git: 535af610a4fd - main - ssh: Update to OpenSSH 9.4p1
Date: Fri, 11 Aug 2023 03:11:10 UTC
The branch main has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=535af610a4fdace6d50960c0ad9be0597eea7a1b
commit 535af610a4fdace6d50960c0ad9be0597eea7a1b
Merge: 6b405053c997 78f30535bcdb
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-08-11 03:10:18 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-08-11 03:10:18 +0000
ssh: Update to OpenSSH 9.4p1
Excerpts from the release notes:
* ssh-agent(1): PKCS#11 modules must now be specified by their full
paths. Previously dlopen(3) could search for them in system
library directories.
* ssh(1): allow forwarding Unix Domain sockets via ssh -W.
* ssh(1): add support for configuration tags to ssh(1).
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.
* ssh(1): add a "match localnetwork" predicate. This allows matching
on the addresses of available network interfaces and may be used to
vary the effective client configuration based on network location.
* ssh-agent(1): improve isolation between loaded PKCS#11 modules
by running separate ssh-pkcs11-helpers for each loaded provider.
* ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
modules being loaded by checking that the requested module
contains the required symbol before loading it.
* ssh(1): don't incorrectly disable hostname canonicalization when
CanonicalizeHostname=yes and ProxyJump was explicitly set to
"none". bz3567
Full release notes at https://www.openssh.com/txt/release-9.4
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
crypto/openssh/.github/ci-status.md | 6 +-
crypto/openssh/.github/configs | 45 +-
crypto/openssh/.github/setup_ci.sh | 17 +-
crypto/openssh/.github/workflows/c-cpp.yml | 26 +-
crypto/openssh/.github/workflows/selfhosted.yml | 2 +-
crypto/openssh/ChangeLog | 13191 ++++++++++---------
crypto/openssh/INSTALL | 8 +-
crypto/openssh/PROTOCOL.agent | 4 +-
crypto/openssh/PROTOCOL.krl | 55 +-
crypto/openssh/README | 2 +-
crypto/openssh/addr.c | 4 +-
crypto/openssh/auth-options.c | 29 +-
crypto/openssh/auth-pam.c | 4 +-
crypto/openssh/auth2-gss.c | 12 +-
crypto/openssh/auth2-pubkey.c | 35 +-
crypto/openssh/canohost.c | 4 +-
crypto/openssh/chacha.c | 3 +-
crypto/openssh/channels.c | 19 +-
crypto/openssh/channels.h | 8 +-
crypto/openssh/cipher-aes.c | 2 +-
crypto/openssh/cipher-chachapoly-libcrypto.c | 3 +-
crypto/openssh/cipher-chachapoly.c | 3 +-
crypto/openssh/clientloop.c | 14 +-
crypto/openssh/config.h | 94 +-
crypto/openssh/configure.ac | 107 +-
crypto/openssh/contrib/redhat/openssh.spec | 2 +-
crypto/openssh/contrib/ssh-copy-id | 75 +-
crypto/openssh/contrib/ssh-copy-id.1 | 79 +-
crypto/openssh/contrib/suse/openssh.spec | 2 +-
crypto/openssh/gss-serv.c | 2 +-
crypto/openssh/kexgexs.c | 4 +-
crypto/openssh/krl.c | 280 +-
crypto/openssh/krl.h | 10 +-
crypto/openssh/match.c | 5 +-
crypto/openssh/misc.c | 95 +-
crypto/openssh/misc.h | 3 +-
crypto/openssh/moduli | 868 +-
crypto/openssh/monitor.c | 5 +-
crypto/openssh/monitor_wrap.c | 6 +-
crypto/openssh/mux.c | 76 +-
crypto/openssh/openbsd-compat/bsd-getentropy.c | 6 +-
crypto/openssh/openbsd-compat/bsd-snprintf.c | 31 +-
.../openssh/openbsd-compat/libressl-api-compat.c | 556 +-
crypto/openssh/openbsd-compat/openssl-compat.c | 20 +-
crypto/openssh/openbsd-compat/openssl-compat.h | 158 +-
crypto/openssh/openbsd-compat/port-linux.c | 39 +-
.../openbsd-compat/regress/opensslvertest.c | 29 +-
.../openssh/openbsd-compat/regress/snprintftest.c | 6 +-
.../openssh/openbsd-compat/regress/strtonumtest.c | 2 +-
crypto/openssh/packet.c | 4 +-
crypto/openssh/poly1305.c | 3 +-
crypto/openssh/progressmeter.c | 3 +-
crypto/openssh/readconf.c | 108 +-
crypto/openssh/readconf.h | 3 +-
crypto/openssh/regress/Makefile | 10 +-
crypto/openssh/regress/agent-ptrace.sh | 2 +-
crypto/openssh/regress/forcecommand.sh | 8 +-
crypto/openssh/regress/forward-control.sh | 6 +-
crypto/openssh/regress/misc/sk-dummy/sk-dummy.c | 27 +-
crypto/openssh/regress/percent.sh | 5 +-
