*
diff --git a/openssh/patches/patch-sftp-common.c b/openssh/patches/patch-sftp-common.c
new file mode 100644
index 0000000000..b17738bd7f
--- /dev/null
+++ b/openssh/patches/patch-sftp-common.c
@@ -0,0 +1,14 @@
+$NetBSD$
+
+--- sftp-common.c.orig	2019-04-17 22:52:57.000000000 +0000
++++ sftp-common.c
+@@ -36,7 +36,9 @@
+ #include <string.h>
+ #include <time.h>
+ #include <stdarg.h>
++#ifdef HAVE_UNISTD_H
+ #include <unistd.h>
++#endif
+ #ifdef HAVE_UTIL_H
+ #include <util.h>
+ #endif
diff --git a/openssh/patches/patch-sshd.8 b/openssh/patches/patch-sshd.8
new file mode 100644
index 0000000000..085accf98c
--- /dev/null
+++ b/openssh/patches/patch-sshd.8
@@ -0,0 +1,27 @@
+$NetBSD: patch-sshd.8,v 1.2 2016/01/18 12:53:26 jperkin Exp $
+
+* Revive tcp_wrappers support.
+
+--- sshd.8.orig	2015-08-21 04:49:03.000000000 +0000
++++ sshd.8
+@@ -850,6 +850,12 @@ the user's home directory becomes access
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -953,6 +959,7 @@ The content of this file is not sensitiv
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
++.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
diff --git a/openssh/patches/patch-sshd.c b/openssh/patches/patch-sshd.c
new file mode 100644
index 0000000000..ccab150f1b
--- /dev/null
+++ b/openssh/patches/patch-sshd.c
@@ -0,0 +1,137 @@
+$NetBSD$
+
+--- sshd.c.orig	2019-04-17 22:52:57.000000000 +0000
++++ sshd.c
+@@ -123,6 +123,13 @@
+ #include "version.h"
+ #include "ssherr.h"
+ 
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
+@@ -235,7 +242,11 @@ static int *startup_flags = NULL;	/* Ind
+ static int startup_pipe = -1;		/* in child */
+ 
+ /* variables used for privilege separation */
++#ifdef HAVE_INTERIX
++int use_privsep = 0;
++#else
+ int use_privsep = -1;
++#endif
+ struct monitor *pmonitor = NULL;
+ int privsep_is_preauth = 1;
+ static int privsep_chroot = 1;
+@@ -467,10 +478,15 @@ privsep_preauth_child(void)
+ 		/* Drop our privileges */
+ 		debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
+ 		    (u_int)privsep_pw->pw_gid);
++#ifdef HAVE_INTERIX
++		if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE))
++			fatal("setuser: %.100s", strerror(errno));
++#else
+ 		gidset[0] = privsep_pw->pw_gid;
+ 		if (setgroups(1, gidset) < 0)
+ 			fatal("setgroups: %.100s", strerror(errno));
+ 		permanently_set_uid(privsep_pw);
++#endif /* HAVE_INTERIX */
+ 	}
+ }
+ 
+@@ -534,10 +550,17 @@ privsep_preauth(struct ssh *ssh)
+ 		/* Arrange for logging to be sent to the monitor */
+ 		set_log_handler(mm_log_handler, pmonitor);
+ 
++#ifdef  __APPLE_SANDBOX_NAMED_EXTERNAL__
++		/* We need to do this before we chroot() so we can read sshd.sb */
++		if (box != NULL)
++			ssh_sandbox_child(box);
++#endif
+ 		privsep_preauth_child();
+ 		setproctitle("%s", "[net]");
++#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
+ 		if (box != NULL)
+ 			ssh_sandbox_child(box);
++#endif
+ 
+ 		return 0;
+ 	}
+@@ -549,7 +572,7 @@ privsep_postauth(struct ssh *ssh, Authct
+ #ifdef DISABLE_FD_PASSING
+ 	if (1) {
+ #else
+-	if (authctxt->pw->pw_uid == 0) {
++	if (authctxt->pw->pw_uid == ROOTUID) {
+ #endif
+ 		/* File descriptor passing is broken or root login */
+ 		use_privsep = 0;
+@@ -1454,7 +1477,7 @@ main(int ac, char **av)
+ 	av = saved_argv;
+ #endif
+ 
+-	if (geteuid() == 0 && setgroups(0, NULL) == -1)
++	if (geteuid() == ROOTUID && setgroups(0, NULL) == -1)
+ 		debug("setgroups(): %.200s", strerror(errno));
+ 
+ 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+@@ -1686,7 +1709,7 @@ main(int ac, char **av)
+ 	);
+ 
+ 	/* Store privilege separation user for later use if required. */
+-	privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0);
++	privsep_chroot = use_privsep && (getuid() == ROOTUID || geteuid() == ROOTUID);
+ 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
+ 		if (privsep_chroot || options.kerberos_authentication)
+ 			fatal("Privilege separation user %s does not exist",
+@@ -1830,7 +1853,7 @@ main(int ac, char **av)
+ 		    (st.st_uid != getuid () ||
+ 		    (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
+ #else
+-		if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
++		if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
+ #endif
+ 			fatal("%s must be owned by root and not group or "
+ 			    "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
+@@ -1858,8 +1881,10 @@ main(int ac, char **av)
+ 	 * to create a file, and we can't control the code in every
+ 	 * module which might be used).
+ 	 */
++#ifndef HAVE_INTERIX
+ 	if (setgroups(0, NULL) < 0)
+ 		debug("setgroups() failed: %.200s", strerror(errno));
++#endif
+ 
+ 	if (rexec_flag) {
+ 		if (rexec_argc < 0)
+@@ -2053,6 +2078,25 @@ main(int ac, char **av)
+ 	audit_connection_from(remote_ip, remote_port);
+ #endif
+ 
++#ifdef LIBWRAP
++	allow_severity = options.log_facility|LOG_INFO;
++	deny_severity = options.log_facility|LOG_WARNING;
++	/* Check whether logins are denied from this host. */
++	if (ssh_packet_connection_is_on_socket(ssh)) {
++		struct request_info req;
++
++		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++		fromhost(&req);
++
++		if (!hosts_access(&req)) {
++			debug("Connection refused by tcp wrapper");
++			refuse(&req);
++			/* NOTREACHED */
++			fatal("libwrap refuse returns");
++		}
++	}
++#endif /* LIBWRAP */
++
+ 	rdomain = ssh_packet_rdomain_in(ssh);
+ 
+ 	/* Log the connection. */
diff --git a/openssh/patches/patch-sshpty.c b/openssh/patches/patch-sshpty.c
new file mode 100644
index 0000000000..c96ba181fe
--- /dev/null
+++ b/openssh/patches/patch-sshpty.c
@@ -0,0 +1,24 @@
+$NetBSD: patch-sshpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- sshpty.c.orig	2015-08-21 04:49:03.000000000 +0000
++++ sshpty.c
+@@ -86,7 +86,7 @@ void
+ pty_release(const char *tty)
+ {
+ #if !defined(__APPLE_PRIVPTY__) && !defined(HAVE_OPENPTY)
+-	if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
++	if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0)
+ 		error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
+ 	if (chmod(tty, (mode_t) 0666) < 0)
+ 		error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
+@@ -215,7 +215,7 @@ pty_setowner(struct passwd *pw, const ch
+ 	if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
+ 		if (chown(tty, pw->pw_uid, gid) < 0) {
+ 			if (errno == EROFS &&
+-			    (st.st_uid == pw->pw_uid || st.st_uid == 0))
++			    (st.st_uid == pw->pw_uid || st.st_uid == ROOTUID))
+ 				debug("chown(%.100s, %u, %u) failed: %.100s",
+ 				    tty, (u_int)pw->pw_uid, (u_int)gid,
+ 				    strerror(errno));
diff --git a/openssh/patches/patch-uidswap.c b/openssh/patches/patch-uidswap.c
new file mode 100644
index 0000000000..32a76c6922
--- /dev/null
+++ b/openssh/patches/patch-uidswap.c
@@ -0,0 +1,77 @@
+$NetBSD: patch-uidswap.c,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+Interix support
+
+--- uidswap.c.orig	2018-10-17 00:01:20.000000000 +0000
++++ uidswap.c
+@@ -68,13 +68,13 @@ temporarily_use_uid(struct passwd *pw)
+ 	    (u_int)pw->pw_uid, (u_int)pw->pw_gid,
+ 	    (u_int)saved_euid, (u_int)saved_egid);
+ #ifndef HAVE_CYGWIN
+-	if (saved_euid != 0) {
++	if (saved_euid != ROOTUID) {
+ 		privileged = 0;
+ 		return;
+ 	}
+ #endif
+ #else
+-	if (geteuid() != 0) {
++	if (geteuid() != ROOTUID) {
+ 		privileged = 0;
+ 		return;
+ 	}
+@@ -98,10 +98,11 @@ temporarily_use_uid(struct passwd *pw)
+ 
+ 	/* set and save the user's groups */
+ 	if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) {
++#ifndef HAVE_INTERIX
+ 		if (initgroups(pw->pw_name, pw->pw_gid) < 0)
+ 			fatal("initgroups: %s: %.100s", pw->pw_name,
+ 			    strerror(errno));
+-
++#endif
+ 		user_groupslen = getgroups(0, NULL);
+ 		if (user_groupslen < 0)
+ 			fatal("getgroups: %.100s", strerror(errno));
+@@ -116,9 +117,11 @@ temporarily_use_uid(struct passwd *pw)
+ 		}
+ 		user_groups_uid = pw->pw_uid;
+ 	}
++#ifndef HAVE_INTERIX
+ 	/* Set the effective uid to the given (unprivileged) uid. */
+ 	if (setgroups(user_groupslen, user_groups) < 0)
+ 		fatal("setgroups: %.100s", strerror(errno));
++#endif
+ #ifndef SAVED_IDS_WORK_WITH_SETEUID
+ 	/* Propagate the privileged gid to all of our gids. */
+ 	if (setgid(getegid()) < 0)
+@@ -166,8 +169,10 @@ restore_uid(void)
+ 	setgid(getgid());
+ #endif /* SAVED_IDS_WORK_WITH_SETEUID */
+ 
++#ifndef HAVE_INTERIX
+ 	if (setgroups(saved_egroupslen, saved_egroups) < 0)
+ 		fatal("setgroups: %.100s", strerror(errno));
++#endif
+ 	temporarily_use_uid_effective = 0;
+ }
+ 
+@@ -190,6 +195,10 @@ permanently_set_uid(struct passwd *pw)
+ 	debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
+ 	    (u_int)pw->pw_gid);
+ 
++#if defined(HAVE_INTERIX)
++	if (setuser(pw->pw_name, NULL, SU_COMPLETE))
++		fatal("setuser %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
++#else
+ 	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
+ 		fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+ 
+@@ -226,6 +235,7 @@ permanently_set_uid(struct passwd *pw)
+ 	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
+ 		fatal("%s: was able to restore old [e]uid", __func__);
+ #endif
++#endif /* HAVE_INTERIX */
+ 
+ 	/* Verify UID drop was successful */
+ 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
diff --git a/openssh/t b/openssh/t
new file mode 100644
index 0000000000..1b533975cb
--- /dev/null
+++ b/openssh/t
@@ -0,0 +1,136 @@
+--- /var/tmp/pkgsrc-obj/security/openssh/work/openssh-8.0p1/configure.ac.orig	2019-04-17 22:52:57.000000000 +0000
++++ /var/tmp/pkgsrc-obj/security/openssh/work/openssh-8.0p1/configure.ac	2019-05-01 12:11:27.813134298 +0000
+@@ -294,6 +294,9 @@
+ 	]
+ )
+ 
++# pkgsrc handles any rpath settings this package needs
++need_dash_r=
++
+ # Allow user to specify flags
+ AC_ARG_WITH([cflags],
+ 	[  --with-cflags           Specify additional flags to pass to compiler],
