net-misc/openssh: update openssh to 8.1

To address the security issue
[CVE-2019-16905](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16905),
update openssh from 7.9 to 8.1.

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest

@@ -1,6 +1,7 @@
-DIST openssh-7.9p1+x509-11.6.diff.gz 655819 BLAKE2B f442bb993f89782b74b0cd28906c91edfcf5b1d42a4c8135a5ccf5045e7eb000eb7aa301685b748f707506ba20e3b842d684db436872ed82b6d9b9c086879515 SHA512 0ff6ed2822aaa43cf352134b90975fb663662c5ea3d73b690601f24342ea207aecda8cdb9c1bdc3e3656fb059d842dfb3bf22646b626c303240808286103d8bc
+DIST openssh-8.1_p1-glibc-2.31-patches.tar.xz 1752 BLAKE2B ccab53069c0058be7ba787281f5a1775d169a9dcda6f78742eb8cb3cce4ebe3a4c506c75a8ac142700669cf04b7475e35f6a06a4499d3d076e4e88e4fc59f3e6 SHA512 270d532fc7f4ec10c5ee56677f8280dec47a96e73f8032713b212cfad64a58ef142a7f49b7981dca80cbf0dd99753ef7a93b6af164cad9492fa224d546c27f14
-DIST openssh-7.9p1-patches-1.0.tar.xz 9080 BLAKE2B c14106a875b6ea0672a03f6cb292386daba96da23fed4ebd04a75f712e252bc88a25116b0b3b27446421aadf112451cb3b8a96d2f7d437e6728fe782190bc69e SHA512 7903cdb4ce5be0f1b1b741788fb372e68b0c9c1d6da0d854d8bc62e4743ad7cd13101b867b541828d3786b0857783377457e5e87ba9b63bfd9afcdbfd93ac103
+DIST openssh-8.1p1+x509-12.3.diff.gz 689934 BLAKE2B 57a302a25bec1d630b9c36f74ab490e11c97f9bcbaf8f527e46ae7fd5bade19feb3d8853079870b5c08b70a55e289cf4bf7981c11983973fa588841aeb21e650 SHA512 8d7c321423940f5a78a51a25ad5373f5db17a4a8ca7e85041e503998e0823ad22068bc652e907e9f5787858d45ce438a4bba18240fa72e088eb10b903e96b192
-DIST openssh-7.9p1-sctp-1.2.patch.xz 7360 BLAKE2B 60e209371ecac24d0b60e48459d4d4044c0f364a2eea748cc4edd1501faec69a3c5b9e0b7db336968399ec684b6c8aceeac9196ba1ecf563ae3d660682cbc9a0 SHA512 d4d37a49cd43a3b9b7b173b0935267b84133b9b0954b7f71714ba781a6129c6d424f8b7a528dd7d4f287784c5517d57b1d6d7c6df8b5d738e34eb6dc7eae7191
+DIST openssh-8.1p1-sctp-1.2.patch.xz 7672 BLAKE2B f1aa0713fcb114d8774bd8d524d106401a9d7c2c73a05fbde200ccbdd2562b3636ddd2d0bc3eae9f04b4d7c729c3dafd814ae8c530a76c4a0190fae71d1edcd2 SHA512 2bffab0bbae5a4c1875e0cc229bfd83d8565bd831309158cd489d8b877556c69b936243888a181bd9ff302e19f2c174156781574294d260b6384c464d003d566
-DIST openssh-7.9p1.tar.gz 1565384 BLAKE2B de15795e03d33d4f9fe4792f6b14500123230b6c00c1e5bd7207bb6d6bf6df0b2e057c1b1de0fee709f58dd159203fdd69fe1473118a6baedebaa0c1c4c55b59 SHA512 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e
+DIST openssh-8.1p1.tar.gz 1625894 BLAKE2B d525be921a6f49420a58df5ac434d43a0c85e0f6bf8428ecebf04117c50f473185933e6e4485e506ac614f71887a513b9962d7b47969ba785da8e3a38f767322 SHA512 b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925
-DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0bc107e5daa2509fe762fb14ce7bb2ce9a115e8177a93340c1d19247b6c2c854b7e1f9ae9af9fd932e5fa9c0a6b2ba438cd11a42991 SHA512 1867fb94c29a51294a71a3ec6a299757565a7cda5696118b0b346ed9c78f2c81bb1b888cff5e3418776b2fa277a8f070c5eb9327bb005453e2ffd72d35cdafa7
+DIST openssh-8_1_P1-hpn-AES-CTR-14.20.diff 29935 BLAKE2B 79101c43601e41306c957481c0680a63357d93bededdf12a32229d50acd9c1f46a386cbb91282e9e7d7bb26a9f276f5a675fd2de7662b7cbd073322b172d3bca SHA512 94f011b7e654630e968a378375aa54fa1fde087b4426d0f2225813262e6667a1073814d6a83e9005f97b371c536e462e614bfe726b092ffed8229791592ca221
-DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16c339b46a7c773258d2f4fe44e48b16abccad1a8757a51cb6362722fc5f42c39159af12849f5c88cf574de64815085c97157e16653f18d4909b SHA512 53f2752b7aa02719c8dfe0fe0ef16e874101ba2ba87924aa1122cd445ece218ca09c22abaa3377307f25d459579bc28d3854e2402c71b794db65d58cdd1ebc08
+DIST openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 42696 BLAKE2B d8ac7fa1a4e4d1877acdedeaee80172da469b5a62d0aaa43d6ed46c578e7893577b9d563835d89ca2044867fc561ad3f562bf504c025cf4c78421cf3d24397e9 SHA512 768db7cca8839df4441afcb08457d13d32625b31859da527c3d7f1a92d17a4ec81d6987db00879c394bbe59589e57b10bfd98899a167ffed65ab367b1fd08739
+DIST openssh-8_1_P1-hpn-PeakTput-14.20.diff 2012 BLAKE2B e42c43128f1d82b4de1517e6a9219947da03cecb607f1bc45f0728547f17601a6ce2ec819b6434890efd19ceaf4d20cb98183596ab5ee79e104a52cda7db9cdc SHA512 238f9419efd3be80bd700f6ae7e210e522d747c363c4e670364f5191f144ae3aa8d1b1539c0bf87b3de36743aa73e8101c53c0ef1c6472d209569be389e7814d

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/README

@@ -1,2 +0,0 @@
-If sshd.pam_include.2 changes make sure to apply the change to sys-auth/google-oslogin
-Those files must be kept in sync.

