diff --git a/net-misc/openssh/openssh-8.3p1.recipe b/net-misc/openssh/openssh-8.3p1.recipe
index 1d551883e..4e995498e 100644
--- a/net-misc/openssh/openssh-8.3p1.recipe
+++ b/net-misc/openssh/openssh-8.3p1.recipe
@@ -16,15 +16,10 @@ ssh-keyscan, ssh-keygen and sftp-server."
 HOMEPAGE="http://www.openssh.com/"
 COPYRIGHT="2005-2020 Tatu Ylonen et al."
 LICENSE="OpenSSH"
-REVISION="1"
+REVISION="2"
 SOURCE_URI="https://ftp.fr.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$portVersion.tar.gz"
 CHECKSUM_SHA256="f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2"
-PATCHES="sshd_config.patch
- pathnames.patch
- bzero.patch
- ssh-copy-id.patch
- sha2-gcc2-build-fix.patch
- pkcs11-gcc2-build-fix.patch"
+PATCHES="opensh-$portVersion.patchset"
 ADDITIONAL_FILES="
 sshd_keymaker.sh
 fix_openssh_config_paths.sh
diff --git a/net-misc/openssh/patches/bzero.patch b/net-misc/openssh/patches/bzero.patch
deleted file mode 100644
index cf7d759cc..000000000
--- a/net-misc/openssh/patches/bzero.patch
+++ /dev/null
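Review bot: The new `PATCHES` line names `opensh-$portVersion.patchset`, but the file this commit adds is `patches/openssh-8.3p1.patchset`, so the recipe points at a patchset that does not exist under that name. Depending on how the port tooling treats a missing patch, the build either stops or, worse, produces an sshd without the Haiku settings paths and the `explicit_bzero` fallback that the six removed patches used to supply; the line should read `PATCHES="openssh-$portVersion.patchset"`. Separately, the manpage commit inside that patchset writes `~/config/settings/settings/ssh/...` almost everywhere, while its `pathnames.h` and `sshd_config` changes (and one `ssh.0` line) use `config/settings/ssh`; the duplicated `settings/` would send users to the wrong directory for `authorized_keys` and private keys, so the documented paths should be brought in line with `_PATH_SSH_USER_DIR`.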
@@ -1,47 +0,0 @@
-From 3db15d63ae6a9ceeaad80f367e3a7f9df003dae1 Mon Sep 17 00:00:00 2001
-From: Jerome Duval
-Date: Mon, 24 Nov 2014 18:45:00 +0000
-Subject: haiku: we define bzero(x, y) but not bzero.
-
-
-diff --git a/openbsd-compat/explicit_bzero.c b/openbsd-compat/explicit_bzero.c
-index 3c85a48..a02e35e 100644
---- a/openbsd-compat/explicit_bzero.c
-+++ b/openbsd-compat/explicit_bzero.c
-@@ -23,6 +23,24 @@ explicit_bzero(void *p, size_t n)
-
- #else /* HAVE_MEMSET_S */
-
-+#ifdef __HAIKU__
-+/* Haiku defines bzero(x, y) but not bzero */
-+
-+/*
-+ * Indirect memset through a volatile pointer to hopefully avoid
-+ * dead-store optimisation eliminating the call.
-+ */
-+static void (* volatile ssh_memset)(void *, int, size_t) = memset;
-+
-+void
-+explicit_bzero(void *p, size_t n)
-+{
-+ ssh_memset(p, 0, n);
-+}
-+
-+
-+#else
-+
- /*
- * Indirect bzero through a volatile pointer to hopefully avoid
- * dead-store optimisation eliminating the call.
-@@ -35,6 +53,8 @@ explicit_bzero(void *p, size_t n)
- ssh_bzero(p, n);
- }
-
-+#endif
-+
- #endif /* HAVE_MEMSET_S */
-
- #endif /* HAVE_EXPLICIT_BZERO */
---
-1.8.3.4
-
diff --git a/net-misc/openssh/patches/define_bsd_source.patch b/net-misc/openssh/patches/define_bsd_source.patch
deleted file mode 100644
index 25f277dcc..000000000
--- a/net-misc/openssh/patches/define_bsd_source.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index b7258bd..d50a413 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -688,6 +688,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
- LIBS="$LIBS -lbsd "
- AC_CHECK_LIB([network], [socket])
- AC_DEFINE([HAVE_U_INT64_T])
-+ CFLAGS="$CFLAGS -D_BSD_SOURCE"
- MANTYPE=man
- ;;
- *-*-hpux*)
diff --git a/net-misc/openssh/patches/openssh-8.3p1.patchset b/net-misc/openssh/patches/openssh-8.3p1.patchset
new file mode 100644
index 000000000..0817bed49
--- /dev/null
+++ b/net-misc/openssh/patches/openssh-8.3p1.patchset
@@ -0,0 +1,1025 @@ +From bfd521c1af53563cc95c78920836d5ce9aab36ca Mon Sep 17 00:00:00 2001 +From: Adrien Destugues +Date: Thu, 16 Jul 2020 17:57:38 +0200 +Subject: applying patch sshd_config.patch + + +diff --git a/sshd_config b/sshd_config +index 19b7c91..fcea4fb 100644 +--- a/sshd_config ++++ b/sshd_config +@@ -38,7 +38,7 @@ + + # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 + # but this is overridden so installations will only check .ssh/authorized_keys +-AuthorizedKeysFile .ssh/authorized_keys ++AuthorizedKeysFile config/settings/ssh/authorized_keys + + #AuthorizedPrincipalsFile none + +-- +2.27.0 + + +From 857f451eaaf9e9c4f548da1b385a9239d90093d9 Mon Sep 17 00:00:00 2001 +From: Adrien Destugues +Date: Thu, 16 Jul 2020 17:57:38 +0200 +Subject: applying patch pathnames.patch + + +diff --git a/pathnames.h b/pathnames.h +index f7ca5a7..828e43e 100644 +--- a/pathnames.h ++++ b/pathnames.h +@@ -57,7 +57,7 @@ + * The directory in user's home directory in which the files reside. The + * directory should be world-readable (though not all files are). + */ +-#define _PATH_SSH_USER_DIR ".ssh" ++#define _PATH_SSH_USER_DIR "config/settings/ssh" + + /* + * Per-user file containing host keys of known hosts. This file need not be +-- +2.27.0 + + +From 34a94948906168e298d1800ab02d6e5c17212eee Mon Sep 17 00:00:00 2001 +From: Adrien Destugues +Date: Thu, 16 Jul 2020 17:57:38 +0200 +Subject: applying patch bzero.patch + + +diff --git a/openbsd-compat/explicit_bzero.c b/openbsd-compat/explicit_bzero.c +index 6ef9825..e03a569 100644 +--- a/openbsd-compat/explicit_bzero.c ++++ b/openbsd-compat/explicit_bzero.c +@@ -27,6 +27,24 @@ explicit_bzero(void *p, size_t n) + + #else /* HAVE_MEMSET_S */ + ++#ifdef __HAIKU__ ++/* Haiku defines bzero(x, y) but not bzero */ ++ ++/* ++ * Indirect memset through a volatile pointer to hopefully avoid ++ * dead-store optimisation eliminating the call. 
++ */ ++static void (* volatile ssh_memset)(void *, int, size_t) = memset; ++ ++void ++explicit_bzero(void *p, size_t n) ++{ ++ ssh_memset(p, 0, n); ++} ++ ++ ++#else ++ + /* + * Indirect bzero through a volatile pointer to hopefully avoid + * dead-store optimisation eliminating the call. +@@ -52,6 +70,8 @@ explicit_bzero(void *p, size_t n) + ssh_bzero(p, n); + } + ++#endif ++ + #endif /* HAVE_MEMSET_S */ + + #endif /* HAVE_EXPLICIT_BZERO */ +-- +2.27.0 + + +From 3e5142f762f7774af14448c5c81a3cc3b1a226f5 Mon Sep 17 00:00:00 2001 +From: Adrien Destugues +Date: Thu, 16 Jul 2020 17:57:38 +0200 +Subject: applying patch ssh-copy-id.patch + + +diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id +old mode 100644 +new mode 100755 +index b83b836..f468018 +--- a/contrib/ssh-copy-id ++++ b/contrib/ssh-copy-id +@@ -56,8 +56,8 @@ then + fi + fi + +-most_recent_id="$(cd "$HOME" ; ls -t .ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)" +-DEFAULT_PUB_ID_FILE="${most_recent_id:+$HOME/}$most_recent_id" ++most_recent_id="$(cd `finddir B_USER_SETTINGS_DIRECTORY`/ ; ls -t ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)" ++DEFAULT_PUB_ID_FILE="${most_recent_id:+`finddir B_USER_SETTINGS_DIRECTORY`/}$most_recent_id" + + usage () { + printf 'Usage: %s [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o ] ...] [user@]hostname\n' "$0" >&2 +@@ -218,7 +218,7 @@ populate_new_ids() { + eval set -- "$SSH_OPTS" + + umask 0177 +- local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX) ++ local L_TMP_ID_FILE=$(mktemp `finddir B_USER_SETTINGS_DIRECTORY`/ssh/ssh-copy-id_id.XXXXXXXXXX) + if test $? 
-ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then + printf '%s: ERROR: mktemp failed\n' "$0" >&2 + exit 1 +-- +2.27.0 + + +From 8de2c264738ae83e549f25b7af75deeeb074c9e3 Mon Sep 17 00:00:00 2001 +From: Adrien Destugues +Date: Thu, 16 Jul 2020 17:57:38 +0200 +Subject: applying patch sha2-gcc2-build-fix.patch + + +diff --git a/openbsd-compat/sha2.c b/openbsd-compat/sha2.c +index e36cc24..235d279 100644 +--- a/openbsd-compat/sha2.c ++++ b/openbsd-compat/sha2.c +@@ -616,11 +616,13 @@ SHA256Final(u_int8_t digest[SHA256_DIGEST_LENGTH], SHA2_CTX *context) + SHA256Pad(context); + + #if BYTE_ORDER == LITTLE_ENDIAN ++{ + int i; + + /* Convert TO host byte order */ + for (i = 0; i < 8; i++) + BE_32_TO_8(digest + i * 4, context->state.st32[i]); ++} + #else + memcpy(digest, context->state.st32, SHA256_DIGEST_LENGTH); + #endif +@@ -897,11 +899,13 @@ SHA512Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA2_CTX *context) + SHA512Pad(context); + + #if BYTE_ORDER == LITTLE_ENDIAN ++{ + int i; + + /* Convert TO host byte order */ + for (i = 0; i < 8; i++) + BE_64_TO_8(digest + i * 8, context->state.st64[i]); ++} + #else + memcpy(digest, context->state.st64, SHA512_DIGEST_LENGTH); + #endif +@@ -954,11 +958,13 @@ SHA384Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA2_CTX *context) + SHA384Pad(context); + + #if BYTE_ORDER == LITTLE_ENDIAN ++{ + int i; + + /* Convert TO host byte order */ + for (i = 0; i < 6; i++) + BE_64_TO_8(digest + i * 8, context->state.st64[i]); ++} + #else + memcpy(digest, context->state.st64, SHA384_DIGEST_LENGTH); + #endif +-- +2.27.0 + + +From 1dd835d3871f67cd9a32fbe28aaabaa968550161 Mon Sep 17 00:00:00 2001 +From: Adrien Destugues +Date: Thu, 16 Jul 2020 17:57:38 +0200 +Subject: applying patch pkcs11-gcc2-build-fix.patch + + +diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c +index 8a0ffef..cd75bf2 100644 +--- a/ssh-pkcs11-client.c ++++ b/ssh-pkcs11-client.c +@@ -248,6 +248,7 @@ pkcs11_start_helper_methods(void) + return (0); + + #ifdef HAVE_EC_KEY_METHOD_NEW ++ 
{ + int (*orig_sign)(int, const unsigned char *, int, unsigned char *, + unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL; + if (helper_ecdsa != NULL) +@@ -257,6 +258,7 @@ pkcs11_start_helper_methods(void) + return (-1); + EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL); + EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign); ++ } + #endif /* HAVE_EC_KEY_METHOD_NEW */ + + if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL) +-- +2.27.0 + + +From bd350747310617de68e3e64d52558466cb4c9265 Mon Sep 17 00:00:00 2001 +From: Adrien Destugues +Date: Thu, 16 Jul 2020 18:08:27 +0200 +Subject: Fix configuration path in manpages + + +diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1 +index ae75c79..bc8d89c 100644 +--- a/contrib/ssh-copy-id.1 ++++ b/contrib/ssh-copy-id.1 +@@ -53,7 +53,7 @@ this may result in you being repeatedly prompted for pass-phrases). + It then assembles a list of those that failed to log in, and using ssh, + enables logins with those keys on the remote server. By default it adds + the keys by appending them to the remote user's +-.Pa ~/.ssh/authorized_keys ++.Pa ~/config/settings/settings/ssh/authorized_keys + (creating the file, and directory, if necessary). It is also capable + of detecting if the remote system is a NetScreen, and using its + .Ql set ssh pka-dsa key ... +@@ -117,9 +117,9 @@ will be used. + The + .Ic default_ID_file + is the most recent file that matches: +-.Pa ~/.ssh/id*.pub , ++.Pa ~/config/settings/settings/ssh/id*.pub , + (excluding those that match +-.Pa ~/.ssh/*-cert.pub ) ++.Pa ~/config/settings/settings/ssh/*-cert.pub ) + so if you create a key that is not the one you want + .Nm + to use, just use +diff --git a/ssh-add.0 b/ssh-add.0 +index 698f1b8..a8f84f2 100644 +--- a/ssh-add.0 ++++ b/ssh-add.0 +@@ -13,8 +13,8 @@ SYNOPSIS + DESCRIPTION + ssh-add adds private key identities to the authentication agent, + ssh-agent(1). 
When run without arguments, it adds the files +- ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, +- ~/.ssh/id_ed25519, and ~/.ssh/id_ed25519_sk. After loading a private ++ ~/config/settings/settings/ssh/id_rsa, ~/config/settings/settings/ssh/id_dsa, ~/config/settings/settings/ssh/id_ecdsa, ~/config/settings/settings/ssh/id_ecdsa_sk, ++ ~/config/settings/settings/ssh/id_ed25519, and ~/config/settings/settings/ssh/id_ed25519_sk. After loading a private + key, ssh-add will try to load corresponding certificate information from + the filename obtained by appending -cert.pub to the name of the private + key file. Alternative file names can be given on the command line. +@@ -114,12 +114,12 @@ ENVIRONMENT + the built-in USB HID support. + + FILES +- ~/.ssh/id_dsa +- ~/.ssh/id_ecdsa +- ~/.ssh/id_ecdsa_sk +- ~/.ssh/id_ed25519 +- ~/.ssh/id_ed25519_sk +- ~/.ssh/id_rsa ++ ~/config/settings/settings/ssh/id_dsa ++ ~/config/settings/settings/ssh/id_ecdsa ++ ~/config/settings/settings/ssh/id_ecdsa_sk ++ ~/config/settings/settings/ssh/id_ed25519 ++ ~/config/settings/settings/ssh/id_ed25519_sk ++ ~/config/settings/settings/ssh/id_rsa + Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, + authenticator-hosted Ed25519 or RSA authentication identity of + the user. +diff --git a/ssh-add.1 b/ssh-add.1 +index 58d4213..a70be12 100644 +--- a/ssh-add.1 ++++ b/ssh-add.1 +@@ -60,13 +60,13 @@ + adds private key identities to the authentication agent, + .Xr ssh-agent 1 . + When run without arguments, it adds the files +-.Pa ~/.ssh/id_rsa , +-.Pa ~/.ssh/id_dsa , +-.Pa ~/.ssh/id_ecdsa , +-.Pa ~/.ssh/id_ecdsa_sk , +-.Pa ~/.ssh/id_ed25519 , ++.Pa ~/config/settings/settings/ssh/id_rsa , ++.Pa ~/config/settings/settings/ssh/id_dsa , ++.Pa ~/config/settings/settings/ssh/id_ecdsa , ++.Pa ~/config/settings/settings/ssh/id_ecdsa_sk , ++.Pa ~/config/settings/settings/ssh/id_ed25519 , + and +-.Pa ~/.ssh/id_ed25519_sk . ++.Pa ~/config/settings/settings/ssh/id_ed25519_sk . 
+ After loading a private key, + .Nm + will try to load corresponding certificate information from the +@@ -205,12 +205,12 @@ the built-in USB HID support. + .El + .Sh FILES + .Bl -tag -width Ds -compact +-.It Pa ~/.ssh/id_dsa +-.It Pa ~/.ssh/id_ecdsa +-.It Pa ~/.ssh/id_ecdsa_sk +-.It Pa ~/.ssh/id_ed25519 +-.It Pa ~/.ssh/id_ed25519_sk +-.It Pa ~/.ssh/id_rsa ++.It Pa ~/config/settings/settings/ssh/id_dsa ++.It Pa ~/config/settings/settings/ssh/id_ecdsa ++.It Pa ~/config/settings/settings/ssh/id_ecdsa_sk ++.It Pa ~/config/settings/settings/ssh/id_ed25519 ++.It Pa ~/config/settings/settings/ssh/id_ed25519_sk ++.It Pa ~/config/settings/settings/ssh/id_rsa + Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, + authenticator-hosted Ed25519 or RSA authentication identity of the user. + .El +diff --git a/ssh-keygen.0 b/ssh-keygen.0 +index c388cdf..8af15a1 100644 +--- a/ssh-keygen.0 ++++ b/ssh-keygen.0 +@@ -52,9 +52,9 @@ DESCRIPTION + KEY REVOCATION LISTS section for details. + + Normally each user wishing to use SSH with public key authentication runs +- this once to create the authentication key in ~/.ssh/id_dsa, +- ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, +- ~/.ssh/id_ed25519_sk or ~/.ssh/id_rsa. Additionally, the system ++ this once to create the authentication key in ~/config/settings/settings/ssh/id_dsa, ++ ~/config/settings/settings/ssh/id_ecdsa, ~/config/settings/settings/ssh/id_ecdsa_sk, ~/config/settings/settings/ssh/id_ed25519, ++ ~/config/settings/settings/ssh/id_ed25519_sk or ~/config/settings/settings/ssh/id_rsa. Additionally, the system + administrator may use this to generate host keys, as seen in /etc/rc. + + Normally this program generates the key and asks for a file in which to +@@ -585,7 +585,7 @@ CERTIFICATES + no-pty Disable PTY allocation (permitted by default). + + no-user-rc +- Disable execution of ~/.ssh/rc by sshd(8) (permitted by default). 
++ Disable execution of ~/config/settings/settings/ssh/rc by sshd(8) (permitted by default). + + no-x11-forwarding + Disable X11 forwarding (permitted by default). +@@ -600,7 +600,7 @@ CERTIFICATES + Allows PTY allocation. + + permit-user-rc +- Allows execution of ~/.ssh/rc by sshd(8). ++ Allows execution of ~/config/settings/settings/ssh/rc by sshd(8). + + permit-X11-forwarding + Allows X11 forwarding. +@@ -742,12 +742,12 @@ ENVIRONMENT + the built-in USB HID support. + + FILES +- ~/.ssh/id_dsa +- ~/.ssh/id_ecdsa +- ~/.ssh/id_ecdsa_sk +- ~/.ssh/id_ed25519 +- ~/.ssh/id_ed25519_sk +- ~/.ssh/id_rsa ++ ~/config/settings/settings/ssh/id_dsa ++ ~/config/settings/settings/ssh/id_ecdsa ++ ~/config/settings/settings/ssh/id_ecdsa_sk ++ ~/config/settings/settings/ssh/id_ed25519 ++ ~/config/settings/settings/ssh/id_ed25519_sk ++ ~/config/settings/settings/ssh/id_rsa + Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, + authenticator-hosted Ed25519 or RSA authentication identity of + the user. This file should not be readable by anyone but the +@@ -758,16 +758,16 @@ FILES + the private key. ssh(1) will read this file when a login attempt + is made. + +- ~/.ssh/id_dsa.pub +- ~/.ssh/id_ecdsa.pub +- ~/.ssh/id_ecdsa_sk.pub +- ~/.ssh/id_ed25519.pub +- ~/.ssh/id_ed25519_sk.pub +- ~/.ssh/id_rsa.pub ++ ~/config/settings/settings/ssh/id_dsa.pub ++ ~/config/settings/settings/ssh/id_ecdsa.pub ++ ~/config/settings/settings/ssh/id_ecdsa_sk.pub ++ ~/config/settings/settings/ssh/id_ed25519.pub ++ ~/config/settings/settings/ssh/id_ed25519_sk.pub ++ ~/config/settings/settings/ssh/id_rsa.pub + Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, + authenticator-hosted Ed25519 or RSA public key for + authentication. The contents of this file should be added to +- ~/.ssh/authorized_keys on all machines where the user wishes to ++ ~/config/settings/settings/ssh/authorized_keys on all machines where the user wishes to + log in using public key authentication. 
There is no need to keep + the contents of this file secret. + +diff --git a/ssh-keygen.1 b/ssh-keygen.1 +index 059c1b0..9d14d20 100644 +--- a/ssh-keygen.1 ++++ b/ssh-keygen.1 +@@ -190,13 +190,13 @@ section for details. + Normally each user wishing to use SSH + with public key authentication runs this once to create the authentication + key in +-.Pa ~/.ssh/id_dsa , +-.Pa ~/.ssh/id_ecdsa , +-.Pa ~/.ssh/id_ecdsa_sk , +-.Pa ~/.ssh/id_ed25519 , +-.Pa ~/.ssh/id_ed25519_sk ++.Pa ~/config/settings/settings/ssh/id_dsa , ++.Pa ~/config/settings/settings/ssh/id_ecdsa , ++.Pa ~/config/settings/settings/ssh/id_ecdsa_sk , ++.Pa ~/config/settings/settings/ssh/id_ed25519 , ++.Pa ~/config/settings/settings/ssh/id_ed25519_sk + or +-.Pa ~/.ssh/id_rsa . ++.Pa ~/config/settings/settings/ssh/id_rsa . + Additionally, the system administrator may use this to generate host keys, + as seen in + .Pa /etc/rc . +@@ -924,7 +924,7 @@ Disable PTY allocation (permitted by default). + .Pp + .It Ic no-user-rc + Disable execution of +-.Pa ~/.ssh/rc ++.Pa ~/config/settings/settings/ssh/rc + by + .Xr sshd 8 + (permitted by default). +@@ -945,7 +945,7 @@ Allows PTY allocation. + .Pp + .It Ic permit-user-rc + Allows execution of +-.Pa ~/.ssh/rc ++.Pa ~/config/settings/settings/ssh/rc + by + .Xr sshd 8 . + .Pp +@@ -1126,12 +1126,12 @@ the built-in USB HID support. + .El + .Sh FILES + .Bl -tag -width Ds -compact +-.It Pa ~/.ssh/id_dsa +-.It Pa ~/.ssh/id_ecdsa +-.It Pa ~/.ssh/id_ecdsa_sk +-.It Pa ~/.ssh/id_ed25519 +-.It Pa ~/.ssh/id_ed25519_sk +-.It Pa ~/.ssh/id_rsa ++.It Pa ~/config/settings/settings/ssh/id_dsa ++.It Pa ~/config/settings/settings/ssh/id_ecdsa ++.It Pa ~/config/settings/settings/ssh/id_ecdsa_sk ++.It Pa ~/config/settings/settings/ssh/id_ed25519 ++.It Pa ~/config/settings/settings/ssh/id_ed25519_sk ++.It Pa ~/config/settings/settings/ssh/id_rsa + Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, + authenticator-hosted Ed25519 or RSA authentication identity of the user. 
+ This file should not be readable by anyone but the user. +@@ -1144,16 +1144,16 @@ but it is offered as the default file for the private key. + .Xr ssh 1 + will read this file when a login attempt is made. + .Pp +-.It Pa ~/.ssh/id_dsa.pub +-.It Pa ~/.ssh/id_ecdsa.pub +-.It Pa ~/.ssh/id_ecdsa_sk.pub +-.It Pa ~/.ssh/id_ed25519.pub +-.It Pa ~/.ssh/id_ed25519_sk.pub +-.It Pa ~/.ssh/id_rsa.pub ++.It Pa ~/config/settings/settings/ssh/id_dsa.pub ++.It Pa ~/config/settings/settings/ssh/id_ecdsa.pub ++.It Pa ~/config/settings/settings/ssh/id_ecdsa_sk.pub ++.It Pa ~/config/settings/settings/ssh/id_ed25519.pub ++.It Pa ~/config/settings/settings/ssh/id_ed25519_sk.pub ++.It Pa ~/config/settings/settings/ssh/id_rsa.pub + Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, + authenticator-hosted Ed25519 or RSA public key for authentication. + The contents of this file should be added to +-.Pa ~/.ssh/authorized_keys ++.Pa ~/config/settings/settings/ssh/authorized_keys + on all machines + where the user wishes to log in using public key authentication. + There is no need to keep the contents of this file secret. +diff --git a/ssh.0 b/ssh.0 +index 474bb1e..4d52611 100644 +--- a/ssh.0 ++++ b/ssh.0 +@@ -109,7 +109,7 @@ DESCRIPTION + Specifies an alternative per-user configuration file. If a + configuration file is given on the command line, the system-wide + configuration file (/etc/ssh/ssh_config) will be ignored. The +- default for the per-user configuration file is ~/.ssh/config. If ++ default for the per-user configuration file is ~/config/settings/ssh/config. If + set to M-bM-^@M-^\noneM-bM-^@M-^], no configuration files will be read. + + -f Requests ssh to go to background just before command execution. +@@ -136,9 +136,9 @@ DESCRIPTION + + -i identity_file + Selects a file from which the identity (private key) for public +- key authentication is read. 
The default is ~/.ssh/id_dsa, +- ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, +- ~/.ssh/id_ed25519_sk and ~/.ssh/id_rsa. Identity files may also ++ key authentication is read. The default is ~/config/settings/settings/ssh/id_dsa, ++ ~/config/settings/settings/ssh/id_ecdsa, ~/config/settings/settings/ssh/id_ecdsa_sk, ~/config/settings/settings/ssh/id_ed25519, ++ ~/config/settings/settings/ssh/id_ed25519_sk and ~/config/settings/settings/ssh/id_rsa. Identity files may also + be specified on a per-host basis in the configuration file. It + is possible to have multiple -i options (and multiple identities + specified in configuration files). If no certificates have been +@@ -154,7 +154,7 @@ DESCRIPTION + is a shortcut to specify a ProxyJump configuration directive. + Note that configuration directives supplied on the command-line + generally apply to the destination host and not any specified +- jump hosts. Use ~/.ssh/config to specify configuration for jump ++ jump hosts. Use ~/config/settings/settings/ssh/config to specify configuration for jump + hosts. + + -K Enables GSSAPI-based authentication and forwarding (delegation) +@@ -467,7 +467,7 @@ AUTHENTICATION + the client machine and the name of the user on that machine, the user is + considered for login. Additionally, the server must be able to verify + the client's host key (see the description of /etc/ssh/ssh_known_hosts +- and ~/.ssh/known_hosts, below) for login to be permitted. This ++ and ~/config/settings/settings/ssh/known_hosts, below) for login to be permitted. This + authentication method closes security holes due to IP spoofing, DNS + spoofing, and routing spoofing. [Note to the administrator: + /etc/hosts.equiv, ~/.rhosts, and the rlogin/rsh protocol in general, are +@@ -483,7 +483,7 @@ AUTHENTICATION + one of the DSA, ECDSA, Ed25519 or RSA algorithms. The HISTORY section of + ssl(8) contains a brief discussion of the DSA and RSA algorithms. 
+ +- The file ~/.ssh/authorized_keys lists the public keys that are permitted ++ The file ~/config/settings/settings/ssh/authorized_keys lists the public keys that are permitted + for logging in. When the user logs in, the ssh program tells the server + which key pair it would like to use for authentication. The client + proves that it has access to the private key and the server checks that +@@ -495,15 +495,15 @@ AUTHENTICATION + DEBUG or higher (e.g. by using the -v flag). + + The user creates his/her key pair by running ssh-keygen(1). This stores +- the private key in ~/.ssh/id_dsa (DSA), ~/.ssh/id_ecdsa (ECDSA), +- ~/.ssh/id_ecdsa_sk (authenticator-hosted ECDSA), ~/.ssh/id_ed25519 +- (Ed25519), ~/.ssh/id_ed25519_sk (authenticator-hosted Ed25519), or +- ~/.ssh/id_rsa (RSA) and stores the public key in ~/.ssh/id_dsa.pub (DSA), +- ~/.ssh/id_ecdsa.pub (ECDSA), ~/.ssh/id_ecdsa_sk.pub (authenticator-hosted +- ECDSA), ~/.ssh/id_ed25519.pub (Ed25519), ~/.ssh/id_ed25519_sk.pub +- (authenticator-hosted Ed25519), or ~/.ssh/id_rsa.pub (RSA) in the user's ++ the private key in ~/config/settings/settings/ssh/id_dsa (DSA), ~/config/settings/settings/ssh/id_ecdsa (ECDSA), ++ ~/config/settings/settings/ssh/id_ecdsa_sk (authenticator-hosted ECDSA), ~/config/settings/settings/ssh/id_ed25519 ++ (Ed25519), ~/config/settings/settings/ssh/id_ed25519_sk (authenticator-hosted Ed25519), or ++ ~/config/settings/settings/ssh/id_rsa (RSA) and stores the public key in ~/config/settings/settings/ssh/id_dsa.pub (DSA), ++ ~/config/settings/settings/ssh/id_ecdsa.pub (ECDSA), ~/config/settings/settings/ssh/id_ecdsa_sk.pub (authenticator-hosted ++ ECDSA), ~/config/settings/settings/ssh/id_ed25519.pub (Ed25519), ~/config/settings/settings/ssh/id_ed25519_sk.pub ++ (authenticator-hosted Ed25519), or ~/config/settings/settings/ssh/id_rsa.pub (RSA) in the user's + home directory. The user should then copy the public key to +- ~/.ssh/authorized_keys in his/her home directory on the remote machine. 
++ ~/config/settings/settings/ssh/authorized_keys in his/her home directory on the remote machine. + The authorized_keys file corresponds to the conventional ~/.rhosts file, + and has one key per line, though the lines can be very long. After this, + the user can log in without giving the password. +@@ -531,7 +531,7 @@ AUTHENTICATION + + ssh automatically maintains and checks a database containing + identification for all hosts it has ever been used with. Host keys are +- stored in ~/.ssh/known_hosts in the user's home directory. Additionally, ++ stored in ~/config/settings/settings/ssh/known_hosts in the user's home directory. Additionally, + the file /etc/ssh/ssh_known_hosts is automatically checked for known + hosts. Any new hosts are automatically added to the user's file. If a + host's identification ever changes, ssh warns about this and disables +@@ -686,7 +686,7 @@ VERIFYING HOST KEYS + To get a listing of the fingerprints along with their random art for all + known hosts, the following command line can be used: + +- $ ssh-keygen -lv -f ~/.ssh/known_hosts ++ $ ssh-keygen -lv -f ~/config/settings/settings/ssh/known_hosts + + If the fingerprint is unknown, an alternative method of verification is + available: SSH fingerprints verified by DNS. An additional resource +@@ -820,7 +820,7 @@ ENVIRONMENT + + USER Set to the name of the user logging in. + +- Additionally, ssh reads ~/.ssh/environment, and adds lines of the format ++ Additionally, ssh reads ~/config/settings/settings/ssh/environment, and adds lines of the format + M-bM-^@M-^\VARNAME=valueM-bM-^@M-^] to the environment if the file exists and users are + allowed to change their environment. For more information, see the + PermitUserEnvironment option in sshd_config(5). +@@ -840,36 +840,36 @@ FILES + host-based authentication without permitting login with + rlogin/rsh. 
+ +- ~/.ssh/ ++ ~/config/settings/settings/ssh/ + This directory is the default location for all user-specific + configuration and authentication information. There is no + general requirement to keep the entire contents of this directory + secret, but the recommended permissions are read/write/execute + for the user, and not accessible by others. + +- ~/.ssh/authorized_keys ++ ~/config/settings/settings/ssh/authorized_keys + Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used + for logging in as this user. The format of this file is + described in the sshd(8) manual page. This file is not highly + sensitive, but the recommended permissions are read/write for the + user, and not accessible by others. + +- ~/.ssh/config ++ ~/config/settings/settings/ssh/config + This is the per-user configuration file. The file format and + configuration options are described in ssh_config(5). Because of + the potential for abuse, this file must have strict permissions: + read/write for the user, and not writable by others. + +- ~/.ssh/environment ++ ~/config/settings/settings/ssh/environment + Contains additional definitions for environment variables; see + ENVIRONMENT, above. + +- ~/.ssh/id_dsa +- ~/.ssh/id_ecdsa +- ~/.ssh/id_ecdsa_sk +- ~/.ssh/id_ed25519 +- ~/.ssh/id_ed25519_sk +- ~/.ssh/id_rsa ++ ~/config/settings/settings/ssh/id_dsa ++ ~/config/settings/settings/ssh/id_ecdsa ++ ~/config/settings/settings/ssh/id_ecdsa_sk ++ ~/config/settings/settings/ssh/id_ed25519 ++ ~/config/settings/settings/ssh/id_ed25519_sk ++ ~/config/settings/settings/ssh/id_rsa + Contains the private key for authentication. These files contain + sensitive data and should be readable by the user but not + accessible by others (read/write/execute). ssh will simply +@@ -878,22 +878,22 @@ FILES + will be used to encrypt the sensitive part of this file using + AES-128. 
+ +- ~/.ssh/id_dsa.pub +- ~/.ssh/id_ecdsa.pub +- ~/.ssh/id_ecdsa_sk.pub +- ~/.ssh/id_ed25519.pub +- ~/.ssh/id_ed25519_sk.pub +- ~/.ssh/id_rsa.pub ++ ~/config/settings/settings/ssh/id_dsa.pub ++ ~/config/settings/settings/ssh/id_ecdsa.pub ++ ~/config/settings/settings/ssh/id_ecdsa_sk.pub ++ ~/config/settings/settings/ssh/id_ed25519.pub ++ ~/config/settings/settings/ssh/id_ed25519_sk.pub ++ ~/config/settings/settings/ssh/id_rsa.pub + Contains the public key for authentication. These files are not + sensitive and can (but need not) be readable by anyone. + +- ~/.ssh/known_hosts ++ ~/config/settings/settings/ssh/known_hosts + Contains a list of host keys for all hosts the user has logged + into that are not already in the systemwide list of known host + keys. See sshd(8) for further details of the format of this + file. + +- ~/.ssh/rc ++ ~/config/settings/settings/ssh/rc + Commands in this file are executed by ssh when the user logs in, + just before the user's shell (or command) is started. See the + sshd(8) manual page for more information. +diff --git a/sshd.0 b/sshd.0 +index 5f9aadd..25f8b3b 100644 +--- a/sshd.0 ++++ b/sshd.0 +@@ -182,13 +182,13 @@ LOGIN PROCESS + + 5. Sets up basic environment. + +- 6. Reads the file ~/.ssh/environment, if it exists, and users are ++ 6. Reads the file ~/config/settings/settings/ssh/environment, if it exists, and users are + allowed to change their environment. See the + PermitUserEnvironment option in sshd_config(5). + + 7. Changes to user's home directory. + +- 8. If ~/.ssh/rc exists and the sshd_config(5) PermitUserRC option ++ 8. If ~/config/settings/settings/ssh/rc exists and the sshd_config(5) PermitUserRC option + is set, runs it; else if /etc/ssh/sshrc exists, runs it; + otherwise runs xauth. The M-bM-^@M-^\rcM-bM-^@M-^] files are given the X11 + authentication protocol and cookie in standard input. See +@@ -199,7 +199,7 @@ LOGIN PROCESS + database. 
+ + SSHRC +- If the file ~/.ssh/rc exists, sh(1) runs it after reading the environment ++ If the file ~/config/settings/settings/ssh/rc exists, sh(1) runs it after reading the environment + files but before starting the user's shell or command. It must not + produce any output on stdout; stderr must be used instead. If X11 + forwarding is in use, it will receive the "proto cookie" pair in its +@@ -231,7 +231,7 @@ SSHRC + AUTHORIZED_KEYS FILE FORMAT + AuthorizedKeysFile specifies the files containing public keys for public + key authentication; if this option is not specified, the default is +- ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the ++ ~/config/settings/settings/ssh/authorized_keys and ~/config/settings/settings/ssh/authorized_keys2. Each line of the + file contains one key (empty lines and lines starting with a M-bM-^@M-^X#M-bM-^@M-^Y are + ignored as comments). Public keys consist of the following space- + separated fields: options, keytype, base64-encoded key, comment. The +@@ -342,7 +342,7 @@ AUTHORIZED_KEYS FILE FORMAT + no-pty Prevents tty allocation (a request to allocate a pty will fail). + + no-user-rc +- Disables execution of ~/.ssh/rc. ++ Disables execution of ~/config/settings/settings/ssh/rc. + + no-X11-forwarding + Forbids X11 forwarding when this key is used for authentication. +@@ -394,7 +394,7 @@ AUTHORIZED_KEYS FILE FORMAT + restrict + Enable all restrictions, i.e. disable port, agent and X11 + forwarding, as well as disabling PTY allocation and execution of +- ~/.ssh/rc. If any future restriction capabilities are added to ++ ~/config/settings/settings/ssh/rc. If any future restriction capabilities are added to + authorized_keys files they will be included in this set. + + tunnel="n" +@@ -403,7 +403,7 @@ AUTHORIZED_KEYS FILE FORMAT + tunnel. + + user-rc +- Enables execution of ~/.ssh/rc previously disabled by the ++ Enables execution of ~/config/settings/settings/ssh/rc previously disabled by the + restrict option. 
+ + X11-forwarding +@@ -432,7 +432,7 @@ AUTHORIZED_KEYS FILE FORMAT + user@example.net + + SSH_KNOWN_HOSTS FILE FORMAT +- The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host ++ The /etc/ssh/ssh_known_hosts and ~/config/settings/settings/ssh/known_hosts files contain host + public keys for all known hosts. The global file should be prepared by + the administrator (optional), and the per-user file is maintained + automatically: whenever the user connects to an unknown host, its key is +@@ -502,7 +502,7 @@ SSH_KNOWN_HOSTS FILE FORMAT + Rather, generate them by a script, ssh-keyscan(1) or by taking, for + example, /etc/ssh/ssh_host_rsa_key.pub and adding the host names at the + front. ssh-keygen(1) also offers some basic automated editing for +- ~/.ssh/known_hosts including removing hosts matching a host name and ++ ~/config/settings/settings/ssh/known_hosts including removing hosts matching a host name and + converting all host names to their hashed representations. + + An example ssh_known_hosts file: +@@ -540,27 +540,27 @@ FILES + host-based authentication without permitting login with + rlogin/rsh. + +- ~/.ssh/ ++ ~/config/settings/settings/ssh/ + This directory is the default location for all user-specific + configuration and authentication information. There is no + general requirement to keep the entire contents of this directory + secret, but the recommended permissions are read/write/execute + for the user, and not accessible by others. + +- ~/.ssh/authorized_keys ++ ~/config/settings/settings/ssh/authorized_keys + Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used + for logging in as this user. The format of this file is + described above. The content of the file is not highly + sensitive, but the recommended permissions are read/write for the + user, and not accessible by others. 
+
+- If this file, the ~/.ssh directory, or the user's home directory
++ If this file, the ~/config/settings/settings/ssh directory, or the user's home directory
+ are writable by other users, then the file could be modified or
+ replaced by unauthorized users. In this case, sshd will not
+ allow it to be used unless the StrictModes option has been set to
+ M-bM-^@M-^\noM-bM-^@M-^].
+
+- ~/.ssh/environment
++ ~/config/settings/settings/ssh/environment
+ This file is read into the environment at login (if it exists).
+ It can only contain empty lines, comment lines (that start with
+ M-bM-^@M-^X#M-bM-^@M-^Y), and assignment lines of the form name=value. The file
+@@ -568,14 +568,14 @@ FILES
+ anyone else. Environment processing is disabled by default and
+ is controlled via the PermitUserEnvironment option.
+
+- ~/.ssh/known_hosts
++ ~/config/settings/settings/ssh/known_hosts
+ Contains a list of host keys for all hosts the user has logged
+ into that are not already in the systemwide list of known host
+ keys. The format of this file is described above. This file
+ should be writable only by root/the owner and can, but need not
+ be, world-readable.
+
+- ~/.ssh/rc
++ ~/config/settings/settings/ssh/rc
+ Contains initialization routines to be run before the user's home
+ directory becomes accessible. This file should be writable only
+ by the user, and need not be readable by anyone else.
+@@ -634,7 +634,7 @@ FILES
+ configuration options are described in sshd_config(5).
+
+ /etc/ssh/sshrc
+- Similar to ~/.ssh/rc, it can be used to specify machine-specific
++ Similar to ~/config/settings/settings/ssh/rc, it can be used to specify machine-specific
+ login-time initializations globally. This file should be
+ writable only by root, and should be world-readable.
+
+diff --git a/sshd.8 b/sshd.8
+index c5f8987..720e302 100644
+--- a/sshd.8
++++ b/sshd.8
+@@ -338,7 +338,7 @@ Changes to run with normal user privileges.
+ Sets up basic environment.
+ .It
+ Reads the file
+-.Pa ~/.ssh/environment ,
++.Pa ~/config/settings/settings/ssh/environment ,
+ if it exists, and users are allowed to change their environment.
+ See the
+ .Cm PermitUserEnvironment
+@@ -348,7 +348,7 @@ option in
+ Changes to user's home directory.
+ .It
+ If
+-.Pa ~/.ssh/rc
++.Pa ~/config/settings/settings/ssh/rc
+ exists and the
+ .Xr sshd_config 5
+ .Cm PermitUserRC
+@@ -370,7 +370,7 @@ system password database.
+ .El
+ .Sh SSHRC
+ If the file
+-.Pa ~/.ssh/rc
++.Pa ~/config/settings/settings/ssh/rc
+ exists,
+ .Xr sh 1
+ runs it after reading the
+@@ -415,9 +415,9 @@ does not exist either, xauth is used to add the cookie.
+ specifies the files containing public keys for
+ public key authentication;
+ if this option is not specified, the default is
+-.Pa ~/.ssh/authorized_keys
++.Pa ~/config/settings/settings/ssh/authorized_keys
+ and
+-.Pa ~/.ssh/authorized_keys2 .
++.Pa ~/config/settings/settings/ssh/authorized_keys2 .
+ Each line of the file contains one
+ key (empty lines and lines starting with a
+ .Ql #
+@@ -561,7 +561,7 @@ option.
+ Prevents tty allocation (a request to allocate a pty will fail).
+ .It Cm no-user-rc
+ Disables execution of
+-.Pa ~/.ssh/rc .
++.Pa ~/config/settings/settings/ssh/rc .
+ .It Cm no-X11-forwarding
+ Forbids X11 forwarding when this key is used for authentication.
+ Any X11 forward requests by the client will return an error.
+@@ -635,7 +635,7 @@ and
+ Enable all restrictions, i.e. disable port, agent and X11 forwarding,
+ as well as disabling PTY allocation
+ and execution of
+-.Pa ~/.ssh/rc .
++.Pa ~/config/settings/settings/ssh/rc .
+ If any future restriction capabilities are added to authorized_keys files
+ they will be included in this set.
+ .It Cm tunnel="n"
+@@ -646,7 +646,7 @@ Without this option, the next available device will be used if
+ the client requests a tunnel.
+ .It Cm user-rc
+ Enables execution of
+-.Pa ~/.ssh/rc
++.Pa ~/config/settings/settings/ssh/rc
+ previously disabled by the
+ .Cm restrict
+ option.
+@@ -681,7 +681,7 @@ user@example.net
+ The
+ .Pa /etc/ssh/ssh_known_hosts
+ and
+-.Pa ~/.ssh/known_hosts
++.Pa ~/config/settings/settings/ssh/known_hosts
+ files contain host public keys for all known hosts.
+ The global file should
+ be prepared by the administrator (optional), and the per-user file is
+@@ -790,7 +790,7 @@ or by taking, for example,
+ and adding the host names at the front.
+ .Xr ssh-keygen 1
+ also offers some basic automated editing for
+-.Pa ~/.ssh/known_hosts
++.Pa ~/config/settings/settings/ssh/known_hosts
+ including removing hosts matching a host name and converting all host
+ names to their hashed representations.
+ .Pp
+@@ -842,14 +842,14 @@ This file is used in exactly the same way as
+ but allows host-based authentication without permitting login with
+ rlogin/rsh.
+ .Pp
+-.It Pa ~/.ssh/
++.It Pa ~/config/settings/settings/ssh/
+ This directory is the default location for all user-specific configuration
+ and authentication information.
+ There is no general requirement to keep the entire contents of this directory
+ secret, but the recommended permissions are read/write/execute for the user,
+ and not accessible by others.
+ .Pp
+-.It Pa ~/.ssh/authorized_keys
++.It Pa ~/config/settings/settings/ssh/authorized_keys
+ Lists the public keys (DSA, ECDSA, Ed25519, RSA)
+ that can be used for logging in as this user.
+ The format of this file is described above.
+@@ -857,7 +857,7 @@ The content of the file is not highly sensitive, but the recommended
+ permissions are read/write for the user, and not accessible by others.
+ .Pp
+ If this file, the
+-.Pa ~/.ssh
++.Pa ~/config/settings/settings/ssh
+ directory, or the user's home directory are writable
+ by other users, then the file could be modified or replaced by unauthorized
+ users.
+@@ -868,7 +868,7 @@ will not allow it to be used unless the
+ option has been set to
+ .Dq no .
+ .Pp
+-.It Pa ~/.ssh/environment
++.It Pa ~/config/settings/settings/ssh/environment
+ This file is read into the environment at login (if it exists).
+ It can only contain empty lines, comment lines (that start with
+ .Ql # ) ,
+@@ -880,14 +880,14 @@ controlled via the
+ .Cm PermitUserEnvironment
+ option.
+ .Pp
+-.It Pa ~/.ssh/known_hosts
++.It Pa ~/config/settings/settings/ssh/known_hosts
+ Contains a list of host keys for all hosts the user has logged into
+ that are not already in the systemwide list of known host keys.
+ The format of this file is described above.
+ This file should be writable only by root/the owner and
+ can, but need not be, world-readable.
+ .Pp
+-.It Pa ~/.ssh/rc
++.It Pa ~/config/settings/settings/ssh/rc
+ Contains initialization routines to be run before
+ the user's home directory becomes accessible.
+ This file should be writable only by the user, and need not be
+@@ -965,7 +965,7 @@ The file format and configuration options are described in
+ .Pp
+ .It Pa /etc/ssh/sshrc
+ Similar to
+-.Pa ~/.ssh/rc ,
++.Pa ~/config/settings/settings/ssh/rc ,
+ it can be used to specify
+ machine-specific login-time initializations globally.
+ This file should be writable only by root, and should be world-readable.
+diff --git a/sshd_config.5 b/sshd_config.5
+index b294efc..10f843b 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -359,7 +359,7 @@ Note that
+ is only used when authentication proceeds using a CA listed in
+ .Cm TrustedUserCAKeys
+ and is not consulted for certification authorities trusted via
+-.Pa ~/.ssh/authorized_keys ,
++.Pa ~/config/settings/settings/ssh/authorized_keys ,
+ though the
+ .Cm principals=
+ key option offers a similar facility (see
+@@ -598,7 +598,7 @@ The default is
+ Forces the execution of the command specified by
+ .Cm ForceCommand ,
+ ignoring any command supplied by the client and
+-.Pa ~/.ssh/rc
++.Pa ~/config/settings/settings/ssh/rc
+ if present.
+ The command is invoked by using the user's login shell with the -c option.
+ This applies to shell, command, or subsystem execution.
+@@ -806,7 +806,7 @@ and
+ Specifies whether
+ .Xr sshd 8
+ should ignore the user's
+-.Pa ~/.ssh/known_hosts
++.Pa ~/config/settings/settings/ssh/known_hosts
+ during
+ .Cm HostbasedAuthentication
+ and use only the system-wide known hosts file
+@@ -1383,11 +1383,11 @@ Independent of this setting, the permissions of the selected
+ device must allow access to the user.
+ .It Cm PermitUserEnvironment
+ Specifies whether
+-.Pa ~/.ssh/environment
++.Pa ~/config/settings/settings/ssh/environment
+ and
+ .Cm environment=
+ options in
+-.Pa ~/.ssh/authorized_keys
++.Pa ~/config/settings/settings/ssh/authorized_keys
+ are processed by
+ .Xr sshd 8 .
+ Valid options are
+@@ -1403,7 +1403,7 @@ restrictions in some configurations using mechanisms such as
+ .Ev LD_PRELOAD .
+ .It Cm PermitUserRC
+ Specifies whether any
+-.Pa ~/.ssh/rc
++.Pa ~/config/settings/settings/ssh/rc
+ file is executed.
+ The default is
+ .Cm yes .
+@@ -1676,7 +1676,7 @@ very same IP address.
+ If this option is set to
+ .Cm no
+ (the default) then only addresses and not host names may be used in
+-.Pa ~/.ssh/authorized_keys
++.Pa ~/config/settings/settings/ssh/authorized_keys
+ .Cm from
+ and
+ .Nm
+--
+2.27.0
+
diff --git a/net-misc/openssh/patches/pathnames.patch b/net-misc/openssh/patches/pathnames.patch
deleted file mode 100644
index 8c911e943..000000000
--- a/net-misc/openssh/patches/pathnames.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/pathnames.h b/pathnames.h
-index ec89fc6..6ad1b64 100644
---- a/pathnames.h
-+++ b/pathnames.h
-@@ -59,7 +59,7 @@
- * The directory in user's home directory in which the files reside. The
- * directory should be world-readable (though not all files are).
- */
--#define _PATH_SSH_USER_DIR ".ssh"
-+#define _PATH_SSH_USER_DIR "config/settings/ssh"
-
- /*
- * Per-user file containing host keys of known hosts. This file need not be
diff --git a/net-misc/openssh/patches/pkcs11-gcc2-build-fix.patch b/net-misc/openssh/patches/pkcs11-gcc2-build-fix.patch
deleted file mode 100644
index 90e68f358..000000000
--- a/net-misc/openssh/patches/pkcs11-gcc2-build-fix.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From f41470d95341ab803010de2687fe5aa166378f41 Mon Sep 17 00:00:00 2001
-From: Augustin Cavalier
-Date: Sat, 11 Apr 2020 13:58:14 -0400
-Subject: [PATCH] GCC2 build fix.
-
----
- ssh-pkcs11-client.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
-index 8a0ffef..cd75bf2 100644
---- a/ssh-pkcs11-client.c
-+++ b/ssh-pkcs11-client.c
-@@ -248,6 +248,7 @@ pkcs11_start_helper_methods(void)
- return (0);
-
- #ifdef HAVE_EC_KEY_METHOD_NEW
-+ {
- int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
- unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
- if (helper_ecdsa != NULL)
-@@ -257,6 +258,7 @@ pkcs11_start_helper_methods(void)
- return (-1);
- EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
- EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
-+ }
- #endif /* HAVE_EC_KEY_METHOD_NEW */
-
- if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
---
-2.24.1
-
diff --git a/net-misc/openssh/patches/sha2-gcc2-build-fix.patch b/net-misc/openssh/patches/sha2-gcc2-build-fix.patch
deleted file mode 100644
index c268ac157..000000000
--- a/net-misc/openssh/patches/sha2-gcc2-build-fix.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 92ed1dcaa05f0f425b809a7e1972cad5689c6634 Mon Sep 17 00:00:00 2001
-From: Jerome Duval
-Date: Sat, 15 Feb 2020 20:53:00 +0100
-Subject: [PATCH] gcc2 build fix
-
----
- openbsd-compat/sha2.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/openbsd-compat/sha2.c b/openbsd-compat/sha2.c
-index e36cc24..235d279 100644
---- a/openbsd-compat/sha2.c
-+++ b/openbsd-compat/sha2.c
-@@ -616,11 +616,13 @@ SHA256Final(u_int8_t digest[SHA256_DIGEST_LENGTH], SHA2_CTX *context)
- SHA256Pad(context);
-
- #if BYTE_ORDER == LITTLE_ENDIAN
-+{
- int i;
-
- /* Convert TO host byte order */
- for (i = 0; i < 8; i++)
- BE_32_TO_8(digest + i * 4, context->state.st32[i]);
-+}
- #else
- memcpy(digest, context->state.st32, SHA256_DIGEST_LENGTH);
- #endif
-@@ -897,11 +899,13 @@ SHA512Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA2_CTX *context)
- SHA512Pad(context);
-
- #if BYTE_ORDER == LITTLE_ENDIAN
-+{
- int i;
-
- /* Convert TO host byte order */
- for (i = 0; i < 8; i++)
- BE_64_TO_8(digest + i * 8, context->state.st64[i]);
-+}
- #else
- memcpy(digest, context->state.st64, SHA512_DIGEST_LENGTH);
- #endif
-@@ -954,11 +958,13 @@ SHA384Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA2_CTX *context)
- SHA384Pad(context);
-
- #if BYTE_ORDER == LITTLE_ENDIAN
-+{
- int i;
-
- /* Convert TO host byte order */
- for (i = 0; i < 6; i++)
- BE_64_TO_8(digest + i * 8, context->state.st64[i]);
-+}
- #else
- memcpy(digest, context->state.st64, SHA384_DIGEST_LENGTH);
- #endif
---
-2.24.0
-
diff --git a/net-misc/openssh/patches/ssh-copy-id.patch b/net-misc/openssh/patches/ssh-copy-id.patch
deleted file mode 100644
index 9d6834351..000000000
--- a/net-misc/openssh/patches/ssh-copy-id.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
-old mode 100644
-new mode 100755
-index b83b836..f468018
---- a/contrib/ssh-copy-id
-+++ b/contrib/ssh-copy-id
-@@ -56,8 +56,8 @@ then
- fi
- fi
-
--most_recent_id="$(cd "$HOME" ; ls -t .ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)"
--DEFAULT_PUB_ID_FILE="${most_recent_id:+$HOME/}$most_recent_id"
-+most_recent_id="$(cd `finddir B_USER_SETTINGS_DIRECTORY`/ ; ls -t ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)"
-+DEFAULT_PUB_ID_FILE="${most_recent_id:+`finddir B_USER_SETTINGS_DIRECTORY`/}$most_recent_id"
-
- usage () {
- printf 'Usage: %s [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o ] ...] [user@]hostname\n' "$0" >&2
-@@ -218,7 +218,7 @@ populate_new_ids() {
- eval set -- "$SSH_OPTS"
-
- umask 0177
-- local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
-+ local L_TMP_ID_FILE=$(mktemp `finddir B_USER_SETTINGS_DIRECTORY`/ssh/ssh-copy-id_id.XXXXXXXXXX)
- if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
- printf '%s: ERROR: mktemp failed\n' "$0" >&2
- exit 1
diff --git a/net-misc/openssh/patches/sshd_config.patch b/net-misc/openssh/patches/sshd_config.patch
deleted file mode 100644
index a00bb2e0c..000000000
--- a/net-misc/openssh/patches/sshd_config.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/sshd_config b/sshd_config
-index e9045bc..0835873 100644
---- a/sshd_config
-+++ b/sshd_config
-@@ -51,7 +51,7 @@
-
- # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
- # but this is overridden so installations will only check .ssh/authorized_keys
--AuthorizedKeysFile .ssh/authorized_keys
-+AuthorizedKeysFile config/settings/ssh/authorized_keys
-
- #AuthorizedPrincipalsFile none
-