chore(net-misc/openssh): import from portage

Change-Id: I5cc0cce57f7cd152096c5e505279636016d06239

sdk_container/src/third_party/portage-stable/net-misc/openssh/Manifest

@@ -0,0 +1,52 @@
+AUX openssh-4.7_p1-GSSAPI-dns.patch 4494 SHA256 88a08f349258d4be5b2faa838a89fe1aa0196502990b745ac0e3a70dda30a0d7 SHA512 4d00a9ed79f66b92502c3e5ee580523f63d7b3643fe1bd330ff97994acce527d4d285d38199cef66eddc0ef68afabf7b268abc60cba871bac5d2e99045d4ac11 WHIRLPOOL 2f118fd2f016c529dbc31e8f2b6b418931e6770ab02c28b7feeaba93e84e7fcd1c742f4420a43a9fec0bdfaa4d4bc7cf14fb860c0a56c68a30e7b136fb60bcdb
+AUX openssh-5.2_p1-autoconf.patch 386 SHA256 42bb5f23f02241186abd6158ac15cd1fba0fadb4bd79e6b051fbd05605419ebb SHA512 80a2244e243492d3933646a32fa673078efd72d0e87939b326c2210f23d72675839cfefa2f31617279d51834cc34daf2c3c189c9d92b08875b6b4f68fa7f3844 WHIRLPOOL d4ca3dd8554863d074054489a2dbe5aca3d07fcc5858e908caa5d76dcf8beb661cc3ca6d22a02ab2ca9f504160a6a1acc7f45a4fa775d879b02ee1ae3d113926
+AUX openssh-5.2_p1-gsskex-fix.patch 408 SHA256 8190db31ed2e8dc6ce79030e5c648d04610b06dd8366df5948ef6e990314ee96 SHA512 2022cd25b3e07430752569e07165db313e49a0902ef251df3e50ca96197849be6efbdee360a3a435cae0b5d2dda55acc8676b232d3584f87e204c2fc04b92801 WHIRLPOOL 65da9f3450493ca9a25741e66b2ecf97d7a5576c15485ff3a7c08fc57b06a17b3b6e73b14d2962bf958d9326a6d54c2940f56eb42de4bd5011324bba84c67cca
+AUX openssh-5.2_p1-x509-hpn-glue.patch 2851 SHA256 a21336a892b61e29a556d16e9f0a67ee08ad04dd61e3963a201fdf032ce55f75 SHA512 417617acba409539cd2edd59e7640fe732f90265f70d7f4cd91c8b059d44c9c1be63cf336ee3a39a45f1a066bc577e261836b8113296535b9320d77fed3a05bf WHIRLPOOL 901fd8e0ceafd27bd5fdca9007b82842dce2b5aee11c069d0f0229c4568886f0df861c80eb5b3a754a0af795ebb9c78a78a3e76002f17bdbf8349923439deecf
+AUX openssh-5.2p1-ldap-stdargs.diff 252 SHA256 97281375efa33e9ce70a55bfa95b6b426208175e7e3ff493012bc25d9b012f45 SHA512 2577b1476211f563bf8a7e62c2341e35cff7208a04b7a3fb1d331721e58f395cdef1ce2ac735b95c31781e06e16ec27c6692df09928393248c971837a1e03079 WHIRLPOOL df65dd54dd12be39fb4b830536f86aef97c086b227de1d87d56788bf8bce39a345da0ed814dd53abdaa5d158c99f0b87cb8510812d10c353a3b8a82493b210af
+AUX openssh-5.4_p1-openssl.patch 255 SHA256 f83627039491e9969f1ed5d77fe816465ce75809e8c2f2bfb07012bc21384347 SHA512 8cfd757dbe79ee502c10c5d518730f4e790bd61753120bb168d545dfc702a7a55c274fd9c81d2798ec78cba30f173aaf0bee1f15bb23f9f465c3524a5c81ca2d WHIRLPOOL 852f3e9dc6cd05934b52effa03961a0d989734a28649eb199e1f260d4e8129dffed378d8efdbd40a5f520362fe8fa404a744724135caa39f48e876849cf2350b
+AUX openssh-5.6_p1-hpn-progressmeter.patch 334 SHA256 eaa98f954934364a1994111f5a422d0730b6e224822cef03efe6d6fc0c7f056f SHA512 46eb5253549ddca045e67841daa092a8a33a6ae4411e75c301589f0a88159c6d2ccfe45c2f0502314465b93ac6f1965264a9b92b13e0e88d4ff15ced5f4ebfeb WHIRLPOOL 72b05e4243e746fc315468ac1dc8988b92919dbd147470855b8753e0ae37ad3696de6c9ec29346596aee2d60acbbcce79cea5735b9a91b3452a4b4f3f69d3012
+AUX openssh-5.6_p1-x509-hpn-glue.patch 1974 SHA256 164db7af08e0565821d6d609b1beadab39777521bfff143a83acc1e097ad60f1 SHA512 a764d8411f0b7c49d6f51b25153c18648d58dfbc82897903bad826293f3497010ab0343e4a4cc81b37e51c3a28ec04cd5be7c8882126295ba2b38e734e262995 WHIRLPOOL 4a8151dde306eace1404b8e83dc2514cb8f073acb6c759b9a2a9e619181951873afad785f565861f6d1031d9314f8d450faef63629dfd5f1b0074cb78b059578
+AUX openssh-5.7_p1-x509-hpn-glue.patch 1888 SHA256 30f63dea0e810d92790ddaf9813f0b8dec1e827a39e1752faff6bb41382f3c1b SHA512 db839f3cf3c67ef28290551810dc5c8937d1ef401f48ed937165b57191e75944adb25ab36cbf30289f7fc0076ec192c030e40fb5a744c63932b414e49b99946a WHIRLPOOL 2e539c49ef613e2a9912011ac289036381f8fd8d8ff5f2e0088dd3443a1c7fd86c3efe2b2041736bf67b73c8b4b298208de183945dc68c73ad6f35c41fb8a619
+AUX openssh-5.8_p1-selinux.patch 433 SHA256 0de250c75f4dae78406e5151f563bd104b8e7792a825515510e095fb47462cfd SHA512 e6c89eb26b4bc651503ab81d346e780fdec3056302c5e2d8a6be5892fa514f83093370c463aae88091dc20d30013fd32250e040649147797bcca69ddc7d05ae3 WHIRLPOOL f72ccd773b9ff7a897940afddcb38ba9512e0830c33a2381886d2698e0ae0c6a7db9678326945bdf6769acc21d3e4bf8a196161114805d4570af2819e610df84
+AUX openssh-5.8_p1-x509-hpn-glue.patch 1907 SHA256 7ab452c02b141645b764d404aa3de0754ab240a64601a6bb587919673f957682 SHA512 317c04fab93aaf82685e54335c876b2399623ef69428297c2e5934d45f69f0e78a89c79ad7bb186ef12a779ebf0f088ca142d6a426baeb32b166ceca8098572d WHIRLPOOL 34fdef826750070d112dc6c1bf84de11ebfa646fb5cbfb9f76d13dab925cff94996ed51cfdcba4e0b536915883bb4728756b79db157c019ba951ee1a32c18fe3
+AUX openssh-5.9_p1-drop-openssl-check.patch 848 SHA256 89b011e27548b9922deed63ed57a6c94ea8013bb3bfb4d6590ba43d284a2ab86 SHA512 bbcbb61b6fea194e7ee3862a5b462d48ce4cf4fec12cc8a8564fc5fc8f840dca2b4ddf301bf9d12bcbfd3922948023320ea660a8c194d57bf2b1e9d095fc8eb2 WHIRLPOOL dc8e140d2bfe59546b944236ebcc702cd4a19ed5c6ee24d590bb0d50221069666b3797cf1717e6090d12525b3310cd963537e4c2c413bb2692ec85dcb2d33b43
+AUX openssh-5.9_p1-sshd-gssapi-multihomed.patch 6622 SHA256 f5ae8419023d9e5f64c4273e43d60664d0079b5888ed999496038f295852e0ae SHA512 ffa45e97e585c8624792e039e7571b2bb5f38e4554de8bfc1d532f3348fa4a712ea1b6ca054e6a59ed1321a15cf1a9d3bdf3f399cec315346db89bae77abf57d WHIRLPOOL cc4871e3fb91a8075a13b5e49d7d3e0e83106bae0820ae3cf19d3427aad3d701b8f25b2cc2cc881a6315f8e5114fb82da9ca335acccb24afe221d66574fb7685
+AUX openssh-5.9_p1-x509-glue.patch 569 SHA256 579ef6409878cea36828057a82a37232ba230af0acb58438f020c284f06a6510 SHA512 534697c03837c8a6084348245722b8730b2547d0e2adca274077fcac295e13e8f2d8ae4cd788fc1c58824fc7b591e731e02d43873fdbe5f20ca1a87fa3060886 WHIRLPOOL 9dd0de494ba2c4a2dc1577e48ae8a63d95c794981ce1aa8d8f0d7fe464e489763f9af042ebecb6428c70cce56ae0b5ca93904669403bd9cc0e61e34989b82462
+AUX openssh-6.0_p1-fix-freebsd-compilation.patch 546 SHA256 4cee4d0b68a847b7686309ddc92f86fc36254d6e864682225143a28fc91e6187 SHA512 f9b783f76212ded27181b0a5ab8b4efc999a9960a020de54f109dad01a3e49b126a9c59da2286e565717f9e68991d2275e0872d54406f2c56a37d4dd439d92e4 WHIRLPOOL d0307e8e2a464914c9f4b2c790d72ff94eddc776986f0a847e04abede59feb6339bd256fe3dc831b362cb8e7f4e3cdb763a5c3c834f1fd7c32e4325cfb91ce63
+AUX openssh-6.0_p1-hpn-progressmeter.patch 379 SHA256 fb38d9d16132fcc16fb2648bce21e2260fb5cadf0ae2e2a7849638aeb79d3dc7 SHA512 4885f49f38c8a3afdef2ba63f324601214810aef8bbac89c926edca9edc8998f49f5060f1070ee0278ef7cdcdd7329a9b9fa37d1466e32cd2dc81edcdee50f51 WHIRLPOOL f73843d69f9aacea93a965eafecd16a037dae996d879d4b755831413321e3ed1e3e3167eff716a4ae836698b4e51c740bbfcca48033cb1dd4353f8599296272e
+AUX openssh-6.0_p1-test.patch 780 SHA256 c5893911cec3eecf84dc13bddbefbe1e1053db11e65a909b5f28eacbdd88a29c SHA512 733ee29c64f2469678ca0a4056332d43179cfe73d7efdd0c3c4b24da75baa74b7661e5039bd6fdbb0a375ae5ad5b60353c715946bb59d477ea0c5efaf70b1697 WHIRLPOOL a98055e2634eea3421dc2117a19e0548dae9b4705f7681e45bd4f33e3782f2ec22097de7f7ed4507d1ba5ed983d10499b786347688fadb6e803d20ea86bd7a02
+AUX openssh-6.0_p1-x509-glue.patch 569 SHA256 8c9048a33036a93f56e254cfd53b18313682d466deadfdcd8937a46793617900 SHA512 ad0c0cc7745a80dcc59e671f98608c0bdadf276449352615e738fe7f2e740e0f68713320c48b88b3b4565fd7e1f1a5653a0965e247bec68011c4eff72a9ffece WHIRLPOOL dde2aa90d6a19aeae8b6ad9586a10ac6b9c0e7b9e30f3e1d511bf7b938a299c75cc5771c8bc22ce6b6582ca7ea4804e545c463546580eacbcd38fa664841add1
+AUX openssh-6.0_p1-x509-hpn-glue.patch 1774 SHA256 b2dcff21652eea92d2ff2640a568070a944e7bfb2bd3217c433e6383a64b0970 SHA512 82793502b8c943f0bd69019ea1cf1172f9579dc6a8f6c91f6aba9a9d743384d5ac84f7a49df07165e252b4ef4fc06b745463bdc58d06da2aca3c7acbb3dd8623 WHIRLPOOL ffd01827dbf8162359cf7a278020f2bfa7ed1ee1051774522623bcf448ffc8a3e28ecff2de5733b352beef5722a9dec2e9bb25fabc7edca615a774f65f756246
+AUX openssh-6.1_p1-x509-glue.patch 573 SHA256 e51aa53e9e0336606fc36af237d50338347b845ee56a66d01f86829c4b46feb6 SHA512 bac2971b6435433d6ac88fb127c178e678fe805f51260454d9d0b631ef52dbafc08343fb307a74a116691545a82f5369dc014e71a7c8c65ba41699b31e1dfb6f WHIRLPOOL dd514ce502f7c7968e8fa526b1b2f7d7945f2d5b5f1f013e54f7513a7c7bf6025dbdeabe566958018db8f7442c9611f7efd435501b4b965b0fe7594e24ee20fc
+AUX openssh-6.1_p1-x509-hpn-glue.patch 1491 SHA256 28c5000f7c8b23afc363d066cf96d39c00882274f227b7743b1e376df8b61a2e SHA512 0d6bab08cc400b81d936883bf39f5a461799874f6ea3dcf55c083372ed379bc0066b913646f7a0e32167079ba85409c272b258de179d55660739df4bbbf30e5b WHIRLPOOL dbfbf8eb0312ae119421e45efd8243b089ab2d3c2bc1f7b7cbd5b56f86844dfe42b27952e4ed88653679ec036f70b8edd3e00f17ae097241fbc88567bab38505
+AUX sshd.confd 396 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 SHA512 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 WHIRLPOOL 69f43e6192e009a4663d130f7e40ee8b13c6eb9cc7d960b5e0e22f5d477649c88806a9d219efef211f4346582c2bb51e40d230a8191e5953dbe08bfff976ae53
+AUX sshd.pam 294 SHA256 f01cc51c624b21a815fb6c0be35edc590e2e6f8a5ffbdcabc220a9630517972f SHA512 3268dc826978fbb205968744d83c6f1c838c9c73bf9c4ceee709c5b4168b4aaf06bcde47a32808571fa71cbc5a6bfdb98406995b2b28c9e633ce392a53932d64 WHIRLPOOL fff8966d66d75cd4d70607585b5de063f225a776b73b8b0f8146c5eed6c8ffd2ca38c46f86fa4e2ca8caafcde7797a3f0b177e60baa6fa0642064080883fa68a
+AUX sshd.pam_include.2 156 SHA256 166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c WHIRLPOOL ba7a0a8c3bb39c5fda69de34b822a19696398e0a8789211ac1faae787ee34f9639eb35efe29c67f874b5f9fe674742503e570f441c005974f4a0c93468b8970b
+AUX sshd.rc6 2189 SHA256 627125378ccfdd81289531f527346980da249d35499cb71518f88f1452f4c098 SHA512 b2981a6dd9b83a21c718bb4dbfe88a0f1157bc764d1795291a381e380b40141719e5e5cf0cbd89845e81a7e9b0b4fdf938a55ff80ae4b5cac1969189aefa2b1d WHIRLPOOL 136497f366686ae25d78b11c17d4f9235d8980a8a147b380c00c281adaa91940f82a709b7da312736608e3b3ce3a2dbca465a2010f27e9562389de98be5885cf
+AUX sshd.rc6.1 2270 SHA256 153119116208d328c496d29b7cb9f85991df93020cc50c83b05ed498b10a2126 SHA512 80f0e460ad7ffd9a6fb279ce2d307cbda1f7352745ffaca381867f636ae64df336a03de0da15aca39619acdbebf41e2ccbd2bb233433f93625754965aaaab780 WHIRLPOOL 6b7a4519282fe99fc36cd0f89f6163ad9c8c9d998b15e84d3758af607627db48cf58ffee1bc4291ac0e7f75455f8f8873cd5d996f3c75f1ea3bef0b249abdffe
+AUX sshd.rc6.2 2069 SHA256 94b1fc0d608464fd4a6c7ed23f0b9c44aada3404982d8fd25b8bfe202baffaa6 SHA512 f75f95e6cf912b8c45f7ccf81e764805a56057368b18425abe699b29c3c66d32ea5b2d1c9f6fadf97487430e703e01dc2d965e41b8511f31a3e06d3bcbbc1006 WHIRLPOOL b9082ba3854e1842e057717b9a1571ba5ac6bf69c5facb391b7a3d890b13f879d7ae1484eafbbffc17746c3a8184f23e4c3fa831f678eabdea7d23e2c0d1bf63
+AUX sshd.rc6.3 2057 SHA256 43d95b495440ed6b3c1eb82b81712d7f6e58246527605c11d733cb5eb5523254 SHA512 3ddcdeae6c7f4755df1f8fe77d9d1af8c728f8cc18da0feaeccc4b8147f86b4db1ab1bf4ad362c31fac986270b21fe2c80e0414d64f70bfdac2370e22c2c9db2 WHIRLPOOL 57a18d85ab77abe64eddf852975481d974bd68b0b058d854a31158aed14b1706743ad563aa013c770aa124533fb5344bc64d0c06b564e1b53e28e1b0ebe463e8
+AUX sshd.rc6.4 2758 SHA256 7596248118e3d4087a9bbb4d9c7a9a949a472c73e94585084df1d0a744c17e12 SHA512 bfda73dddd8362005b8fc236132e4421e71ee6af4d917fc4956dd37a244b4ed888b10f7b86f90005bdf782e77346fbeb3453f5ffcf39906aee3e06596f84ccec WHIRLPOOL 1881214407406613b62ab86654b757433596f99b481ca80e106937c34b817750813d68a5df48f3004acb4df89c6a48426e3f7cbb4f9c2b6e49a809b50e50260e
+AUX sshd.service 206 SHA256 093d4f526e740cbec46ad6a69207407daf01e74da44599d75b979f294c9b0a7b SHA512 67d96a63a6bc874bacc2f43b51c003f2209a4d2283f8435ba3495266e4823d73962fd995f46eab0e8b260107b9a8c416709b2f19e8e94ecea30ddd8280444cfe WHIRLPOOL b48005444104583bd230e68f870a1d0c4a8709f5e8f7fafa45becf259df64052b1938853e8e232b32aae882dbad83d5c78d7796eafb6c02bd0196f7a6a44075f
+AUX sshd.socket 136 SHA256 c055abcd10c5d372119cbc3708661ddffccdee7a1de1282559c54d03e2f109d9 SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42 WHIRLPOOL 102d87b708c31e5994e8005437c78b1aa756c6def4ee9ae2fa9be1438f328fc28c9152a4ff2528941be18f1311594490ecd98b66716ec74e970aa3725a98e2e5
+AUX sshd_at.service 176 SHA256 332f5ffc30456fe2494095c2aabd1e6e02075ce224e2d49708ac7ccf6d341998 SHA512 662a9c2668902633e6dbcb9435ac35bec3e224afdb2ab6a1df908618536ae9fc1958ba1d611e146c01fddb0c8f41eefdc26de78f45b7f165b1d6b2ee2f23be2a WHIRLPOOL aeb32351380dd674ef7a2e7b537f43116c189f7fddb8bdb8b2c109e9f62b0a73cc0f29f2d46270e658ab6409b8d3671ce9e0d0ba7c0d3674c2f85291a73e6df1
+DIST openssh-5.9p1+x509-7.0.diff.gz 181263 SHA256 a28e2535ecbf95deeef682682e7551459cc494bbc1c4ccb89be93cfe826d76ca SHA512 5f6e2be10ce8cf26fffcb782824f59c1f1ca0fa271800e162685ce74d1aac6d9035cfdacc87d3f859d3538bc0b22438a701dfc3c8108a130e6e4b7fdd36e6b16 WHIRLPOOL 00f92e2e235da11a87b30dc49e1a469a781482ea53ddf99fb892ec3796b9a68f62234c0ed72f2a3330f7af90f3afcdc90e2574b6ab5955ec6e64c13b75ab5e89
+DIST openssh-5.9p1-hpn13v11.diff.gz 21971 SHA256 6a47a9e57f87385cac9a380b0b1649b73532afaf40c15f62e9236427c84e7aae SHA512 6f7ae144ff61b4ec7913dc94c7ed9550cfcd30336e3bbfafc6c875c99cf0c90cd7f8ce89d530f2861b9bda95433d591673136ba5a31310226207f787257da3be WHIRLPOOL fe4d9f515e5c51b159b0aa51b01840003de443c2f3e8eca90b657d54f490273d1ba98dbabe2cf3a104edaa0971cae5f5f8c739691310822493f8f2705c01465d
+DIST openssh-5.9p1.tar.gz 1110014 SHA256 8d3e8b6b6ff04b525a6dfa6fdeb6a99043ccf6c3310cc32eba84c939b07777d5 SHA512 ccf13e3cb11489f9f7e4788f93ffae1f2c39d48819f0e9cd9197842abc922173d2c3c1ad1a87a2acf4497d67cb9edd48416098388fa33fc0b8e09456b1be7e2f WHIRLPOOL 2e8bd89fd14954a232602a912845ed29a08ca40637f8863fed675b19d18944125ecdbf292c45cf5c297584df6c3131ae4fd3c6bc62595dfebb3831120ea21cd1
+DIST openssh-6.0p1+x509-7.1.diff.gz 200986 SHA256 c11e3837704a24393353fe264d61ffea8c1f23c0cb5b8261866c25677930768b SHA512 f45e16a21955546829c70bbad67a6af2cdf60fc6019d34c8563c3c328ffc477d1b31c3443ce032e7ff29d027979ecade476679d33c40961ac4ba65f96dac4b7f WHIRLPOOL 120063e566d721c233ea02cdf2ea114b7f707248962c126dd9def5377188283bb9da58a32a2d49453f4c37ad7a975e03bcdf106a28a0cb7e655eacc7c3f965c1
+DIST openssh-6.0p1-hpn13v11.diff.bz2 19979 SHA256 a096f6ee6dfddb3996b5e7b806ece2a7709c8cce6560eb026c28d3fb56f71ee9 SHA512 2805ddac19a5c4962e6a57d9a6efd3f17ebac82ee2b6a7eed60521a4fd23468d4be7f67e59562120fb21e1efa7ab9213be5d8ab8e3ff6fb9c2ccd6d6989f460f WHIRLPOOL a588288d0b3a64a8414bf1061055dbf41b8370e59fd89ab6cdc2fc7b93046b467aefb9f9196a65f96bda395db38e3841e1ad781341919829de0d9d8d2a220df1
+DIST openssh-6.0p1-hpn13v12.diff.gz 20223 SHA256 b6158c10fac153dd2a9f5d9b29df1e4db17a91f84f100b99526655317d9bf4c0 SHA512 d5decf82bfdbdcdcea974b3a8d990929908077851a3a8c122bda37e439e19e69973a371ac46683840263ec3c85fb2393a70183786f94b2afaff6577209f202c2 WHIRLPOOL 9347431c34737294f98aa07d1c4468ab0357e766c1ff55ad2e39af10041d9fa0e0253d36c5dde354513c97cf7ccb19ac1db7214c25797d57d917d4ee5a1199da
+DIST openssh-6.0p1.tar.gz 1126034 SHA256 589d48e952d6c017e667873486b5df63222f9133d417d0002bd6429d9bd882de SHA512 4fe1f7e0d5e572575b11253916354b333a7eca558720885d5dceb7c89dc5da81cd57feaa4be756dfa4f3e9ef508e5f460e5fda221765191b1c02ae37431a444e WHIRLPOOL 7853155dfd35962ae31958600b6d4f94a3a916dac942f5f533cde3d85c8ea64066b887d66d7722bd647196f57df7ed27f62d5ec4588868754b6cdf999a404001
+DIST openssh-6.1p1+x509-7.2.1.diff.gz 208071 SHA256 02d3703d419fc72be819a4e7fc8cbbb269182862465b6a99cc7b2af32d75a181 SHA512 6c1786c2c32d884e7b8f15e39912ca1d8fb54b1132ffae6d8d4f262356a16267a8e549a822911d0f40eabe49015080ae35fdec521f90e0ef4d05554339f35fa0 WHIRLPOOL 7f260caebdc58fe415b3cb93b08600942a6b171b45df8ff1279d4280930a7103cbefac63ec7f32fdbf9bdcf64278c39bfd55c2dcb41ea5c4934574930494df67
+DIST openssh-6.1p1-hpn13v11.diff.bz2 19999 SHA256 08bfc1f3c582f23b3ce386e78baf37be4af03645fc6eef87f1ef819cc273ecc7 SHA512 4e21384ef4d0b7539c9b7aecb158748b959db7ec84fa023f7969c2db50794e1f68bab375cdea9c2ae8fe16b759650e250aa21d6b8772a1c671d2e1e59adef08a WHIRLPOOL 3918c2c118908e67de4523c8d1f142ca4b2d2d7c045c2337b2f7914096108cf1a138009a838519d292e53fec454ced3a9590bbddf93096bd377196bd7d73ed55
+DIST openssh-6.1p1.tar.gz 1134820 SHA256 d1c157f6c0852e90c191cc7c9018a583b51e3db4035489cb262639d337a1c411 SHA512 1cd58f18b047fa92a3155fa215d69c04e1f03914488a21bcda5434899df6055567e59f77063f0080b0cb437bb2396d3bf4050ed0c5ea2d1dc20d6fd928d5a76c WHIRLPOOL a1ecf33e8c4048c59e55d38cc8bb3f89357ac8fb74fdbb57e24e111e1749620fe6f7e329a744e3cfc9ced3e445539ce85926c7877a0f12475ccf14f124f9234b
+DIST openssh-lpk-5.9p1-0.3.14.patch.gz 18335 SHA256 1a922d57a2e7020bf597135437a57080d7d046c9f41a7a53559945ddddbe0892 SHA512 eb4641d30e221eaa409d22ab423e38c1a31dd9dfeacbf978c94827194cb838cc0f832bf96aa4c494a71a5d5d1b90fc6789e8469e35d82ffcaf54305f07ccdb9b WHIRLPOOL 6748426d6d0cda07729744d8993d96a762134a61acf757afc1618ada5cbd9752d9211a89be831e5a4f1744f70cc4fc643b5f745d1f785b53a4e1dbf9d7c92680
+DIST openssh-lpk-6.0p1-0.3.14.patch.gz 18401 SHA256 d0f3d55fd92ecc45aa6120d6ea919c903e4828ce0c2b07612c742a2aa7648beb SHA512 ebf680b90bc289c0d69c22fd6fd666032cdcf4c3850ecdf03e264200d60c50a12f4a5254907c6ab850727216e7837176be5564ae22b68d9b80a67c62f372a9dd WHIRLPOOL 4f8b32c77fc2a9205d283109ccd787a3f37757c18060da39c63147ff09f6b922f4a57ca1ba8d0cdc692f3f1eaba3e5e88eb4287f728ddaaf544d2d425c0cca91
+DIST openssh-lpk-6.1p1-0.3.14.patch.gz 18458 SHA256 2d0e40116e021913668519a42743f89b8fb77f8d5beed863d620cc79999b0b79 SHA512 9cfd83e650cedbc3950b8cf80d0b36fbb7dff8fbe7d017378f9a2ae18189fa6e459e323dae6cd1fa1d82ff948f628563892d0a0f30113b3a8ba5269fe051e784 WHIRLPOOL c1ee5570f0bfb3191c602d575e0e05cabe7d42183bd78c07cac19a2743a59f110728e309fcee6f0b6abc7b141ae8c701d92d010d2b7737739b4cac92406552fa
+EBUILD openssh-5.9_p1-r4.ebuild 9210 SHA256 efed8260b1799d44b3d313539c7f88761761e665ab38b2740895d6a99405152c SHA512 e9344b99a24fce4c3f2c186108443079fc66b410373170e57d3be04a74678579fd2dcf136344ca820b8b7f75121ef924c4b36e6a2dfa11dc298dabcd8d91fb98 WHIRLPOOL 9add398de7095604a716a2b76f3bd5ce7cd8035304efaaa1a6a60557804c5714160d582a6f768a2024d8f466db31aca10b4028746d450f09c9b6874e893d6442
+EBUILD openssh-6.0_p1-r1.ebuild 9488 SHA256 f99e6f51f5fc1809cc093e84834699097802d92f8aee712ffcdf1b8548698c08 SHA512 10b19d45b60658e3c61fb74a4c6d4ae1341b4d1129faaa08ec3b655a64f1dc3625ffbe363add33c8e31ac5ebf66cd24415c2324bd5c8d23fad4191e431143be3 WHIRLPOOL 0c35ba4608a5a4fd6c65bfed0f3cde8e8cd7067a94bacf41104c2f0105146a5c79bdec873c2c3a6086637359805ecbb353a2abc9c6e0f2a93a409650aadfff78
+EBUILD openssh-6.0_p1.ebuild 9485 SHA256 32c4280a8babafa169543a919f4cf31231c3d759a7c116b42e3c3981242c0d59 SHA512 bae20dfbea14cfc30f16c7619d63a4a4cb2546d9d5e903e93e3c4d18745c1398d42ab6580a3e10609d81e1020b8f54c35b6413e168775efd3cb8fab064d67f8a WHIRLPOOL 24d16d37714e69a0d4593b745feeb54853e8d7b2de799be8ed76c0e09fe9459da8a3bfbb67b36f120345fc24fdc307a346c4fcb79b95fd8831e8944383f36759
+EBUILD openssh-6.1_p1-r1.ebuild 10144 SHA256 d3a9498da4e88e1a90c5d6573152019f681b12e046dfa0b6a0f186b198cf5bcc SHA512 eb4e95964daa6249c87b3589d85f74fa8ba2bef39e65c9886614a4198aecdc4a7924f9c0d8822a0fbf5d47d26f2f201fcee40dcdf5fc9b773ba1bb4400d75f0c WHIRLPOOL b25c79632964123988bfa97b24c063edf566da56501cd20d6da6ac6aa77e1dc33340a528af20ab2d0404e9a4d7876d61d29dd8d38feba3b7cce205a098372565
+EBUILD openssh-6.1_p1.ebuild 9582 SHA256 e4e060b08be1ae2238889463ad257e6d3b60ccc33c0bd6e5f73e63155795b2cc SHA512 dc3376d4317fe4692b0e3a62acfe7307df0208744dfd35f585eee9768e16493b81dc1ac854f32050dc21470cf1e7681a71c463c4e15a86d8a4b1c99dfdbc83fd WHIRLPOOL d2e7fe4d73ee58318b2b3099d18596db58d2d988e26a1792b9d68dadd3a0fbcda20bf52faf8006913614c995cd7cb7a2e69492c12ede66016639466206fbbc98
+MISC ChangeLog 75754 SHA256 5fd858c44b140031d196ab18449f5daf74d2c5e5d98d0b4baea7ac61c16f6f15 SHA512 8ad2f358741f793aeee19c674177519c696bc1d39fd61336ae46ce423c05ae8221d1d1acb3ec959fbb821debf210761d95cded53b20d40b5a78d7c325ccab7a2 WHIRLPOOL f79d0e0d6db81f5768b4ee3de42508a7ab25ab3ca666410c63065f525e85ca045e30adad0e36799ce5906fe8d3fd8a27cfb68c13a5e8c321226ea1c2382aab5e
+MISC metadata.xml 1749 SHA256 efc4abf9bfbc17c1312052e84e77058539851b2e9d0fffb16b2c13bcfda08993 SHA512 18e254f223ddd5bba1b1c4f0ecdd78bffe446a23108bc649d73d8ba626e2940a5a9c5878ab1f8b2689434876e76260fe5a9970649a1287f51033862cf0d5ce36 WHIRLPOOL acb0ce741349f25dbfd58a02a72f5ca45a42ba5441b96766a91b381ed9735efe5105fd6dfaf576bf2dfdd4ef0ed542f81601d74378bc526aac9c0165672dffac