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-CVE-2018-20685.patch

@@ -1,16 +0,0 @@
-CVE-2018-20685
-
-https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2
-
---- a/scp.c
-+++ b/scp.c
-@@ -1106,7 +1106,8 @@ sink(int argc, char **argv)
- 			SCREWUP("size out of range");
- 		size = (off_t)ull;
- 
--		if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
-+		if (*cp == '\0' || strchr(cp, '/') != NULL ||
-+		    strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
- 			run_err("error: unexpected filename: %s", cp);
- 			exit(1);
- 		}

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-X509-11.6-tests.patch

@@ -1,12 +0,0 @@
-diff -ur openssh-7.9p1.orig/openbsd-compat/regress/Makefile.in openssh-7.9p1/openbsd-compat/regress/Makefile.in
---- openssh-7.9p1.orig/openbsd-compat/regress/Makefile.in	2018-10-16 17:01:20.000000000 -0700
-+++ openssh-7.9p1/openbsd-compat/regress/Makefile.in	2018-12-19 11:03:14.421028691 -0800
-@@ -7,7 +7,7 @@
- CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
--CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
-+CPPFLAGS=-I. -I.. -I$(srcdir) -I../.. @CPPFLAGS@ @DEFS@
- EXEEXT=@EXEEXT@
- LIBCOMPAT=../libopenbsd-compat.a
- LIBS=@LIBS@

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-X509-dont-make-piddir-11.6.patch

@@ -1,16 +0,0 @@
---- a/openssh-7.9p1+x509-11.6.diff	2018-12-07 17:24:03.211328918 -0800
-+++ b/openssh-7.9p1+x509-11.6.diff	2018-12-07 17:24:13.399262277 -0800
-@@ -40681,12 +40681,11 @@
-
-  install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
-  install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
--@@ -333,6 +351,8 @@
-+@@ -333,6 +351,7 @@
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
-  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
-  	$(MKDIR_P) $(DESTDIR)$(libexecdir)
- +	$(MKDIR_P) $(DESTDIR)$(sshcadir)
--+	$(MKDIR_P) $(DESTDIR)$(piddir)
-  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-X509-glue-11.6.patch

@@ -1,28 +0,0 @@
---- a/openssh-7.9p1+x509-11.6.diff	2018-12-19 10:42:01.241775036 -0800
-+++ b/openssh-7.9p1+x509-11.6.diff	2018-12-19 10:43:33.383140818 -0800
-@@ -45862,7 +45862,7 @@
-  	ENGINE_register_all_complete();
- +#endif
-  
---#if OPENSSL_VERSION_NUMBER < 0x10001000L
-+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- +	/* OPENSSL_config will load buildin engines and engines
- +	 * specified in configuration file, i.e. method call
- +	 * ENGINE_load_builtin_engines. Latter is only for
-@@ -81123,16 +81123,6 @@
-  		    setlocale(LC_CTYPE, "POSIX.UTF-8") != NULL))
-  			return;
-  		setlocale(LC_CTYPE, "C");
--diff -ruN openssh-7.9p1/version.h openssh-7.9p1+x509-11.6/version.h
----- openssh-7.9p1/version.h	2018-10-17 03:01:20.000000000 +0300
--+++ openssh-7.9p1+x509-11.6/version.h	2018-12-18 20:07:00.000000000 +0200
--@@ -2,5 +2,4 @@
-- 
-- #define SSH_VERSION	"OpenSSH_7.9"
-- 
---#define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-7.9p1/version.m4 openssh-7.9p1+x509-11.6/version.m4
- --- openssh-7.9p1/version.m4	1970-01-01 02:00:00.000000000 +0200
- +++ openssh-7.9p1+x509-11.6/version.m4	2018-12-18 20:07:00.000000000 +0200

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-X509-glue.patch

@@ -1,79 +0,0 @@
---- temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff.orig	2018-09-12 15:58:57.377986085 -0700
-+++ temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff	2018-09-12 16:07:15.376711327 -0700
-@@ -4,8 +4,8 @@
- +++ b/Makefile.in
- @@ -42,7 +42,7 @@ CC=@CC@
-  LD=@LD@
-- CFLAGS=@CFLAGS@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
-  K5LIBS=@K5LIBS@
-@@ -788,8 +788,8 @@
-  ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
-  {
-  	struct session_state *state;
---	const struct sshcipher *none = cipher_by_name("none");
--+	struct sshcipher *none = cipher_by_name("none");
-+-	const struct sshcipher *none = cipher_none();
-++	struct sshcipher *none = cipher_none();
-  	int r;
-
-  	if (none == NULL) {
-@@ -933,9 +933,9 @@
-  	/* Portable-specific options */
-  	sUsePAM,
- +	sDisableMTAES,
-- 	/* Standard Options */
-- 	sPort, sHostKeyFile, sLoginGraceTime,
-- 	sPermitRootLogin, sLogFacility, sLogLevel,
-+ 	/* X.509 Standard Options */
-+ 	sHostbasedAlgorithms,
-+ 	sPubkeyAlgorithms,
- @@ -626,6 +630,7 @@ static struct {
-  	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
-  	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
---- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig	2018-09-12 16:38:16.947447218 -0700
-+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2018-09-12 16:32:35.479700864 -0700
-@@ -382,7 +382,7 @@
- @@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh)
-  	int nenc, nmac, ncomp;
-  	u_int mode, ctos, need, dh_need, authlen;
-- 	int r, first_kex_follows;
-+ 	int r, first_kex_follows = 0;
- +	int auth_flag;
- +
- +	auth_flag = packet_authentication_state(ssh);
-@@ -1125,15 +1125,6 @@
- index a738c3a..b32dbe0 100644
- --- a/sshd.c
- +++ b/sshd.c
--@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
-- 	char remote_version[256];	/* Must be at least as big as buf. */
-- 
-- 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
---	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
--+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
-- 	    *options.version_addendum == '\0' ? "" : " ",
-- 	    options.version_addendum);
-- 
- @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la)
-  	int ret, listen_sock;
-  	struct addrinfo *ai;
-@@ -1213,14 +1204,3 @@
-  # Example of overriding settings on a per-user basis
-  #Match User anoncvs
-  #	X11Forwarding no
--diff --git a/version.h b/version.h
--index f1bbf00..21a70c2 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION	"OpenSSH_7.8"
-- 
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
--+ 