+@@ -387,6 +390,7 @@
+ 	maillock.h \
+ 	ndir.h \
+ 	net/if_tun.h \
++	net/tun/if_tun.h \
+ 	netdb.h \
+ 	netgroup.h \
+ 	pam/pam_appl.h \
+@@ -737,6 +741,15 @@
+ 		;;
+ 	esac
+ 	;;
++*-*-interix*)
++        AC_DEFINE(HAVE_INTERIX)
++        AC_DEFINE(DISABLE_FD_PASSING)
++        AC_DEFINE(DISABLE_SHADOW)
++        AC_DEFINE(IP_TOS_IS_BROKEN)
++        AC_DEFINE(MISSING_HOWMANY)
++        AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
++        AC_DEFINE(USE_PIPES)
++        ;;
+ *-*-irix5*)
+ 	PATH="$PATH:/usr/etc"
+ 	AC_DEFINE([BROKEN_INET_NTOA], [1],
+@@ -1494,6 +1507,62 @@
+ 	AC_MSG_RESULT([no])
+ fi
+ 
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++	[
++		if test "x$withval" != "xno" ; then
++			saved_LIBS="$LIBS"
++			saved_LDFLAGS="$LDFLAGS"
++			saved_CPPFLAGS="$CPPFLAGS"
++			if test -n "${withval}" && \
++			    test "x${withval}" != "xyes"; then
++				if test -d "${withval}/lib"; then
++					if test -n "${need_dash_r}"; then
++						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++					else
++						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++					fi
++				else
++					if test -n "${need_dash_r}"; then
++						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++					else
++						LDFLAGS="-L${withval} ${LDFLAGS}"
++					fi
++				fi
++				if test -d "${withval}/include"; then
++					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++				else
++					CPPFLAGS="-I${withval} ${CPPFLAGS}"
++				fi
++			fi
++			LIBS="-lwrap $LIBS"
++			AC_MSG_CHECKING([for libwrap])
++			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++				]], [[
++	hosts_access(0);
++				]])], [
++					AC_MSG_RESULT([yes])
++					AC_DEFINE([LIBWRAP], [1],
++						[Define if you want
++						TCP Wrappers support])
++					SSHDLIBS="$SSHDLIBS -lwrap"
++					TCPW_MSG="yes"
++				], [
++					AC_MSG_ERROR([*** libwrap missing])
++				
++			])
++			LIBS="$saved_LIBS"
++		fi
++	]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -5129,9 +5198,17 @@
+ ])
+ if test -z "$conf_wtmpx_location"; then
+ 	if test x"$system_wtmpx_path" = x"no" ; then
+-		AC_DEFINE([DISABLE_WTMPX])
++		for f in /var/log/wtmpx; do
++			if test -f $f ; then
++				conf_wtmpx_location=$f
++			fi
++		done
++		if test -z "$conf_wtmpx_location"; then
++			AC_DEFINE(DISABLE_WTMPX)
++		fi
+ 	fi
+-else
++fi
++if test -n "$conf_wtmpx_location"; then
+ 	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
+ 		[Define if you want to specify the path to your wtmpx file])
+ fi
+@@ -5223,7 +5300,7 @@
+ echo "                     User binaries: $B"
+ echo "                   System binaries: $C"
+ echo "               Configuration files: $D"
+-echo "                   Askpass program: $E"
++echo "                   Askpass program: ${ASKPASS_PROGRAM}"
+ echo "                      Manual pages: $F"
+ echo "                          PID file: $G"
+ echo "  Privilege separation chroot path: $H"
+@@ -5245,6 +5322,7 @@
+ echo "                   OSF SIA support: $SIA_MSG"
+ echo "                 KerberosV support: $KRB5_MSG"
+ echo "                   SELinux support: $SELINUX_MSG"
++echo "              TCP Wrappers support: $TCPW_MSG"
+ echo "              MD5 password support: $MD5_MSG"
+ echo "                   libedit support: $LIBEDIT_MSG"
+ echo "                   libldns support: $LDNS_MSG"
diff --git a/openssh8/DESCR b/openssh8/DESCR
new file mode 100644
index 0000000000..764ae7f090
--- /dev/null
+++ b/openssh8/DESCR
@@ -0,0 +1,14 @@
+OpenSSH is based on the last free version of Tatu Ylonen's SSH with
+all patent-encumbered algorithms removed (to external libraries), all
+known security bugs fixed, new features reintroduced and many other
+clean-ups. More information about SSH itself can be found in the file
+README.Ylonen. OpenSSH has been created by Aaron Campbell, Bob Beck,
+Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song.
+
+This port consists of the re-introduction of autoconf support, PAM
+support (for Linux and Solaris), EGD[1] support, SOCKS support (using
+the Dante [6] libraries and replacements for OpenBSD library functions
+that are (regrettably) absent from other unices. This port has been
+best tested on Linux, Solaris, HPUX, NetBSD and Irix. Support for AIX,
+SCO, NeXT and other Unices is underway. This version actively tracks
+changes in the OpenBSD CVS repository.
diff --git a/openssh8/INSTALL b/openssh8/INSTALL
new file mode 100644
index 0000000000..8b8d1d310e
--- /dev/null
+++ b/openssh8/INSTALL
@@ -0,0 +1,36 @@
+# $NetBSD: INSTALL,v 1.10 2003/08/30 20:23:06 jlam Exp $
+
+DIRS="/etc /etc/ssh ${PKG_PREFIX}/etc ${PKG_PREFIX}/etc/ssh"
+FILES="sshd.conf sshd_config"
+
+case ${STAGE} in
+POST-INSTALL)
+	for dir in $DIRS; do
+		if [ "@PKG_SYSCONFDIR@" != "$dir" ]; then
+			for file in $FILES; do
+				path=$dir/$file
+				if [ -f $path ]; then
+					${CAT} <<EOF
+===========================================================================
+
+                           *===* NOTICE *===*
+
+WARNING: previous configuration file $path found.
+
+The config files for ${PKGNAME} must be located in:
+
+	@PKG_SYSCONFDIR@
+
+You will need to ensure your configuration files and/or keys are
+placed in the correct directory before using ${PKGNAME}.
+
+===========================================================================
+EOF
+
+					exit
+				fi
+			done
+		fi
+	done
+	;;
+esac
diff --git a/openssh8/MESSAGE.Interix b/openssh8/MESSAGE.Interix
new file mode 100644
index 0000000000..ee57d65d24
--- /dev/null
+++ b/openssh8/MESSAGE.Interix
@@ -0,0 +1,20 @@
+===========================================================================
+$NetBSD: MESSAGE.Interix,v 1.1 2005/03/07 23:29:49 tv Exp $
+
+OpenSSH on Interix has some important caveats:
+
+* Hostname resolution uses the BIND resolver library rather than Windows
+  native lookup services.  This requires that /etc/resolv.conf be set up
+  properly with a "nameserver" line; see resolv.conf(5).  In most
+  installations, this was generated automatically when Services for UNIX
+  was installed (based on the name server in use at that time).
+
+* Currently, UsePrivilegeSeparation does not work properly, so it defaults
+  to "no" on Interix.
+
+* Network drives and encrypted local files may not be accessible after
+  logging in through sshd thanks to the way the Windows security API works.
+  A workaround is to "exec su USERNAME" after logging in, which will use
+  the password to create a proper Windows access credential key.
+
+===========================================================================
diff --git a/openssh8/MESSAGE.pam b/openssh8/MESSAGE.pam
new file mode 100644
index 0000000000..e111287144
--- /dev/null
+++ b/openssh8/MESSAGE.pam
@@ -0,0 +1,9 @@
+===========================================================================
+$NetBSD: MESSAGE.pam,v 1.3 2003/10/08 18:54:42 reed Exp $
+
+To authenticate for SSH using PAM, add the contents of the file:
+
+	${EGDIR}/sshd.pam
+
+to your PAM configuration file (or PAM configuration directory).
+===========================================================================
diff --git a/openssh8/Makefile b/openssh8/Makefile
new file mode 100644
index 0000000000..0f497cfb75
--- /dev/null
+++ b/openssh8/Makefile
@@ -0,0 +1,209 @@
+# $NetBSD: Makefile,v 1.258 2019/04/25 14:55:04 tron Exp $
+
+DISTNAME=		openssh-8.0p1
+PKGNAME=		${DISTNAME:S/p1/.1/}
+PKGREVISION=		1
+CATEGORIES=		security
+MASTER_SITES=		${MASTER_SITE_OPENBSD:=OpenSSH/portable/}
+
+MAINTAINER=		pkgsrc-users%NetBSD.org@localhost
+HOMEPAGE=		http://www.openssh.com/
+COMMENT=		Open Source Secure shell client and server (remote login program)
+LICENSE=		modified-bsd
+
+CONFLICTS=		sftp-[0-9]*
+CONFLICTS+=		ssh-[0-9]* ssh6-[0-9]*
+CONFLICTS+=		ssh2-[0-9]* ssh2-nox11-[0-9]*
+CONFLICTS+=		openssh+gssapi-[0-9]*
+CONFLICTS+=		lsh>2.0
+BROKEN_ON_PLATFORM+=	OpenBSD-*-*
+
+USE_GCC_RUNTIME=	yes
+USE_TOOLS+=		autoconf perl
+
+# retain the following line, for IPv6-ready pkgsrc webpage
+BUILD_DEFS+=		IPV6_READY
+
+PKG_GROUPS_VARS+=	OPENSSH_GROUP
+PKG_USERS_VARS+=	OPENSSH_USER
+BUILD_DEFS+=		OPENSSH_CHROOT
+BUILD_DEFS+=		VARBASE
+
+INSTALL_TARGET=		install-nokeys
+
+.include "options.mk"
+
+# fixes: dyld: Symbol not found: _allow_severity
+CONFIGURE_ARGS.Darwin+=	--disable-strip
+
+# OpenSSH on Interix has some important caveats
+.if ${OPSYS} == "Interix"
+MESSAGE_SRC=		${.CURDIR}/MESSAGE.Interix
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/lib/bind
+CONFIGURE_ENV+=		ac_cv_func_openpty=no
+CONFIGURE_ENV+=		ac_cv_type_struct_timespec=yes
+CPPFLAGS+=		-DIOV_MAX=16 # default is INT_MAX, way too large
+.  if exists(/usr/local/include/bind/resolv.h)
+CPPFLAGS+=		-I/usr/local/include/bind
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/include/bind
+.  elif exists(/usr/local/bind/include/resolv.h)
+CPPFLAGS+=		-I/usr/local/bind/include
+BUILDLINK_PASSTHRU_DIRS+= /usr/local/bind/include
+.  endif
+LDFLAGS+=		-L/usr/local/lib/bind
+LIBS+=			-lbind -ldb -lcrypt
+
+.else # not Interix
+
+PKG_GROUPS=		${OPENSSH_GROUP}
+PKG_USERS=		${OPENSSH_USER}:${OPENSSH_GROUP}
+
+PKG_GECOS.${OPENSSH_USER}=	sshd privsep pseudo-user
+PKG_HOME.${OPENSSH_USER}=	${OPENSSH_CHROOT}
+
+.endif
+
+SSH_PID_DIR=		${VARBASE}/run	# default directory for PID files
+
+PKG_SYSCONFSUBDIR=	ssh
+
+GNU_CONFIGURE=		yes
+CONFIGURE_ARGS+=	--with-mantype=man
+CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR}
+CONFIGURE_ARGS+=	--with-pid-dir=${SSH_PID_DIR}
+CONFIGURE_ARGS+=	--with-tcp-wrappers=${BUILDLINK_PREFIX.tcp_wrappers}
+
+.if ${OPSYS} != "Interix"
+CONFIGURE_ARGS+=	--with-privsep-path=${OPENSSH_CHROOT:Q}
+CONFIGURE_ARGS+=	--with-privsep-user=${OPENSSH_USER}
+.endif
+
+# pkgsrc already enforces a "secure" version of zlib via dependencies,
+# so skip this bogus version check.