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-3.9_p1-opensc.patch

@@ -0,0 +1,130 @@
+http://bugs.gentoo.org/43593
+http://bugzilla.mindrot.org/show_bug.cgi?id=608
+
+Index: scard-opensc.c
+===================================================================
+RCS file: /cvs/openssh/scard-opensc.c,v
+retrieving revision 1.12
+--- scard-opensc.c
++++ scard-opensc.c
+@@ -38,6 +38,8 @@
+ #include "readpass.h"
+ #include "scard.h"
+ 
++int ask_for_pin=0;
++
+ #if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE)
+ #define USE_ENGINE
+ #define RSA_get_default_method RSA_get_default_openssl_method
+@@ -119,6 +121,7 @@
+ 	struct sc_pkcs15_prkey_info *key;
+ 	struct sc_pkcs15_object *pin_obj;
+ 	struct sc_pkcs15_pin_info *pin;
++	char *passphrase = NULL;
+ 
+ 	priv = (struct sc_priv_data *) RSA_get_app_data(rsa);
+ 	if (priv == NULL)
+@@ -156,24 +159,47 @@
+ 		goto err;
+ 	}
+ 	pin = pin_obj->data;
++
++	if (sc_pin)
++		passphrase = sc_pin;
++	else if (ask_for_pin) {
++		/* we need a pin but don't have one => ask for the pin */
++		char prompt[64];
++
++		snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ",
++			key_obj->label ? key_obj->label : "smartcard key");
++		passphrase = read_passphrase(prompt, 0);
++		if (!passphrase || !strcmp(passphrase, ""))
++			goto err;
++	} else 
++		/* no pin => error */
++		goto err;
++
+ 	r = sc_lock(card);
+ 	if (r) {
+ 		error("Unable to lock smartcard: %s", sc_strerror(r));
+ 		goto err;
+ 	}
+-	if (sc_pin != NULL) {
+-		r = sc_pkcs15_verify_pin(p15card, pin, sc_pin,
+-					 strlen(sc_pin));
+-		if (r) {
+-			sc_unlock(card);
+-			error("PIN code verification failed: %s",
+-			      sc_strerror(r));
+-			goto err;
+-		}
++	r = sc_pkcs15_verify_pin(p15card, pin, passphrase,
++				 strlen(passphrase));
++	if (r) {
++		sc_unlock(card);
++		error("PIN code verification failed: %s",
++		      sc_strerror(r));
++		goto err;
+ 	}
++
+ 	*key_obj_out = key_obj;
++	if (!sc_pin) {
++		memset(passphrase, 0, strlen(passphrase));
++		xfree(passphrase);
++	}
+ 	return 0;
+ err:
++	if (!sc_pin && passphrase) {
++		memset(passphrase, 0, strlen(passphrase));
++		xfree(passphrase);
++	}
+ 	sc_close();
+ 	return -1;
+ }
+Index: scard.c
+===================================================================
+RCS file: /cvs/openssh/scard.c,v
+retrieving revision 1.27
+--- scard.c
++++ scard.c
+@@ -35,6 +35,9 @@
+ #include "readpass.h"
+ #include "scard.h"
+ 
++/* currently unused */
++int ask_for_pin = 0;
++
+ #if OPENSSL_VERSION_NUMBER < 0x00907000L
+ #define USE_ENGINE
+ #define RSA_get_default_method RSA_get_default_openssl_method
+Index: scard.h
+===================================================================
+RCS file: /cvs/openssh/scard.h,v
+retrieving revision 1.10
+--- scard.h
++++ scard.h
+@@ -33,6 +33,8 @@
+ #define SCARD_ERROR_NOCARD	-2
+ #define SCARD_ERROR_APPLET	-3
+ 
++extern int ask_for_pin;
++
+ Key	**sc_get_keys(const char *, const char *);
+ void	 sc_close(void);
+ int	 sc_put_key(Key *, const char *);
+Index: ssh.c
+===================================================================
+RCS file: /cvs/openssh/ssh.c,v
+retrieving revision 1.180
+--- ssh.c
++++ ssh.c
+@@ -1155,6 +1155,9 @@
+ #ifdef SMARTCARD
+ 	Key **keys;
+ 
++	if (!options.batch_mode)
++		ask_for_pin = 1;
++
+ 	if (options.smartcard_device != NULL &&
+ 	    options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
+ 	    (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) {