crypto/openssh/regress/sftp-chroot.sh | 23 +-
.../openssh/regress/unittests/misc/test_ptimeout.c | 4 +-
.../openssh/regress/unittests/sshkey/test_file.c | 2 +
crypto/openssh/regress/unittests/sshsig/tests.c | 2 +-
.../regress/unittests/test_helper/test_helper.c | 2 +-
crypto/openssh/scp.c | 23 +-
crypto/openssh/servconf.c | 20 +-
crypto/openssh/sftp-client.c | 54 +-
crypto/openssh/sftp-common.c | 4 +-
crypto/openssh/sftp-server.c | 4 +-
crypto/openssh/sftp.c | 12 +-
crypto/openssh/sk-usbhid.c | 14 +-
crypto/openssh/ssh-add.c | 6 +-
crypto/openssh/ssh-agent.1 | 14 +-
crypto/openssh/ssh-agent.c | 8 +-
crypto/openssh/ssh-keygen.1 | 6 +-
crypto/openssh/ssh-keygen.c | 16 +-
crypto/openssh/ssh-keyscan.c | 28 +-
crypto/openssh/ssh-pkcs11-client.c | 389 +-
crypto/openssh/ssh-pkcs11.c | 43 +-
crypto/openssh/ssh-sk.c | 8 +-
crypto/openssh/ssh-xmss.c | 4 +-
crypto/openssh/ssh.1 | 19 +-
crypto/openssh/ssh.c | 59 +-
crypto/openssh/ssh_config | 2 +-
crypto/openssh/ssh_config.5 | 39 +-
crypto/openssh/ssh_namespace.h | 3 +
crypto/openssh/sshconnect2.c | 12 +-
crypto/openssh/sshd_config | 2 +-
crypto/openssh/sshd_config.5 | 14 +-
crypto/openssh/sshkey.c | 18 +-
crypto/openssh/sshkey.h | 4 +-
crypto/openssh/sshsig.c | 11 +-
crypto/openssh/version.h | 8 +-
94 files changed, 8883 insertions(+), 8229 deletions(-)
diff --cc crypto/openssh/INSTALL
index 77b56a9bb734,000000000000..adc6e0825738
mode 100644,000000..100644
--- a/crypto/openssh/INSTALL
+++ b/crypto/openssh/INSTALL
@@@ -1,297 -1,0 +1,293 @@@
+1. Prerequisites
+----------------
+
+A C compiler. Any C89 or better compiler that supports variadic macros
+should work. Where supported, configure will attempt to enable the
+compiler's run-time integrity checking options. Some notes about
+specific compilers:
+ - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
+ (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)
+
+To support Privilege Separation (which is now required) you will need
+to create the user, group and directory used by sshd for privilege
+separation. See README.privsep for details.
+
+
+The remaining items are optional.
+
+A working installation of zlib:
+Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
+https://zlib.net/
+
+libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto
+is supported but severely restricts the available ciphers and algorithms.
- - LibreSSL (https://www.libressl.org/)
- - OpenSSL (https://www.openssl.org) with any of the following versions:
- - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1
-
- Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to
- 1.1.0g can't be used.
++ - LibreSSL (https://www.libressl.org/) 3.1.0 or greater
++ - OpenSSL (https://www.openssl.org) 1.1.1 or greater
+
+LibreSSL/OpenSSL should be compiled as a position-independent library
+(i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC"
+or LibreSSL as "CFLAGS=-fPIC ./configure") otherwise OpenSSH will not
+be able to link with it. If you must use a non-position-independent
+libcrypto, then you may need to configure OpenSSH --without-pie.
+
+If you build either from source, running the OpenSSL self-test ("make
+tests") or the LibreSSL equivalent ("make check") and ensuring that all
+tests pass is strongly recommended.
+
+NB. If you operating system supports /dev/random, you should configure
+libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
+direct support of /dev/random, or failing that, either prngd or egd.
+
+PRNGD:
+
+If your system lacks kernel-based random collection, the use of Lutz
+Jaenicke's PRNGd is recommended. It requires that libcrypto be configured
+to support it.
+
+http://prngd.sourceforge.net/
+
+EGD:
+
+The Entropy Gathering Daemon (EGD) supports the same interface as prngd.
+It also supported only if libcrypto is configured to support it.
+
+http://egd.sourceforge.net/
+
+PAM:
+
+OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
+system supports it. PAM is standard most Linux distributions, Solaris,
+HP-UX 11, AIX >= 5.2, FreeBSD, NetBSD and Mac OS X.