+CONFIGURE_ARGS+=	--without-zlib-version-check
+
+.if ${_PKGSRC_MKPIE} != "no"
+CONFIGURE_ARGS+=	--with-pie
+.endif
+
+# the openssh configure script finds and uses ${LD} if defined and
+# defaults to ${CC} if not. we override LD here, since running the
+# linker directly results in undefined symbols for obvious reasons.
+#
+CONFIGURE_ENV+=		LD=${CC:Q}
+
+# Enable S/Key support on NetBSD, Darwin, and Solaris.
+.if (${OPSYS} == "NetBSD") || (${OPSYS} == "Darwin") || (${OPSYS} == "SunOS")
+.  include "../../security/skey/buildlink3.mk"
+CONFIGURE_ARGS+=	--with-skey=${BUILDLINK_PREFIX.skey}
+.else
+CONFIGURE_ARGS+=	--without-skey
+.endif
+
+.if (${OPSYS} == "NetBSD")
+.  if exists(/usr/include/utmpx.h)
+# if we have utmpx et al do not try to use login()
+CONFIGURE_ARGS+=	--disable-libutil
+.  endif
+#
+# NetBSD current after 2011/03/12 has incompatible strnvis(3) and
+# prior version don't have it.  So, disable use of strnvis(3) now.
+#
+CONFIGURE_ENV+=		ac_cv_func_strnvis=no
+#
+# workaround for ./configure problem, pkg/50936
+#
+CONFIGURE_ENV+=		ac_cv_func_reallocarray=no
+.endif
+
+.if (${OPSYS} == "SunOS") && (${OS_VERSION} == "5.8" || ${OS_VERSION} == "5.9")
+CONFIGURE_ARGS+=	--disable-utmp --disable-wtmp
+.endif
+
+CONFIGURE_ARGS.Linux+=	--enable-md5-password
+
+# The ssh-askpass program is in ${X11BASE}/bin or ${PREFIX}/bin depending
+# on if it's part of the X11 distribution, or if it's installed from pkgsrc
+# (security/ssh-askpass).
+#
+.if exists(${X11BASE}/bin/ssh-askpass)
+ASKPASS_PROGRAM=	${X11BASE}/bin/ssh-askpass
+.else
+ASKPASS_PROGRAM=	${PREFIX}/bin/ssh-askpass
+.endif
+CONFIGURE_ENV+=		ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+MAKE_ENV+=		ASKPASS_PROGRAM=${ASKPASS_PROGRAM:Q}
+
+# do the same for xauth
+.if exists(${X11BASE}/bin/xauth)
+CONFIGURE_ARGS+=	--with-xauth=${X11BASE}/bin/xauth
+.else
+CONFIGURE_ARGS+=	--with-xauth=${PREFIX}/bin/xauth
+.endif
+
+CONFS=			ssh_config sshd_config moduli
+
+PLIST_VARS+=		darwin
+
+EGDIR=			${PREFIX}/share/examples/${PKGBASE}
+
+# enable privsep patches
+.if ${OPSYS} == "Darwin"
+CONF_FILES+=		${EGDIR}/org.openssh.sshd.sb ${PKG_SYSCONFDIR}/org.openssh.sshd.sb
+CPPFLAGS+=		-D__APPLE_SANDBOX_NAMED_EXTERNAL__
+PLIST.darwin=		yes
+.endif
+
+.for f in ${CONFS}
+CONF_FILES+=		${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
+.endfor
+OWN_DIRS=		${OPENSSH_CHROOT}
+RCD_SCRIPTS=		sshd
+RCD_SCRIPT_SRC.sshd=	${WRKDIR}/sshd.sh
+SMF_METHODS=		sshd
+
+FILES_SUBST+=		SSH_PID_DIR=${SSH_PID_DIR}
+
+SUBST_CLASSES+=		patch
+SUBST_STAGE.patch=	pre-configure
+SUBST_FILES.patch=	session.c sandbox-darwin.c
+SUBST_SED.patch=	-e '/channel_input_port_forward_request/s/0/ROOTUID/'
+SUBST_VARS.patch=	PKG_SYSCONFDIR
+
+.include "../../devel/zlib/buildlink3.mk"
+.include "../../security/tcp_wrappers/buildlink3.mk"
+
+#
+# type of key "ecdsa" isn't always supported depends on OpenSSL.
+#
+pre-configure:
+	cd ${WRKSRC} && autoconf -i
+
+post-configure:
+	if ${EGREP} -q '^\#define[ 	]+OPENSSL_HAS_ECC' \
+	    ${WRKSRC}/config.h; then \
+		${SED} -e '/HAVE_ECDSA/s/.*//' \
+			${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+	else \
+		${SED} -e '/HAVE_ECDSA_START/,/HAVE_ECDSA_STOP/d' \
+			${FILESDIR}/sshd.sh > ${WRKDIR}/sshd.sh; \
+	fi
+	${SED} -e 's,@VARBASE@,${VARBASE},g' \
+		< ${FILESDIR}/org.openssh.sshd.sb.in \
+		> ${WRKDIR}/org.openssh.sshd.sb
+
+post-install:
+	${INSTALL_DATA_DIR} ${DESTDIR}${EGDIR}
+	cd ${WRKSRC}; for file in ${CONFS}; do				\
+		${INSTALL_DATA} $${file}.out ${DESTDIR}${EGDIR}/$${file};		\
+	done
+.if !empty(PKG_OPTIONS:Mpam) && ${OPSYS} == "Linux"
+	${INSTALL_DATA} ${WRKSRC}/contrib/sshd.pam.generic \
+	  ${DESTDIR}${EGDIR}/sshd.pam
+.endif
+.if ${OPSYS} == "Darwin"
+	${INSTALL_DATA} ${WRKDIR}/org.openssh.sshd.sb \
+		${DESTDIR}${EGDIR}/org.openssh.sshd.sb
+.endif
+
+.include "../../mk/bsd.pkg.mk"
diff --git a/openssh8/PLIST b/openssh8/PLIST
new file mode 100644
index 0000000000..1c18b8b3e9
--- /dev/null
+++ b/openssh8/PLIST
@@ -0,0 +1,31 @@
+@comment $NetBSD: PLIST,v 1.19 2017/01/19 03:50:53 maya Exp $
+bin/scp
+bin/sftp
+bin/ssh
+bin/ssh-add
+bin/ssh-agent
+bin/ssh-keygen
+bin/ssh-keyscan
+libexec/sftp-server
+libexec/ssh-keysign
+libexec/ssh-pkcs11-helper
+man/man1/scp.1
+man/man1/sftp.1
+man/man1/ssh-add.1
+man/man1/ssh-agent.1
+man/man1/ssh-keygen.1
+man/man1/ssh-keyscan.1
+man/man1/ssh.1
+man/man5/moduli.5
+man/man5/ssh_config.5
+man/man5/sshd_config.5
+man/man8/sftp-server.8
+man/man8/ssh-keysign.8
+man/man8/ssh-pkcs11-helper.8
+man/man8/sshd.8
+sbin/sshd
+share/examples/openssh/moduli
+${PLIST.darwin}share/examples/openssh/org.openssh.sshd.sb
+share/examples/openssh/ssh_config
+${PLIST.pam}share/examples/openssh/sshd.pam
+share/examples/openssh/sshd_config
diff --git a/openssh8/distinfo b/openssh8/distinfo
new file mode 100644
index 0000000000..58f19de962
--- /dev/null
+++ b/openssh8/distinfo
@@ -0,0 +1,29 @@
+$NetBSD: distinfo,v 1.106 2019/01/18 20:13:36 tnn Exp $
+
+SHA1 (openssh-8.0p1.tar.gz) = 756dbb99193f9541c9206a667eaa27b0fa184a4f
+RMD160 (openssh-8.0p1.tar.gz) = 9c0d0d97a5f9f97329bf334725dfbad53576d612
+SHA512 (openssh-8.0p1.tar.gz) = e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982
+Size (openssh-8.0p1.tar.gz) = 1597697 bytes
+SHA1 (patch-Makefile.in) = 13502b825c13c98b2ba3b84ff4bae9aa664b76b1
+SHA1 (patch-auth-passwd.c) = f2906091185c84d0dbb26e6b8fa0de30934816bd
+SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4
+SHA1 (patch-auth.c) = ec68a8a66b9838ba136f8181b93eb38f5b3d3249
+SHA1 (patch-auth2.c) = c57e5fe3d6fed73e6b26a8e4e4c63f36d8e20535
+SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e
+SHA1 (patch-config.h.in) = 926507ea281568e06385e16cbd3c8b907f2baa3f
+SHA1 (patch-configure.ac) = 4500549c9b85eb5502101f1043ccb85154df04b7
+SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4
+SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda
+SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c
+SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae
+SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4
+SHA1 (patch-openbsd-compat_port-tun.c) = 4b1b55b7fdc319e011d249ee336301b17a589228
+SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5
+SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75
+SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1
+SHA1 (patch-session.c) = 2538d6f825bff1be325207285cdfac89f73ff264
+SHA1 (patch-sftp-common.c) = bd3c726c056116da7673fb4649e5e7afa9db9ec3
+SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1
+SHA1 (patch-sshd.c) = 4dfe5ff525617d5d3743672f14811213eb5b6635
+SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938
+SHA1 (patch-uidswap.c) = 6c68624cfd6ff3c2386008ff336c4d7da78195f4
diff --git a/openssh8/files/org.openssh.sshd.sb.in b/openssh8/files/org.openssh.sshd.sb.in
new file mode 100644
index 0000000000..e060377c92
--- /dev/null
+++ b/openssh8/files/org.openssh.sshd.sb.in
@@ -0,0 +1,23 @@
+;;	$NetBSD: org.openssh.sshd.sb.in,v 1.1 2015/08/14 08:57:00 jperkin Exp $
+;;
+;; Copyright (c) 2008 Apple Inc.  All Rights reserved.