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-4.4_p1-ldap-hpn-glue.patch

@@ -0,0 +1,54 @@
+allow ldap and hpn patches to play nice
+
+--- servconf.c
++++ servconf.c
+@@ -116,24 +116,6 @@
+ 	options->num_allow_groups = 0;
+ 	options->num_deny_groups = 0;
+ 	options->ciphers = NULL;
+-	options->macs = NULL;
+-	options->protocol = SSH_PROTO_UNKNOWN;
+-	options->gateway_ports = -1;
+-	options->num_subsystems = 0;
+-	options->max_startups_begin = -1;
+-	options->max_startups_rate = -1;
+-	options->max_startups = -1;
+-	options->max_authtries = -1;
+-	options->banner = NULL;
+-	options->use_dns = -1;
+-	options->client_alive_interval = -1;
+-	options->client_alive_count_max = -1;
+-	options->authorized_keys_file = NULL;
+-	options->authorized_keys_file2 = NULL;
+-	options->num_accept_env = 0;
+-	options->permit_tun = -1;
+-	options->num_permitted_opens = -1;
+-	options->adm_forced_command = NULL;
+ #ifdef WITH_LDAP_PUBKEY
+ 	/* XXX dirty */
+ 	options->lpk.ld = NULL;
+@@ -152,6 +134,24 @@
+ 	options->lpk.flags = FLAG_EMPTY;
+ #endif
+ 
++	options->macs = NULL;
++	options->protocol = SSH_PROTO_UNKNOWN;
++	options->gateway_ports = -1;
++	options->num_subsystems = 0;
++	options->max_startups_begin = -1;
++	options->max_startups_rate = -1;
++	options->max_startups = -1;
++	options->max_authtries = -1;
++	options->banner = NULL;
++	options->use_dns = -1;
++	options->client_alive_interval = -1;
++	options->client_alive_count_max = -1;
++	options->authorized_keys_file = NULL;
++	options->authorized_keys_file2 = NULL;
++	options->num_accept_env = 0;
++	options->permit_tun = -1;
++	options->num_permitted_opens = -1;
++	options->adm_forced_command = NULL;
+ }
+ 
+ void

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch

@@ -0,0 +1,127 @@
+http://bugs.gentoo.org/165444
+https://bugzilla.mindrot.org/show_bug.cgi?id=1008
+
+Index: readconf.c
+===================================================================
+RCS file: /cvs/openssh/readconf.c,v
+retrieving revision 1.135
+diff -u -r1.135 readconf.c
+--- readconf.c	5 Aug 2006 02:39:40 -0000	1.135
++++ readconf.c	19 Aug 2006 11:59:52 -0000
+@@ -126,6 +126,7 @@
+ 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++	oGssTrustDns, 
+ 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ 	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
+ 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+@@ -163,9 +164,11 @@
+ #if defined(GSSAPI)
+ 	{ "gssapiauthentication", oGssAuthentication },
+ 	{ "gssapidelegatecredentials", oGssDelegateCreds },
++	{ "gssapitrustdns", oGssTrustDns },
+ #else
+ 	{ "gssapiauthentication", oUnsupported },
+ 	{ "gssapidelegatecredentials", oUnsupported },
++	{ "gssapitrustdns", oUnsupported },
+ #endif
+ 	{ "fallbacktorsh", oDeprecated },
+ 	{ "usersh", oDeprecated },
+@@ -444,6 +447,10 @@
+ 		intptr = &options->gss_deleg_creds;
+ 		goto parse_flag;
+ 
++	case oGssTrustDns:
++		intptr = &options->gss_trust_dns;
++		goto parse_flag;
++
+ 	case oBatchMode:
+ 		intptr = &options->batch_mode;
+ 		goto parse_flag;
+@@ -1010,6 +1017,7 @@
+ 	options->challenge_response_authentication = -1;
+ 	options->gss_authentication = -1;
+ 	options->gss_deleg_creds = -1;
++	options->gss_trust_dns = -1;
+ 	options->password_authentication = -1;
+ 	options->kbd_interactive_authentication = -1;
+ 	options->kbd_interactive_devices = NULL;
+@@ -1100,6 +1108,8 @@
+ 		options->gss_authentication = 0;
+ 	if (options->gss_deleg_creds == -1)
+ 		options->gss_deleg_creds = 0;
++	if (options->gss_trust_dns == -1)
++		options->gss_trust_dns = 0;
+ 	if (options->password_authentication == -1)
+ 		options->password_authentication = 1;
+ 	if (options->kbd_interactive_authentication == -1)
+Index: readconf.h
+===================================================================
+RCS file: /cvs/openssh/readconf.h,v
+retrieving revision 1.63
+diff -u -r1.63 readconf.h
+--- readconf.h	5 Aug 2006 02:39:40 -0000	1.63
++++ readconf.h	19 Aug 2006 11:59:52 -0000
+@@ -45,6 +45,7 @@
+ 					/* Try S/Key or TIS, authentication. */
+ 	int     gss_authentication;	/* Try GSS authentication */
+ 	int     gss_deleg_creds;	/* Delegate GSS credentials */
++	int	gss_trust_dns;		/* Trust DNS for GSS canonicalization */
+ 	int     password_authentication;	/* Try password
+ 						 * authentication. */
+ 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+Index: ssh_config.5
+===================================================================
+RCS file: /cvs/openssh/ssh_config.5,v
+retrieving revision 1.97
+diff -u -r1.97 ssh_config.5
+--- ssh_config.5	5 Aug 2006 01:34:51 -0000	1.97
++++ ssh_config.5	19 Aug 2006 11:59:53 -0000
+@@ -483,7 +483,16 @@
+ Forward (delegate) credentials to the server.
+ The default is
+ .Dq no .
+-Note that this option applies to protocol version 2 only.
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to 
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If 
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+Index: sshconnect2.c
+===================================================================
+RCS file: /cvs/openssh/sshconnect2.c,v
+retrieving revision 1.151
+diff -u -r1.151 sshconnect2.c
+--- sshconnect2.c	18 Aug 2006 14:33:34 -0000	1.151
++++ sshconnect2.c	19 Aug 2006 11:59:53 -0000
+@@ -499,6 +499,12 @@
+ 	static u_int mech = 0;
+ 	OM_uint32 min;
+ 	int ok = 0;
++	const char *gss_host;
++
++	if (options.gss_trust_dns)
++		gss_host = get_canonical_hostname(1);
++	else
++		gss_host = authctxt->host;
+ 
+ 	/* Try one GSSAPI method at a time, rather than sending them all at
+ 	 * once. */
+@@ -511,7 +517,7 @@
+ 		/* My DER encoding requires length<128 */
+ 		if (gss_supported->elements[mech].length < 128 &&
+ 		    ssh_gssapi_check_mechanism(&gssctxt, 
+-		    &gss_supported->elements[mech], authctxt->host)) {
++		    &gss_supported->elements[mech], gss_host)) {
+ 			ok = 1; /* Mechanism works */
+ 		} else {
+ 			mech++;

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-4.7p1-selinux.diff

@@ -0,0 +1,11 @@
+diff -purN openssh-4.7p1.orig/configure.ac openssh-4.7p1/configure.ac
+--- openssh-4.7p1.orig/configure.ac	2007-08-10 00:36:12.000000000 -0400
++++ openssh-4.7p1/configure.ac	2008-03-31 19:38:54.548935620 -0400
+@@ -3211,6 +3211,7 @@ AC_ARG_WITH(selinux,
+ 		AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
+ 		    AC_MSG_ERROR(SELinux support requires libselinux library))
+ 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
++		LIBS="$LIBS $LIBSELINUX"
+ 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
+ 		LIBS="$save_LIBS"
+ 	fi ]

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-4.9_p1-x509-hpn-glue.patch

@@ -0,0 +1,91 @@
+move things around so hpn applies cleanly when using X509
+
+--- servconf.c
++++ servconf.c
+@@ -106,6 +106,17 @@
+ 	options->log_level = SYSLOG_LEVEL_NOT_SET;
+ 	options->rhosts_rsa_authentication = -1;
+ 	options->hostbased_authentication = -1;
++	options->hostbased_algorithms = NULL;
++	options->pubkey_algorithms = NULL;
++	ssh_x509flags_initialize(&options->x509flags, 1);
++#ifndef SSH_X509STORE_DISABLED
++	ssh_x509store_initialize(&options->ca);
++#endif /*ndef SSH_X509STORE_DISABLED*/
++#ifdef SSH_OCSP_ENABLED
++	options->va.type = -1;
++	options->va.certificate_file = NULL;
++	options->va.responder_url = NULL;
++#endif /*def SSH_OCSP_ENABLED*/
+ 	options->hostbased_uses_name_from_packet_only = -1;
+ 	options->rsa_authentication = -1;
+ 	options->pubkey_authentication = -1;
+@@ -147,18 +158,6 @@
+ 	options->num_permitted_opens = -1;
+ 	options->adm_forced_command = NULL;
+ 	options->chroot_directory = NULL;
+-
+-	options->hostbased_algorithms = NULL;
+-	options->pubkey_algorithms = NULL;
+-	ssh_x509flags_initialize(&options->x509flags, 1);
+-#ifndef SSH_X509STORE_DISABLED
+-	ssh_x509store_initialize(&options->ca);
+-#endif /*ndef SSH_X509STORE_DISABLED*/
+-#ifdef SSH_OCSP_ENABLED
+-	options->va.type = -1;
+-	options->va.certificate_file = NULL;
+-	options->va.responder_url = NULL;
+-#endif /*def SSH_OCSP_ENABLED*/
+ }
+ 
+ void
+@@ -329,6 +329,16 @@
+ 	/* Portable-specific options */
+ 	sUsePAM,
+ 	/* Standard Options */
++	sHostbasedAlgorithms,
++	sPubkeyAlgorithms,
++	sX509KeyAlgorithm,
++	sAllowedClientCertPurpose,
++	sKeyAllowSelfIssued, sMandatoryCRL,
++	sCACertificateFile, sCACertificatePath,
++	sCARevocationFile, sCARevocationPath,
++	sCAldapVersion, sCAldapURL,
++	sVAType, sVACertificateFile,
++	sVAOCSPResponderURL,
+ 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
+ 	sPermitRootLogin, sLogFacility, sLogLevel,
+ 	sRhostsRSAAuthentication, sRSAAuthentication,
+@@ -351,16 +361,6 @@
+ 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ 	sMatch, sPermitOpen, sForceCommand,
+ 	sUsePrivilegeSeparation,
+-	sHostbasedAlgorithms,
+-	sPubkeyAlgorithms,
+-	sX509KeyAlgorithm,
+-	sAllowedClientCertPurpose,
+-	sKeyAllowSelfIssued, sMandatoryCRL,
+-	sCACertificateFile, sCACertificatePath,
+-	sCARevocationFile, sCARevocationPath,
+-	sCAldapVersion, sCAldapURL,
+-	sVAType, sVACertificateFile,
+-	sVAOCSPResponderURL,
+ 	sDeprecated, sUnsupported
+ } ServerOpCodes;
+ 
+--- Makefile.in
++++ Makefile.in
+@@ -44,11 +44,12 @@
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
++CPPFLAGS += @LDAP_CPPFLAGS@
+ AR=@AR@
+ AWK=@AWK@
+ RANLIB=@RANLIB@

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.1_p1-better-ssp-check.patch

@@ -0,0 +1,21 @@
+a simple 'int main(){}' function won't generate references to SSP functions
+when using -fstack-protector which means systems that dont have SSP support
+wont get properly detected as lacking support.  instead, create a big buffer
+on the stack and use it as that seems to do the trick.
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=1538
+https://bugs.gentoo.org/244776
+
+--- openssh-5.1p1/configure.ac
++++ openssh-5.1p1/configure.ac
+@@ -145,8 +145,8 @@ int main(void){return 0;}
+ 		      AC_MSG_CHECKING(if $t works)
+ 		      AC_RUN_IFELSE(
+ 			[AC_LANG_SOURCE([
+-#include <stdlib.h>
+-int main(void){exit(0);}
++#include <stdio.h>
++int main(void){char foo[[1024]];return sprintf(foo, "moo cow") == 7;}
+ 			])],
+ 			[ AC_MSG_RESULT(yes)
+ 			  break ],

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.1_p1-escaped-banner.patch

@@ -0,0 +1,18 @@
+don't escape the banner output
+
+http://bugs.gentoo.org/244222
+https://bugzilla.mindrot.org/show_bug.cgi?id=1533
+
+fix by Michał Górny <mgorny.3ehbo@mailnull.com>
+
+--- sshconnect2.c
++++ sshconnect2.c
+@@ -415,7 +415,7 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
+ 		if (len > 65536)
+ 			len = 65536;
+ 		msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
+-		strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL);
++		strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
+ 		fprintf(stderr, "%s", msg);
+ 		xfree(msg);
+ 	}

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.1_p1-ldap-hpn-glue.patch

@@ -0,0 +1,55 @@
+diff -Nuar --exclude '*.rej' --exclude '*.orig' openssh-5.1p1+lpk/servconf.c openssh-5.1p1+lpk+glue/servconf.c
+--- openssh-5.1p1+lpk/servconf.c	2008-08-23 14:37:18.000000000 -0700
++++ openssh-5.1p1+lpk+glue/servconf.c	2008-08-23 14:52:19.000000000 -0700
+@@ -111,6 +111,25 @@
+ 	options->num_allow_groups = 0;
+ 	options->num_deny_groups = 0;
+ 	options->ciphers = NULL;
++#ifdef WITH_LDAP_PUBKEY
++ 	/* XXX dirty */
++ 	options->lpk.ld = NULL;
++ 	options->lpk.on = -1;
++ 	options->lpk.servers = NULL;
++ 	options->lpk.u_basedn = NULL;
++ 	options->lpk.g_basedn = NULL;
++ 	options->lpk.binddn = NULL;
++ 	options->lpk.bindpw = NULL;
++ 	options->lpk.sgroup = NULL;
++ 	options->lpk.filter = NULL;
++ 	options->lpk.fgroup = NULL;
++ 	options->lpk.l_conf = NULL;
++ 	options->lpk.tls = -1;
++ 	options->lpk.b_timeout.tv_sec = -1;
++ 	options->lpk.s_timeout.tv_sec = -1;
++ 	options->lpk.flags = FLAG_EMPTY;
++#endif
++
+ 	options->macs = NULL;
+ 	options->protocol = SSH_PROTO_UNKNOWN;
+ 	options->gateway_ports = -1;
+@@ -131,25 +150,6 @@
+ 	options->num_permitted_opens = -1;
+ 	options->adm_forced_command = NULL;
+ 	options->chroot_directory = NULL;
+-#ifdef WITH_LDAP_PUBKEY
+- 	/* XXX dirty */
+- 	options->lpk.ld = NULL;
+- 	options->lpk.on = -1;
+- 	options->lpk.servers = NULL;
+- 	options->lpk.u_basedn = NULL;
+- 	options->lpk.g_basedn = NULL;
+- 	options->lpk.binddn = NULL;
+- 	options->lpk.bindpw = NULL;
+- 	options->lpk.sgroup = NULL;
+- 	options->lpk.filter = NULL;
+- 	options->lpk.fgroup = NULL;
+- 	options->lpk.l_conf = NULL;
+- 	options->lpk.tls = -1;
+- 	options->lpk.b_timeout.tv_sec = -1;
+- 	options->lpk.s_timeout.tv_sec = -1;
+- 	options->lpk.flags = FLAG_EMPTY;
+-#endif
+-
+ }
+ 
+ void