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-openssl-1.1.patch

@@ -1,91 +0,0 @@
---- openssh-7.9p1.orig/cipher-ctr-mt.c	2018-10-24 20:48:00.909255466 -0000
-+++ openssh-7.9p1/cipher-ctr-mt.c	2018-10-24 20:48:17.378155144 -0000
-@@ -46,7 +46,7 @@
-
- /*-------------------- TUNABLES --------------------*/
- /* maximum number of threads and queues */
--#define MAX_THREADS      32
-+#define MAX_THREADS      32
- #define MAX_NUMKQ        (MAX_THREADS * 2)
-
- /* Number of pregen threads to use */
-@@ -435,7 +435,7 @@
- 		destp.u += AES_BLOCK_SIZE;
- 		srcp.u += AES_BLOCK_SIZE;
- 		len -= AES_BLOCK_SIZE;
--		ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
-+		ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
-
- 		/* Increment read index, switch queues on rollover */
- 		if ((ridx = (ridx + 1) % KQLEN) == 0) {
-@@ -481,8 +481,6 @@
- 	/* get the number of cores in the system */
- 	/* if it's not linux it currently defaults to 2 */
- 	/* divide by 2 to get threads for each direction (MODE_IN||MODE_OUT) */
--	/* NB: assigning a float to an int discards the remainder which is */
--	/* acceptable (and wanted) in this case */
- #ifdef __linux__
- 	cipher_threads = sysconf(_SC_NPROCESSORS_ONLN) / 2;
- #endif /*__linux__*/
-@@ -551,16 +550,16 @@
- 	}
-
- 	if (iv != NULL) {
--		memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
-+		memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
- 		c->state |= HAVE_IV;
- 	}
-
- 	if (c->state == (HAVE_KEY | HAVE_IV)) {
- 		/* Clear queues */
--		memcpy(c->q[0].ctr, ctx->iv, AES_BLOCK_SIZE);
-+		memcpy(c->q[0].ctr, c->aes_counter, AES_BLOCK_SIZE);
- 		c->q[0].qstate = KQINIT;
- 		for (i = 1; i < numkq; i++) {
--			memcpy(c->q[i].ctr, ctx->iv, AES_BLOCK_SIZE);
-+			memcpy(c->q[i].ctr, c->aes_counter, AES_BLOCK_SIZE);
- 			ssh_ctr_add(c->q[i].ctr, i * KQLEN, AES_BLOCK_SIZE);
- 			c->q[i].qstate = KQEMPTY;
- 		}
-@@ -644,8 +643,22 @@
- const EVP_CIPHER *
- evp_aes_ctr_mt(void)
- {
-+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL && !defined(LIBRESSL_VERSION_NUMBER)
-+	static EVP_CIPHER *aes_ctr;
-+	aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/);
-+	EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE);
-+	EVP_CIPHER_meth_set_init(aes_ctr, ssh_aes_ctr_init);
-+	EVP_CIPHER_meth_set_cleanup(aes_ctr, ssh_aes_ctr_cleanup);
-+	EVP_CIPHER_meth_set_do_cipher(aes_ctr, ssh_aes_ctr);
-+#  ifndef SSH_OLD_EVP
-+	EVP_CIPHER_meth_set_flags(aes_ctr, EVP_CIPH_CBC_MODE
-+				      | EVP_CIPH_VARIABLE_LENGTH
-+				      | EVP_CIPH_ALWAYS_CALL_INIT
-+				      | EVP_CIPH_CUSTOM_IV);
-+#  endif /*SSH_OLD_EVP*/
-+	return (aes_ctr);
-+# else /*earlier version of openssl*/
- 	static EVP_CIPHER aes_ctr;
--
- 	memset(&aes_ctr, 0, sizeof(EVP_CIPHER));
- 	aes_ctr.nid = NID_undef;
- 	aes_ctr.block_size = AES_BLOCK_SIZE;
-@@ -654,11 +667,12 @@
- 	aes_ctr.init = ssh_aes_ctr_init;
- 	aes_ctr.cleanup = ssh_aes_ctr_cleanup;
- 	aes_ctr.do_cipher = ssh_aes_ctr;
--#ifndef SSH_OLD_EVP
--	aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
--	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
--#endif
--	return &aes_ctr;
-+#  ifndef SSH_OLD_EVP
-+        aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
-+		EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
-+#  endif /*SSH_OLD_EVP*/
-+        return &aes_ctr;
-+# endif /*OPENSSH_VERSION_NUMBER*/
- }
-
- #endif /* defined(WITH_OPENSSL) */

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-sctp-glue.patch

@@ -1,17 +0,0 @@
---- dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig	2018-09-12 18:18:51.851536374 -0700
-+++ dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2018-09-12 18:19:01.116475099 -0700
-@@ -1190,14 +1190,3 @@
-  # Example of overriding settings on a per-user basis
-  #Match User anoncvs
-  #	X11Forwarding no
--diff --git a/version.h b/version.h
--index f1bbf00..21a70c2 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION	"OpenSSH_7.8"
-- 
-- #define SSH_PORTABLE	"p1"
---#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
--+ 

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch

@@ -1,13 +0,0 @@
-diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
-index 8b4a3627..590b66d1 100644
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
- 	ENGINE_load_builtin_engines();
- 	ENGINE_register_all_complete();
-
--#if OPENSSL_VERSION_NUMBER < 0x10001000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- 	OPENSSL_config(NULL);
- #else
- 	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch

@@ -0,0 +1,31 @@
+From 3ef92a657444f172b61f92d5da66d94fa8265602 Mon Sep 17 00:00:00 2001
+From: Lonnie Abelbeck <lonnie@abelbeck.com>
+Date: Tue, 1 Oct 2019 09:05:09 -0500
+Subject: [PATCH] Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
+
+New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
+in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
+---
+ sandbox-seccomp-filter.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 840c5232b..39dc289e3 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -168,6 +168,15 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_stat64
+ 	SC_DENY(__NR_stat64, EACCES),
+ #endif
++#ifdef __NR_shmget
++	SC_DENY(__NR_shmget, EACCES),
++#endif
++#ifdef __NR_shmat
++	SC_DENY(__NR_shmat, EACCES),
++#endif
++#ifdef __NR_shmdt
++	SC_DENY(__NR_shmdt, EACCES),
++#endif
+ 
+ 	/* Syscalls to permit */
+ #ifdef __NR_brk