+
+Information about the various PAM implementations are available:
+
+Solaris PAM: http://www.sun.com/software/solaris/pam/
+Linux PAM: http://www.kernel.org/pub/linux/libs/pam/
+OpenPAM: http://www.openpam.org/
+
+If you wish to build the GNOME passphrase requester, you will need the GNOME
+libraries and headers.
+
+GNOME:
+http://www.gnome.org/
+
+Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
+passphrase requester. This is maintained separately at:
+
+http://www.jmknoble.net/software/x11-ssh-askpass/
+
+TCP Wrappers:
+
+If you wish to use the TCP wrappers functionality you will need at least
+tcpd.h and libwrap.a, either in the standard include and library paths,
+or in the directory specified by --with-tcp-wrappers. Version 7.6 is
+known to work.
+
+http://ftp.porcupine.org/pub/security/index.html
+
+LibEdit:
+
+sftp supports command-line editing via NetBSD's libedit. If your platform
+has it available natively you can use that, alternatively you might try
+these multi-platform ports:
+
+http://www.thrysoee.dk/editline/
+http://sourceforge.net/projects/libedit/
+
+LDNS:
+
+LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
+
+http://nlnetlabs.nl/projects/ldns/
+
+Autoconf:
+
+If you modify configure.ac or configure doesn't exist (eg if you checked
+the code out of git yourself) then you will need autoconf-2.69 and
+automake-1.16.1 to rebuild the automatically generated files by running
+"autoreconf". Earlier versions may also work but this is not guaranteed.
+
+http://www.gnu.org/software/autoconf/
+http://www.gnu.org/software/automake/
+
+Basic Security Module (BSM):
+
+Native BSM support is known to exist in Solaris from at least 2.5.1,
+FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
+implementation (http://www.openbsm.org).
+
+makedepend:
+
+https://www.x.org/archive/individual/util/
+
+If you are making significant changes to the code you may need to rebuild
+the dependency (.depend) file using "make depend", which requires the
+"makedepend" tool from the X11 distribution.
+
+libfido2:
+
+libfido2 allows the use of hardware security keys over USB. libfido2
+in turn depends on libcbor. libfido2 >= 1.5.0 is strongly recommended.
+Limited functionality is possible with earlier libfido2 versions.
+
+https://github.com/Yubico/libfido2
+https://github.com/pjk/libcbor
+
+
+2. Building / Installation
+--------------------------
+
+To install OpenSSH with default options:
+
+./configure
+make
+make install
+
+This will install the OpenSSH binaries in /usr/local/bin, configuration files
+in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
+installation prefix, use the --prefix option to configure:
+
+./configure --prefix=/opt
+make
+make install
+
+Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
+specific paths, for example:
+
+./configure --prefix=/opt --sysconfdir=/etc/ssh
+make
+make install
+
+This will install the binaries in /opt/{bin,lib,sbin}, but will place the
+configuration files in /etc/ssh.
+
+If you are using PAM, you may need to manually install a PAM control
+file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
+them). Note that the service name used to start PAM is __progname,
+which is the basename of the path of your sshd (e.g., the service name
+for /usr/sbin/osshd will be osshd). If you have renamed your sshd
+executable, your PAM configuration may need to be modified.
+
+A generic PAM configuration is included as "contrib/sshd.pam.generic",
+you may need to edit it before using it on your system. If you are
+using a recent version of Red Hat Linux, the config file in
+contrib/redhat/sshd.pam should be more useful. Failure to install a
+valid PAM file may result in an inability to use password
+authentication. On HP-UX 11 and Solaris, the standard /etc/pam.conf
+configuration will work with sshd (sshd will match the other service
+name).
+
+There are a few other options to the configure script:
+
+--with-audit=[module] enable additional auditing via the specified module.
+Currently, drivers for "debug" (additional info via syslog) and "bsm"
+(Sun's Basic Security Module) are supported.
+
+--with-pam enables PAM support. If PAM support is compiled in, it must
+also be enabled in sshd_config (refer to the UsePAM directive).
+
+--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
+support and to specify a PRNGd socket. Use this if your Unix lacks
+/dev/random.
+
+--with-prngd-port=portnum allows you to enable EGD or PRNGD support
+and to specify a EGD localhost TCP port. Use this if your Unix lacks
+/dev/random.
+
+--with-lastlog=FILE will specify the location of the lastlog file.
+./configure searches a few locations for lastlog, but may not find
+it if lastlog is installed in a different place.
+
+--without-lastlog will disable lastlog support entirely.
+
+--with-osfsia, --without-osfsia will enable or disable OSF1's Security
+Integration Architecture. The default for OSF1 machines is enable.
