- Unbreak KERBEROS option

- Add option for OpenBSD support
- Fix crash in sftp listing

PR:		ports/138409 (cumulative patch)
Submitted by:	Denis Barov <dindin@dindin.ru> (maintainer)
Feature safe:	yes

security/openssh-portable/Makefile

@@ -7,7 +7,7 @@
 
 PORTNAME=	openssh
 DISTVERSION=	5.2p1
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 .if defined(OPENSSH_SNAPSHOT)
@@ -57,6 +57,7 @@ OPTIONS=	PAM		"Enable pam(3) support"				on \
 		LIBEDIT		"Enable readline support to sftp(1)"		on \
 		KERBEROS	"Enable kerberos (autodetection)"		on \
 		SUID_SSH	"Enable suid SSH (Recommended off)"		off \
+		BSM		"Enable OpenBSM Auditing"			off \
 		GSSAPI		"Enable GSSAPI support (req: KERBEROS)"		off \
 		KERB_GSSAPI	"Enable Kerberos/GSSAPI patch (req: GSSAPI)"	off \
 		OPENSSH_CHROOT	"Enable CHROOT support"				off \
@@ -69,10 +70,6 @@ OPTIONS=	PAM		"Enable pam(3) support"				on \
 
 .include <bsd.port.pre.mk>
 
-.if ${OSVERSION} >= 800037
-BROKEN=		does not compile
-.endif
-
 .if defined(WITH_X509) && ( defined(WITH_HPN) || defined(WITH_LPK))
 BROKEN=		X509 patch incompatible with HPN and LPK patches
 .endif
@@ -97,18 +94,26 @@ CONFIGURE_ARGS+=	--with-libedit
 CONFIGURE_ARGS+=	--disable-suid-ssh
 .endif
 
+.if defined(WITH_BSM)
+CONFIGURE_ARGS+=	--with-audit=bsm
+.endif
+
 .if !defined(WITHOUT_KERBEROS)
 .if defined(KRB5_HOME) && exists(${KRB5_HOME}) || defined(WITH_GSSAPI)
 .if defined(WITH_KERB_GSSAPI)
-BROKEN=			KERB_GSSAPI patch incompatible with ${PORTNAME}-5.2p1
 PATCH_DIST_STRIP=	-p0
 PATCH_SITES+=		http://www.sxw.org.uk/computing/patches/
-PATCHFILES+=		openssh-5.0p1-gsskex-20080404.patch
+PATCHFILES+=		openssh-5.2p1-gsskex-all-20090726.patch
 .endif
 PORTABLE_SUFFIX=	# empty
 GSSAPI_SUFFIX=		-gssapi
 CONFLICTS+=		openssh-portable-*-[0-9]*
 CONFIGURE_ARGS+=	--with-kerberos5=${KRB5_HOME}
+.if defined(HEIMDAL_HOME) && defined(KRB5_HOME) && ${HEIMDAL_HOME} == ${LOCALBASE}
+LIB_DEPENDS+=		krb5.23:${PORTSDIR}/security/heimdal
+.elif defined(KRB5_HOME) && defined(LOCALBASE) && ${KRB5_HOME} == ${LOCALBASE}
+LIB_DEPENDS+=		krb5.3:${PORTSDIR}/security/krb5
+.endif
 .if ${OPENSSLBASE} == "/usr"
 CONFIGURE_ARGS+=	--without-rpath
 LDFLAGS=		# empty
@@ -157,7 +162,7 @@ CONFIGURE_ARGS+=	--with-libs='-lldap' --with-ldflags='-L${LOCALBASE}/lib' \
 # resolve some patches incompatibility between LPK and HPN patches
 
 .if defined(WITH_HPN) && defined(WITH_LPK)
-EXTRA_PATCHES+=		${FILESDIR}/openssh-lpk+hpn-servconf.patch
+EXTRA_PATCHES+=		${FILESDIR}/lpk+hpn-servconf.c.patch
 .elif defined(WITH_HPN) && !defined(WITH_LPK)
 EXTRA_PATCHES+=		${FILESDIR}/openssh-5.2p1-hpn13v6-servconf.c.diff
 .elif defined(WITH_LPK) && !defined(WITH_HPN)
@@ -182,8 +187,7 @@ CONFIGURE_ARGS+=	--localstatedir=/var
 EMPTYDIR=		/var/empty
 PREFIX=			/usr
 ETCSSH=			/etc/ssh
-USE_RC_SUBR=		yes
-SUB_FILES+=		openssh
+USE_RC_SUBR=		openssh
 PLIST_SUB+=		NOTBASE="@comment "
 PLIST_SUB+=		BASE=""
 PLIST_SUB+=		BASEPREFIX="${PREFIX}"