+;;
+;; sshd - profile for privilege separated children
+;;
+;; WARNING: The sandbox rules in this file currently constitute
+;; Apple System Private Interface and are subject to change at any time and
+;; without notice.
+;;
+
+(version 1)
+
+(deny default)
+
+(allow file-chroot)
+(allow file-read-metadata (literal "@VARBASE@"))
+
+(allow sysctl-read)
+(allow mach-per-user-lookup)
+(allow mach-lookup
+	(global-name "com.apple.system.notification_center")
+	(global-name "com.apple.system.logger"))
diff --git a/openssh8/files/smf/manifest.xml b/openssh8/files/smf/manifest.xml
new file mode 100644
index 0000000000..71e9800b9b
--- /dev/null
+++ b/openssh8/files/smf/manifest.xml
@@ -0,0 +1,46 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<service_bundle type='manifest' name='export'>
+  <service name='@SMF_PREFIX@/@SMF_NAME@' type='service' version='1'>
+    <create_default_instance enabled='false'/>
+    <single_instance/>
+    <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
+      <service_fmri value='svc:/system/filesystem/local'/>
+    </dependency>
+    <dependency name='net-loopback' grouping='require_all' restart_on='none' type='service'>
+      <service_fmri value='svc:/network/loopback'/>
+    </dependency>
+    <dependency name='net-physical' grouping='require_all' restart_on='none' type='service'>
+      <service_fmri value='svc:/network/physical'/>
+    </dependency>
+    <dependency name='cryptosvc' grouping='require_all' restart_on='none' type='service'>
+      <service_fmri value='svc:/system/cryptosvc'/>
+    </dependency>
+    <dependency name='utmp' grouping='require_all' restart_on='none' type='service'>
+      <service_fmri value='svc:/system/utmp'/>
+    </dependency>
+    <dependency name='config_data' grouping='require_all' restart_on='restart' type='path'>
+      <service_fmri value='file://localhost@PKG_SYSCONFDIR@/sshd_config'/>
+    </dependency>
+    <dependent name='openssh_multi-user-server' restart_on='none' grouping='optional_all'>
+      <service_fmri value='svc:/milestone/multi-user-server'/>
+    </dependent>
+    <exec_method name='start' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ start' timeout_seconds='60'/>
+    <exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
+    <exec_method name='refresh' type='method' exec='@PREFIX@/@SMF_METHOD_FILE.sshd@ restart' timeout_seconds='60'/>
+    <property_group name='general' type='framework'>
+      <property name='action_authorization' type='astring'/>
+    </property_group>
+    <property_group name='startd' type='framework'>
+      <propval name='ignore_error' type='astring' value='core,signal'/>
+    </property_group>
+    <template>
+      <common_name>
+        <loctext xml:lang='C'>OpenSSH server</loctext>
+      </common_name>
+      <documentation>
+        <manpage title='sshd' section='1M' manpath='@PREFIX@/@PKGMANDIR@'/>
+      </documentation>
+    </template>
+  </service>
+</service_bundle>
diff --git a/openssh8/files/smf/sshd.sh b/openssh8/files/smf/sshd.sh
new file mode 100644
index 0000000000..0ab48193b1
--- /dev/null
+++ b/openssh8/files/smf/sshd.sh
@@ -0,0 +1,68 @@
+#!@SMF_METHOD_SHELL@
+#
+# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ident	"@(#)sshd	1.4	04/11/17 SMI"
+
+SSHDIR=@PKG_SYSCONFDIR@
+KEYGEN="@PREFIX@/bin/ssh-keygen -q"
+PIDFILE=@VARBASE@/run/sshd.pid
+
+# Checks to see if RSA, and DSA host keys are available
+# if any of these keys are not present, the respective keys are created.
+create_key()
+{
+	keypath=$1
+	keytype=$2
+
+	if [ ! -f $keypath ]; then
+		grep "^HostKey $keypath" $SSHDIR/sshd_config > /dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			echo Creating new $keytype public/private host key pair
+			$KEYGEN -f $keypath -t $keytype -N ''
+			return $?
+		fi
+	fi
+
+	return 0
+}
+
+# This script is being used for two purposes: as part of an SMF
+# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M)
+# application.
+#
+# Both, the SMF methods and sysidconfig/sys-unconfig use different
+# arguments..
+
+case $1 in
+	# sysidconfig/sys-unconfig arguments (-c and -u)
+'-c')
+	create_key $SSHDIR/ssh_host_rsa_key rsa
+	create_key $SSHDIR/ssh_host_dsa_key dsa
+	;;
+
+'-u')
+	# sys-unconfig(1M) knows how to remove ssh host keys, so there's
+	# nothing to do here.
+	:
+	;;
+
+	# SMF arguments (start and restart [really "refresh"])
+'start')
+	@PREFIX@/sbin/sshd
+	;;
+
+'restart')
+	if [ -f "$PIDFILE" ]; then
+		/usr/bin/kill -HUP `/usr/bin/cat $PIDFILE`
+	fi
+	;;
+
+*)
+	echo "Usage: $0 { start | restart }"
+	exit 1
+	;;
+esac
+
+exit $?
diff --git a/openssh8/files/sshd.sh b/openssh8/files/sshd.sh
new file mode 100644
index 0000000000..8493e047e4
--- /dev/null
+++ b/openssh8/files/sshd.sh
@@ -0,0 +1,115 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: sshd.sh,v 1.16 2015/11/11 11:40:06 sevan Exp $
+#
+# PROVIDE: sshd
+# REQUIRE: DAEMON LOGIN
+
+if [ -f /etc/rc.subr ]
+then
+	. /etc/rc.subr
+fi
+
+name="sshd"
+rcvar=$name
+command="@PREFIX@/sbin/${name}"
+keygen_command="@PREFIX@/bin/ssh-keygen"
+pidfile="@SSH_PID_DIR@/${name}.pid"
+required_files="@PKG_SYSCONFDIR@/sshd_config"
+extra_commands="keygen reload"
+
+sshd_keygen()
+{
+	(
+	umask 022
+	if [ -f @PKG_SYSCONFDIR@/ssh_host_dsa_key ]; then
+		@ECHO@ "You already have a DSA host key in @PKG_SYSCONFDIR@/ssh_host_dsa_key"
+		@ECHO@ "Skipping protocol version 2 DSA Key Generation"
+	else
+		${keygen_command} -t dsa -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -N ''
+	fi
+
+	if [ -f @PKG_SYSCONFDIR@/ssh_host_rsa_key ]; then
+		@ECHO@ "You already have a RSA host key in @PKG_SYSCONFDIR@/ssh_host_rsa_key"
+		@ECHO@ "Skipping protocol version 2 RSA Key Generation"
+	else
+		${keygen_command} -t rsa -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -N ''
+	fi
+# HAVE_ECDSA_START
+	if [ -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key ]; then
+		@ECHO@ "You already have a ECDSA host key in @PKG_SYSCONFDIR@/ssh_host_ecdsa_key"
+		@ECHO@ "Skipping protocol version 2 ECDSA Key Generation"
+	else
+		${keygen_command} -t ecdsa -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -N ''
+	fi
+# HAVE_ECDSA_STOP
+# HAVE_ED25519_START
+	if [ -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+		@ECHO@ "You already have a ED25519 host key in @PKG_SYSCONFDIR@/ssh_host_ed25519_key"
+		@ECHO@ "Skipping protocol version 2 ED25519 Key Generation"
+	else
+		${keygen_command} -t ed25519 -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key -N ''
+	fi
+# HAVE_ED25519_STOP
+	)
+}
+
+sshd_precmd()
+{
+	if [ ! -f @PKG_SYSCONFDIR@/ssh_host_dsa_key -o \
+	     ! -f @PKG_SYSCONFDIR@/ssh_host_rsa_key -o \
+	     ! -f @PKG_SYSCONFDIR@/ssh_host_ecdsa_key -o \
+	     ! -f @PKG_SYSCONFDIR@/ssh_host_ed25519_key ]; then
+		if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+		then
+			run_rc_command keygen
+		else
+			eval ${keygen_cmd}
+		fi
+	fi
+}
+
+keygen_cmd=sshd_keygen
+start_precmd=sshd_precmd
+
+if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+then
+	load_rc_config $name
+	run_rc_command "$1"
+else
+	case ${1:-start} in
+	start)
+		if [ -x ${command} -a -f ${required_files} ]
+		then
+			@ECHO@ "Starting ${name}."
+			eval ${start_precmd}
+			eval ${command} ${sshd_flags} ${command_args}
+		fi
+		;;
+	stop)
+		if [ -f ${pidfile} ]; then
+			pid=`@HEAD@ -1 ${pidfile}`
+			@ECHO@ "Stopping ${name}."
+			kill -TERM ${pid}
+		else
+			@ECHO@ "${name} not running?"
+		fi
+		;;
+	restart)
+		( $0 stop )
+		sleep 1
+		$0 start
+		;;
+	status)
+		if [ -f ${pidfile} ]; then
+			pid=`@HEAD@ -1 ${pidfile}`
+			@ECHO@ "${name} is running as pid ${pid}."
+		else
+			@ECHO@ "${name} is not running."