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.1_p1-null-banner.patch

@@ -0,0 +1,35 @@
+apply fixes from upstream for empty banner
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=1496
+http://bugs.gentoo.org/244222
+
+----------------------------
+revision 1.168
+date: 2008/10/03 23:56:28;  author: deraadt;  state: Exp;  lines: +3 -3
+Repair strnvis() buffersize of 4*n+1, with termination gauranteed by the
+function.
+spotted by des@freebsd, who commited an incorrect fix to the freebsd tree
+and (as is fairly typical) did not report the problem to us.  But this fix
+is correct.
+ok djm
+----------------------------
+revision 1.167
+date: 2008/07/31 14:48:28;  author: markus;  state: Exp;  lines: +2 -2
+don't allocate space for empty banners; report t8m at centrum.cz; ok deraadt
+--- src/usr.bin/ssh/sshconnect2.c	2008/07/17 09:48:00	1.166
++++ src/usr.bin/ssh/sshconnect2.c	2008/10/04 00:56:28	1.168
+@@ -377,11 +377,11 @@ input_userauth_banner(int type, u_int32_t seq, void *c
+ 	debug3("input_userauth_banner");
+ 	raw = packet_get_string(&len);
+ 	lang = packet_get_string(NULL);
+-	if (options.log_level >= SYSLOG_LEVEL_INFO) {
++	if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
+ 		if (len > 65536)
+ 			len = 65536;
+-		msg = xmalloc(len * 4); /* max expansion from strnvis() */
+-		strnvis(msg, raw, len * 4, VIS_SAFE|VIS_OCTAL);
++		msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
++		strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL);
+ 		fprintf(stderr, "%s", msg);
+ 		xfree(msg);
+ 	}

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.1_p1-x509-headers.patch

@@ -0,0 +1,14 @@
+need strsep() prototype for 64bit systems
+
+http://bugs.gentoo.org/258795
+
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -54,6 +54,7 @@
+ #endif
+ #include "monitor_wrap.h"
+ #include "ssh-x509.h"
++#include <string.h>
+ #include "misc.h"
+ 
+ /* import */

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.1_p1-x509-hpn-glue.patch

@@ -0,0 +1,96 @@
+Move things around so hpn applies cleanly when using X509.
+
+Forward-Ported-from: files/openssh-4.9_p1-x509-hpn-glue.patch
+Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
+
+diff -Nuar --exclude '*.orig' --exclude '*.rej' openssh-5.1p1+x509/Makefile.in openssh-5.1p1+x509-hpn-glue/Makefile.in
+--- openssh-5.1p1+x509/Makefile.in	2008-08-23 14:12:53.000000000 -0700
++++ openssh-5.1p1+x509-hpn-glue/Makefile.in	2008-08-23 14:13:51.000000000 -0700
+@@ -44,11 +44,12 @@
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
++CPPFLAGS += @LDAP_CPPFLAGS@
+ AR=@AR@
+ AWK=@AWK@
+ RANLIB=@RANLIB@
+diff -Nuar --exclude '*.orig' --exclude '*.rej' openssh-5.1p1+x509/servconf.c openssh-5.1p1+x509-hpn-glue/servconf.c
+--- openssh-5.1p1+x509/servconf.c	2008-08-23 14:12:53.000000000 -0700
++++ openssh-5.1p1+x509-hpn-glue/servconf.c	2008-08-23 14:23:56.000000000 -0700
+@@ -108,6 +108,17 @@
+ 	options->log_level = SYSLOG_LEVEL_NOT_SET;
+ 	options->rhosts_rsa_authentication = -1;
+ 	options->hostbased_authentication = -1;
++	options->hostbased_algorithms = NULL;
++	options->pubkey_algorithms = NULL;
++	ssh_x509flags_initialize(&options->x509flags, 1);
++#ifndef SSH_X509STORE_DISABLED
++	ssh_x509store_initialize(&options->ca);
++#endif /*ndef SSH_X509STORE_DISABLED*/
++#ifdef SSH_OCSP_ENABLED
++	options->va.type = -1;
++	options->va.certificate_file = NULL;
++	options->va.responder_url = NULL;
++#endif /*def SSH_OCSP_ENABLED*/
+ 	options->hostbased_uses_name_from_packet_only = -1;
+ 	options->rsa_authentication = -1;
+ 	options->pubkey_authentication = -1;
+@@ -151,18 +162,6 @@
+ 	options->num_permitted_opens = -1;
+ 	options->adm_forced_command = NULL;
+ 	options->chroot_directory = NULL;
+-
+-	options->hostbased_algorithms = NULL;
+-	options->pubkey_algorithms = NULL;
+-	ssh_x509flags_initialize(&options->x509flags, 1);
+-#ifndef SSH_X509STORE_DISABLED
+-	ssh_x509store_initialize(&options->ca);
+-#endif /*ndef SSH_X509STORE_DISABLED*/
+-#ifdef SSH_OCSP_ENABLED
+-	options->va.type = -1;
+-	options->va.certificate_file = NULL;
+-	options->va.responder_url = NULL;
+-#endif /*def SSH_OCSP_ENABLED*/
+ }
+ 
+ void
+@@ -338,6 +337,16 @@
+ 	/* Portable-specific options */
+ 	sUsePAM,
+ 	/* Standard Options */
++	sHostbasedAlgorithms,
++	sPubkeyAlgorithms,
++	sX509KeyAlgorithm,
++	sAllowedClientCertPurpose,
++	sKeyAllowSelfIssued, sMandatoryCRL,
++	sCACertificateFile, sCACertificatePath,
++	sCARevocationFile, sCARevocationPath,
++	sCAldapVersion, sCAldapURL,
++	sVAType, sVACertificateFile,
++	sVAOCSPResponderURL,
+ 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
+ 	sPermitRootLogin, sLogFacility, sLogLevel,
+ 	sRhostsRSAAuthentication, sRSAAuthentication,
+@@ -360,16 +369,6 @@
+ 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+ 	sUsePrivilegeSeparation, sAllowAgentForwarding,
+-	sHostbasedAlgorithms,
+-	sPubkeyAlgorithms,
+-	sX509KeyAlgorithm,
+-	sAllowedClientCertPurpose,
+-	sKeyAllowSelfIssued, sMandatoryCRL,
+-	sCACertificateFile, sCACertificatePath,
+-	sCARevocationFile, sCARevocationPath,
+-	sCAldapVersion, sCAldapURL,
+-	sVAType, sVACertificateFile,
+-	sVAOCSPResponderURL,
+ 	sDeprecated, sUnsupported
+ } ServerOpCodes;
+ 

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.2_p1-autoconf.patch

@@ -0,0 +1,15 @@
+workaround problems with autoconf-2.63
+
+http://lists.gnu.org/archive/html/autoconf/2009-04/msg00007.html
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -3603,7 +3603,7 @@
+ #include <shadow.h>
+ 	struct spwd sp;
+ 	],[ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ],
+-	[ sp_expire_available=yes ], []
++	[ sp_expire_available=yes ], [:]
+ 	)
+ 
+ 	if test "x$sp_expire_available" = "xyes" ; then

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.2_p1-gsskex-fix.patch

@@ -0,0 +1,16 @@
+--- clientloop.c
++++ clientloop.c
+@@ -1434,11 +1434,13 @@
+ 		if (!rekeying) {
+ 			channel_after_select(readset, writeset);
+ 
++#ifdef GSSAPI
+ 			if (options.gss_renewal_rekey &&
+ 			    ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) {
+ 				debug("credentials updated - forcing rekey");
+ 				need_rekeying = 1;
+ 			}
++#endif
+ 
+ 			if (need_rekeying || packet_need_rekeying()) {
+ 				debug("need rekeying");

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.2_p1-ssh-keysign-readconf.patch

@@ -0,0 +1,15 @@
+fix from newer versions for parallel build failures
+
+http://crosbug.com/31285
+
+--- Makefile.in
++++ Makefile.in
+@@ -149,7 +149,7 @@
+ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
+ 	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ 
+-ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o
++ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o
+ 	$(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ 
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.2_p1-x509-hpn-glue.patch

@@ -0,0 +1,91 @@
+Move things around so hpn applies cleanly when using X509.
+
+--- openssh-5.2p1+x509/Makefile.in
++++ openssh-5.2p1+x509/Makefile.in
+@@ -44,11 +44,12 @@
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
++CPPFLAGS += @LDAP_CPPFLAGS@
+ AR=@AR@
+ AWK=@AWK@
+ RANLIB=@RANLIB@
+--- openssh-5.2p1+x509/servconf.c
++++ openssh-5.2p1+x509/servconf.c
+@@ -108,6 +108,17 @@
+ 	options->log_level = SYSLOG_LEVEL_NOT_SET;
+ 	options->rhosts_rsa_authentication = -1;
+ 	options->hostbased_authentication = -1;
++	options->hostbased_algorithms = NULL;
++	options->pubkey_algorithms = NULL;
++	ssh_x509flags_initialize(&options->x509flags, 1);
++#ifndef SSH_X509STORE_DISABLED
++	ssh_x509store_initialize(&options->ca);
++#endif /*ndef SSH_X509STORE_DISABLED*/
++#ifdef SSH_OCSP_ENABLED
++	options->va.type = -1;
++	options->va.certificate_file = NULL;
++	options->va.responder_url = NULL;
++#endif /*def SSH_OCSP_ENABLED*/
+ 	options->hostbased_uses_name_from_packet_only = -1;
+ 	options->rsa_authentication = -1;
+ 	options->pubkey_authentication = -1;
+@@ -152,18 +163,6 @@
+ 	options->adm_forced_command = NULL;
+ 	options->chroot_directory = NULL;
+ 	options->zero_knowledge_password_authentication = -1;
+-
+-	options->hostbased_algorithms = NULL;
+-	options->pubkey_algorithms = NULL;
+-	ssh_x509flags_initialize(&options->x509flags, 1);
+-#ifndef SSH_X509STORE_DISABLED
+-	ssh_x509store_initialize(&options->ca);
+-#endif /*ndef SSH_X509STORE_DISABLED*/
+-#ifdef SSH_OCSP_ENABLED
+-	options->va.type = -1;
+-	options->va.certificate_file = NULL;
+-	options->va.responder_url = NULL;
+-#endif /*def SSH_OCSP_ENABLED*/
+ }
+ 
+ void
+@@ -341,6 +340,16 @@
+ 	/* Portable-specific options */
+ 	sUsePAM,
+ 	/* Standard Options */
++	sHostbasedAlgorithms,
++	sPubkeyAlgorithms,
++	sX509KeyAlgorithm,
++	sAllowedClientCertPurpose,
++	sKeyAllowSelfIssued, sMandatoryCRL,
++	sCACertificateFile, sCACertificatePath,
++	sCARevocationFile, sCARevocationPath,
++	sCAldapVersion, sCAldapURL,
++	sVAType, sVACertificateFile,
++	sVAOCSPResponderURL,
+ 	sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
+ 	sPermitRootLogin, sLogFacility, sLogLevel,
+ 	sRhostsRSAAuthentication, sRSAAuthentication,
+@@ -364,16 +373,6 @@
+ 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+ 	sUsePrivilegeSeparation, sAllowAgentForwarding,
+ 	sZeroKnowledgePasswordAuthentication,
+-	sHostbasedAlgorithms,
+-	sPubkeyAlgorithms,
+-	sX509KeyAlgorithm,
+-	sAllowedClientCertPurpose,
+-	sKeyAllowSelfIssued, sMandatoryCRL,
+-	sCACertificateFile, sCACertificatePath,
+-	sCARevocationFile, sCARevocationPath,
+-	sCAldapVersion, sCAldapURL,
+-	sVAType, sVACertificateFile,
+-	sVAOCSPResponderURL,
+ 	sDeprecated, sUnsupported
+ } ServerOpCodes;
+ 

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.2p1-ldap-stdargs.diff

@@ -0,0 +1,10 @@
+--- ldapauth.c.orig	2009-04-18 18:06:38.000000000 +0200
++++ ldapauth.c	2009-04-18 18:06:11.000000000 +0200
+@@ -31,6 +31,7 @@
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <string.h>
++#include <stdarg.h>
+ 
+ #include "ldapauth.h"
+ #include "log.h"

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.3_p1-pkcs11-hpn-glue.patch

@@ -0,0 +1,15 @@
+diff -Nuar openssh-5.3p1/Makefile.in openssh-5.3p1.pkcs-hpn-glue/Makefile.in
+--- openssh-5.3p1/Makefile.in	2009-10-10 22:52:10.081356354 -0700
++++ openssh-5.3p1.pkcs-hpn-glue/Makefile.in	2009-10-10 22:55:47.158418049 -0700
+@@ -64,10 +64,10 @@
+ 
+ LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
+ 	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
+-	pkcs11.o \
+ 	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
+ 	compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
+ 	log.o match.o md-sha256.o moduli.o nchan.o packet.o \
++	pkcs11.o \
+ 	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
+ 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
+ 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.4_p1-openssl.patch

@@ -0,0 +1,12 @@
+pull in openssl/conf.h for OPENSSL_config() prototype
+
+--- openbsd-compat/openssl-compat.c
++++ openbsd-compat/openssl-compat.c
+@@ -59,6 +59,7 @@
+ #endif
+ 
+ #ifdef	USE_OPENSSL_ENGINE
++#include <openssl/conf.h>
+ void
+ ssh_SSLeay_add_all_algorithms(void)
+ {

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.6_p1-hpn-progressmeter.patch

@@ -0,0 +1,15 @@
+don't go reading random stack values
+
+already e-mailed to upstream hpn devs
+
+--- progressmeter.c
++++ progressmeter.c
+@@ -183,7 +183,7 @@
+ 	else
+ 		percent = 100;
+ 
+-	snprintf(buf + strlen(buf), win_size - strlen(buf-8),
++	snprintf(buf + strlen(buf), win_size - strlen(buf) - 8,
+ 	    " %3d%% ", percent);
+ 
+ 	/* amount transferred */

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.6_p1-x509-hpn-glue.patch

@@ -0,0 +1,60 @@
+Move things around so hpn applies cleanly when using X509.
+
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -46,11 +46,12 @@
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
++CPPFLAGS+=@LDAP_CPPFLAGS@
+ AR=@AR@
+ AWK=@AWK@
+ RANLIB=@RANLIB@
+--- a/servconf.c
++++ b/servconf.c
+@@ -153,9 +153,6 @@ initialize_server_options(ServerOptions *options)
+ 	options->adm_forced_command = NULL;
+ 	options->chroot_directory = NULL;
+ 	options->zero_knowledge_password_authentication = -1;
+-	options->revoked_keys_file = NULL;
+-	options->trusted_user_ca_keys = NULL;
+-	options->authorized_principals_file = NULL;
+ 
+ 	options->hostbased_algorithms = NULL;
+ 	options->pubkey_algorithms = NULL;
+@@ -168,6 +165,9 @@ initialize_server_options(ServerOptions *options)
+ 	options->va.certificate_file = NULL;
+ 	options->va.responder_url = NULL;
+ #endif /*def SSH_OCSP_ENABLED*/
++	options->revoked_keys_file = NULL;
++	options->trusted_user_ca_keys = NULL;
++	options->authorized_principals_file = NULL;
+ }
+ 
+ void
+@@ -367,9 +367,6 @@ typedef enum {
+ 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
+ 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+-	sUsePrivilegeSeparation, sAllowAgentForwarding,
+-	sZeroKnowledgePasswordAuthentication, sHostCertificate,
+-	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+ 	sHostbasedAlgorithms,
+ 	sPubkeyAlgorithms,
+ 	sX509KeyAlgorithm,
+@@ -380,6 +377,9 @@ typedef enum {
+ 	sCAldapVersion, sCAldapURL,
+ 	sVAType, sVACertificateFile,
+ 	sVAOCSPResponderURL,
++	sUsePrivilegeSeparation, sAllowAgentForwarding,
++	sZeroKnowledgePasswordAuthentication, sHostCertificate,
++	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+ 	sDeprecated, sUnsupported
+ } ServerOpCodes;
+ 

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.7_p1-x509-hpn-glue.patch

@@ -0,0 +1,60 @@
+Move things around so hpn applies cleanly when using X509.
+
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -46,11 +46,12 @@
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
++CPPFLAGS+=@LDAP_CPPFLAGS@
+ AR=@AR@
+ AWK=@AWK@
+ RANLIB=@RANLIB@
+--- a/servconf.c
++++ b/servconf.c
+@@ -153,9 +153,6 @@ initialize_server_options(ServerOptions *options)
+ 	options->zero_knowledge_password_authentication = -1;
+ 	options->revoked_keys_file = NULL;
+ 	options->trusted_user_ca_keys = NULL;
+-	options->authorized_principals_file = NULL;
+-	options->ip_qos_interactive = -1;
+-	options->ip_qos_bulk = -1;
+ 
+ 	options->hostbased_algorithms = NULL;
+ 	options->pubkey_algorithms = NULL;
+@@ -168,6 +165,9 @@ initialize_server_options(ServerOptions *options)
+ 	options->va.certificate_file = NULL;
+ 	options->va.responder_url = NULL;
+ #endif /*def SSH_OCSP_ENABLED*/
++	options->authorized_principals_file = NULL;
++	options->ip_qos_interactive = -1;
++	options->ip_qos_bulk = -1;
+ }
+ 
+ void
+@@ -367,9 +367,6 @@ typedef enum {
+ 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+ 	sUsePrivilegeSeparation, sAllowAgentForwarding,
+-	sZeroKnowledgePasswordAuthentication, sHostCertificate,
+-	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+-	sKexAlgorithms, sIPQoS,
+ 	sHostbasedAlgorithms,
+ 	sPubkeyAlgorithms,
+ 	sX509KeyAlgorithm,
+@@ -380,6 +377,9 @@ typedef enum {
+ 	sCAldapVersion, sCAldapURL,
+ 	sVAType, sVACertificateFile,
+ 	sVAOCSPResponderURL,
++	sZeroKnowledgePasswordAuthentication, sHostCertificate,
++	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
++	sKexAlgorithms, sIPQoS,
+ 	sDeprecated, sUnsupported
+ } ServerOpCodes;
+ 