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch

@@ -0,0 +1,57 @@
+Make sure that host keys are already accepted before
+running tests.
+
+https://bugs.gentoo.org/493866
+
+--- a/regress/putty-ciphers.sh
++++ b/regress/putty-ciphers.sh
+@@ -10,11 +10,17 @@ fi
+ 
+ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
+ 	verbose "$tid: cipher $c"
++	rm -f ${COPY}
+ 	cp ${OBJ}/.putty/sessions/localhost_proxy \
+ 	    ${OBJ}/.putty/sessions/cipher_$c
+ 	echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
+ 
+-	rm -f ${COPY}
++	env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \
++	    -i ${OBJ}/putty.rsa2 "exit"
++	if [ $? -ne 0 ]; then
++		fail "failed to pre-cache host key"
++	fi
++
+ 	env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
+ 	    cat ${DATA} > ${COPY}
+ 	if [ $? -ne 0 ]; then
+--- a/regress/putty-kex.sh
++++ b/regress/putty-kex.sh
+@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
+ 	    ${OBJ}/.putty/sessions/kex_$k
+ 	echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
+ 
++	env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \
++	    -i ${OBJ}/putty.rsa2 "exit"
++	if [ $? -ne 0 ]; then
++		fail "failed to pre-cache host key"
++	fi
++
+ 	env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
+ 	if [ $? -ne 0 ]; then
+ 		fail "KEX $k failed"
+--- a/regress/putty-transfer.sh
++++ b/regress/putty-transfer.sh
+@@ -14,6 +14,13 @@ for c in 0 1 ; do
+ 	cp ${OBJ}/.putty/sessions/localhost_proxy \
+ 	    ${OBJ}/.putty/sessions/compression_$c
+ 	echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
++
++	env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \
++	    -i ${OBJ}/putty.rsa2 "exit"
++	if [ $? -ne 0 ]; then
++		fail "failed to pre-cache host key"
++	fi
++
+ 	env HOME=$PWD ${PLINK} -load compression_$c -batch \
+ 	    -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
+ 	if [ $? -ne 0 ]; then

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-hpn-X509-glue.patch

@@ -0,0 +1,114 @@
+--- a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2019-04-18 17:07:59.413376785 -0700
++++ b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2019-04-18 20:05:12.622588051 -0700
+@@ -382,7 +382,7 @@
+ @@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh)
+  	int nenc, nmac, ncomp;
+  	u_int mode, ctos, need, dh_need, authlen;
+- 	int r, first_kex_follows;
++ 	int r, first_kex_follows = 0;
+ +	int auth_flag;
+ +
+ +	auth_flag = packet_authentication_state(ssh);
+@@ -441,6 +441,39 @@
+  int	 ssh_packet_get_state(struct ssh *, struct sshbuf *);
+  int	 ssh_packet_set_state(struct ssh *, struct sshbuf *);
+  
++diff --git a/packet.c b/packet.c
++index dcf35e6..9433f08 100644
++--- a/packet.c
+++++ b/packet.c
++@@ -920,6 +920,14 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++ 	return 0;
++ }
++ 
+++/* this supports the forced rekeying required for the NONE cipher */
+++int rekey_requested = 0;
+++void
+++packet_request_rekeying(void)
+++{
+++        rekey_requested = 1;
+++}
+++
++ #define MAX_PACKETS	(1U<<31)
++ static int
++ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
++@@ -946,6 +954,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
++ 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
++ 		return 0;
++ 
+++        /* used to force rekeying when called for by the none
+++         * cipher switch and aes-mt-ctr methods -cjr */
+++        if (rekey_requested == 1) {
+++                rekey_requested = 0;
+++                return 1;
+++        }
+++	
++ 	/* Time-based rekeying */
++ 	if (state->rekey_interval != 0 &&
++ 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ diff --git a/readconf.c b/readconf.c
+ index db5f2d5..33f18c9 100644
+ --- a/readconf.c
+@@ -453,10 +486,9 @@
+  
+  /* Format of the configuration file:
+  
+-@@ -166,6 +167,8 @@ typedef enum {
++@@ -166,5 +167,7 @@ typedef enum {
+  	oTunnel, oTunnelDevice,
+  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+- 	oDisableMTAES,
+ +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ +	oNoneEnabled, oNoneSwitch,
+  	oVisualHostKey,
+@@ -592,10 +624,9 @@
+  	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
+  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
+  	SyslogFacility log_facility;	/* Facility for system logging. */
+-@@ -111,7 +115,10 @@ typedef struct {
++@@ -111,6 +115,9 @@ typedef struct {
+  	int	enable_ssh_keysign;
+  	int64_t rekey_limit;
+- 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/
+ +	int     none_switch;    /* Use none cipher */
+ +	int     none_enabled;   /* Allow none to be used */
+  	int	rekey_interval;
+@@ -650,10 +681,8 @@
+  
+  	/* Portable-specific options */
+  	if (options->use_pam == -1)
+-@@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options)
++@@ -391,4 +400,41 @@ fill_default_server_options(ServerOptions *options)
+  		options->permit_tun = SSH_TUNMODE_NO;
+- 	if (options->disable_multithreaded == -1)
+- 		options->disable_multithreaded = 0;
+ +	if (options->none_enabled == -1)
+ +		options->none_enabled = 0;
+ +	if (options->hpn_disabled == -1)
+@@ -1095,9 +1124,9 @@
+ +			fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
+ +		}
+ +	}
++ 	debug("Authentication succeeded (%s).", authctxt.method->name);
++ }
+  
+- #ifdef WITH_OPENSSL
+- 	if (options.disable_multithreaded == 0) {
+ diff --git a/sshd.c b/sshd.c
+ index a738c3a..b32dbe0 100644
+ --- a/sshd.c
+@@ -1181,14 +1210,3 @@
+  # Example of overriding settings on a per-user basis
+  #Match User anoncvs
+  #	X11Forwarding no
+-diff --git a/version.h b/version.h
+-index f1bbf00..21a70c2 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION	"OpenSSH_7.8"
+- 
+- #define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
+-+ 