+		fi
+		;;
+	keygen)
+		eval ${keygen_cmd}
+		;;
+	esac
+fi
diff --git a/openssh8/options.mk b/openssh8/options.mk
new file mode 100644
index 0000000000..6e941d6b5b
--- /dev/null
+++ b/openssh8/options.mk
@@ -0,0 +1,51 @@
+# $NetBSD: options.mk,v 1.36 2019/04/25 14:55:04 tron Exp $
+
+PKG_OPTIONS_VAR=	PKG_OPTIONS.openssh
+PKG_SUPPORTED_OPTIONS=	editline kerberos openssl pam
+PKG_SUGGESTED_OPTIONS=	editline openssl
+
+.include "../../mk/bsd.prefs.mk"
+
+.if ${OPSYS} == "NetBSD"
+PKG_SUGGESTED_OPTIONS+=	pam
+.endif
+
+.include "../../mk/bsd.options.mk"
+
+.if !empty(PKG_OPTIONS:Mopenssl)
+.include "../../security/openssl/buildlink3.mk"
+CONFIGURE_ARGS+=	--with-ssl-dir=${SSLBASE:Q}
+.else
+CONFIGURE_ARGS+=	--without-openssl
+.endif
+
+.if !empty(PKG_OPTIONS:Mkerberos)
+.  include "../../mk/krb5.buildlink3.mk"
+CONFIGURE_ARGS+=	--with-kerberos5=${KRB5BASE}
+.  if ${KRB5_TYPE} == "mit-krb5"
+CONFIGURE_ENV+=		ac_cv_search_k_hasafs=no
+.  endif
+.endif
+
+#.if !empty(PKG_OPTIONS:Mhpn-patch)
+#PATCHFILES=		openssh-7.1p1-hpn-20150822.diff.bz2
+#PATCH_SITES=		ftp://ftp.NetBSD.org/pub/NetBSD/misc/openssh/
+#PATCH_DIST_STRIP=	-p1
+#.endif
+
+PLIST_VARS+=	pam
+
+.if !empty(PKG_OPTIONS:Mpam)
+.include "../../mk/pam.buildlink3.mk"
+CONFIGURE_ARGS+=	--with-pam
+MESSAGE_SRC+=		${.CURDIR}/MESSAGE.pam
+MESSAGE_SUBST+=		EGDIR=${EGDIR}
+.  if ${OPSYS} == "Linux"
+PLIST.pam=	yes
+.  endif
+.endif
+
+.if !empty(PKG_OPTIONS:Meditline)
+.include "../../devel/editline/buildlink3.mk"
+CONFIGURE_ARGS+=	--with-libedit=${BUILDLINK_PREFIX.editline}
+.endif
diff --git a/openssh8/patches/patch-Makefile.in b/openssh8/patches/patch-Makefile.in
new file mode 100644
index 0000000000..969eab46e7
--- /dev/null
+++ b/openssh8/patches/patch-Makefile.in
@@ -0,0 +1,31 @@
+$NetBSD: patch-Makefile.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+Removed install-sysconf as we handle that phase through post-install
+
+--- Makefile.in.orig	2018-10-17 00:01:20.000000000 +0000
++++ Makefile.in
+@@ -1,5 +1,5 @@
+ # uncomment if you run a non bourne compatible shell. Ie. csh
+-#SHELL = @SH@
++SHELL = @SH@
+ 
+ AUTORECONF=autoreconf
+ 
+@@ -20,7 +20,7 @@ top_srcdir=@top_srcdir@
+ DESTDIR=
+ VPATH=@srcdir@
+ SSH_PROGRAM=@bindir@/ssh
+-ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
++#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+@@ -320,7 +320,7 @@ distprep: catman-do depend-check
+ 	-rm -rf autom4te.cache .depend.bak
+ 
+ install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
+-install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
++install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+ install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+ 
+ check-config:
diff --git a/openssh8/patches/patch-auth-passwd.c b/openssh8/patches/patch-auth-passwd.c
new file mode 100644
index 0000000000..68ed2fc1ec
--- /dev/null
+++ b/openssh8/patches/patch-auth-passwd.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-auth-passwd.c,v 1.5 2019/01/18 20:13:37 tnn Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth-passwd.c.orig	2018-10-17 00:01:20.000000000 +0000
++++ auth-passwd.c
+@@ -87,7 +87,7 @@ auth_password(struct ssh *ssh, const cha
+ 		return 0;
+ 
+ #ifndef HAVE_CYGWIN
+-	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
++	if (pw->pw_uid == ROOTUID && options.permit_root_login != PERMIT_YES)
+ 		ok = 0;
+ #endif
+ 	if (*password == '\0' && options.permit_empty_passwd == 0)
+@@ -122,7 +122,11 @@ auth_password(struct ssh *ssh, const cha
+ 			authctxt->force_pwchange = 1;
+ 	}
+ #endif
++#ifdef HAVE_INTERIX
++	result = (!setuser(pw->pw_name, password, SU_CHECK));
++#else
+ 	result = sys_auth_passwd(ssh, password);
++#endif
+ 	if (authctxt->force_pwchange)
+ 		auth_restrict_session(ssh);
+ 	return (result && ok);
diff --git a/openssh8/patches/patch-auth-rhosts.c b/openssh8/patches/patch-auth-rhosts.c
new file mode 100644
index 0000000000..fef060635c
--- /dev/null
+++ b/openssh8/patches/patch-auth-rhosts.c
@@ -0,0 +1,33 @@
+$NetBSD: patch-auth-rhosts.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth-rhosts.c.orig	2015-08-21 04:49:03.000000000 +0000
++++ auth-rhosts.c
+@@ -242,7 +242,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ 	 * If not logging in as superuser, try /etc/hosts.equiv and
+ 	 * shosts.equiv.
+ 	 */
+-	if (pw->pw_uid == 0)
++	if (pw->pw_uid == ROOTUID)
+ 		debug3("%s: root user, ignoring system hosts files", __func__);
+ 	else {
+ 		if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
+@@ -271,7 +271,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ 		return 0;
+ 	}
+ 	if (options.strict_modes &&
+-	    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++	    ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ 	    (st.st_mode & 022) != 0)) {
+ 		logit("Rhosts authentication refused for %.100s: "
+ 		    "bad ownership or modes for home directory.", pw->pw_name);
+@@ -298,7 +298,7 @@ auth_rhosts2_raw(struct passwd *pw, cons
+ 		 * allowing access to their account by anyone.
+ 		 */
+ 		if (options.strict_modes &&
+-		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++		    ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ 		    (st.st_mode & 022) != 0)) {
+ 			logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
+ 			    pw->pw_name, buf);
diff --git a/openssh8/patches/patch-auth.c b/openssh8/patches/patch-auth.c
new file mode 100644
index 0000000000..719484c161
--- /dev/null
+++ b/openssh8/patches/patch-auth.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-auth.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+* Replace uid 0 with ROOTUID macro.
+* Use login_getpwclass() instead of login_getclass() so that the root
+  vs. default login class distinction is made correctly, from FrrrBSD's
+  ports.
+
+--- auth.c.orig	2019-05-01 11:28:52.028281617 +0000
++++ auth.c
+@@ -472,7 +472,7 @@ check_key_in_hostfiles(struct passwd *pw
+ 		user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
+ 		if (options.strict_modes &&
+ 		    (stat(user_hostfile, &st) == 0) &&
+-		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
++		    ((st.st_uid != ROOTUID && st.st_uid != pw->pw_uid) ||
+ 		    (st.st_mode & 022) != 0)) {
+ 			logit("Authentication refused for %.100s: "
+ 			    "bad owner or modes for %.200s",
+@@ -599,7 +599,7 @@ getpwnamallow(struct ssh *ssh, const cha
+ 	if (!allowed_user(ssh, pw))
+ 		return (NULL);
+ #ifdef HAVE_LOGIN_CAP
+-	if ((lc = login_getclass(pw->pw_class)) == NULL) {
++	if ((lc = login_getpwclass(pw->pw_class)) == NULL) {
+ 		debug("unable to get login class: %s", user);
+ 		return (NULL);
+ 	}
diff --git a/openssh8/patches/patch-auth2.c b/openssh8/patches/patch-auth2.c
new file mode 100644
index 0000000000..2182d4afc7
--- /dev/null
+++ b/openssh8/patches/patch-auth2.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-auth2.c,v 1.7 2019/01/18 20:13:37 tnn Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- auth2.c.orig	2018-10-17 00:01:20.000000000 +0000
++++ auth2.c
+@@ -352,7 +352,7 @@ userauth_finish(struct ssh *ssh, int aut
+ 		fatal("INTERNAL ERROR: authenticated and postponed");
+ 
+ 	/* Special handling for root */
+-	if (authenticated && authctxt->pw->pw_uid == 0 &&
++	if (authenticated && authctxt->pw->pw_uid == ROOTUID &&
+ 	    !auth_root_allowed(ssh, method)) {
+ 		authenticated = 0;
+ #ifdef SSH_AUDIT_EVENTS
diff --git a/openssh8/patches/patch-clientloop.c b/openssh8/patches/patch-clientloop.c
new file mode 100644
index 0000000000..1089e0330c
--- /dev/null
+++ b/openssh8/patches/patch-clientloop.c
@@ -0,0 +1,63 @@
+$NetBSD: patch-clientloop.c,v 1.5 2016/12/30 04:43:16 taca Exp $
+
+Fix X11 forwarding under Mac OS X Yosemite. Patch taken from MacPorts.
+
+https://trac.macports.org/browser/trunk/dports/net/openssh/files/launchd.patch?rev=121205
+
+--- clientloop.c.orig	2016-12-19 04:59:41.000000000 +0000
++++ clientloop.c
+@@ -315,6 +315,10 @@ client_x11_get_proto(const char *display
+ 	struct stat st;
+ 	u_int now, x11_timeout_real;
+ 
++#if __APPLE__
++	int is_path_to_socket = 0;
++#endif /* __APPLE__ */
++
+ 	*_proto = proto;
+ 	*_data = data;
+ 	proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
+@@ -331,6 +335,33 @@ client_x11_get_proto(const char *display
+ 	}
+ 
+ 	if (xauth_path != NULL) {
++#if __APPLE__
++		{
++			/*
++			 * If using launchd socket, remove the screen number from the end
++			 * of $DISPLAY. is_path_to_socket is used later in this function
++			 * to determine if an error should be displayed.
++			 */
++			char path[PATH_MAX];
++			struct stat sbuf;
++
++			strlcpy(path, display, sizeof(path));
++			if (0 == stat(path, &sbuf)) {
++				is_path_to_socket = 1;
++			} else {
++				char *dot = strrchr(path, '.');
++				if (dot) {
++					*dot = '\0';
++					/* screen = atoi(dot + 1); */
++					if (0 == stat(path, &sbuf)) {
++						is_path_to_socket = 1;
++						debug("x11_get_proto: $DISPLAY is launchd, removing screennum");
++						setenv("DISPLAY", path, 1);
++					}
++				}
++			}
++		}
++#endif /* __APPLE__ */
+ 		/*
+ 		 * Handle FamilyLocal case where $DISPLAY does
+ 		 * not match an authorization entry.  For this we
+@@ -441,6 +472,9 @@ client_x11_get_proto(const char *display
+ 		u_int8_t rnd[16];
+ 		u_int i;
+ 
++#if __APPLE__
++		if (!is_path_to_socket)
++#endif /* __APPLE__ */
+ 		logit("Warning: No xauth data; "
+ 		    "using fake authentication data for X11 forwarding.");
+ 		strlcpy(proto, SSH_X11_PROTO, sizeof proto);
diff --git a/openssh8/patches/patch-config.h.in b/openssh8/patches/patch-config.h.in
new file mode 100644
index 0000000000..c1bb668067
--- /dev/null
+++ b/openssh8/patches/patch-config.h.in
@@ -0,0 +1,37 @@
+$NetBSD: patch-config.h.in,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+* Added Interix and define new path to if_tun.h.
+* Revive tcp_wrappers support.