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.8_p1-selinux.patch

@@ -0,0 +1,18 @@
+http://bugs.gentoo.org/354247
+
+[openbsd-compat/port-linux.c] Bug #1851: fix syntax error in
+	selinux code.  Patch from Leonardo Chiquitto.
+
+/* $Id: openssh-5.8_p1-selinux.patch,v 1.1 2011/02/10 02:44:53 vapier Exp $ */
+
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -213,7 +213,7 @@
+ 
+ 	if (!ssh_selinux_enabled())
+ 		return;
+-	if (path == NULL)
++	if (path == NULL) {
+ 		setfscreatecon(NULL);
+ 		return;
+ 	}

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.8_p1-x509-hpn-glue.patch

@@ -0,0 +1,61 @@
+Move things around so hpn applies cleanly when using X509.
+
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -46,12 +46,13 @@
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ SSHLIBS=@SSHLIBS@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
++CPPFLAGS+=@LDAP_CPPFLAGS@
+ AR=@AR@
+ AWK=@AWK@
+ RANLIB=@RANLIB@
+--- a/servconf.c
++++ b/servconf.c
+@@ -153,9 +153,6 @@ initialize_server_options(ServerOptions *options)
+ 	options->zero_knowledge_password_authentication = -1;
+ 	options->revoked_keys_file = NULL;
+ 	options->trusted_user_ca_keys = NULL;
+-	options->authorized_principals_file = NULL;
+-	options->ip_qos_interactive = -1;
+-	options->ip_qos_bulk = -1;
+ 
+ 	options->hostbased_algorithms = NULL;
+ 	options->pubkey_algorithms = NULL;
+@@ -168,6 +165,9 @@ initialize_server_options(ServerOptions *options)
+ 	options->va.certificate_file = NULL;
+ 	options->va.responder_url = NULL;
+ #endif /*def SSH_OCSP_ENABLED*/
++	options->authorized_principals_file = NULL;
++	options->ip_qos_interactive = -1;
++	options->ip_qos_bulk = -1;
+ }
+ 
+ void
+@@ -367,9 +367,6 @@ typedef enum {
+ 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+ 	sUsePrivilegeSeparation, sAllowAgentForwarding,
+-	sZeroKnowledgePasswordAuthentication, sHostCertificate,
+-	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+-	sKexAlgorithms, sIPQoS,
+ 	sHostbasedAlgorithms,
+ 	sPubkeyAlgorithms,
+ 	sX509KeyAlgorithm,
+@@ -380,6 +377,9 @@ typedef enum {
+ 	sCAldapVersion, sCAldapURL,
+ 	sVAType, sVACertificateFile,
+ 	sVAOCSPResponderURL,
++	sZeroKnowledgePasswordAuthentication, sHostCertificate,
++	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
++	sKexAlgorithms, sIPQoS,
+ 	sDeprecated, sUnsupported
+ } ServerOpCodes;
+ 

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.9_p1-drop-openssl-check.patch

@@ -0,0 +1,25 @@
+newer versions of openssl have started to be compatible across minor versions
+too, so this sanity check fails.  since we already handle compatibility with
+openssl via SONAME checks, we don't need this openssh check at all.
+
+http://marc.info/?l=openssl-dev&m=133176786215023&w=2
+
+--- a/entropy.c
++++ b/entropy.c
+@@ -208,16 +208,7 @@ seed_rng(void)
+ {
+ #ifndef OPENSSL_PRNG_ONLY
+ 	unsigned char buf[RANDOM_SEED_SIZE];
+-#endif
+-	/*
+-	 * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
+-	 * We match major, minor, fix and status (not patch)
+-	 */
+-	if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L)
+-		fatal("OpenSSL version mismatch. Built against %lx, you "
+-		    "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+ 
+-#ifndef OPENSSL_PRNG_ONLY
+ 	if (RAND_status() == 1) {
+ 		debug3("RNG is ready, skipping seeding");
+ 		return;

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch

@@ -0,0 +1,184 @@
+Index: gss-serv.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/gss-serv.c,v
+retrieving revision 1.22
+diff -u -p -r1.22 gss-serv.c
+--- gss-serv.c	8 May 2008 12:02:23 -0000	1.22
++++ gss-serv.c	11 Jan 2010 05:38:29 -0000
+@@ -41,9 +41,12 @@
+ #include "channels.h"
+ #include "session.h"
+ #include "misc.h"
++#include "servconf.h"
+ 
+ #include "ssh-gss.h"
+ 
++extern ServerOptions options;
++
+ static ssh_gssapi_client gssapi_client =
+     { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
+     GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
+@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
+ 	char lname[MAXHOSTNAMELEN];
+ 	gss_OID_set oidset;
+ 
+-	gss_create_empty_oid_set(&status, &oidset);
+-	gss_add_oid_set_member(&status, ctx->oid, &oidset);
+-
+-	if (gethostname(lname, MAXHOSTNAMELEN)) {
+-		gss_release_oid_set(&status, &oidset);
+-		return (-1);
+-	}
++	if (options.gss_strict_acceptor) {
++		gss_create_empty_oid_set(&status, &oidset);
++		gss_add_oid_set_member(&status, ctx->oid, &oidset);
++
++		if (gethostname(lname, MAXHOSTNAMELEN)) {
++			gss_release_oid_set(&status, &oidset);
++			return (-1);
++		}
++
++		if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
++			gss_release_oid_set(&status, &oidset);
++			return (ctx->major);
++		}
++
++		if ((ctx->major = gss_acquire_cred(&ctx->minor,
++		    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
++		    NULL, NULL)))
++			ssh_gssapi_error(ctx);
+ 
+-	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+ 		gss_release_oid_set(&status, &oidset);
+ 		return (ctx->major);
++	} else {
++		ctx->name = GSS_C_NO_NAME;
++		ctx->creds = GSS_C_NO_CREDENTIAL;
+ 	}
+-
+-	if ((ctx->major = gss_acquire_cred(&ctx->minor,
+-	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
+-		ssh_gssapi_error(ctx);
+-
+-	gss_release_oid_set(&status, &oidset);
+-	return (ctx->major);
++	return GSS_S_COMPLETE;
+ }
+ 
+ /* Privileged */
+Index: servconf.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
+retrieving revision 1.201
+diff -u -p -r1.201 servconf.c
+--- servconf.c	10 Jan 2010 03:51:17 -0000	1.201
++++ servconf.c	11 Jan 2010 05:34:56 -0000
+@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions 
+ 	options->kerberos_get_afs_token = -1;
+ 	options->gss_authentication=-1;
+ 	options->gss_cleanup_creds = -1;
++	options->gss_strict_acceptor = -1;
+ 	options->password_authentication = -1;
+ 	options->kbd_interactive_authentication = -1;
+ 	options->challenge_response_authentication = -1;
+@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
+ 		options->gss_authentication = 0;
+ 	if (options->gss_cleanup_creds == -1)
+ 		options->gss_cleanup_creds = 1;
++	if (options->gss_strict_acceptor == -1)
++		options->gss_strict_acceptor = 0;
+ 	if (options->password_authentication == -1)
+ 		options->password_authentication = 1;
+ 	if (options->kbd_interactive_authentication == -1)
+@@ -277,7 +280,8 @@ typedef enum {
+ 	sBanner, sUseDNS, sHostbasedAuthentication,
+ 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
+ 	sClientAliveCountMax, sAuthorizedKeysFile,
+-	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
++	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
++	sAcceptEnv, sPermitTunnel,
+ 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+ 	sUsePrivilegeSeparation, sAllowAgentForwarding,
+ 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
+@@ -327,9 +331,11 @@ static struct {
+ #ifdef GSSAPI
+ 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+ 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
++	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ #else
+ 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
++	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ #endif
+ 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
+ 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
+@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
+ 
+ 	case sGssCleanupCreds:
+ 		intptr = &options->gss_cleanup_creds;
++		goto parse_flag;
++
++	case sGssStrictAcceptor:
++		intptr = &options->gss_strict_acceptor;
+ 		goto parse_flag;
+ 
+ 	case sPasswordAuthentication:
+Index: servconf.h
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
+retrieving revision 1.89
+diff -u -p -r1.89 servconf.h
+--- servconf.h	9 Jan 2010 23:04:13 -0000	1.89
++++ servconf.h	11 Jan 2010 05:32:28 -0000
+@@ -92,6 +92,7 @@ typedef struct {
+ 						 * authenticated with Kerberos. */
+ 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
+ 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
++	int 	gss_strict_acceptor;	/* If true, restrict the GSSAPI acceptor name */
+ 	int     password_authentication;	/* If true, permit password
+ 						 * authentication. */
+ 	int     kbd_interactive_authentication;	/* If true, permit */
+Index: sshd_config
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/sshd_config,v
+retrieving revision 1.81
+diff -u -p -r1.81 sshd_config
+--- sshd_config	8 Oct 2009 14:03:41 -0000	1.81
++++ sshd_config	11 Jan 2010 05:32:28 -0000
+@@ -69,6 +69,7 @@
+ # GSSAPI options
+ #GSSAPIAuthentication no
+ #GSSAPICleanupCredentials yes
++#GSSAPIStrictAcceptorCheck yes
+ 
+ # Set this to 'yes' to enable PAM authentication, account processing, 
+ # and session processing. If this is enabled, PAM authentication will 
+Index: sshd_config.5
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
+retrieving revision 1.116
+diff -u -p -r1.116 sshd_config.5
+--- sshd_config.5	9 Jan 2010 23:04:13 -0000	1.116
++++ sshd_config.5	11 Jan 2010 05:37:20 -0000
+@@ -386,6 +386,21 @@ on logout.
+ The default is
+ .Dq yes .
+ Note that this option applies to protocol version 2 only.
++.It Cm GSSAPIStrictAcceptorCheck
++Determines whether to be strict about the identity of the GSSAPI acceptor
++a client authenticates against.
++If set to
++.Dq yes
++then the client must authenticate against the
++.Pa host
++service on the current hostname.
++If set to
++.Dq no
++then the client may authenticate against any service key stored in the
++machine's default store.
++This facility is provided to assist with operation on multi homed machines.
++The default is
++.Dq yes .
+ .It Cm HostbasedAuthentication
+ Specifies whether rhosts or /etc/hosts.equiv authentication together
+ with successful public key client host authentication is allowed

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-5.9_p1-x509-glue.patch

@@ -0,0 +1,15 @@
+make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch
+
+--- openssh-5.9p1+x509-7.0.diff
++++ openssh-5.9p1+x509-7.0.diff
+@@ -11995,9 +11995,9 @@
+  Specifies whether challenge-response authentication is allowed (e.g. via
+  PAM or though authentication styles supported in
+ @@ -430,6 +507,16 @@
++ This facility is provided to assist with operation on multi homed machines.
+  The default is
+  .Dq yes .
+- Note that this option applies to protocol version 2 only.
+ +.It Cm HostbasedAlgorithms
+ +Specifies the protocol version 2 algorithms used in
+ +.Dq hostbased

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-6.0_p1-fix-freebsd-compilation.patch

@@ -0,0 +1,15 @@
+diff --git a/configure.ac b/configure.ac
+index 2b60300..21b6112 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -725,6 +725,10 @@ mips-sony-bsd|mips-sony-newsos4)
+ 	AC_CHECK_HEADER([net/if_tap.h], ,
+ 	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
+ 	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
++	AC_DEFINE([DISABLE_UTMP], [1],
++		[Define if you don't want to use utmp])
++	AC_DEFINE([DISABLE_WTMP], [1],
++		[Define if you don't want to use wtmp])
+ 	;;
+ *-*-bsdi*)
+ 	AC_DEFINE([SETEUID_BREAKS_SETUID])

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-6.0_p1-hpn-progressmeter.patch

@@ -0,0 +1,15 @@
+don't go reading random stack values
+
+already e-mailed to upstream hpn devs
+
+--- progressmeter.c
++++ progressmeter.c
+@@ -183,7 +183,7 @@
+ 		percent = ((float)cur_pos / end_pos) * 100;
+ 	else
+ 		percent = 100;
+-	snprintf(buf + strlen(buf), win_size - strlen(buf-8),
++	snprintf(buf + strlen(buf), win_size - strlen(buf) - 8,
+ 	    " %3d%% ", percent);
+ 
+ 	/* amount transferred */

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-6.0_p1-test.patch

@@ -0,0 +1,19 @@
+changeset:   10701:b159befd3104
+tag:         tip
+user:        Mike Frysinger <vapier@gentoo.org>
+date:        Sun Apr 29 00:26:33 2012 -0400
+summary:     use = with `test`, not ==
+
+diff -r d8a3ea854288 -r b159befd3104 configure.ac
+--- a/configure.ac	Fri Apr 27 00:55:42 2012 +0000
++++ b/configure.ac	Sun Apr 29 00:26:33 2012 -0400
+@@ -2591,7 +2591,7 @@
+ 	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
+ elif test "x$sandbox_arg" = "xseccomp_filter" || \
+      ( test -z "$sandbox_arg" && \
+-       test "x$have_seccomp_filter" == "x1" && \
++       test "x$have_seccomp_filter" = "x1" && \
+        test "x$ac_cv_header_linux_audit_h" = "xyes" && \
+        test "x$have_seccomp_audit_arch" = "x1" && \
+        test "x$have_linux_no_new_privs" = "x1" && \
+

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-6.0_p1-x509-glue.patch

@@ -0,0 +1,15 @@
+make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch
+
+--- openssh-6.0p1+x509-7.1.diff
++++ openssh-6.0p1+x509-7.1.diff
+@@ -13502,9 +13502,9 @@
+  Specifies whether challenge-response authentication is allowed (e.g. via
+  PAM or though authentication styles supported in
+ @@ -430,6 +507,16 @@
++ This facility is provided to assist with operation on multi homed machines.
+  The default is
+  .Dq yes .
+- Note that this option applies to protocol version 2 only.
+ +.It Cm HostbasedAlgorithms
+ +Specifies the protocol version 2 algorithms used in
+ +.Dq hostbased

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-6.0_p1-x509-hpn-glue.patch

@@ -0,0 +1,57 @@
+diff --git a/Makefile.in b/Makefile.in
+index ecb45cd..7834fb1 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -45,12 +45,13 @@ FIPSLD_CC=@FIPSLD_CC@
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ SSHLIBS=@SSHLIBS@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
++CPPFLAGS+=@LDAP_CPPFLAGS@
+ AR=@AR@
+ AWK=@AWK@
+ RANLIB=@RANLIB@
+diff --git a/sshconnect.c b/sshconnect.c
+index 19a2b06..dd75f78 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -580,7 +580,7 @@ ssh_exchange_identification(int timeout_ms)
+ 	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s",
+ 	    compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
+ 	    compat20 ? PROTOCOL_MINOR_2 : minor1,
+-	    SSH_VERSION, compat20 ? " PKIX\r\n" : "\n");
++	    SSH_VERSION, compat20 ? "\r\n" : "\n");
+ 	if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf))
+ 	    != strlen(buf))
+ 		fatal("write: %.100s", strerror(errno));
+diff --git a/sshd.c b/sshd.c
+index a5c437d..a1105a0 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -428,8 +428,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
+ 		minor = PROTOCOL_MINOR_1;
+ 		comment = "";
+ 	}
+-	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s%s", major, minor,
+-	    SSH_VERSION, comment, newline);
++	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
++	    SSH_VERSION, newline);
+ 	server_version_string = xstrdup(buf);
+ 
+ 	/* Send our protocol version identification. */
+diff --git a/version.h b/version.h
+index 78983d9..ec1746d 100644
+--- a/version.h
++++ b/version.h
+@@ -3,4 +3,5 @@
+ #define SSH_VERSION	"OpenSSH_6.0"
+ 
+ #define SSH_PORTABLE	"p1"
++#define SSH_X509	" PKIX"
+ #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-6.1_p1-x509-glue.patch

@@ -0,0 +1,15 @@
+make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch
+
+--- openssh-6.1p1+x509-7.2.1.diff
++++ openssh-6.1p1+x509-7.2.1.diff
+@@ -13502,9 +13502,9 @@
+  Specifies whether challenge-response authentication is allowed (e.g. via
+  PAM or though authentication styles supported in
+ @@ -432,6 +509,16 @@
++ This facility is provided to assist with operation on multi homed machines.
+  The default is
+  .Dq yes .
+- Note that this option applies to protocol version 2 only.
+ +.It Cm HostbasedAlgorithms
+ +Specifies the protocol version 2 algorithms used in
+ +.Dq hostbased