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch

@@ -0,0 +1,13 @@
+diff --git a/kex.c b/kex.c
+index 34808b5c..88d7ccac 100644
+--- a/kex.c
++++ b/kex.c
+@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+ 	if (version_addendum != NULL && *version_addendum == '\0')
+ 		version_addendum = NULL;
+ 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
+-	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
++	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ 	    version_addendum == NULL ? "" : " ",
+ 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
+ 		error("%s: sshbuf_putf: %s", __func__, ssh_err(r));

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch

@@ -1,8 +1,8 @@
 diff --git a/auth.c b/auth.c
-index 9a3bc96f..fc2c3620 100644
+index ca450f4e..2994a4e4 100644
 --- a/auth.c
 +++ b/auth.c
-@@ -733,120 +733,6 @@ fakepw(void)
+@@ -723,120 +723,6 @@ fakepw(void)
  	return (&fake);
  }
  
@@ -29,7 +29,7 @@ index 9a3bc96f..fc2c3620 100644
 -	fromlen = sizeof(from);
 -	memset(&from, 0, sizeof(from));
 -	if (getpeername(ssh_packet_get_connection_in(ssh),
--	    (struct sockaddr *)&from, &fromlen) < 0) {
+-	    (struct sockaddr *)&from, &fromlen) == -1) {
 -		debug("getpeername failed: %.100s", strerror(errno));
 -		return strdup(ntop);
 -	}
@@ -124,7 +124,7 @@ index 9a3bc96f..fc2c3620 100644
   * Runs command in a subprocess with a minimal environment.
   * Returns pid on success, 0 on failure.
 diff --git a/canohost.c b/canohost.c
-index f71a0856..3e162d8c 100644
+index abea9c6e..4f4524d2 100644
 --- a/canohost.c
 +++ b/canohost.c
 @@ -202,3 +202,117 @@ get_local_port(int sock)
@@ -246,10 +246,10 @@ index f71a0856..3e162d8c 100644
 +	}
 +}
 diff --git a/readconf.c b/readconf.c
-index db5f2d54..67feffa5 100644
+index f78b4d6f..747287f7 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -161,6 +161,7 @@ typedef enum {
+@@ -162,6 +162,7 @@ typedef enum {
  	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
  	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
  	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -257,7 +257,7 @@ index db5f2d54..67feffa5 100644
  	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
  	oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
  	oHashKnownHosts,
-@@ -202,9 +203,11 @@ static struct {
+@@ -203,9 +204,11 @@ static struct {
  #if defined(GSSAPI)
  	{ "gssapiauthentication", oGssAuthentication },
  	{ "gssapidelegatecredentials", oGssDelegateCreds },
@@ -268,8 +268,8 @@ index db5f2d54..67feffa5 100644
 +	{ "gssapitrustdns", oUnsupported },
  #endif
  #ifdef ENABLE_PKCS11
- 	{ "smartcarddevice", oPKCS11Provider },
+ 	{ "pkcs11provider", oPKCS11Provider },
-@@ -977,6 +980,10 @@ parse_time:
+@@ -992,6 +995,10 @@ parse_time:
  		intptr = &options->gss_deleg_creds;
  		goto parse_flag;
  
@@ -280,7 +280,7 @@ index db5f2d54..67feffa5 100644
  	case oBatchMode:
  		intptr = &options->batch_mode;
  		goto parse_flag;
-@@ -1818,6 +1825,7 @@ initialize_options(Options * options)
+@@ -1864,6 +1871,7 @@ initialize_options(Options * options)
  	options->challenge_response_authentication = -1;
  	options->gss_authentication = -1;
  	options->gss_deleg_creds = -1;
@@ -288,7 +288,7 @@ index db5f2d54..67feffa5 100644
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
  	options->kbd_interactive_devices = NULL;
-@@ -1964,6 +1972,8 @@ fill_default_options(Options * options)
+@@ -2011,6 +2019,8 @@ fill_default_options(Options * options)
  		options->gss_authentication = 0;
  	if (options->gss_deleg_creds == -1)
  		options->gss_deleg_creds = 0;
@@ -298,7 +298,7 @@ index db5f2d54..67feffa5 100644
  		options->password_authentication = 1;
  	if (options->kbd_interactive_authentication == -1)
 diff --git a/readconf.h b/readconf.h
-index c5688781..af809cc8 100644
+index 8e36bf32..c9e4718d 100644
 --- a/readconf.h
 +++ b/readconf.h
 @@ -41,6 +41,7 @@ typedef struct {
@@ -310,10 +310,10 @@ index c5688781..af809cc8 100644
  						 * authentication. */
  	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 diff --git a/ssh_config.5 b/ssh_config.5
-index f499396a..be758544 100644
+index 02a87892..95de538b 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -722,6 +722,16 @@ The default is
+@@ -762,6 +762,16 @@ The default is
  Forward (delegate) credentials to the server.
  The default is
  .Cm no .
@@ -331,29 +331,29 @@ index f499396a..be758544 100644
  Indicates that
  .Xr ssh 1
 diff --git a/sshconnect2.c b/sshconnect2.c
-index 10e4f0a0..4f7d49e3 100644
+index 87fa70a4..a6ffdc96 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -657,6 +657,13 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -697,6 +697,13 @@ userauth_gssapi(struct ssh *ssh)
- 	static u_int mech = 0;
  	OM_uint32 min;
  	int r, ok = 0;
+ 	gss_OID mech = NULL;
 +	const char *gss_host;
 +
 +	if (options.gss_trust_dns) {
 +		extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+		gss_host = auth_get_canonical_hostname(active_state, 1);
++		gss_host = auth_get_canonical_hostname(ssh, 1);
 +	} else
 +		gss_host = authctxt->host;
  
  	/* Try one GSSAPI method at a time, rather than sending them all at
  	 * once. */
-@@ -669,7 +676,7 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -711,7 +718,7 @@ userauth_gssapi(struct ssh *ssh)
+ 		    elements[authctxt->mech_tried];
  		/* My DER encoding requires length<128 */
- 		if (gss_supported->elements[mech].length < 128 &&
+ 		if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
- 		    ssh_gssapi_check_mechanism(&gssctxt,
+-		    mech, authctxt->host)) {
--		    &gss_supported->elements[mech], authctxt->host)) {
++		    mech, gss_host)) {
-+		    &gss_supported->elements[mech], gss_host)) {
  			ok = 1; /* Mechanism works */
  		} else {
- 			mech++;
+ 			authctxt->mech_tried++;