+
+--- config.h.in.orig	2018-10-19 01:06:33.000000000 +0000
++++ config.h.in
+@@ -741,6 +741,9 @@
+ /* define if you have int64_t data type */
+ #undef HAVE_INT64_T
+ 
++/* Define if you are on Interix */
++#undef HAVE_INTERIX
++
+ /* Define to 1 if the system has the type `intmax_t'. */
+ #undef HAVE_INTMAX_T
+ 
+@@ -910,6 +913,9 @@
+ /* Define to 1 if you have the <net/route.h> header file. */
+ #undef HAVE_NET_ROUTE_H
+ 
++/* Define to 1 if you have the <net/tun/if_tun.h> header file. */
++#undef HAVE_NET_TUN_IF_TUN_H
++
+ /* Define if you are on NeXT */
+ #undef HAVE_NEXT
+ 
+@@ -1617,6 +1623,9 @@
+ /* Define if pututxline updates lastlog too */
+ #undef LASTLOG_WRITE_PUTUTXLINE
+ 
++/* Define if you want TCP Wrappers support */
++#undef LIBWRAP
++
+ /* Define to whatever link() returns for "not supported" if it doesn't return
+    EOPNOTSUPP. */
+ #undef LINK_OPNOTSUPP_ERRNO
diff --git a/openssh8/patches/patch-configure.ac b/openssh8/patches/patch-configure.ac
new file mode 100644
index 0000000000..ec50365d8e
--- /dev/null
+++ b/openssh8/patches/patch-configure.ac
@@ -0,0 +1,138 @@
+$NetBSD$
+
+--- configure.ac.orig	2019-04-17 22:52:57.000000000 +0000
++++ configure.ac
+@@ -294,6 +294,9 @@ AC_ARG_WITH([rpath],
+ 	]
+ )
+ 
++# pkgsrc handles any rpath settings this package needs
++need_dash_r=
++
+ # Allow user to specify flags
+ AC_ARG_WITH([cflags],
+ 	[  --with-cflags           Specify additional flags to pass to compiler],
+@@ -387,6 +390,7 @@ AC_CHECK_HEADERS([ \
+ 	maillock.h \
+ 	ndir.h \
+ 	net/if_tun.h \
++	net/tun/if_tun.h \
+ 	netdb.h \
+ 	netgroup.h \
+ 	pam/pam_appl.h \
+@@ -737,6 +741,15 @@ main() { if (NSVersionOfRunTimeLibrary("
+ 		;;
+ 	esac
+ 	;;
++*-*-interix*)
++        AC_DEFINE(HAVE_INTERIX)
++        AC_DEFINE(DISABLE_FD_PASSING)
++        AC_DEFINE(DISABLE_SHADOW)
++        AC_DEFINE(IP_TOS_IS_BROKEN)
++        AC_DEFINE(MISSING_HOWMANY)
++        AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT)
++        AC_DEFINE(USE_PIPES)
++        ;;
+ *-*-irix5*)
+ 	PATH="$PATH:/usr/etc"
+ 	AC_DEFINE([BROKEN_INET_NTOA], [1],
+@@ -1494,6 +1507,62 @@ else
+ 	AC_MSG_RESULT([no])
+ fi
+ 
++# Check whether user wants TCP wrappers support
++TCPW_MSG="no"
++AC_ARG_WITH([tcp-wrappers],
++	[  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
++	[
++		if test "x$withval" != "xno" ; then
++			saved_LIBS="$LIBS"
++			saved_LDFLAGS="$LDFLAGS"
++			saved_CPPFLAGS="$CPPFLAGS"
++			if test -n "${withval}" && \
++			    test "x${withval}" != "xyes"; then
++				if test -d "${withval}/lib"; then
++					if test -n "${need_dash_r}"; then
++						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
++					else
++						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++					fi
++				else
++					if test -n "${need_dash_r}"; then
++						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
++					else
++						LDFLAGS="-L${withval} ${LDFLAGS}"
++					fi
++				fi
++				if test -d "${withval}/include"; then
++					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
++				else
++					CPPFLAGS="-I${withval} ${CPPFLAGS}"
++				fi
++			fi
++			LIBS="-lwrap $LIBS"
++			AC_MSG_CHECKING([for libwrap])
++			AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++#include <sys/types.h>
++#include <sys/socket.h>
++#include <netinet/in.h>
++#include <tcpd.h>
++int deny_severity = 0, allow_severity = 0;
++				]], [[
++	hosts_access(0);
++				]])], [
++					AC_MSG_RESULT([yes])
++					AC_DEFINE([LIBWRAP], [1],
++						[Define if you want
++						TCP Wrappers support])
++					SSHDLIBS="$SSHDLIBS -lwrap"
++					TCPW_MSG="yes"
++				], [
++					AC_MSG_ERROR([*** libwrap missing])
++				
++			])
++			LIBS="$saved_LIBS"
++		fi
++	]
++)
++
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -5129,9 +5198,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ ])
+ if test -z "$conf_wtmpx_location"; then
+ 	if test x"$system_wtmpx_path" = x"no" ; then
+-		AC_DEFINE([DISABLE_WTMPX])
++		for f in /var/log/wtmpx; do
++			if test -f $f ; then
++				conf_wtmpx_location=$f
++			fi
++		done
++		if test -z "$conf_wtmpx_location"; then
++			AC_DEFINE(DISABLE_WTMPX)
++		fi
+ 	fi
+-else
++fi
++if test -n "$conf_wtmpx_location"; then
+ 	AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"],
+ 		[Define if you want to specify the path to your wtmpx file])
+ fi
+@@ -5223,7 +5300,7 @@ echo "OpenSSH has been configured with t
+ echo "                     User binaries: $B"
+ echo "                   System binaries: $C"
+ echo "               Configuration files: $D"
+-echo "                   Askpass program: $E"
++echo "                   Askpass program: ${ASKPASS_PROGRAM}"
+ echo "                      Manual pages: $F"
+ echo "                          PID file: $G"
+ echo "  Privilege separation chroot path: $H"
+@@ -5245,6 +5322,7 @@ echo "                       PAM support
+ echo "                   OSF SIA support: $SIA_MSG"
+ echo "                 KerberosV support: $KRB5_MSG"
+ echo "                   SELinux support: $SELINUX_MSG"
++echo "              TCP Wrappers support: $TCPW_MSG"
+ echo "              MD5 password support: $MD5_MSG"
+ echo "                   libedit support: $LIBEDIT_MSG"
+ echo "                   libldns support: $LDNS_MSG"
diff --git a/openssh8/patches/patch-defines.h b/openssh8/patches/patch-defines.h
new file mode 100644
index 0000000000..63788b31ba
--- /dev/null
+++ b/openssh8/patches/patch-defines.h
@@ -0,0 +1,47 @@
+$NetBSD: patch-defines.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Define ROOTUID, UTMPX_FILE and WTMPX_FILE
+
+--- defines.h.orig	2015-08-21 04:49:03.000000000 +0000
++++ defines.h
+@@ -30,6 +30,15 @@
+ 
+ /* Constants */
+ 
++#ifdef HAVE_INTERIX
++/* Interix has a special concept of "administrator". */
++# define ROOTUID	197108
++# define ROOTGID	131616
++#else
++# define ROOTUID	0
++# define ROOTGID	0
++#endif
++
+ #if defined(HAVE_DECL_SHUT_RD) && HAVE_DECL_SHUT_RD == 0
+ enum
+ {
+@@ -721,6 +730,24 @@ struct winsize {
+ #    endif
+ #  endif
+ #endif
++#ifndef UTMPX_FILE
++#  ifdef _PATH_UTMPX
++#    define UTMPX_FILE _PATH_UTMPX
++#  else
++#    ifdef CONF_UTMPX_FILE
++#      define UTMPX_FILE CONF_UTMPX_FILE
++#    endif
++#  endif
++#endif
++#ifndef WTMPX_FILE
++#  ifdef _PATH_WTMPX
++#    define WTMPX_FILE _PATH_WTMPX
++#  else
++#    ifdef CONF_WTMPX_FILE
++#      define WTMPX_FILE CONF_WTMPX_FILE
++#    endif
++#  endif
++#endif
+ /* pick up the user's location for lastlog if given */
+ #ifndef LASTLOG_FILE
+ #  ifdef _PATH_LASTLOG
diff --git a/openssh8/patches/patch-includes.h b/openssh8/patches/patch-includes.h
new file mode 100644
index 0000000000..5e54a9dcd8
--- /dev/null
+++ b/openssh8/patches/patch-includes.h
@@ -0,0 +1,17 @@
+$NetBSD: patch-includes.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- includes.h.orig	2015-08-21 04:49:03.000000000 +0000
++++ includes.h
+@@ -127,6 +127,10 @@
+ #ifdef HAVE_READPASSPHRASE_H
+ # include <readpassphrase.h>
+ #endif
++#ifdef HAVE_INTERIX
++# include <interix/env.h>
++# include <interix/security.h>
++#endif
+ 
+ #ifdef HAVE_IA_H
+ # include <ia.h>
diff --git a/openssh8/patches/patch-loginrec.c b/openssh8/patches/patch-loginrec.c
new file mode 100644
index 0000000000..fa56d5a158
--- /dev/null
+++ b/openssh8/patches/patch-loginrec.c
@@ -0,0 +1,68 @@
+$NetBSD: patch-loginrec.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support and related fixes. Fix build on FreeBSD.
+
+--- loginrec.c.orig	2015-08-21 04:49:03.000000000 +0000
++++ loginrec.c
+@@ -432,8 +432,8 @@ login_set_addr(struct logininfo *li, con
+ int
+ login_write(struct logininfo *li)
+ {
+-#ifndef HAVE_CYGWIN
+-	if (geteuid() != 0) {
++#if !defined(HAVE_CYGWIN) && !defined(HAVE_INTERIX)
++        if (geteuid() != ROOTUID) {
+ 		logit("Attempt to write login records by non-root user (aborting)");
+ 		return (1);
+ 	}
+@@ -441,7 +441,7 @@ login_write(struct logininfo *li)
+ 
+ 	/* set the timestamp */
+ 	login_set_current_time(li);
+-#ifdef USE_LOGIN
++#if defined(USE_LOGIN) && (HAVE_UTMP_H)
+ 	syslogin_write_entry(li);
+ #endif
+ #ifdef USE_LASTLOG
+@@ -625,7 +625,7 @@ line_abbrevname(char *dst, const char *s
+  ** into account.
+  **/
+ 
+-#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
++#if defined(USE_UTMP) || defined (USE_WTMP) || (defined (USE_LOGIN) && defined (HAVE_UTMP_H))
+ 
+ /* build the utmp structure */
+ void
+@@ -762,10 +762,6 @@ construct_utmpx(struct logininfo *li, st
+ 	set_utmpx_time(li, utx);
+ 	utx->ut_pid = li->pid;
+ 
+-	/* strncpy(): Don't necessarily want null termination */
+-	strncpy(utx->ut_user, li->username,
+-	    MIN_SIZEOF(utx->ut_user, li->username));
+-
+ 	if (li->type == LTYPE_LOGOUT)
+ 		return;
+ 
+@@ -774,6 +770,12 @@ construct_utmpx(struct logininfo *li, st
+ 	 * for logouts.
+ 	 */
+ 
++	/* strncpy(): Don't necessarily want null termination */
++#if defined(__FreeBSD__)
++	strncpy(utx->ut_user, li->username, MIN_SIZEOF(utx->ut_user, li->username));
++#else
++	strncpy(utx->ut_name, li->username, MIN_SIZEOF(utx->ut_name, li->username));
++#endif
+ # ifdef HAVE_HOST_IN_UTMPX
+ 	strncpy(utx->ut_host, li->hostname,
+ 	    MIN_SIZEOF(utx->ut_host, li->hostname));
+@@ -1409,7 +1411,7 @@ wtmpx_get_entry(struct logininfo *li)
+  ** Low-level libutil login() functions
+  **/
+ 
+-#ifdef USE_LOGIN
++#if defined(USE_LOGIN) && defined(HAVE_UTMP_H)
+ static int
+ syslogin_perform_login(struct logininfo *li)
+ {
diff --git a/openssh8/patches/patch-openbsd-compat_bsd-openpty.c b/openssh8/patches/patch-openbsd-compat_bsd-openpty.c
new file mode 100644
index 0000000000..adbacbee3a
--- /dev/null
+++ b/openssh8/patches/patch-openbsd-compat_bsd-openpty.c
@@ -0,0 +1,22 @@
+$NetBSD: patch-openbsd-compat_bsd-openpty.c,v 1.4 2016/12/30 04:43:16 taca Exp $
+
+Interix support
+
+--- openbsd-compat/bsd-openpty.c.orig	2016-12-19 04:59:41.000000000 +0000
++++ openbsd-compat/bsd-openpty.c
+@@ -121,6 +121,7 @@ openpty(int *amaster, int *aslave, char 
+ 		return (-1);
+ 	}
+ 
++#if !defined(HAVE_INTERIX)
+ 	/*
+ 	 * Try to push the appropriate streams modules, as described
+ 	 * in Solaris pts(7).