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-6.1_p1-x509-hpn-glue.patch

@@ -0,0 +1,49 @@
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -45,12 +45,13 @@ FIPSLD_CC=@FIPSLD_CC@
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ SSHLIBS=@SSHLIBS@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
++CPPFLAGS+=@LDAP_CPPFLAGS@
+ AR=@AR@
+ AWK=@AWK@
+ RANLIB=@RANLIB@
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -580,7 +580,7 @@ ssh_exchange_identification(int timeout_ms)
+ 	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s",
+ 	    compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
+ 	    compat20 ? PROTOCOL_MINOR_2 : minor1,
+-	    SSH_VERSION, compat20 ? " PKIX\r\n" : "\n");
++	    SSH_VERSION, compat20 ? "\r\n" : "\n");
+ 	if (roaming_atomicio(vwrite, connection_out, buf, strlen(buf))
+ 	    != strlen(buf))
+ 		fatal("write: %.100s", strerror(errno));
+--- a/sshd.c
++++ b/sshd.c
+@@ -428,8 +428,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
+ 		comment = "";
+ 	}
+ 
+-	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
++	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+-	    major, minor, SSH_VERSION, comment,
++	    major, minor, SSH_VERSION,
+ 	    *options.version_addendum == '\0' ? "" : " ",
+ 	    options.version_addendum, newline);
+ 
+--- a/version.h
++++ b/version.h
+@@ -3,4 +3,5 @@
+ #define SSH_VERSION	"OpenSSH_6.0"
+ 
+ #define SSH_PORTABLE	"p1"
++#define SSH_X509	" PKIX"
+ #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/sshd.confd

@@ -0,0 +1,21 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="/var/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="/usr/sbin/sshd"

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/sshd.pam

@@ -0,0 +1,9 @@
+#%PAM-1.0
+
+auth       required	pam_stack.so service=system-auth
+auth       required     pam_shells.so
+auth	   required	pam_nologin.so
+account    required	pam_stack.so service=system-auth
+password   required	pam_stack.so service=system-auth
+session	   required	pam_stack.so service=system-auth
+

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/sshd.pam_include.2

@@ -0,0 +1,4 @@
+auth       include	system-remote-login
+account    include	system-remote-login
+password   include	system-remote-login
+session	   include	system-remote-login

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/sshd.rc6

@@ -0,0 +1,82 @@
+#!/sbin/runscript
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6,v 1.28 2011/12/04 10:08:19 swegener Exp $
+
+extra_commands="checkconfig gen_keys"
+extra_started_commands="reload"
+
+depend() {
+	use logger dns
+	need net
+}
+
+SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh}
+SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid}
+SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd}
+
+checkconfig() {
+	if [ ! -d /var/empty ] ; then
+		mkdir -p /var/empty || return 1
+	fi
+
+	if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then
+		eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd"
+		eerror "There is a sample file in /usr/share/doc/openssh"
+		return 1
+	fi
+
+	gen_keys || return 1
+
+	"${SSHD_BINARY}" -t ${myopts} || return 1
+}
+
+gen_keys() {
+	if [ ! -e "${SSHD_CONFDIR}"/ssh_host_key ] ; then
+		einfo "Generating Hostkey..."
+		/usr/bin/ssh-keygen -t rsa1 -f "${SSHD_CONFDIR}"/ssh_host_key -N '' || return 1
+	fi
+	if [ ! -e "${SSHD_CONFDIR}"/ssh_host_dsa_key ] ; then
+		einfo "Generating DSA-Hostkey..."
+		/usr/bin/ssh-keygen -d -f "${SSHD_CONFDIR}"/ssh_host_dsa_key -N '' || return 1
+	fi
+	if [ ! -e "${SSHD_CONFDIR}"/ssh_host_rsa_key ] ; then
+		einfo "Generating RSA-Hostkey..."
+		/usr/bin/ssh-keygen -t rsa -f "${SSHD_CONFDIR}"/ssh_host_rsa_key -N '' || return 1
+	fi
+	return 0
+}
+
+start() {
+	local myopts=""
+	[ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
+		&& myopts="${myopts} -o PidFile=${SSHD_PIDFILE}"
+	[ "${SSHD_CONFDIR}" != "/etc/ssh" ] \
+		&& myopts="${myopts} -f ${SSHD_CONFDIR}/sshd_config"
+
+	checkconfig || return 1
+	ebegin "Starting ${SVCNAME}"
+	start-stop-daemon --start --exec "${SSHD_BINARY}" \
+	    --pidfile "${SSHD_PIDFILE}" \
+	    -- ${myopts} ${SSHD_OPTS}
+	eend $?
+}
+
+stop() {
+	if [ "${RC_CMD}" = "restart" ] ; then
+		checkconfig || return 1
+	fi
+
+	ebegin "Stopping ${SVCNAME}"
+	start-stop-daemon --stop --exec "${SSHD_BINARY}" \
+	    --pidfile "${SSHD_PIDFILE}" --quiet
+	eend $?
+}
+
+reload() {
+	checkconfig || return 1
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --stop --signal HUP --oknodo \
+	    --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
+	eend $?
+}

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/sshd.rc6.1

@@ -0,0 +1,83 @@
+#!/sbin/runscript
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.1,v 1.2 2011/12/04 10:08:19 swegener Exp $
+
+extra_commands="checkconfig gen_keys"
+extra_started_commands="reload"
+
+depend() {
+	use logger dns
+	need net
+}
+
+SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh}
+SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid}
+SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd}
+
+checkconfig() {
+	if [ ! -d /var/empty ] ; then
+		mkdir -p /var/empty || return 1
+	fi
+
+	if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then
+		eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd"
+		eerror "There is a sample file in /usr/share/doc/openssh"
+		return 1
+	fi
+
+	gen_keys || return 1
+
+	"${SSHD_BINARY}" -t ${myopts} || return 1
+}
+
+gen_keys() {
+	if [ ! -e "${SSHD_CONFDIR}"/ssh_host_key ] && \
+	   egrep -q '^[ \t]*Protocol[ \t]+.*1' "${SSHD_CONFDIR}"/sshd_config ; then
+		einfo "Generating RSA1-Hostkey..."
+		/usr/bin/ssh-keygen -t rsa1 -f "${SSHD_CONFDIR}"/ssh_host_key -N '' || return 1
+	fi
+	if [ ! -e "${SSHD_CONFDIR}"/ssh_host_dsa_key ] ; then
+		einfo "Generating DSA-Hostkey..."
+		/usr/bin/ssh-keygen -d -f "${SSHD_CONFDIR}"/ssh_host_dsa_key -N '' || return 1
+	fi
+	if [ ! -e "${SSHD_CONFDIR}"/ssh_host_rsa_key ] ; then
+		einfo "Generating RSA-Hostkey..."
+		/usr/bin/ssh-keygen -t rsa -f "${SSHD_CONFDIR}"/ssh_host_rsa_key -N '' || return 1
+	fi
+	return 0
+}
+
+start() {
+	local myopts=""
+	[ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
+		&& myopts="${myopts} -o PidFile=${SSHD_PIDFILE}"
+	[ "${SSHD_CONFDIR}" != "/etc/ssh" ] \
+		&& myopts="${myopts} -f ${SSHD_CONFDIR}/sshd_config"
+
+	checkconfig || return 1
+	ebegin "Starting ${SVCNAME}"
+	start-stop-daemon --start --exec "${SSHD_BINARY}" \
+	    --pidfile "${SSHD_PIDFILE}" \
+	    -- ${myopts} ${SSHD_OPTS}
+	eend $?
+}
+
+stop() {
+	if [ "${RC_CMD}" = "restart" ] ; then
+		checkconfig || return 1
+	fi
+
+	ebegin "Stopping ${SVCNAME}"
+	start-stop-daemon --stop --exec "${SSHD_BINARY}" \
+	    --pidfile "${SSHD_PIDFILE}" --quiet
+	eend $?
+}
+
+reload() {
+	checkconfig || return 1
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --stop --signal HUP --oknodo \
+	    --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
+	eend $?
+}

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/sshd.rc6.2

@@ -0,0 +1,85 @@
+#!/sbin/runscript
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.2,v 1.3 2011/12/04 10:08:19 swegener Exp $
+
+extra_commands="checkconfig gen_keys"
+extra_started_commands="reload"
+
+depend() {
+	use logger dns
+	need net
+}
+
+SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh}
+SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid}
+SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd}
+
+checkconfig() {
+	if [ ! -d /var/empty ] ; then
+		mkdir -p /var/empty || return 1
+	fi
+
+	if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then
+		eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd"
+		eerror "There is a sample file in /usr/share/doc/openssh"
+		return 1
+	fi
+
+	gen_keys || return 1
+
+	[ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
+		&& SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}"
+	[ "${SSHD_CONFDIR}" != "/etc/ssh" ] \
+		&& SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFDIR}/sshd_config"
+
+	"${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1
+}
+
+gen_key() {
+	local type=$1 key ks
+	[ $# -eq 1 ] && ks="${type}_"
+	key="${SSHD_CONFDIR}/ssh_host_${ks}key"
+	if [ ! -e "${key}" ] ; then
+		ebegin "Generating ${type} host key"
+		ssh-keygen -t ${type} -f "${key}" -N ''
+		eend $? || return $?
+	fi
+}
+
+gen_keys() {
+	if egrep -q '^[[:space:]]*Protocol[[:space:]]+.*1' "${SSHD_CONFDIR}"/sshd_config ; then
+		gen_key rsa1 "" || return 1
+	fi
+	gen_key dsa && gen_key rsa && gen_key ecdsa
+	return $?
+}
+
+start() {
+	checkconfig || return 1
+
+	ebegin "Starting ${SVCNAME}"
+	start-stop-daemon --start --exec "${SSHD_BINARY}" \
+	    --pidfile "${SSHD_PIDFILE}" \
+	    -- ${SSHD_OPTS}
+	eend $?
+}
+
+stop() {
+	if [ "${RC_CMD}" = "restart" ] ; then
+		checkconfig || return 1
+	fi
+
+	ebegin "Stopping ${SVCNAME}"
+	start-stop-daemon --stop --exec "${SSHD_BINARY}" \
+	    --pidfile "${SSHD_PIDFILE}" --quiet
+	eend $?
+}
+
+reload() {
+	checkconfig || return 1
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --stop --signal HUP --oknodo \
+	    --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
+	eend $?
+}

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/sshd.rc6.3

@@ -0,0 +1,85 @@
+#!/sbin/runscript
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.3,v 1.2 2011/09/14 21:46:19 polynomial-c Exp $
+
+extra_commands="checkconfig gen_keys"
+extra_started_commands="reload"
+
+depend() {
+	use logger dns
+	need net
+}
+
+SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh}
+SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid}
+SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd}
+
+checkconfig() {
+	if [ ! -d /var/empty ] ; then
+		mkdir -p /var/empty || return 1
+	fi
+
+	if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then
+		eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd"
+		eerror "There is a sample file in /usr/share/doc/openssh"
+		return 1
+	fi
+
+	gen_keys || return 1
+
+	[ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
+		&& SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}"
+	[ "${SSHD_CONFDIR}" != "/etc/ssh" ] \
+		&& SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFDIR}/sshd_config"
+
+	"${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1
+}
+
+gen_key() {
+	local type=$1 key ks
+	[ $# -eq 1 ] && ks="${type}_"
+	key="${SSHD_CONFDIR}/ssh_host_${ks}key"
+	if [ ! -e "${key}" ] ; then
+		ebegin "Generating ${type} host key"
+		ssh-keygen -t ${type} -f "${key}" -N ''
+		eend $? || return $?
+	fi
+}
+
+gen_keys() {
+	if egrep -q '^[[:space:]]*Protocol[[:space:]]+.*1' "${SSHD_CONFDIR}"/sshd_config ; then
+		gen_key rsa1 "" || return 1
+	fi
+	gen_key dsa && gen_key rsa && gen_key ecdsa
+	return $?
+}
+
+start() {
+	checkconfig || return 1
+
+	ebegin "Starting ${SVCNAME}"
+	start-stop-daemon --start --exec "${SSHD_BINARY}" \
+	    --pidfile "${SSHD_PIDFILE}" \
+	    -- ${SSHD_OPTS}
+	eend $?
+}
+
+stop() {
+	if [ "${RC_CMD}" = "restart" ] ; then
+		checkconfig || return 1
+	fi
+
+	ebegin "Stopping ${SVCNAME}"
+	start-stop-daemon --stop --exec "${SSHD_BINARY}" \
+	    --pidfile "${SSHD_PIDFILE}" --quiet
+	eend $?
+}
+
+reload() {
+	checkconfig || return 1
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --signal HUP \
+	    --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
+	eend $?
+}

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/sshd.rc6.4

@@ -0,0 +1,106 @@
+#!/sbin/runscript
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.4,v 1.2 2012/11/28 01:07:04 robbat2 Exp $
+
+extra_commands="checkconfig gen_keys"
+extra_started_commands="reload"
+
+SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh}
+SSHD_CONFIG=${SSHD_CONFIG:-${SSHD_CONFDIR}/sshd_config}
+SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid}
+SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd}
+
+depend() {
+	use logger dns
+	if [ "${rc_need+set}" = "set" ]; then
+		: # Do nothing, the user has explicitly set rc_need
+	else
+		warn_addr=''
+		for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
+			case "$x" in
+				0.0.0.0|0.0.0.0:*) ;;
+				::|\[::\]*) ;;
+				*) warn_addr="${warn_addr} $x" ;;
+			esac
+		done
+		unset x
+		if [ "${warn_addr:+set}" = "set" ]; then
+			need net 
+			ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
+			ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd"
+			ewarn "where FOO is the interface(s) providing the following address(es):"
+			ewarn "${warn_addr}"
+		fi
+		unset warn_addr
+	fi
+}
+
+checkconfig() {
+	if [ ! -d /var/empty ] ; then
+		mkdir -p /var/empty || return 1
+	fi
+
+	if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then
+		eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd"
+		eerror "There is a sample file in /usr/share/doc/openssh"
+		return 1
+	fi
+
+	gen_keys || return 1
+
+	[ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
+		&& SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}"
+	[ "${SSHD_CONFDIR}" != "/etc/ssh" ] \
+		&& SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFDIR}/sshd_config"
+
+	"${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1
+}
+
+gen_key() {
+	keytype=$1
+	[ $# -eq 1 ] && ks="${keytype}_"
+	key="${SSHD_CONFDIR}/ssh_host_${ks}key"
+	if [ ! -e "${key}" ] ; then
+		ebegin "Generating ${keytype} host key"
+		ssh-keygen -t ${keytype} -f "${key}" -N ''
+		eend $? || return $?
+	fi
+}
+
+gen_keys() {
+	if egrep -q '^[[:space:]]*Protocol[[:space:]]+.*1' "${SSHD_CONFDIR}"/sshd_config ; then
+		gen_key rsa1 "" || return 1
+	fi
+	gen_key dsa && gen_key rsa && gen_key ecdsa
+	return $?
+}
+
+start() {
+	checkconfig || return 1
+
+	ebegin "Starting ${SVCNAME}"
+	start-stop-daemon --start --exec "${SSHD_BINARY}" \
+	    --pidfile "${SSHD_PIDFILE}" \
+	    -- ${SSHD_OPTS}
+	eend $?
+}
+
+stop() {
+	if [ "${RC_CMD}" = "restart" ] ; then
+		checkconfig || return 1
+	fi
+
+	ebegin "Stopping ${SVCNAME}"
+	start-stop-daemon --stop --exec "${SSHD_BINARY}" \
+	    --pidfile "${SSHD_PIDFILE}" --quiet
+	eend $?
+}
+
+reload() {
+	checkconfig || return 1
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --signal HUP \
+	    --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
+	eend $?
+}

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/sshd.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH server daemon
+After=syslog.target network.target auditd.service
+
+[Service]
+ExecStart=/usr/sbin/sshd -D -e
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/sshd.socket