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch

@@ -1,11 +1,12 @@
---- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig	2018-09-11 17:19:19.968420409 -0700
+diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
-+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff	2018-09-11 17:39:19.977535398 -0700
+--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff	2020-02-04 14:55:30.408567718 -0800
++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff	2020-02-04 15:16:14.646567224 -0800
 @@ -409,18 +409,10 @@
- index dcf35e6..da4ced0 100644
+ index 817da43b..b2bcf78f 100644
  --- a/packet.c
  +++ b/packet.c
--@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+-@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
   	return 0;
   }
   
@@ -24,7 +25,7 @@
   #define MAX_PACKETS	(1U<<31)
   static int
   ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
 - 	if (state->p_send.packets == 0 && state->p_read.packets == 0)
 - 		return 0;
 - 
@@ -39,12 +40,12 @@
 - 	if (state->rekey_interval != 0 &&
 - 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())
  diff --git a/packet.h b/packet.h
- index 170203c..f4d9df2 100644
+ index 8ccfd2e0..1ad9bc06 100644
  --- a/packet.h
 @@ -476,9 +454,9 @@
   /* Format of the configuration file:
   
- @@ -166,6 +167,8 @@ typedef enum {
+ @@ -167,6 +168,8 @@ typedef enum {
 - 	oHashKnownHosts,
   	oTunnel, oTunnelDevice,
   	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
@@ -55,7 +56,7 @@
 @@ -615,9 +593,9 @@
   	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
   	SyslogFacility log_facility;	/* Facility for system logging. */
- @@ -111,7 +115,10 @@ typedef struct {
+ @@ -112,7 +116,10 @@ typedef struct {
 - 
   	int	enable_ssh_keysign;
   	int64_t rekey_limit;
@@ -63,50 +64,42 @@
  +	int     none_switch;    /* Use none cipher */
  +	int     none_enabled;   /* Allow none to be used */
   	int	rekey_interval;
-@@ -673,9 +651,9 @@
+@@ -700,9 +678,9 @@
-  	/* Portable-specific options */
+ +			options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
-  	if (options->use_pam == -1)
+ +	}
- @@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options)
+ +
-- 	}
-- 	if (options->permit_tun == -1)
-  		options->permit_tun = SSH_TUNMODE_NO;
 + 	if (options->disable_multithreaded == -1)
 + 		options->disable_multithreaded = 0;
- +	if (options->none_enabled == -1)
+  	if (options->ip_qos_interactive == -1)
- +		options->none_enabled = 0;
+- 		options->ip_qos_interactive = IPTOS_DSCP_AF21;
- +	if (options->hpn_disabled == -1)
+- 	if (options->ip_qos_bulk == -1)
-@@ -1092,7 +1070,7 @@
+ @@ -486,6 +532,8 @@ typedef enum {
+  	sPasswordAuthentication, sKbdInteractiveAuthentication,
+  	sListenAddress, sAddressFamily,
+@@ -1079,11 +1057,11 @@
   	xxx_host = host;
   	xxx_hostaddr = hostaddr;
   
--@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
+-@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-+@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
++@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
   
   	if (!authctxt.success)
   		fatal("Authentication failed.");
-@@ -1117,10 +1095,9 @@
+-+
- +			fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
++ 
+ +	/*
+ +	 * If the user wants to use the none cipher, do it post authentication
+ +	 * and only if the right conditions are met -- both of the NONE commands
+@@ -1105,9 +1083,9 @@
  +		}
  +	}
--+
+ +
 - 	debug("Authentication succeeded (%s).", authctxt.method->name);
 - }
-  
+- 
 + #ifdef WITH_OPENSSL
 + 	if (options.disable_multithreaded == 0) {
++ 		/* if we are using aes-ctr there can be issues in either a fork or sandbox
  diff --git a/sshd.c b/sshd.c
- index a738c3a..b32dbe0 100644
+ index 11571c01..23a06022 100644
  --- a/sshd.c
-@@ -1217,11 +1194,10 @@
- index f1bbf00..21a70c2 100644
- --- a/version.h
- +++ b/version.h
--@@ -3,4 +3,6 @@
-+@@ -3,4 +3,5 @@
-  #define SSH_VERSION	"OpenSSH_7.8"
-  
-  #define SSH_PORTABLE	"p1"
- -#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN         "-hpn14v16"
- +#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
- + 

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch

@@ -0,0 +1,19 @@
+diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
+--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff	2020-02-04 14:55:30.408567718 -0800
++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff	2020-02-04 16:36:51.394069720 -0800
+@@ -1191,15 +1191,3 @@
+  # Example of overriding settings on a per-user basis
+  #Match User anoncvs
+  #	X11Forwarding no
+-diff --git a/version.h b/version.h
+-index 6b3fadf8..ec1d2e27 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,6 @@
+- #define SSH_VERSION	"OpenSSH_8.1"
+- 
+- #define SSH_PORTABLE	"p1"
+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN         "-hpn14v20"
+-+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN
+-+ 

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch

@@ -0,0 +1,26 @@
+diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
+index 86ea6250..844adabc 100644
+--- a/regress/cert-hostkey.sh
++++ b/regress/cert-hostkey.sh
+@@ -252,7 +252,7 @@ test_one() {
+ test_one "user-certificate"	failure "-n $HOSTS"
+ test_one "empty principals"	success "-h"
+ test_one "wrong principals"	failure "-h -n foo"
+-test_one "cert not yet valid"	failure "-h -V20200101:20300101"
++test_one "cert not yet valid"	failure "-h -V20300101:20320101"
+ test_one "cert expired"		failure "-h -V19800101:19900101"
+ test_one "cert valid interval"	success "-h -V-1w:+2w"
+ test_one "cert has constraints"	failure "-h -Oforce-command=false"
+diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
+index 38c14a69..5cd02fc3 100644
+--- a/regress/cert-userkey.sh
++++ b/regress/cert-userkey.sh
+@@ -338,7 +338,7 @@ test_one() {
+ test_one "correct principal"	success "-n ${USER}"
+ test_one "host-certificate"	failure "-n ${USER} -h"
+ test_one "wrong principals"	failure "-n foo"
+-test_one "cert not yet valid"	failure "-n ${USER} -V20200101:20300101"
++test_one "cert not yet valid"	failure "-n ${USER} -V20300101:20320101"
+ test_one "cert expired"		failure "-n ${USER} -V19800101:19900101"
+ test_one "cert valid interval"	success "-n ${USER} -V-1w:+2w"
+ test_one "wrong source-address"	failure "-n ${USER} -Osource-address=10.0.0.0/8"