+@@ -130,6 +131,7 @@ openpty(int *amaster, int *aslave, char 
+ # ifndef __hpux
+ 	ioctl(*aslave, I_PUSH, "ttcompat");
+ # endif /* __hpux */
++#endif /* !HAVE_INTERIX */
+ 
+ 	return (0);
+ 
diff --git a/openssh8/patches/patch-openbsd-compat_openbsd-compat.h b/openssh8/patches/patch-openbsd-compat_openbsd-compat.h
new file mode 100644
index 0000000000..771757f15f
--- /dev/null
+++ b/openssh8/patches/patch-openbsd-compat_openbsd-compat.h
@@ -0,0 +1,17 @@
+$NetBSD: patch-openbsd-compat_openbsd-compat.h,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+strtoll() declaration
+
+--- openbsd-compat/openbsd-compat.h.orig	2015-08-21 04:49:03.000000000 +0000
++++ openbsd-compat/openbsd-compat.h
+@@ -99,6 +99,10 @@ size_t strlcat(char *dst, const char *sr
+ int setenv(register const char *name, register const char *value, int rewrite);
+ #endif
+ 
++#ifndef HAVE_STRTOLL
++long long strtoll(const char *, char **, int);
++#endif
++
+ #ifndef HAVE_STRMODE
+ void strmode(int mode, char *p);
+ #endif
diff --git a/openssh8/patches/patch-openbsd-compat_port-tun.c b/openssh8/patches/patch-openbsd-compat_port-tun.c
new file mode 100644
index 0000000000..e538617426
--- /dev/null
+++ b/openssh8/patches/patch-openbsd-compat_port-tun.c
@@ -0,0 +1,45 @@
+$NetBSD: patch-openbsd-compat_port-tun.c,v 1.4 2019/01/18 20:13:37 tnn Exp $
+
+if_tun.h can be found in net/tun
+
+--- openbsd-compat/port-net.c.orig	2018-10-17 00:01:20.000000000 +0000
++++ openbsd-compat/port-net.c
+@@ -1,3 +1,4 @@
++
+ /*
+  * Copyright (c) 2005 Reyk Floeter <reyk%openbsd.org@localhost>
+  *
+@@ -200,6 +201,10 @@ sys_tun_open(int tun, int mode, char **i
+ #include <sys/socket.h>
+ #include <net/if.h>
+ 
++#ifdef HAVE_NET_TUN_IF_TUN_H
++#include <net/tun/if_tun.h>
++#endif
++
+ #ifdef HAVE_NET_IF_TUN_H
+ #include <net/if_tun.h>
+ #endif
+@@ -209,7 +214,10 @@ sys_tun_open(int tun, int mode, char **i
+ {
+ 	struct ifreq ifr;
+ 	char name[100];
+-	int fd = -1, sock, flag;
++	int fd = -1, sock;
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
++	int flag;
++#endif
+ 	const char *tunbase = "tun";
+ 
+ 	if (ifname != NULL)
+@@ -246,9 +254,9 @@ sys_tun_open(int tun, int mode, char **i
+ 		return (-1);
+ 	}
+ 
++#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ 	/* Turn on tunnel headers */
+ 	flag = 1;
+-#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
+ 	if (mode != SSH_TUNMODE_ETHERNET &&
+ 	    ioctl(fd, TUNSIFHEAD, &flag) == -1) {
+ 		debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,
diff --git a/openssh8/patches/patch-platform.c b/openssh8/patches/patch-platform.c
new file mode 100644
index 0000000000..fe837c1b5a
--- /dev/null
+++ b/openssh8/patches/patch-platform.c
@@ -0,0 +1,16 @@
+$NetBSD: patch-platform.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- platform.c.orig	2015-08-21 04:49:03.000000000 +0000
++++ platform.c
+@@ -90,7 +90,9 @@ platform_privileged_uidswap(void)
+ 	/* uid 0 is not special on Cygwin so always try */
+ 	return 1;
+ #else
++#if !defined(HAVE_INTERIX)
+ 	return (getuid() == 0 || geteuid() == 0);
++#endif /* !HAVE_INTERIX */
+ #endif
+ }
+ 
diff --git a/openssh8/patches/patch-sandbox-darwin.c b/openssh8/patches/patch-sandbox-darwin.c
new file mode 100644
index 0000000000..b6624a068e
--- /dev/null
+++ b/openssh8/patches/patch-sandbox-darwin.c
@@ -0,0 +1,23 @@
+$NetBSD: patch-sandbox-darwin.c,v 1.2 2016/01/18 12:53:26 jperkin Exp $
+
+Support sandbox on newer OSX, from MacPorts.
+
+--- sandbox-darwin.c.orig	2015-08-21 04:49:03.000000000 +0000
++++ sandbox-darwin.c
+@@ -62,8 +62,16 @@ ssh_sandbox_child(struct ssh_sandbox *bo
+ 	struct rlimit rl_zero;
+ 
+ 	debug3("%s: starting Darwin sandbox", __func__);
++#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
++#ifndef SANDBOX_NAMED_EXTERNAL
++#define SANDBOX_NAMED_EXTERNAL (0x3)
++#endif
++	if (sandbox_init("@PKG_SYSCONFDIR@/org.openssh.sshd.sb",
++	    SANDBOX_NAMED_EXTERNAL, &errmsg) == -1)
++#else
+ 	if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
+ 	    &errmsg) == -1)
++#endif
+ 		fatal("%s: sandbox_init: %s", __func__, errmsg);
+ 
+ 	/*
diff --git a/openssh8/patches/patch-scp.c b/openssh8/patches/patch-scp.c
new file mode 100644
index 0000000000..415ddfbc2b
--- /dev/null
+++ b/openssh8/patches/patch-scp.c
@@ -0,0 +1,39 @@
+$NetBSD: patch-scp.c,v 1.4 2016/01/18 12:53:26 jperkin Exp $
+
+Interix support
+
+--- scp.c.orig	2015-08-21 04:49:03.000000000 +0000
++++ scp.c
+@@ -478,7 +478,11 @@ main(int argc, char **argv)
+ 	argc -= optind;
+ 	argv += optind;
+ 
++#ifdef HAVE_INTERIX
++	if ((pwd = getpwuid_ex(userid = getuid(), PW_FULLNAME)) == NULL)
++#else
+ 	if ((pwd = getpwuid(userid = getuid())) == NULL)
++#endif
+ 		fatal("unknown user %u", (u_int) userid);
+ 
+ 	if (!isatty(STDOUT_FILENO))
+@@ -886,8 +890,10 @@ rsource(char *name, struct stat *statp)
+ 		return;
+ 	}
+ 	while ((dp = readdir(dirp)) != NULL) {
++#ifndef HAVE_INTERIX
+ 		if (dp->d_ino == 0)
+ 			continue;
++#endif
+ 		if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, ".."))
+ 			continue;
+ 		if (strlen(name) + 1 + strlen(dp->d_name) >= sizeof(path) - 1) {
+@@ -1297,7 +1303,9 @@ okname(char *cp0)
+ 			case '\'':
+ 			case '"':
+ 			case '`':
++#ifndef HAVE_INTERIX
+ 			case ' ':
++#endif
+ 			case '#':
+ 				goto bad;
+ 			default:
diff --git a/openssh8/patches/patch-session.c b/openssh8/patches/patch-session.c
new file mode 100644
index 0000000000..d0b9df8d7d
--- /dev/null
+++ b/openssh8/patches/patch-session.c
@@ -0,0 +1,65 @@
+$NetBSD: patch-session.c,v 1.9 2019/01/18 20:13:37 tnn Exp $
+
+* Interix support.
+
+--- session.c.orig	2018-10-17 00:01:20.000000000 +0000
++++ session.c
+@@ -959,7 +959,7 @@ read_etc_default_login(char ***env, u_in
+ 	if (tmpenv == NULL)
+ 		return;
+ 
+-	if (uid == 0)
++	if (uid == ROOTUID)
+ 		var = child_get_env(tmpenv, "SUPATH");
+ 	else
+ 		var = child_get_env(tmpenv, "PATH");
+@@ -1077,7 +1077,7 @@ do_setup_env(struct ssh *ssh, Session *s
+ #  endif /* HAVE_ETC_DEFAULT_LOGIN */
+ 	if (path == NULL || *path == '\0') {
+ 		child_set_env(&env, &envsize, "PATH",
+-		    s->pw->pw_uid == 0 ?  SUPERUSER_PATH : _PATH_STDPATH);
++		    s->pw->pw_uid == ROOTUID ?  SUPERUSER_PATH : _PATH_STDPATH);
+ 	}
+ # endif /* HAVE_CYGWIN */
+ #endif /* HAVE_LOGIN_CAP */
+@@ -1209,6 +1209,17 @@ do_setup_env(struct ssh *ssh, Session *s
+ 		child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
+ 		    original_command);
+ 
++#ifdef HAVE_INTERIX
++	{
++		/* copy standard Windows environment, then apply changes */
++		env_t *winenv = env_login(pw);
++		env_putarray(winenv, env, ENV_OVERRIDE);
++
++		/* swap over to altered environment as a traditional array */
++		env = env_array(winenv);
++	}
++#endif
++
+ 	if (debug_flag) {
+ 		/* dump the environment */
+ 		fprintf(stderr, "Environment:\n");
+@@ -1400,11 +1411,13 @@ do_setusercontext(struct passwd *pw)
+ 			perror("setgid");
+ 			exit(1);
+ 		}
++# if !defined(HAVE_INTERIX)
+ 		/* Initialize the group list. */
+ 		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
+ 			perror("initgroups");
+ 			exit(1);
+ 		}
++# endif /* !HAVE_INTERIX */
+ 		endgrent();
+ #endif
+ 
+@@ -2275,7 +2288,7 @@ session_pty_cleanup2(Session *s)
+ 		record_logout(s->pid, s->tty, s->pw->pw_name);
+ 
+ 	/* Release the pseudo-tty. */
+-	if (getuid() == 0)
++	if (getuid() == ROOTUID)
+ 		pty_release(s->tty);
+ 
+ 	/*
diff --git a/openssh8/patches/patch-sftp-common.c b/openssh8/patches/patch-sftp-common.c
new file mode 100644
index 0000000000..b17738bd7f
--- /dev/null
+++ b/openssh8/patches/patch-sftp-common.c
@@ -0,0 +1,14 @@
+$NetBSD$
+
+--- sftp-common.c.orig	2019-04-17 22:52:57.000000000 +0000
++++ sftp-common.c
+@@ -36,7 +36,9 @@
+ #include <string.h>
+ #include <time.h>
+ #include <stdarg.h>
++#ifdef HAVE_UNISTD_H
+ #include <unistd.h>
++#endif
+ #ifdef HAVE_UTIL_H
+ #include <util.h>
+ #endif
diff --git a/openssh8/patches/patch-sshd.8 b/openssh8/patches/patch-sshd.8
new file mode 100644
index 0000000000..085accf98c
--- /dev/null
+++ b/openssh8/patches/patch-sshd.8
@@ -0,0 +1,27 @@
+$NetBSD: patch-sshd.8,v 1.2 2016/01/18 12:53:26 jperkin Exp $
+
+* Revive tcp_wrappers support.