+
+--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
+support.
+
+--with-utmpx enables utmpx support. utmpx support is automatic for
+some platforms.
+
+--without-shadow disables shadow password support.
+
+--with-ipaddr-display forces the use of a numeric IP address in the
+$DISPLAY environment variable. Some broken systems need this.
+
+--with-default-path=PATH allows you to specify a default $PATH for sessions
+started by sshd. This replaces the standard path entirely.
+
+--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
+created.
+
+--with-xauth=PATH specifies the location of the xauth binary
+
+--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
+libraries are installed.
+
+--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
+
+--without-openssl builds without using OpenSSL. Only a subset of ciphers
+and algorithms are supported in this configuration.
+
+--without-zlib builds without zlib. This disables the Compression option.
+
+--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
+real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
+
+If you need to pass special options to the compiler or linker, you
+can specify these as environment variables before running ./configure.
+For example:
+
+CC="/usr/foo/cc" CFLAGS="-O" LDFLAGS="-s" LIBS="-lrubbish" ./configure
+
+3. Configuration
+----------------
+
+The runtime configuration files are installed by in ${prefix}/etc or
+whatever you specified as your --sysconfdir (/usr/local/etc by default).
+
+The default configuration should be instantly usable, though you should
+review it to ensure that it matches your security requirements.
+
+To generate a host key, run "make host-key". Alternately you can do so
+manually using the following commands:
+
+ ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""
+
+for each of the types you wish to generate (rsa, dsa or ecdsa) or
+
+ ssh-keygen -A
+
+to generate keys for all supported types.
+
+Replacing /etc/ssh with the correct path to the configuration directory.
+(${prefix}/etc or whatever you specified with --sysconfdir during
+configuration).
+
+If you have configured OpenSSH with EGD/prngd support, ensure that EGD or
+prngd is running and has collected some entropy first.
+
+For more information on configuration, please refer to the manual pages
+for sshd, ssh and ssh-agent.
+
+4. (Optional) Send survey
+-------------------------
+
+$ make survey
+[check the contents of the file "survey" to ensure there's no information
+that you consider sensitive]
+$ make send-survey
+
+This will send configuration information for the currently configured
+host to a survey address. This will help determine which configurations
+are actually in use, and what valid combinations of configure options
+exist. The raw data is available only to the OpenSSH developers, however
+summary data may be published.
+
+5. Problems?
+------------
+
+If you experience problems compiling, installing or running OpenSSH,
+please refer to the "reporting bugs" section of the webpage at
+https://www.openssh.com/
diff --cc crypto/openssh/config.h
index 4a274147b22e,000000000000..385e53c82ea3
mode 100644,000000..100644
--- a/crypto/openssh/config.h
+++ b/crypto/openssh/config.h
@@@ -1,2132 -1,0 +1,2042 @@@
+/* config.h. Generated from config.h.in by configure. */
+/* config.h.in. Generated from configure.ac by autoheader. */
+
+/* Define if building universal (internal helper macro) */
+/* #undef AC_APPLE_UNIVERSAL_BUILD */
+
+/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
+ */
+/* #undef AIX_GETNAMEINFO_HACK */
+
+/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
+/* #undef AIX_LOGINFAILED_4ARG */
+
+/* System only supports IPv4 audit records */
+/* #undef AU_IPv4 */
+
+/* Define if your resolver libs need this for getrrsetbyname */
+/* #undef BIND_8_COMPAT */
+
+/* The system has incomplete BSM API */