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.confd

@@ -0,0 +1,21 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="/var/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="/usr/sbin/sshd"

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.initd

@@ -0,0 +1,89 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
+: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
+: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
+: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
+: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
+
+command="${SSHD_BINARY}"
+pidfile="${SSHD_PIDFILE}"
+command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
+
+# Wait one second (length chosen arbitrarily) to see if sshd actually
+# creates a PID file, or if it crashes for some reason like not being
+# able to bind to the address in ListenAddress (bug 617596).
+: ${SSHD_SSD_OPTS:=--wait 1000}
+start_stop_daemon_args="${SSHD_SSD_OPTS}"
+
+depend() {
+	# Entropy can be used by ssh-keygen, among other things, but
+	# is not strictly required (bug 470020).
+	use logger dns entropy
+	if [ "${rc_need+set}" = "set" ] ; then
+		: # Do nothing, the user has explicitly set rc_need
+	else
+		local x warn_addr
+		for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
+			case "${x}" in
+				0.0.0.0|0.0.0.0:*) ;;
+				::|\[::\]*) ;;
+				*) warn_addr="${warn_addr} ${x}" ;;
+			esac
+		done
+		if [ -n "${warn_addr}" ] ; then
+			need net
+			ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
+			ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
+			ewarn "where FOO is the interface(s) providing the following address(es):"
+			ewarn "${warn_addr}"
+		fi
+	fi
+}
+
+checkconfig() {
+	checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
+
+	if [ ! -e "${SSHD_CONFIG}" ] ; then
+		eerror "You need an ${SSHD_CONFIG} file to run sshd"
+		eerror "There is a sample file in /usr/share/doc/openssh"
+		return 1
+	fi
+
+	${SSHD_KEYGEN_BINARY} -A || return 2
+
+	"${command}" -t ${command_args} || return 3
+}
+
+start_pre() {
+	# If this isn't a restart, make sure that the user's config isn't
+	# busted before we try to start the daemon (this will produce
+	# better error messages than if we just try to start it blindly).
+	#
+	# If, on the other hand, this *is* a restart, then the stop_pre
+	# action will have ensured that the config is usable and we don't
+	# need to do that again.
+	if [ "${RC_CMD}" != "restart" ] ; then
+		checkconfig || return $?
+	fi
+}
+
+stop_pre() {
+	# If this is a restart, check to make sure the user's config
+	# isn't busted before we stop the running daemon.
+	if [ "${RC_CMD}" = "restart" ] ; then
+		checkconfig || return $?
+	fi
+}
+
+reload() {
+	checkconfig || return $?
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --signal HUP --pidfile "${pidfile}"
+	eend $?
+}

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml

@@ -29,9 +29,11 @@ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and
     <flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
     <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
     <flag name="livecd">Enable root password logins for live-cd environment.</flag>
+    <flag name="security-key">Include builtin U2F/FIDO support</flag>
     <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag>
     <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
     <flag name="X509">Adds support for X.509 certificate authentication</flag>
+    <flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
   </use>
   <upstream>
     <remote-id type="cpe">cpe:/a:openssh:openssh</remote-id>

sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.1_p1-r3.ebuild

@@ -1,47 +1,52 @@
-# Copyright 1999-2019 Gentoo Authors
+# Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=6
+EAPI=7
 
-inherit user flag-o-matic multilib autotools pam systemd
+inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
 
 # Make it more portable between straight releases
 # and _p? releases.
 PARCH=${P/_}
-#HPN_PV="${PV^^}"
+HPN_PV="${PV^^}"
-HPN_PV="7.8_P1"
 
-HPN_VER="14.16"
+HPN_VER="14.20"
 HPN_PATCHES=(
 	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
 	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
+	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
 )
 
 SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="11.6" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+X509_VER="12.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
 
 PATCH_SET="openssh-7.9p1-patches-1.0"
 
 DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="https://www.openssh.com/"
 SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
-	https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
+	https://dev.gentoo.org/~chutzpah/dist/openssh/${P}-glibc-2.31-patches.tar.xz
-	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
-	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_}/%s\n" "${HPN_PATCHES[@]}") )}
+	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
 	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
-	"
+"
+S="${WORKDIR}/${PARCH}"
 
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss"
+
 RESTRICT="!test? ( test )"
-REQUIRED_USE="ldns? ( ssl )
+
+REQUIRED_USE="
+	ldns? ( ssl )
 	pie? ( !static )
 	static? ( !kerberos !pam )
 	X509? ( !sctp ssl )
-	test? ( ssl )"
+	test? ( ssl )
+"
 
 LIB_DEPEND="
 	audit? ( sys-process/audit[static-libs(+)] )
@@ -66,22 +71,29 @@ LIB_DEPEND="
 		)
 		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
 	)
-	>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
+	virtual/libcrypt:=[static-libs(+)]
+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]
+"
 RDEPEND="
+	acct-group/sshd
+	acct-user/sshd
 	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
-	pam? ( virtual/pam )
+	pam? ( sys-libs/pam )
-	kerberos? ( virtual/krb5 )"
+	kerberos? ( virtual/krb5 )
+"
 DEPEND="${RDEPEND}
 	static? ( ${LIB_DEPEND} )
-	virtual/pkgconfig
 	virtual/os-headers
-	sys-devel/autoconf"
+"
 RDEPEND="${RDEPEND}
 	pam? ( >=sys-auth/pambase-20081028 )
-	userland_GNU? ( virtual/shadow )
+	userland_GNU? ( !prefix? ( sys-apps/shadow ) )
-	X? ( x11-apps/xauth )"
+	X? ( x11-apps/xauth )
-
+"
-S="${WORKDIR}/${PARCH}"
+BDEPEND="
+	virtual/pkgconfig
+	sys-devel/autoconf
+"
 
 pkg_pretend() {
 	# this sucks, but i'd rather have people unable to `emerge -u openssh`
@@ -102,53 +114,39 @@ pkg_pretend() {
 	fi
 