+
+--- sshd.8.orig	2015-08-21 04:49:03.000000000 +0000
++++ sshd.8
+@@ -850,6 +850,12 @@ the user's home directory becomes access
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
++.It Pa /etc/hosts.allow
++.It Pa /etc/hosts.deny
++Access controls that should be enforced by tcp-wrappers are defined here.
++Further details are described in
++.Xr hosts_access 5 .
++.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -953,6 +959,7 @@ The content of this file is not sensitiv
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
++.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
diff --git a/openssh8/patches/patch-sshd.c b/openssh8/patches/patch-sshd.c
new file mode 100644
index 0000000000..ccab150f1b
--- /dev/null
+++ b/openssh8/patches/patch-sshd.c
@@ -0,0 +1,137 @@
+$NetBSD$
+
+--- sshd.c.orig	2019-04-17 22:52:57.000000000 +0000
++++ sshd.c
+@@ -123,6 +123,13 @@
+ #include "version.h"
+ #include "ssherr.h"
+ 
++#ifdef LIBWRAP
++#include <tcpd.h>
++#include <syslog.h>
++int allow_severity;
++int deny_severity;
++#endif /* LIBWRAP */
++
+ /* Re-exec fds */
+ #define REEXEC_DEVCRYPTO_RESERVED_FD	(STDERR_FILENO + 1)
+ #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
+@@ -235,7 +242,11 @@ static int *startup_flags = NULL;	/* Ind
+ static int startup_pipe = -1;		/* in child */
+ 
+ /* variables used for privilege separation */
++#ifdef HAVE_INTERIX
++int use_privsep = 0;
++#else
+ int use_privsep = -1;
++#endif
+ struct monitor *pmonitor = NULL;
+ int privsep_is_preauth = 1;
+ static int privsep_chroot = 1;
+@@ -467,10 +478,15 @@ privsep_preauth_child(void)
+ 		/* Drop our privileges */
+ 		debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid,
+ 		    (u_int)privsep_pw->pw_gid);
++#ifdef HAVE_INTERIX
++		if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE))
++			fatal("setuser: %.100s", strerror(errno));
++#else
+ 		gidset[0] = privsep_pw->pw_gid;
+ 		if (setgroups(1, gidset) < 0)
+ 			fatal("setgroups: %.100s", strerror(errno));
+ 		permanently_set_uid(privsep_pw);
++#endif /* HAVE_INTERIX */
+ 	}
+ }
+ 
+@@ -534,10 +550,17 @@ privsep_preauth(struct ssh *ssh)
+ 		/* Arrange for logging to be sent to the monitor */
+ 		set_log_handler(mm_log_handler, pmonitor);
+ 
++#ifdef  __APPLE_SANDBOX_NAMED_EXTERNAL__
++		/* We need to do this before we chroot() so we can read sshd.sb */
++		if (box != NULL)
++			ssh_sandbox_child(box);
++#endif
+ 		privsep_preauth_child();
+ 		setproctitle("%s", "[net]");
++#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
+ 		if (box != NULL)
+ 			ssh_sandbox_child(box);
++#endif
+ 
+ 		return 0;
+ 	}
+@@ -549,7 +572,7 @@ privsep_postauth(struct ssh *ssh, Authct
+ #ifdef DISABLE_FD_PASSING
+ 	if (1) {
+ #else
+-	if (authctxt->pw->pw_uid == 0) {
++	if (authctxt->pw->pw_uid == ROOTUID) {
+ #endif
+ 		/* File descriptor passing is broken or root login */
+ 		use_privsep = 0;
+@@ -1454,7 +1477,7 @@ main(int ac, char **av)
+ 	av = saved_argv;
+ #endif
+ 
+-	if (geteuid() == 0 && setgroups(0, NULL) == -1)
++	if (geteuid() == ROOTUID && setgroups(0, NULL) == -1)
+ 		debug("setgroups(): %.200s", strerror(errno));
+ 
+ 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+@@ -1686,7 +1709,7 @@ main(int ac, char **av)
+ 	);
+ 
+ 	/* Store privilege separation user for later use if required. */
+-	privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0);
++	privsep_chroot = use_privsep && (getuid() == ROOTUID || geteuid() == ROOTUID);
+ 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
+ 		if (privsep_chroot || options.kerberos_authentication)
+ 			fatal("Privilege separation user %s does not exist",
+@@ -1830,7 +1853,7 @@ main(int ac, char **av)
+ 		    (st.st_uid != getuid () ||
+ 		    (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
+ #else
+-		if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
++		if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
+ #endif
+ 			fatal("%s must be owned by root and not group or "
+ 			    "world-writable.", _PATH_PRIVSEP_CHROOT_DIR);
+@@ -1858,8 +1881,10 @@ main(int ac, char **av)
+ 	 * to create a file, and we can't control the code in every
+ 	 * module which might be used).
+ 	 */
++#ifndef HAVE_INTERIX
+ 	if (setgroups(0, NULL) < 0)
+ 		debug("setgroups() failed: %.200s", strerror(errno));
++#endif
+ 
+ 	if (rexec_flag) {
+ 		if (rexec_argc < 0)
+@@ -2053,6 +2078,25 @@ main(int ac, char **av)
+ 	audit_connection_from(remote_ip, remote_port);
+ #endif
+ 
++#ifdef LIBWRAP
++	allow_severity = options.log_facility|LOG_INFO;
++	deny_severity = options.log_facility|LOG_WARNING;
++	/* Check whether logins are denied from this host. */
++	if (ssh_packet_connection_is_on_socket(ssh)) {
++		struct request_info req;
++
++		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
++		fromhost(&req);
++
++		if (!hosts_access(&req)) {
++			debug("Connection refused by tcp wrapper");
++			refuse(&req);
++			/* NOTREACHED */
++			fatal("libwrap refuse returns");
++		}
++	}
++#endif /* LIBWRAP */
++
+ 	rdomain = ssh_packet_rdomain_in(ssh);
+ 
+ 	/* Log the connection. */
diff --git a/openssh8/patches/patch-sshpty.c b/openssh8/patches/patch-sshpty.c
new file mode 100644
index 0000000000..c96ba181fe
--- /dev/null
+++ b/openssh8/patches/patch-sshpty.c
@@ -0,0 +1,24 @@
+$NetBSD: patch-sshpty.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $
+
+Replace uid 0 with ROOTUID macro
+
+--- sshpty.c.orig	2015-08-21 04:49:03.000000000 +0000
++++ sshpty.c
+@@ -86,7 +86,7 @@ void
+ pty_release(const char *tty)
+ {
+ #if !defined(__APPLE_PRIVPTY__) && !defined(HAVE_OPENPTY)
+-	if (chown(tty, (uid_t) 0, (gid_t) 0) < 0)
++	if (chown(tty, (uid_t) ROOTUID, (gid_t) ROOTGID) < 0)
+ 		error("chown %.100s 0 0 failed: %.100s", tty, strerror(errno));
+ 	if (chmod(tty, (mode_t) 0666) < 0)
+ 		error("chmod %.100s 0666 failed: %.100s", tty, strerror(errno));
+@@ -215,7 +215,7 @@ pty_setowner(struct passwd *pw, const ch
+ 	if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
+ 		if (chown(tty, pw->pw_uid, gid) < 0) {
+ 			if (errno == EROFS &&
+-			    (st.st_uid == pw->pw_uid || st.st_uid == 0))
++			    (st.st_uid == pw->pw_uid || st.st_uid == ROOTUID))
+ 				debug("chown(%.100s, %u, %u) failed: %.100s",
+ 				    tty, (u_int)pw->pw_uid, (u_int)gid,
+ 				    strerror(errno));
diff --git a/openssh8/patches/patch-uidswap.c b/openssh8/patches/patch-uidswap.c
new file mode 100644
index 0000000000..32a76c6922
--- /dev/null
+++ b/openssh8/patches/patch-uidswap.c
@@ -0,0 +1,77 @@
+$NetBSD: patch-uidswap.c,v 1.6 2019/01/18 20:13:37 tnn Exp $
+
+Interix support
+
+--- uidswap.c.orig	2018-10-17 00:01:20.000000000 +0000
++++ uidswap.c
+@@ -68,13 +68,13 @@ temporarily_use_uid(struct passwd *pw)
+ 	    (u_int)pw->pw_uid, (u_int)pw->pw_gid,
+ 	    (u_int)saved_euid, (u_int)saved_egid);
+ #ifndef HAVE_CYGWIN
+-	if (saved_euid != 0) {
++	if (saved_euid != ROOTUID) {
+ 		privileged = 0;
+ 		return;
+ 	}
+ #endif
+ #else
+-	if (geteuid() != 0) {
++	if (geteuid() != ROOTUID) {
+ 		privileged = 0;
+ 		return;
+ 	}
+@@ -98,10 +98,11 @@ temporarily_use_uid(struct passwd *pw)
+ 
+ 	/* set and save the user's groups */
+ 	if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) {
++#ifndef HAVE_INTERIX
+ 		if (initgroups(pw->pw_name, pw->pw_gid) < 0)
+ 			fatal("initgroups: %s: %.100s", pw->pw_name,
+ 			    strerror(errno));
+-
++#endif
+ 		user_groupslen = getgroups(0, NULL);
+ 		if (user_groupslen < 0)
+ 			fatal("getgroups: %.100s", strerror(errno));
+@@ -116,9 +117,11 @@ temporarily_use_uid(struct passwd *pw)
+ 		}
+ 		user_groups_uid = pw->pw_uid;
+ 	}
++#ifndef HAVE_INTERIX
+ 	/* Set the effective uid to the given (unprivileged) uid. */
+ 	if (setgroups(user_groupslen, user_groups) < 0)
+ 		fatal("setgroups: %.100s", strerror(errno));
++#endif
+ #ifndef SAVED_IDS_WORK_WITH_SETEUID
+ 	/* Propagate the privileged gid to all of our gids. */
+ 	if (setgid(getegid()) < 0)
+@@ -166,8 +169,10 @@ restore_uid(void)
+ 	setgid(getgid());
+ #endif /* SAVED_IDS_WORK_WITH_SETEUID */
+ 
++#ifndef HAVE_INTERIX
+ 	if (setgroups(saved_egroupslen, saved_egroups) < 0)
+ 		fatal("setgroups: %.100s", strerror(errno));
++#endif
+ 	temporarily_use_uid_effective = 0;
+ }
+ 
+@@ -190,6 +195,10 @@ permanently_set_uid(struct passwd *pw)
+ 	debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
+ 	    (u_int)pw->pw_gid);
+ 
++#if defined(HAVE_INTERIX)
++	if (setuser(pw->pw_name, NULL, SU_COMPLETE))
++		fatal("setuser %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
++#else
+ 	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
+ 		fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
+ 
+@@ -226,6 +235,7 @@ permanently_set_uid(struct passwd *pw)
+ 	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
+ 		fatal("%s: was able to restore old [e]uid", __func__);
+ #endif
++#endif /* HAVE_INTERIX */
+ 
+ 	/* Verify UID drop was successful */
+ 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {


Home | Main Index | Thread Index | Old Index