+/* #undef BROKEN_BSM_API */
+
+/* broken in chroots on older kernels */
+/* #undef BROKEN_CLOSEFROM */
+
+/* Define if cmsg_type is not passed correctly */
+/* #undef BROKEN_CMSG_TYPE */
+
+/* getaddrinfo is broken (if present) */
+/* #undef BROKEN_GETADDRINFO */
+
+/* getgroups(0,NULL) will return -1 */
+/* #undef BROKEN_GETGROUPS */
+
+/* getline is not what we expect */
+/* #undef BROKEN_GETLINE */
+
+/* FreeBSD glob does not do what we need */
+#define BROKEN_GLOB 1
+
+/* Define if you system's inet_ntoa is busted (e.g. Irix gcc issue) */
+/* #undef BROKEN_INET_NTOA */
+
+/* Define if your struct dirent expects you to allocate extra space for d_name
+ */
+/* #undef BROKEN_ONE_BYTE_DIRENT_D_NAME */
+
+/* System poll(2) implementation is broken */
+/* #undef BROKEN_POLL */
+
+/* Can't do comparisons on readv */
+/* #undef BROKEN_READV_COMPARISON */
+
+/* NetBSD read function is sometimes redirected, breaking atomicio comparisons
+ against it */
+/* #undef BROKEN_READ_COMPARISON */
+
+/* Needed for NeXT */
+/* #undef BROKEN_SAVED_UIDS */
+
+/* Define if your setregid() is broken */
+/* #undef BROKEN_SETREGID */
+
+/* Define if your setresgid() is broken */
+/* #undef BROKEN_SETRESGID */
+
+/* Define if your setresuid() is broken */
+/* #undef BROKEN_SETRESUID */
+
+/* Define if your setreuid() is broken */
+/* #undef BROKEN_SETREUID */
+
+/* LynxOS has broken setvbuf() implementation */
+/* #undef BROKEN_SETVBUF */
+
+/* QNX shadow support is broken */
+/* #undef BROKEN_SHADOW_EXPIRE */
+
+/* Define if your snprintf is busted */
+/* #undef BROKEN_SNPRINTF */
+
+/* strndup broken, see APAR IY61211 */
+/* #undef BROKEN_STRNDUP */
+
+/* strnlen broken, see APAR IY62551 */
+/* #undef BROKEN_STRNLEN */
+
+/* strnvis detected broken */
+#define BROKEN_STRNVIS 1
+
+/* tcgetattr with ICANON may hang */
+/* #undef BROKEN_TCGETATTR_ICANON */
+
+/* updwtmpx is broken (if present) */
+/* #undef BROKEN_UPDWTMPX */
+
+/* Define if you have BSD auth support */
+/* #undef BSD_AUTH */
+
+/* Define if you want to specify the path to your lastlog file */
+/* #undef CONF_LASTLOG_FILE */
+
+/* Define if you want to specify the path to your utmp file */
+/* #undef CONF_UTMP_FILE */
+
+/* Define if you want to specify the path to your wtmpx file */
+/* #undef CONF_WTMPX_FILE */
+
+/* Define if you want to specify the path to your wtmp file */
+/* #undef CONF_WTMP_FILE */
+
+/* Need to call setpgrp as root */
+/* #undef DISABLE_FD_PASSING */
+
+/* Define if you don't want to use lastlog */
+/* #undef DISABLE_LASTLOG */
+
+/* Define if you don't want to use your system's login() call */
+/* #undef DISABLE_LOGIN */
+
+/* Define if you don't want to use pututline() etc. to write [uw]tmp */
+/* #undef DISABLE_PUTUTLINE */
+
+/* Define if you don't want to use pututxline() etc. to write [uw]tmpx */
+/* #undef DISABLE_PUTUTXLINE */
+
+/* Define if you want to disable shadow passwords */
+/* #undef DISABLE_SHADOW */
+
+/* Define if you don't want to use utmp */
+#define DISABLE_UTMP 1
+
+/* Define if you don't want to use utmpx */
+/* #undef DISABLE_UTMPX */
+
+/* Define if you don't want to use wtmp */
+#define DISABLE_WTMP 1
+
+/* Define if you don't want to use wtmpx */
+#define DISABLE_WTMPX 1
+
+/* Enable for PKCS#11 support */
+#define ENABLE_PKCS11 /**/
+
+/* Enable for U2F/FIDO support */
+#define ENABLE_SK /**/
+
+/* Enable for built-in U2F/FIDO support */
+/* #undef ENABLE_SK_INTERNAL */
+
+/* define if fflush(NULL) does not work */
+/* #undef FFLUSH_NULL_BUG */
+
+/* File names may not contain backslash characters */
+/* #undef FILESYSTEM_NO_BACKSLASH */
+
+/* fsid_t has member val */
+/* #undef FSID_HAS_VAL */
+
+/* fsid_t has member __val */
+/* #undef FSID_HAS___VAL */
+
+/* getpgrp takes one arg */
+#define GETPGRP_VOID 1
+
+/* Conflicting defs for getspnam */
+/* #undef GETSPNAM_CONFLICTING_DEFS */
+