 	# Make sure people who are using tcp wrappers are notified of its removal. #531156
-	if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
 		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
-		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."
+		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."
 	fi
 }
 
 src_prepare() {
 	sed -i \
-		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
 		pathnames.h || die
 
 	# don't break .ssh/authorized_keys2 for fun
 	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
 
-	eapply "${FILESDIR}"/${PN}-7.9_p1-openssl-1.0.2-compat.patch
 	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
-	eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	eapply "${FILESDIR}"/${PN}-8.1_p1-GSSAPI-dns.patch #165444 integrated into gsskex
 	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
 	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
-
+	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
-	if use X509 ; then
+	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
-		# patch doesn't apply due to X509 modifications
+	eapply "${FILESDIR}"/${PN}-8.1_p1-tests-2020.patch
-		rm \
-			"${WORKDIR}"/patches/0001-fix-key-type-check.patch \
-			"${WORKDIR}"/patches/0002-request-rsa-sha2-cert-signatures.patch \
-			|| die
-	else
-		eapply "${FILESDIR}"/${PN}-7.9_p1-CVE-2018-20685.patch # X509 patch set includes this patch
-	fi
 
 	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
 
 	local PATCHSET_VERSION_MACROS=()
 
 	if use X509 ; then
-		pushd "${WORKDIR}" || die
+		pushd "${WORKDIR}" &>/dev/null || die
-		eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch"
+		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
-		eapply "${FILESDIR}/${P}-X509-dont-make-piddir-${X509_VER}.patch"
+		popd &>/dev/null || die
-		popd || die
-
-		if use hpn ; then
-			einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
-			HPN_DISABLE_MTAES=1
-		fi
 
 		eapply "${WORKDIR}"/${X509_PATCH%.*}
-		eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch
+		eapply "${FILESDIR}"/${P}-X509-$(ver_cut 1-2 ${X509_VER})-tests.patch
 
 		# We need to patch package version or any X.509 sshd will reject our ssh client
 		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
@@ -182,16 +180,22 @@ src_prepare() {
 
 	if use hpn ; then
 		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
-		mkdir "${hpn_patchdir}"
+		mkdir "${hpn_patchdir}" || die
-		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
-		pushd "${hpn_patchdir}"
+		pushd "${hpn_patchdir}" &>/dev/null || die
-		eapply "${FILESDIR}"/${P}-hpn-glue.patch
+		eapply "${FILESDIR}"/${PN}-8.1_p1-hpn-${HPN_VER}-glue.patch
-		use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
+		if use X509; then
-		use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
+		#	einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
-		popd
+		#	# X509 and AES-CTR-MT don't get along, let's just drop it
+		#	rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
+			eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-${HPN_VER}-X509-glue.patch
+		fi
+		use sctp && eapply "${FILESDIR}"/${PN}-8.1_p1-hpn-${HPN_VER}-sctp-glue.patch
+		popd &>/dev/null || die
 
 		eapply "${hpn_patchdir}"
-		eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
+
+		use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
 
 		einfo "Patching Makefile.in for HPN patch set ..."
 		sed -i \
@@ -274,22 +278,23 @@ src_configure() {
 
 	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
 	use static && append-ldflags -static
+	use xmss && append-cflags -DWITH_XMSS
 
 	local myconf=(
 		--with-ldflags="${LDFLAGS}"
 		--disable-strip
 		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
-		--sysconfdir="${EPREFIX%/}"/etc/ssh
+		--sysconfdir="${EPREFIX}"/etc/ssh
-		--libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
-		--datadir="${EPREFIX%/}"/usr/share/openssh
+		--datadir="${EPREFIX}"/usr/share/openssh
-		--with-privsep-path="${EPREFIX%/}"/var/empty
+		--with-privsep-path="${EPREFIX}"/var/empty
 		--with-privsep-user=sshd
 		$(use_with audit audit linux)
-		$(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
 		# We apply the sctp patch conditionally, so can't pass --without-sctp
 		# unconditionally else we get unknown flag warnings.
 		$(use sctp && use_with sctp)
-		$(use_with ldns ldns "${EPREFIX%/}"/usr)
+		$(use_with ldns ldns "${EPREFIX}"/usr)
 		$(use_with libedit)
 		$(use_with pam)
 		$(use_with pie)
@@ -300,8 +305,8 @@ src_configure() {
 		$(use_with !elibc_Cygwin hardening) #659210
 	)
 
-	# stackprotect is broken on musl x86
+	# stackprotect is broken on musl x86 and ppc
-	use elibc_musl && use x86 && myconf+=( --without-stackprotect )
+	use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
 
 	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
 	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
@@ -327,7 +332,7 @@ src_test() {
 	mkdir -p "${sshhome}"/.ssh
 	for t in "${tests[@]}" ; do
 		# Some tests read from stdin ...
-		HOMEDIR="${sshhome}" HOME="${sshhome}" \
+		HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \
 		emake -k -j1 ${t} </dev/null \
 			&& passed+=( "${t}" ) \
 			|| failed+=( "${t}" )
@@ -351,7 +356,7 @@ tweak_ssh_configs() {
 	)
 
 	# First the server config.
-	cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
 
 	# Allow client to pass locale environment variables. #367017
 	AcceptEnv ${locale_vars[*]}
@@ -361,7 +366,7 @@ tweak_ssh_configs() {
 	EOF
 
 	# Then the client config.
-	cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
 
 	# Send locale environment variables. #367017
 	SendEnv ${locale_vars[*]}
@@ -376,13 +381,13 @@ tweak_ssh_configs() {
 			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
 			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
 			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
-			"${ED%/}"/etc/ssh/sshd_config || die
+			"${ED}"/etc/ssh/sshd_config || die
 	fi
 
 	if use livecd ; then
 		sed -i \
 			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
-			"${ED%/}"/etc/ssh/sshd_config || die
+			"${ED}"/etc/ssh/sshd_config || die
 	fi
 }
 
@@ -409,11 +414,6 @@ src_install() {
 	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
 }
 
-pkg_preinst() {
-	enewgroup sshd 22
-	enewuser sshd 22 -1 /var/empty sshd
-}
-
 pkg_postinst() {
 	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
 		elog "Starting with openssh-5.8p1, the server will default to a newer key"