security/openssh-portable/distinfo

@@ -4,3 +4,6 @@ SIZE (openssh-5.2p1.tar.gz) = 1016612
 MD5 (openssh-5.2p1+x509-6.2.diff.gz) = 8dbbfb743226864f6bb49b56e77776d9
 SHA256 (openssh-5.2p1+x509-6.2.diff.gz) = 72cfb1e232b6ae0a9df6e8539a9f6b53db7c0a2141cf2e4dd65b407748fa9f34
 SIZE (openssh-5.2p1+x509-6.2.diff.gz) = 153010
+MD5 (openssh-5.2p1-gsskex-all-20090726.patch) = e5c116b4bc3f4b816206e8403dd08af7
+SHA256 (openssh-5.2p1-gsskex-all-20090726.patch) = 6eb297d6fa74be3323c5e4f53df5b6e1f4edf6bf394e3e707c075846886e18e7
+SIZE (openssh-5.2p1-gsskex-all-20090726.patch) = 90959

security/openssh-portable/files/openssh.in

@@ -24,6 +24,7 @@ load_rc_config ${name}
 
 : ${openssh_enable="NO"}
 : ${openssh_pidfile="/var/run/sshd.pid"}
+: ${openssh_skipportscheck="NO"}
 
 command=%%PREFIX%%/sbin/sshd
 extra_commands="reload keygen"
@@ -75,10 +76,69 @@ openssh_keygen()
 	fi
 }
 
+openssh_check_same_ports(){
+    # check if opensshd don't use base system sshd's port
+    #
+    # openssh binds ports in priority (lowest first):
+    # Port from sshd_config
+    # -p option from command line
+    # ListenAddress addr:port from sshd_config
+
+
+    #check if opensshd-portable installed in replacement of base sshd
+    if [ "%%ETCSSH%%" = "/etc/ssh" ]; then
+        return 1
+    fi
+
+    self_port=$(awk '$1~/^ListenAddress/ \
+        {mlen=match($0,":[0-9]*$"); print \
+        substr($0,mlen+1,length($0)-mlen)}' %%ETCSSH%%/sshd_config)
+    if [ -z "$self_port" ]; then
+        self_port=$(echo $openssh_flags | awk \
+            '{for (i = 1; i <= NF; i++) if ($i == "-p") \
+            {i++; printf "%s", $i; break; }; }')
+        if [ -z "$self_port" ]; then
+            self_port=$(awk '$1~/^Port/ {print $2}' \
+                %%ETCSSH%%/sshd_config)
+        fi
+    fi
+    # assume default 22 port
+    if [ -z "$self_port" ]; then
+        self_port=22
+    fi
+
+    load_rc_config "sshd"
+
+    base_sshd_port=$(awk '$1~/^ListenAddress/ \
+        {mlen=match($0,":[0-9]*$"); print \
+        substr($0,mlen+1,length($0)-mlen)}' /etc/ssh/sshd_config)
+    if [ -z "$base_sshd_port" ]; then
+        base_sshd_port=$(echo $sshd_flags | awk \
+            '{for (i = 1; i <= NF; i++) if ($i == "-p") \
+            {i++; printf "%s", $i; break; }; }')
+        if [ -z "$base_sshd_port" ]; then
+            base_sshd_port=$(awk '$1~/^Port/ {print $2}' \
+                /etc/ssh/sshd_config)
+        fi
+    fi
+    if [ -z "$base_sshd_port" ]; then
+        base_sshd_port=22
+    fi
+
+    if [ "${self_port}" -eq "${base_sshd_port}" ]; then 
+        return 0
+    else
+        return 1
+    fi
+}
+
 openssh_checks()
 {
 	if checkyesno sshd_enable ; then
-		err 1 "sshd_enable is set. Please set sshd_enable to NO in your rc.conf"
+      if openssh_check_same_ports && ! checkyesno openssh_skipportscheck; then
+          err 1 "sshd_enable is set and $name and sshd are use \
+same port"
+      fi
 	fi
 
 	run_rc_command keygen