+/* Define if your system glob() function has the GLOB_ALTDIRFUNC extension */
+#define GLOB_HAS_ALTDIRFUNC 1
+
+/* Define if your system glob() function has gl_matchc options in glob_t */
+#define GLOB_HAS_GL_MATCHC 1
+
+/* Define if your system glob() function has gl_statv options in glob_t */
+/* #undef GLOB_HAS_GL_STATV */
+
+/* Define this if you want GSSAPI support in the version 2 protocol */
+/* #undef GSSAPI */
+
+/* Define if you want to use shadow password expire field */
+/* #undef HAS_SHADOW_EXPIRE */
+
+/* Define if your system uses access rights style file descriptor passing */
+/* #undef HAVE_ACCRIGHTS_IN_MSGHDR */
+
+/* Define if you have ut_addr in utmp.h */
+/* #undef HAVE_ADDR_IN_UTMP */
+
+/* Define if you have ut_addr in utmpx.h */
+/* #undef HAVE_ADDR_IN_UTMPX */
+
+/* Define if you have ut_addr_v6 in utmp.h */
+/* #undef HAVE_ADDR_V6_IN_UTMP */
+
+/* Define if you have ut_addr_v6 in utmpx.h */
+/* #undef HAVE_ADDR_V6_IN_UTMPX */
+
+/* Define to 1 if you have the `arc4random' function. */
+#define HAVE_ARC4RANDOM 1
+
+/* Define to 1 if you have the `arc4random_buf' function. */
+#define HAVE_ARC4RANDOM_BUF 1
+
+/* Define to 1 if you have the `arc4random_stir' function. */
+/* #undef HAVE_ARC4RANDOM_STIR */
+
+/* Define to 1 if you have the `arc4random_uniform' function. */
+#define HAVE_ARC4RANDOM_UNIFORM 1
+
+/* Define to 1 if you have the `asprintf' function. */
+#define HAVE_ASPRINTF 1
+
+/* OpenBSD's gcc has bounded */
+/* #undef HAVE_ATTRIBUTE__BOUNDED__ */
+
+/* Have attribute nonnull */
+#define HAVE_ATTRIBUTE__NONNULL__ 1
+
+/* OpenBSD's gcc has sentinel */
+/* #undef HAVE_ATTRIBUTE__SENTINEL__ */
+
+/* Define to 1 if you have the `aug_get_machine' function. */
+/* #undef HAVE_AUG_GET_MACHINE */
+
+/* Define to 1 if you have the `auth_hostok' function. */
+#define HAVE_AUTH_HOSTOK 1
+
+/* Define to 1 if you have the `auth_timeok' function. */
+#define HAVE_AUTH_TIMEOK 1
+
+/* Define to 1 if you have the `b64_ntop' function. */
+/* #undef HAVE_B64_NTOP */
+
+/* Define to 1 if you have the `b64_pton' function. */
+/* #undef HAVE_B64_PTON */
+
+/* Define if you have the basename function. */
+#define HAVE_BASENAME 1
+
+/* Define to 1 if you have the `bcopy' function. */
+#define HAVE_BCOPY 1
+
+/* Define to 1 if you have the `bcrypt_pbkdf' function. */
+/* #undef HAVE_BCRYPT_PBKDF */
+
+/* Define to 1 if you have the `bindresvport_sa' function. */
+#define HAVE_BINDRESVPORT_SA 1
+
+/* Define to 1 if you have the `blf_enc' function. */
+/* #undef HAVE_BLF_ENC */
+
+/* Define to 1 if you have the <blf.h> header file. */
+/* #undef HAVE_BLF_H */
+
+/* Define to 1 if you have the `Blowfish_expand0state' function. */
+/* #undef HAVE_BLOWFISH_EXPAND0STATE */
+
+/* Define to 1 if you have the `Blowfish_expandstate' function. */
+/* #undef HAVE_BLOWFISH_EXPANDSTATE */
+
+/* Define to 1 if you have the `Blowfish_initstate' function. */
+/* #undef HAVE_BLOWFISH_INITSTATE */
+
+/* Define to 1 if you have the `Blowfish_stream2word' function. */
+/* #undef HAVE_BLOWFISH_STREAM2WORD */
+
+/* Define to 1 if you have the `BN_is_prime_ex' function. */
+#define HAVE_BN_IS_PRIME_EX 1
+
+/* Define to 1 if you have the <bsd/libutil.h> header file. */
+/* #undef HAVE_BSD_LIBUTIL_H */
+
+/* Define to 1 if you have the <bsm/audit.h> header file. */
+/* #undef HAVE_BSM_AUDIT_H */
+
+/* Define to 1 if you have the <bstring.h> header file. */
+/* #undef HAVE_BSTRING_H */
+
+/* Define to 1 if you have the `bzero' function. */
+#define HAVE_BZERO 1
+
+/* calloc(0, x) returns NULL */
+#define HAVE_CALLOC 1
+
+/* Define if you have caph_cache_tzdata */
+#define HAVE_CAPH_CACHE_TZDATA 1
+
+/* Define to 1 if you have the <capsicum_helpers.h> header file. */
+#define HAVE_CAPSICUM_HELPERS_H 1
+
+/* Define to 1 if you have the `cap_rights_limit' function. */
+#define HAVE_CAP_RIGHTS_LIMIT 1
+
+/* Define to 1 if you have the `clock' function. */
+#define HAVE_CLOCK 1
