[Midnightbsd-cvs] [MidnightBSD/mports] fd5623: security/openssh-portable: update to 10.3p1 (#553)
Lucas Holt
noreply at github.com
Tue May 19 10:58:14 EDT 2026
Branch: refs/heads/master
Home: https://github.com/MidnightBSD/mports
Commit: fd5623f015ae155f8b08560f88f08c7568b2cf9b
https://github.com/MidnightBSD/mports/commit/fd5623f015ae155f8b08560f88f08c7568b2cf9b
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
M security/openssh-portable/Makefile
M security/openssh-portable/distinfo
M security/openssh-portable/files/extra-patch-blacklistd
R security/openssh-portable/files/extra-patch-gssapi-auth2-gss.c
M security/openssh-portable/files/extra-patch-hpn-compat
R security/openssh-portable/files/extra-patch-ldns
A security/openssh-portable/files/extra-patch-no-blocklistd-hpn-glue
M security/openssh-portable/files/extra-patch-pam-sshd_config
A security/openssh-portable/files/patch-auth-pam.c
R security/openssh-portable/files/patch-configure.ac
M security/openssh-portable/files/patch-regress__test-exec.sh
M security/openssh-portable/files/patch-servconf.c
M security/openssh-portable/files/patch-session.c
M security/openssh-portable/files/patch-ssh-agent.1
M security/openssh-portable/files/patch-ssh-agent.c
M security/openssh-portable/files/patch-ssh.c
M security/openssh-portable/files/patch-sshd.8
M security/openssh-portable/files/patch-sshd.c
M security/openssh-portable/files/patch-sshd_config
M security/openssh-portable/files/patch-sshd_config.5
A security/openssh-portable/files/patch-uidswap.c
M security/openssh-portable/pkg-plist
Log Message:
-----------
security/openssh-portable: update to 10.3p1 (#553)
## Summary
- Update `security/openssh-portable` from 9.9p2 to 10.3p1
- 10.3p1 splits sshd into `sshd-session` and `sshd-auth` helper
binaries; add `sshd-auth` to pkg-plist
- Blacklistd support was integrated upstream; replaced standalone patch
with targeted `patch-auth-pam.c` for the PAM notification (portable
tarball has different indentation than FreeBSD base)
- Remove XMSS option (removed upstream in 10.3p1)
- Add `ssh_config.d` and `sshd_config.d` directory creation in
`post-install`
- Remove obsolete patches (`extra-patch-ldns`,
`extra-patch-gssapi-auth2-gss.c`, `patch-configure.ac`)
- Add new patches from FreeBSD 10.3p1
(`extra-patch-no-blocklistd-hpn-glue`, `patch-uidswap.c`)
- Update all shared patch files to match 10.3p1 source context
- Fix `extra-patch-hpn-compat` and `extra-patch-pam-sshd_config` for
changed source layout
- GSSAPI Debian patch updated to 10.3p1
## Test plan
- [x] `bmake makesum` — distinfo updated for openssh-10.3p1.tar.gz
- [x] `bmake patch` — all patches apply cleanly, no rejects
- [x] `bmake` — build succeeds
- [x] `bmake fake` — staging succeeds, `sshd-auth` and `sshd-session`
present in libexec
- [x] `bmake package` — package created successfully
🤖 Generated with [Claude Code](https://claude.com/claude-code)
## Summary by Sourcery
Update the OpenSSH portable port to 10.3p1 and sync FreeBSD-specific
patches, defaults, and packaging with the new upstream release.
New Features:
- Enable BLACKLISTD support by default and integrate upstream blacklistd
handling with a PAM notification hook.
- Create ssh_config.d and sshd_config.d include directories during
installation for drop-in configuration.
- Add support for ssh-agent -x option on top of the newer upstream
ssh-agent implementation.
Bug Fixes:
- Ensure sshd-session correctly preserves the privileged gid on older
FreeBSD versions when temporarily switching user IDs to avoid losing
privilege state.
- Preserve TZ and MAIL environment variables and login class environment
settings more reliably when setting up user sessions.
- Initialize the resolver before privsep chroot on FreeBSD to avoid DNS
resolution issues in the daemon.
Enhancements:
- Adjust default server configuration to disable root login by password
and align manpages and tests with FreeBSD defaults, including
HostbasedAuthentication and X11 forwarding behavior.
- Improve sshd robustness on FreeBSD in low-memory situations using
madvise-based protection.
- Refine hostname canonicalisation in the ssh client before host key
lookup to better match known_hosts entries.
- Refresh and rebase HPN, PAM, blacklistd, and GSSAPI-related patches to
match the 10.3p1 codebase and Debian GSSAPI patch level.
Build:
- Bump the port to DISTVERSION 10.3p1 and update distinfo and Debian
GSSAPI patch version metadata.
- Remove the obsolete XMSS build option and related configure hook, and
drop no-longer-needed ldns and GSSAPI auth patches.
- Add conditional glue patching for blacklistd and HPN/NONECIPHER
combinations to keep patch application clean across option sets.
Tests:
- Update the regression test sshd_config to reflect new paths for
sshd-session/sshd-auth helpers and FreeBSD-specific defaults.
Signed-off-by: Lucas Holt <luke at foolishgames.com>
To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/mports/settings/notifications
More information about the Midnightbsd-cvs
mailing list