+
+/* Have clock_gettime */
+#define HAVE_CLOCK_GETTIME 1
+
+/* define if you have clock_t data type */
+#define HAVE_CLOCK_T 1
+
+/* Define to 1 if you have the `closefrom' function. */
+#define HAVE_CLOSEFROM 1
+
+/* Define to 1 if you have the `close_range' function. */
+#define HAVE_CLOSE_RANGE 1
+
+/* Define if gai_strerror() returns const char * */
+#define HAVE_CONST_GAI_STRERROR_PROTO 1
+
+/* Define if your system uses ancillary data style file descriptor passing */
+#define HAVE_CONTROL_IN_MSGHDR 1
+
+/* Define to 1 if you have the `crypt' function. */
+#define HAVE_CRYPT 1
+
+/* Define to 1 if you have the <crypto/sha2.h> header file. */
+/* #undef HAVE_CRYPTO_SHA2_H */
+
+/* Define to 1 if you have the <crypt.h> header file. */
+/* #undef HAVE_CRYPT_H */
+
+/* Define if you are on Cygwin */
+/* #undef HAVE_CYGWIN */
+
+/* Define if your libraries define daemon() */
+#define HAVE_DAEMON 1
+
+/* Define to 1 if you have the declaration of `AI_NUMERICSERV', and to 0 if
+ you don't. */
+#define HAVE_DECL_AI_NUMERICSERV 1
+
+/* Define to 1 if you have the declaration of `authenticate', and to 0 if you
+ don't. */
+/* #undef HAVE_DECL_AUTHENTICATE */
+
+/* Define to 1 if you have the declaration of `bzero', and to 0 if you don't.
+ */
+#define HAVE_DECL_BZERO 1
+
+/* Define to 1 if you have the declaration of `ftruncate', and to 0 if you
+ don't. */
+#define HAVE_DECL_FTRUNCATE 1
+
+/* Define to 1 if you have the declaration of `getentropy', and to 0 if you
+ don't. */
+#define HAVE_DECL_GETENTROPY 1
+
+/* Define to 1 if you have the declaration of `getpeereid', and to 0 if you
+ don't. */
+#define HAVE_DECL_GETPEEREID 1
+
+/* Define to 1 if you have the declaration of `GLOB_NOMATCH', and to 0 if you
+ don't. */
+#define HAVE_DECL_GLOB_NOMATCH 1
+
+/* Define to 1 if you have the declaration of `GSS_C_NT_HOSTBASED_SERVICE',
+ and to 0 if you don't. */
+/* #undef HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE */
+
+/* Define to 1 if you have the declaration of `howmany', and to 0 if you
+ don't. */
+#define HAVE_DECL_HOWMANY 1
+
+/* Define to 1 if you have the declaration of `h_errno', and to 0 if you
+ don't. */
+#define HAVE_DECL_H_ERRNO 1
+
+/* Define to 1 if you have the declaration of `loginfailed', and to 0 if you
+ don't. */
+/* #undef HAVE_DECL_LOGINFAILED */
+
+/* Define to 1 if you have the declaration of `loginrestrictions', and to 0 if
+ you don't. */
+/* #undef HAVE_DECL_LOGINRESTRICTIONS */
+
+/* Define to 1 if you have the declaration of `loginsuccess', and to 0 if you
+ don't. */
+/* #undef HAVE_DECL_LOGINSUCCESS */
+
+/* Define to 1 if you have the declaration of `MAXSYMLINKS', and to 0 if you
+ don't. */
+#define HAVE_DECL_MAXSYMLINKS 1
+
+/* Define to 1 if you have the declaration of `memmem', and to 0 if you don't.
+ */
+#define HAVE_DECL_MEMMEM 1
+
+/* Define to 1 if you have the declaration of `NFDBITS', and to 0 if you
+ don't. */
+#define HAVE_DECL_NFDBITS 1
+
+/* Define to 1 if you have the declaration of `offsetof', and to 0 if you
+ don't. */
+#define HAVE_DECL_OFFSETOF 1
+
+/* Define to 1 if you have the declaration of `O_NONBLOCK', and to 0 if you
+ don't. */
+#define HAVE_DECL_O_NONBLOCK 1
+
+/* Define to 1 if you have the declaration of `passwdexpired', and to 0 if you
+ don't. */
+/* #undef HAVE_DECL_PASSWDEXPIRED */
+
+/* Define to 1 if you have the declaration of `readv', and to 0 if you don't.
+ */
+#define HAVE_DECL_READV 1
+
+/* Define to 1 if you have the declaration of `setauthdb', and to 0 if you
+ don't. */
+/* #undef HAVE_DECL_SETAUTHDB */
+
+/* Define to 1 if you have the declaration of `SHUT_RD', and to 0 if you
+ don't. */
+#define HAVE_DECL_SHUT_RD 1
+
+/* Define to 1 if you have the declaration of `UINT32_MAX', and to 0 if you
+ don't. */
+#define HAVE_DECL_UINT32_MAX 1
+
+/* Define to 1 if you have the declaration of `writev', and to 0 if you don't.
+ */
+#define HAVE_DECL_WRITEV 1
+
+/* Define to 1 if you have the declaration of `_getlong', and to 0 if you
+ don't. */
+#define HAVE_DECL__GETLONG 0
+
+/* Define to 1 if you have the declaration of `_getshort', and to 0 if you
+ don't. */
+#define HAVE_DECL__GETSHORT 0
+
+/* Define to 1 if you have the `DES_crypt' function. */
+#define HAVE_DES_CRYPT 1
+
+/* Define if you have /dev/ptmx */
+/* #undef HAVE_DEV_PTMX */
+
+/* Define if you have /dev/ptc */
+/* #undef HAVE_DEV_PTS_AND_PTC */
+
- /* Define to 1 if you have the `DH_get0_key' function. */
- #define HAVE_DH_GET0_KEY 1
-
- /* Define to 1 if you have the `DH_get0_pqg' function. */
- #define HAVE_DH_GET0_PQG 1
-
- /* Define to 1 if you have the `DH_set0_key' function. */
- #define HAVE_DH_SET0_KEY 1
-
- /* Define to 1 if you have the `DH_set0_pqg' function. */
- #define HAVE_DH_SET0_PQG 1
-
- /* Define to 1 if you have the `DH_set_length' function. */
- #define HAVE_DH_SET_LENGTH 1
-
+/* Define to 1 if you have the <dirent.h> header file. */
+#define HAVE_DIRENT_H 1
+
+/* Define to 1 if you have the `dirfd' function. */
+#define HAVE_DIRFD 1
+
+/* Define to 1 if you have the `dirname' function. */
+#define HAVE_DIRNAME 1
+
+/* Define to 1 if you have the `dlopen' function. */
+#define HAVE_DLOPEN 1
+
+/* Define to 1 if you have the `DSA_generate_parameters_ex' function. */
+#define HAVE_DSA_GENERATE_PARAMETERS_EX 1
+
- /* Define to 1 if you have the `DSA_get0_key' function. */
- #define HAVE_DSA_GET0_KEY 1
-
- /* Define to 1 if you have the `DSA_get0_pqg' function. */
- #define HAVE_DSA_GET0_PQG 1
-
- /* Define to 1 if you have the `DSA_set0_key' function. */
- #define HAVE_DSA_SET0_KEY 1
-
- /* Define to 1 if you have the `DSA_set0_pqg' function. */
- #define HAVE_DSA_SET0_PQG 1
-
- /* Define to 1 if you have the `DSA_SIG_get0' function. */
- #define HAVE_DSA_SIG_GET0 1
-
- /* Define to 1 if you have the `DSA_SIG_set0' function. */
- #define HAVE_DSA_SIG_SET0 1
-
- /* Define to 1 if you have the `ECDSA_SIG_get0' function. */
- #define HAVE_ECDSA_SIG_GET0 1
-
- /* Define to 1 if you have the `ECDSA_SIG_set0' function. */
- #define HAVE_ECDSA_SIG_SET0 1
-
+/* Define to 1 if you have the `EC_KEY_METHOD_new' function. */
+#define HAVE_EC_KEY_METHOD_NEW 1
+
+/* Define to 1 if you have the <elf.h> header file. */
+#define HAVE_ELF_H 1
+
+/* Define to 1 if you have the `endgrent' function. */
+#define HAVE_ENDGRENT 1
+
+/* Define to 1 if you have the <endian.h> header file. */
- /* #undef HAVE_ENDIAN_H */
++#define HAVE_ENDIAN_H 1
+
+/* Define to 1 if you have the `endutent' function. */
+/* #undef HAVE_ENDUTENT */
+
+/* Define to 1 if you have the `endutxent' function. */
+#define HAVE_ENDUTXENT 1
+
+/* Define to 1 if you have the `err' function. */
+#define HAVE_ERR 1
+
+/* Define to 1 if you have the `errx' function. */
+#define HAVE_ERRX 1
+
+/* Define to 1 if you have the <err.h> header file. */
+#define HAVE_ERR_H 1
+
+/* Define if your system has /etc/default/login */
+/* #undef HAVE_ETC_DEFAULT_LOGIN */
+
+/* Define to 1 if you have the `EVP_chacha20' function. */
+#define HAVE_EVP_CHACHA20 1
+
+/* Define to 1 if you have the `EVP_CIPHER_CTX_get_iv' function. */
+/* #undef HAVE_EVP_CIPHER_CTX_GET_IV */
*** 11214 LINES SKIPPED ***