@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH Server Socket
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target

sdk_container/src/third_party/portage-stable/net-misc/openssh/files/sshd_at.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+After=syslog.target auditd.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i -e
+StandardInput=socket
+StandardError=syslog

sdk_container/src/third_party/portage-stable/net-misc/openssh/metadata.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <herd>base-system</herd>
+  <maintainer restrict="net-misc/openssh[ldap]">
+    <email>robbat2@gentoo.org</email>
+	<description>LPK issues. Only assign if it's a direct LPK issue. Do not directly assign for anything else.</description>
+  </maintainer>
+  <longdescription>
+OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that 
+increasing numbers of people on the Internet are coming to rely on. Many users of telnet, 
+rlogin, ftp, and other such programs might not realize that their password is transmitted 
+across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) 
+to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. 
+Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety 
+of authentication methods.
+
+The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which 
+replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of 
+the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, 
+ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
+</longdescription>
+  <use>
+	<flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
+	<flag name="hpn">Enable high performance ssh</flag>
+	<flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
+	<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
+	<flag name="X509">Adds support for X.509 certificate authentication</flag>
+  </use>
+</pkgmetadata>

sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-5.2_p1-r10.ebuild

@@ -0,0 +1 @@
+openssh-5.2_p1-r3.ebuild

sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-5.2_p1-r3.ebuild

@@ -0,0 +1,259 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-5.2_p1-r3.ebuild,v 1.7 2009/10/11 20:21:40 nixnut Exp $
+
+inherit eutils flag-o-matic multilib autotools pam useradd
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_/}
+
+HPN_PATCH="${PARCH}-hpn13v6.diff.gz"
+LDAP_PATCH="${PARCH/openssh/openssh-lpk}-0.3.11.patch.gz"
+PKCS11_PATCH="${PARCH/p1}pkcs11-0.26.tar.bz2"
+X509_VER="6.2.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+# HPN appears twice as sometimes Gentoo has a custom version of it.
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch
+	${HPN_PATCH:+hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} )}
+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+	${PKCS11_PATCH:+pkcs11? ( http://alon.barlev.googlepages.com/${PKCS11_PATCH} )}
+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ~ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh ~sparc x86 ~sparc-fbsd ~x86-fbsd"
+IUSE="hpn kerberos ldap libedit pam pkcs11 selinux skey smartcard static tcpd X X509"
+
+RDEPEND="pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	selinux? ( >=sys-libs/libselinux-1.28 )
+	skey? ( >=sys-auth/skey-1.1.5-r1 )
+	ldap? ( net-nds/openldap )
+	libedit? ( dev-libs/libedit )
+	>=dev-libs/openssl-0.9.6d
+	>=sys-libs/zlib-1.2.3
+	smartcard? ( dev-libs/opensc )
+	pkcs11? ( dev-libs/pkcs11-helper )
+	tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
+	X? ( x11-apps/xauth )
+	userland_GNU? ( sys-apps/shadow )"
+DEPEND="${RDEPEND}
+	dev-util/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )"
+PROVIDE="virtual/ssh"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && use ${1} && echo ${1} ; }
+	local fail="
+		$(maybe_fail ldap LDAP_PATCH)
+		$(maybe_fail pkcs11 PKCS11_PATCH)
+		$(maybe_fail X509 X509_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+}
+
+src_unpack() {
+	unpack ${PARCH}.tar.gz
+	cd "${S}"
+
+	sed -i \
+		-e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \
+		pathnames.h || die
+
+	if use pkcs11 ; then
+		cd "${WORKDIR}"
+		unpack "${PKCS11_PATCH}"
+		cd "${S}"
+		EPATCH_OPTS="-p1" epatch "${WORKDIR}"/*pkcs11*/{1,2,4}*
+		use X509 && EPATCH_OPTS="-R" epatch "${WORKDIR}"/*pkcs11*/1000_all_log.patch
+	fi
+	use X509 && epatch "${DISTDIR}"/${X509_PATCH} "${FILESDIR}"/${P}-x509-hpn-glue.patch
+	use smartcard && epatch "${FILESDIR}"/openssh-3.9_p1-opensc.patch
+	if ! use X509 ; then
+		if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+			# The patch for bug 210110 64-bit stuff is now included.
+			epatch "${DISTDIR}"/${LDAP_PATCH}
+			epatch "${FILESDIR}"/${PN}-5.2p1-ldap-stdargs.diff #266654
+		fi
+		epatch "${DISTDIR}"/openssh-5.2p1-gsskex-all-20090726.patch #115553 #216932 #279488
+		epatch "${FILESDIR}"/${P}-gsskex-fix.patch
+	else
+		use ldap && ewarn "Sorry, X509 and ldap don't get along, disabling ldap"
+	fi
+	#epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	[[ -n ${HPN_PATCH} ]] && use hpn && epatch "${DISTDIR}"/${HPN_PATCH}
+	epatch "${FILESDIR}"/${PN}-4.7p1-selinux.diff #191665
+	epatch "${FILESDIR}"/${P}-autoconf.patch
+	epatch "${FILESDIR}"/${P}-ssh-keysign-readconf.patch
+
+	# in 5.2p1, the AES-CTR multithreaded variant is temporarily broken, and
+	# causes random hangs when combined with the -f switch of ssh.
+	# To avoid this, we change the internal table to use the non-multithread
+	# version for the meantime.
+	sed -i \
+		-e '/aes...-ctr.*SSH_CIPHER_SSH2/s,evp_aes_ctr_mt,evp_aes_128_ctr,' \
+		cipher.c || die
+
+	sed -i "s:-lcrypto:$(pkg-config --libs openssl):" configure{,.ac} || die
+
+	# Disable PATH reset, trust what portage gives us. bug 254615
+	sed -i -e 's:^PATH=/:#PATH=/:' configure || die
+
+	eautoreconf
+}
+
+static_use_with() {
+	local flag=$1
+	if use static && use ${flag} ; then
+		ewarn "Disabling '${flag}' support because of USE='static'"
+		# rebuild args so that we invert the first one (USE flag)
+		# but otherwise leave everything else working so we can
+		# just leverage use_with
+		shift
+		[[ -z $1 ]] && flag="${flag} ${flag}"
+		set -- !${flag} "$@"
+	fi
+	use_with "$@"
+}
+
+src_compile() {
+	export CFLAGS
+	CFLAGS+=" -fno-strict-aliasing"
+
+	addwrite /dev/ptmx
+	addpredict /etc/skey/skeykeys #skey configure code triggers this
+
+	local myconf=""
+	use static && append-ldflags -static
+
+	econf \
+		--with-ldflags="${LDFLAGS}" \
+		--disable-strip \
+		--sysconfdir=/etc/ssh \
+		--libexecdir=/usr/$(get_libdir)/misc \
+		--datadir=/usr/share/openssh \
+		--with-privsep-path=/var/empty \
+		--with-privsep-user=sshd \
+		--with-md5-passwords \
+		--with-ssl-engine \
+		$(static_use_with pam) \
+		$(static_use_with kerberos kerberos5 /usr) \
+		${LDAP_PATCH:+$(use ldap && use_with ldap)} \
+		$(use_with libedit) \
+		${PKCS11_PATCH:+$(use pkcs11 && static_use_with pkcs11)} \
+		$(use_with selinux) \
+		$(use_with skey) \
+		$(use_with smartcard opensc) \
+		$(use_with tcpd tcp-wrappers) \
+		${myconf} \
+		|| die "bad configure"
+	emake || die "compile problem"
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}" || die
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${D}"/etc/ssh/sshd_config || die "sed of configuration file failed"
+	fi
+
+	# This instruction is from the HPN webpage,
+	# Used for the server logging functionality
+	if [[ -n ${HPN_PATCH} ]] && use hpn; then
+		keepdir /var/empty/dev
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+}
+
+src_test() {
+	local t tests skipped failed passed shell
+	tests="interop-tests compat-tests"
+	skipped=""
+	shell=$(getent passwd ${UID} | cut -d: -f7)
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite"
+		elog "requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped="${skipped} tests"
+	else
+		tests="${tests} tests"
+	fi
+	for t in ${tests} ; do
+		# Some tests read from stdin ...
+		emake -k -j1 ${t} </dev/null \
+			&& passed="${passed}${t} " \
+			|| failed="${failed}${t} "
+	done
+	einfo "Passed tests: ${passed}"
+	ewarn "Skipped tests: ${skipped}"
+	if [[ -n ${failed} ]] ; then
+		ewarn "Failed tests: ${failed}"
+		die "Some tests failed: ${failed}"
+	else
+		einfo "Failed tests: ${failed}"
+		return 0
+	fi
+}
+
+pkg_postinst() {
+	add_group sshd 22
+	add_user "sshd" "*" 22 22 "sshd_user" /dev/null /bin/false
+
+	# help fix broken perms caused by older ebuilds.
+	# can probably cut this after the next stage release.
+	chmod u+x "${ROOT}"/etc/skel/.ssh >& /dev/null
+
+	ewarn "Remember to merge your config files in /etc/ssh/ and then"
+	ewarn "reload sshd: '/etc/init.d/sshd reload'."
+	if use pam ; then
+		echo
+		ewarn "Please be aware users need a valid shell in /etc/passwd"
+		ewarn "in order to be allowed to login."
+	fi
+	if use pkcs11 ; then
+		echo
+		einfo "For PKCS#11 you should also emerge one of the askpass softwares"
+		einfo "Example: net-misc/x11-ssh-askpass"
+	fi
+	# This instruction is from the HPN webpage,
+	# Used for the server logging functionality
+	if [[ -n ${HPN_PATCH} ]] && use hpn; then
+		echo
+		einfo "For the HPN server logging patch, you must ensure that"
+		einfo "your syslog application also listens at /var/empty/dev/log."
+	fi
+}

sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-5.9_p1-r4.ebuild

@@ -0,0 +1,279 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-5.9_p1-r4.ebuild,v 1.14 2013/01/18 01:14:14 robbat2 Exp $
+
+EAPI="2"
+inherit eutils user flag-o-matic multilib autotools pam systemd
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+HPN_PATCH="${PARCH}-hpn13v11.diff.gz"
+LDAP_PATCH="${PARCH/-/-lpk-}-0.3.14.patch.gz"
+X509_VER="7.0" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${HPN_PATCH:+hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} mirror://gentoo/${HPN_PATCH} )}
+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd ~x86-fbsd"
+IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap libedit pam selinux skey static tcpd X X509"
+
+RDEPEND="pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	selinux? ( >=sys-libs/libselinux-1.28 )
+	skey? ( >=sys-auth/skey-1.1.5-r1 )
+	ldap? ( net-nds/openldap )
+	libedit? ( dev-libs/libedit )
+	>=dev-libs/openssl-0.9.6d:0[bindist=]
+	>=sys-libs/zlib-1.2.3
+	tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
+	X? ( x11-apps/xauth )
+	userland_GNU? ( virtual/shadow )"
+DEPEND="${RDEPEND}
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo ${1} ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+}
+
+src_prepare() {
+	sed -i \
+		-e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	epatch "${FILESDIR}"/${PN}-5.9_p1-drop-openssl-check.patch
+	epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361
+	if use X509 ; then
+		pushd .. >/dev/null
+		epatch "${FILESDIR}"/${PN}-5.9_p1-x509-glue.patch
+		popd >/dev/null
+		epatch "${WORKDIR}"/${X509_PATCH%.*}
+		epatch "${FILESDIR}"/${PN}-5.8_p1-x509-hpn-glue.patch
+	fi
+	if ! use X509 ; then
+		if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+			epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+			#epatch "${FILESDIR}"/${PN}-5.2p1-ldap-stdargs.diff #266654 - merged
+			# version.h patch conflict avoidence
+			mv version.h version.h.lpk
+			cp -f version.h.pristine version.h
+		fi
+	else
+		use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
+	fi
+	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	if [[ -n ${HPN_PATCH} ]] && use hpn; then
+		epatch "${WORKDIR}"/${HPN_PATCH%.*}
+		epatch "${FILESDIR}"/${PN}-5.6_p1-hpn-progressmeter.patch
+		# version.h patch conflict avoidence
+		mv version.h version.h.hpn
+		cp -f version.h.pristine version.h
+		# The AES-CTR multithreaded variant is broken, and causes random hangs
+		# when combined background threading and control sockets. To avoid
+		# this, we change the internal table to use the non-multithread version
+		# for the meantime. Do NOT remove this in new versions. See bug #354113
+		# comment #6 for testcase.
+		# Upstream reference: http://www.psc.edu/networking/projects/hpn-ssh/
+		## Additionally, the MT-AES-CTR mode cipher replaces the default ST-AES-CTR mode
+		## cipher. Be aware that if the client process is forked using the -f command line
+		## option the process will hang as the parent thread gets 'divorced' from the key
+		## generation threads. This issue will be resolved as soon as possible
+		sed -i \
+			-e '/aes...-ctr.*SSH_CIPHER_SSH2/s,evp_aes_ctr_mt,evp_aes_128_ctr,' \
+			cipher.c || die
+	fi
+
+	sed -i "s:-lcrypto:$(pkg-config --libs openssl):" configure{,.ac} || die
+
+	# Disable PATH reset, trust what portage gives us. bug 254615
+	sed -i -e 's:^PATH=/:#PATH=/:' configure || die
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s %s\n' \
+			"$([ -e version.h.hpn ] && echo SSH_HPN)" \
+			"$([ -e version.h.lpk ] && echo SSH_LPK)"
+	) > version.h
+
+	eautoreconf
+}
+
+static_use_with() {
+	local flag=$1
+	if use static && use ${flag} ; then
+		ewarn "Disabling '${flag}' support because of USE='static'"
+		# rebuild args so that we invert the first one (USE flag)
+		# but otherwise leave everything else working so we can
+		# just leverage use_with
+		shift
+		[[ -z $1 ]] && flag="${flag} ${flag}"
+		set -- !${flag} "$@"
+	fi
+	use_with "$@"
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+	addpredict /etc/skey/skeykeys #skey configure code triggers this
+
+	use static && append-ldflags -static
+
+	econf \
+		--with-ldflags="${LDFLAGS}" \
+		--disable-strip \
+		--sysconfdir=/etc/ssh \
+		--libexecdir=/usr/$(get_libdir)/misc \
+		--datadir=/usr/share/openssh \
+		--with-privsep-path=/var/empty \
+		--with-privsep-user=sshd \
+		--with-md5-passwords \
+		--with-ssl-engine \
+		$(static_use_with pam) \
+		$(static_use_with kerberos kerberos5 /usr) \
+		${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
+		$(use_with libedit) \
+		$(use_with selinux) \
+		$(use_with skey) \
+		$(use_with tcpd tcp-wrappers)
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}" || die
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id || die
+	newinitd "${FILESDIR}"/sshd.rc6.3 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	# not all openssl installs support ecc, or are functional #352645
+	if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then
+		elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support"
+		dosed 's:&& gen_key ecdsa::' /etc/init.d/sshd || die
+	fi
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${D}"/etc/ssh/sshd_config || die "sed of configuration file failed"
+	fi
+
+	# This instruction is from the HPN webpage,
+	# Used for the server logging functionality
+	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+		keepdir /var/empty/dev
+	fi
+
+	if use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket} || die
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' || die
+}
+
+src_test() {
+	local t tests skipped failed passed shell
+	tests="interop-tests compat-tests"
+	skipped=""
+	shell=$(egetshell ${UID})
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite"
+		elog "requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped="${skipped} tests"
+	else
+		tests="${tests} tests"
+	fi
+	# It will also attempt to write to the homedir .ssh
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in ${tests} ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed="${passed}${t} " \
+			|| failed="${failed}${t} "
+	done
+	einfo "Passed tests: ${passed}"
+	ewarn "Skipped tests: ${skipped}"
+	if [[ -n ${failed} ]] ; then
+		ewarn "Failed tests: ${failed}"
+		die "Some tests failed: ${failed}"
+	else
+		einfo "Failed tests: ${failed}"
+		return 0
+	fi
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	elog "Starting with openssh-5.8p1, the server will default to a newer key"
+	elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+	elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	echo
+	ewarn "Remember to merge your config files in /etc/ssh/ and then"
+	ewarn "reload sshd: '/etc/init.d/sshd reload'."
+	if use pam ; then
+		echo
+		ewarn "Please be aware users need a valid shell in /etc/passwd"
+		ewarn "in order to be allowed to login."
+	fi
+	# This instruction is from the HPN webpage,
+	# Used for the server logging functionality
+	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+		echo
+		einfo "For the HPN server logging patch, you must ensure that"
+		einfo "your syslog application also listens at /var/empty/dev/log."
+	fi
+}

sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-6.0_p1-r1.ebuild

@@ -0,0 +1,294 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.0_p1-r1.ebuild,v 1.5 2013/01/18 01:14:14 robbat2 Exp $
+
+EAPI="2"
+inherit eutils user flag-o-matic multilib autotools pam systemd
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+HPN_PATCH="${PARCH}-hpn13v11.diff.bz2"
+LDAP_PATCH="${PARCH/-/-lpk-}-0.3.14.patch.gz"
+X509_VER="7.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${HPN_PATCH:+hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} mirror://gentoo/${HPN_PATCH} )}
+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd"
+IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap libedit pam selinux skey static tcpd X X509"
+
+RDEPEND="pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	selinux? ( >=sys-libs/libselinux-1.28 )
+	skey? ( >=sys-auth/skey-1.1.5-r1 )
+	ldap? ( net-nds/openldap )
+	libedit? ( dev-libs/libedit )
+	>=dev-libs/openssl-0.9.6d:0[bindist=]
+	>=sys-libs/zlib-1.2.3
+	tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
+	X? ( x11-apps/xauth )
+	userland_GNU? ( virtual/shadow )"
+DEPEND="${RDEPEND}
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo ${1} ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+}
+
+save_version() {
+	# version.h patch conflict avoidence
+	mv version.h version.h.$1
+	cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+	sed -i \
+		-e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361
+	if use X509 ; then
+		pushd .. >/dev/null
+		epatch "${FILESDIR}"/${PN}-6.0_p1-x509-glue.patch
+		popd >/dev/null
+		epatch "${WORKDIR}"/${X509_PATCH%.*}
+		epatch "${FILESDIR}"/${PN}-6.0_p1-x509-hpn-glue.patch
+		save_version X509
+	fi
+	if ! use X509 ; then
+		if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+			epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+			save_version LPK
+		fi
+	else
+		use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
+	fi
+	epatch "${FILESDIR}"/${PN}-6.0_p1-test.patch #391011
+	epatch "${FILESDIR}"/${PN}-6.0_p1-fix-freebsd-compilation.patch #391011
+	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	if [[ -n ${HPN_PATCH} ]] && use hpn; then
+		epatch "${WORKDIR}"/${HPN_PATCH%.*}
+		epatch "${FILESDIR}"/${PN}-5.6_p1-hpn-progressmeter.patch
+		save_version HPN
+		# The AES-CTR multithreaded variant is broken, and causes random hangs
+		# when combined background threading and control sockets. To avoid
+		# this, we change the internal table to use the non-multithread version
+		# for the meantime. Do NOT remove this in new versions. See bug #354113
+		# comment #6 for testcase.
+		# Upstream reference: http://www.psc.edu/networking/projects/hpn-ssh/
+		## Additionally, the MT-AES-CTR mode cipher replaces the default ST-AES-CTR mode
+		## cipher. Be aware that if the client process is forked using the -f command line
+		## option the process will hang as the parent thread gets 'divorced' from the key
+		## generation threads. This issue will be resolved as soon as possible
+		sed -i \
+			-e '/aes...-ctr.*SSH_CIPHER_SSH2/s,evp_aes_ctr_mt,evp_aes_128_ctr,' \
+			cipher.c || die
+	fi
+
+	sed -i "s:-lcrypto:$(pkg-config --libs openssl):" configure{,.ac} || die
+
+	# Disable PATH reset, trust what portage gives us. bug 254615
+	sed -i -e 's:^PATH=/:#PATH=/:' configure || die
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		macros=()
+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+	) > version.h
+
+	eautoreconf
+}
+
+static_use_with() {
+	local flag=$1
+	if use static && use ${flag} ; then
+		ewarn "Disabling '${flag}' support because of USE='static'"
+		# rebuild args so that we invert the first one (USE flag)
+		# but otherwise leave everything else working so we can
+		# just leverage use_with
+		shift
+		[[ -z $1 ]] && flag="${flag} ${flag}"
+		set -- !${flag} "$@"
+	fi
+	use_with "$@"
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+	addpredict /etc/skey/skeykeys #skey configure code triggers this
+
+	use static && append-ldflags -static
+
+	econf \
+		--with-ldflags="${LDFLAGS}" \
+		--disable-strip \
+		--sysconfdir=/etc/ssh \
+		--libexecdir=/usr/$(get_libdir)/misc \
+		--datadir=/usr/share/openssh \
+		--with-privsep-path=/var/empty \
+		--with-privsep-user=sshd \
+		--with-md5-passwords \
+		--with-ssl-engine \
+		$(static_use_with pam) \
+		$(static_use_with kerberos kerberos5 /usr) \
+		${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
+		$(use_with libedit) \
+		$(use_with selinux) \
+		$(use_with skey) \
+		$(use_with tcpd tcp-wrappers)
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}" || die
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id || die
+	newinitd "${FILESDIR}"/sshd.rc6.3 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	# not all openssl installs support ecc, or are functional #352645
+	if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then
+		elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support"
+		dosed 's:&& gen_key ecdsa::' /etc/init.d/sshd || die
+	fi
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${D}"/etc/ssh/sshd_config || die "sed of configuration file failed"
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${D}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${D}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	# This instruction is from the HPN webpage,
+	# Used for the server logging functionality
+	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+		keepdir /var/empty/dev
+	fi
+
+	if use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket} || die
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' || die
+}
+
+src_test() {
+	local t tests skipped failed passed shell
+	tests="interop-tests compat-tests"
+	skipped=""
+	shell=$(egetshell ${UID})
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite"
+		elog "requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped="${skipped} tests"
+	else
+		tests="${tests} tests"
+	fi
+	# It will also attempt to write to the homedir .ssh
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in ${tests} ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed="${passed}${t} " \
+			|| failed="${failed}${t} "
+	done
+	einfo "Passed tests: ${passed}"
+	ewarn "Skipped tests: ${skipped}"
+	if [[ -n ${failed} ]] ; then
+		ewarn "Failed tests: ${failed}"
+		die "Some tests failed: ${failed}"
+	else
+		einfo "Failed tests: ${failed}"
+		return 0
+	fi
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	elog "Starting with openssh-5.8p1, the server will default to a newer key"
+	elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+	elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	echo
+	ewarn "Remember to merge your config files in /etc/ssh/ and then"
+	ewarn "reload sshd: '/etc/init.d/sshd reload'."
+	if use pam ; then
+		echo
+		ewarn "Please be aware users need a valid shell in /etc/passwd"
+		ewarn "in order to be allowed to login."
+	fi
+	# This instruction is from the HPN webpage,
+	# Used for the server logging functionality
+	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+		echo
+		einfo "For the HPN server logging patch, you must ensure that"
+		einfo "your syslog application also listens at /var/empty/dev/log."
+	fi
+}

sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-6.0_p1.ebuild

@@ -0,0 +1,294 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.0_p1.ebuild,v 1.11 2013/01/18 01:14:14 robbat2 Exp $
+
+EAPI="2"
+inherit eutils user flag-o-matic multilib autotools pam systemd
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+HPN_PATCH="${PARCH}-hpn13v12.diff.gz"
+LDAP_PATCH="${PARCH/-/-lpk-}-0.3.14.patch.gz"
+X509_VER="7.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${HPN_PATCH:+hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} mirror://gentoo/${HPN_PATCH} )}
+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd"
+IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap libedit pam selinux skey static tcpd X X509"
+
+RDEPEND="pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	selinux? ( >=sys-libs/libselinux-1.28 )
+	skey? ( >=sys-auth/skey-1.1.5-r1 )
+	ldap? ( net-nds/openldap )
+	libedit? ( dev-libs/libedit )
+	>=dev-libs/openssl-0.9.6d:0[bindist=]
+	>=sys-libs/zlib-1.2.3
+	tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
+	X? ( x11-apps/xauth )
+	userland_GNU? ( virtual/shadow )"
+DEPEND="${RDEPEND}
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo ${1} ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+}
+
+save_version() {
+	# version.h patch conflict avoidence
+	mv version.h version.h.$1
+	cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+	sed -i \
+		-e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361
+	if use X509 ; then
+		pushd .. >/dev/null
+		epatch "${FILESDIR}"/${PN}-6.0_p1-x509-glue.patch
+		popd >/dev/null
+		epatch "${WORKDIR}"/${X509_PATCH%.*}
+		epatch "${FILESDIR}"/${PN}-6.0_p1-x509-hpn-glue.patch
+		save_version X509
+	fi
+	if ! use X509 ; then
+		if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+			epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+			save_version LPK
+		fi
+	else
+		use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
+	fi
+	epatch "${FILESDIR}"/${PN}-6.0_p1-test.patch #391011
+	epatch "${FILESDIR}"/${PN}-6.0_p1-fix-freebsd-compilation.patch #391011
+	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	if [[ -n ${HPN_PATCH} ]] && use hpn; then
+		epatch "${WORKDIR}"/${HPN_PATCH%.*}
+		epatch "${FILESDIR}"/${PN}-6.0_p1-hpn-progressmeter.patch
+		save_version HPN
+		# The AES-CTR multithreaded variant is broken, and causes random hangs
+		# when combined background threading and control sockets. To avoid
+		# this, we change the internal table to use the non-multithread version
+		# for the meantime. Do NOT remove this in new versions. See bug #354113
+		# comment #6 for testcase.
+		# Upstream reference: http://www.psc.edu/networking/projects/hpn-ssh/
+		## Additionally, the MT-AES-CTR mode cipher replaces the default ST-AES-CTR mode
+		## cipher. Be aware that if the client process is forked using the -f command line
+		## option the process will hang as the parent thread gets 'divorced' from the key
+		## generation threads. This issue will be resolved as soon as possible
+		sed -i \
+			-e '/aes...-ctr.*SSH_CIPHER_SSH2/s,evp_aes_ctr_mt,evp_aes_128_ctr,' \
+			cipher.c || die
+	fi
+
+	sed -i "s:-lcrypto:$(pkg-config --libs openssl):" configure{,.ac} || die
+
+	# Disable PATH reset, trust what portage gives us. bug 254615
+	sed -i -e 's:^PATH=/:#PATH=/:' configure || die
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		macros=()
+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+	) > version.h
+
+	eautoreconf
+}
+
+static_use_with() {
+	local flag=$1
+	if use static && use ${flag} ; then
+		ewarn "Disabling '${flag}' support because of USE='static'"
+		# rebuild args so that we invert the first one (USE flag)
+		# but otherwise leave everything else working so we can
+		# just leverage use_with
+		shift
+		[[ -z $1 ]] && flag="${flag} ${flag}"
+		set -- !${flag} "$@"
+	fi
+	use_with "$@"
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+	addpredict /etc/skey/skeykeys #skey configure code triggers this
+
+	use static && append-ldflags -static
+
+	econf \
+		--with-ldflags="${LDFLAGS}" \
+		--disable-strip \
+		--sysconfdir=/etc/ssh \
+		--libexecdir=/usr/$(get_libdir)/misc \
+		--datadir=/usr/share/openssh \
+		--with-privsep-path=/var/empty \
+		--with-privsep-user=sshd \
+		--with-md5-passwords \
+		--with-ssl-engine \
+		$(static_use_with pam) \
+		$(static_use_with kerberos kerberos5 /usr) \
+		${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
+		$(use_with libedit) \
+		$(use_with selinux) \
+		$(use_with skey) \
+		$(use_with tcpd tcp-wrappers)
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}" || die
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id || die
+	newinitd "${FILESDIR}"/sshd.rc6.3 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	# not all openssl installs support ecc, or are functional #352645
+	if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then
+		elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support"
+		dosed 's:&& gen_key ecdsa::' /etc/init.d/sshd || die
+	fi
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${D}"/etc/ssh/sshd_config || die "sed of configuration file failed"
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${D}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${D}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	# This instruction is from the HPN webpage,
+	# Used for the server logging functionality
+	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+		keepdir /var/empty/dev
+	fi
+
+	if use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket} || die
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' || die
+}
+
+src_test() {
+	local t tests skipped failed passed shell
+	tests="interop-tests compat-tests"
+	skipped=""
+	shell=$(egetshell ${UID})
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite"
+		elog "requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped="${skipped} tests"
+	else
+		tests="${tests} tests"
+	fi
+	# It will also attempt to write to the homedir .ssh
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in ${tests} ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed="${passed}${t} " \
+			|| failed="${failed}${t} "
+	done
+	einfo "Passed tests: ${passed}"
+	ewarn "Skipped tests: ${skipped}"
+	if [[ -n ${failed} ]] ; then
+		ewarn "Failed tests: ${failed}"
+		die "Some tests failed: ${failed}"
+	else
+		einfo "Failed tests: ${failed}"
+		return 0
+	fi
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	elog "Starting with openssh-5.8p1, the server will default to a newer key"
+	elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+	elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	echo
+	ewarn "Remember to merge your config files in /etc/ssh/ and then"
+	ewarn "reload sshd: '/etc/init.d/sshd reload'."
+	if use pam ; then
+		echo
+		ewarn "Please be aware users need a valid shell in /etc/passwd"
+		ewarn "in order to be allowed to login."
+	fi
+	# This instruction is from the HPN webpage,
+	# Used for the server logging functionality
+	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+		echo
+		einfo "For the HPN server logging patch, you must ensure that"
+		einfo "your syslog application also listens at /var/empty/dev/log."
+	fi
+}

sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-6.1_p1-r1.ebuild

@@ -0,0 +1,316 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.1_p1-r1.ebuild,v 1.4 2013/01/22 02:51:55 robbat2 Exp $
+
+EAPI="4"
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+HPN_PATCH="${PARCH}-hpn13v11.diff.bz2"
+LDAP_PATCH="${PARCH/-/-lpk-}-0.3.14.patch.gz"
+X509_VER="7.2.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${HPN_PATCH:+hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} mirror://gentoo/${HPN_PATCH} )}
+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd"
+IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap ldns libedit pam selinux skey static tcpd X X509"
+
+LIB_DEPEND="selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+	libedit? ( dev-libs/libedit[static-libs(+)] )
+	>=dev-libs/openssl-0.9.6d:0[bindist=]
+	dev-libs/openssl[static-libs(+)]
+	>=sys-libs/zlib-1.2.3[static-libs(+)]
+	tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )"
+RDEPEND="
+	!static? (
+		${LIB_DEPEND//\[static-libs(+)]}
+		ldns? (
+			!bindist? ( net-libs/ldns[ecdsa,ssl] )
+			bindist? ( net-libs/ldns[-ecdsa,ssl] )
+		)
+	)
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+	static? (
+		${LIB_DEPEND}
+		ldns? (
+			!bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
+			bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] )
+		)
+	)
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo ${1} ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+}
+
+save_version() {
+	# version.h patch conflict avoidence
+	mv version.h version.h.$1
+	cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+	sed -i \
+		-e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361
+	if use X509 ; then
+		pushd .. >/dev/null
+		epatch "${FILESDIR}"/${PN}-6.1_p1-x509-glue.patch
+		popd >/dev/null
+		epatch "${WORKDIR}"/${X509_PATCH%.*}
+		epatch "${FILESDIR}"/${PN}-6.1_p1-x509-hpn-glue.patch
+		save_version X509
+	fi
+	if ! use X509 ; then
+		if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+			epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+			save_version LPK
+		fi
+	else
+		use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
+	fi
+	epatch "${FILESDIR}"/${PN}-6.0_p1-fix-freebsd-compilation.patch #391011
+	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	if [[ -n ${HPN_PATCH} ]] && use hpn; then
+		epatch "${WORKDIR}"/${HPN_PATCH%.*}
+		epatch "${FILESDIR}"/${PN}-5.6_p1-hpn-progressmeter.patch
+		save_version HPN
+		# The AES-CTR multithreaded variant is broken, and causes random hangs
+		# when combined background threading and control sockets. To avoid
+		# this, we change the internal table to use the non-multithread version
+		# for the meantime. Do NOT remove this in new versions. See bug #354113
+		# comment #6 for testcase.
+		# Upstream reference: http://www.psc.edu/networking/projects/hpn-ssh/
+		## Additionally, the MT-AES-CTR mode cipher replaces the default ST-AES-CTR mode
+		## cipher. Be aware that if the client process is forked using the -f command line
+		## option the process will hang as the parent thread gets 'divorced' from the key
+		## generation threads. This issue will be resolved as soon as possible
+		sed -i \
+			-e '/aes...-ctr.*SSH_CIPHER_SSH2/s,evp_aes_ctr_mt,evp_aes_128_ctr,' \
+			cipher.c || die
+	fi
+
+	tc-export PKG_CONFIG
+	sed -i "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" configure{,.ac} || die
+
+	# Disable PATH reset, trust what portage gives us. bug 254615
+	sed -i -e 's:^PATH=/:#PATH=/:' configure || die
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		macros=()
+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+	) > version.h
+
+	eautoreconf
+}
+
+static_use_with() {
+	local flag=$1
+	if use static && use ${flag} ; then
+		ewarn "Disabling '${flag}' support because of USE='static'"
+		# rebuild args so that we invert the first one (USE flag)
+		# but otherwise leave everything else working so we can
+		# just leverage use_with
+		shift
+		[[ -z $1 ]] && flag="${flag} ${flag}"
+		set -- !${flag} "$@"
+	fi
+	use_with "$@"
+}
+
+src_configure() {
+	local myconf
+	addwrite /dev/ptmx
+	addpredict /etc/skey/skeykeys #skey configure code triggers this
+
+	use static && append-ldflags -static
+
+	# Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
+	if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
+		myconf="${myconf} --disable-utmp --disable-wtmp --disable-wtmpx"
+		append-ldflags -lutil
+	fi
+
+	econf \
+		--with-ldflags="${LDFLAGS}" \
+		--disable-strip \
+		--with-pid-dir=/var/run \
+		--sysconfdir=/etc/ssh \
+		--libexecdir=/usr/$(get_libdir)/misc \
+		--datadir=/usr/share/openssh \
+		--with-privsep-path=/var/empty \
+		--with-privsep-user=sshd \
+		--with-md5-passwords \
+		--with-ssl-engine \
+		$(static_use_with pam) \
+		$(static_use_with kerberos kerberos5 /usr) \
+		${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
+		$(use_with ldns) \
+		$(use_with libedit) \
+		$(use_with selinux) \
+		$(use_with skey) \
+		$(use_with tcpd tcp-wrappers) \
+		${myconf}
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	# not all openssl installs support ecc, or are functional #352645
+	if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then
+		elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support"
+		sed -i 's:&& gen_key ecdsa::' "${ED}"/etc/init.d/sshd || die
+	fi
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die "sed of configuration file failed"
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	# This instruction is from the HPN webpage,
+	# Used for the server logging functionality
+	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+		keepdir /var/empty/dev
+	fi
+
+	if use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+	local t tests skipped failed passed shell
+	tests="interop-tests compat-tests"
+	skipped=""
+	shell=$(egetshell ${UID})
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite"
+		elog "requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped="${skipped} tests"
+	else
+		tests="${tests} tests"
+	fi
+	# It will also attempt to write to the homedir .ssh
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in ${tests} ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed="${passed}${t} " \
+			|| failed="${failed}${t} "
+	done
+	einfo "Passed tests: ${passed}"
+	ewarn "Skipped tests: ${skipped}"
+	if [[ -n ${failed} ]] ; then
+		ewarn "Failed tests: ${failed}"
+		die "Some tests failed: ${failed}"
+	else
+		einfo "Failed tests: ${failed}"
+		return 0
+	fi
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	ewarn "Remember to merge your config files in /etc/ssh/ and then"
+	ewarn "reload sshd: '/etc/init.d/sshd reload'."
+	# This instruction is from the HPN webpage,
+	# Used for the server logging functionality
+	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+		echo
+		einfo "For the HPN server logging patch, you must ensure that"
+		einfo "your syslog application also listens at /var/empty/dev/log."
+	fi
+}

sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-6.1_p1.ebuild

@@ -0,0 +1,294 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.1_p1.ebuild,v 1.9 2013/01/18 01:14:14 robbat2 Exp $
+
+EAPI="4"
+inherit eutils user flag-o-matic multilib autotools pam systemd
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+HPN_PATCH="${PARCH}-hpn13v11.diff.bz2"
+LDAP_PATCH="${PARCH/-/-lpk-}-0.3.14.patch.gz"
+X509_VER="7.2.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+	${HPN_PATCH:+hpn? ( http://www.psc.edu/networking/projects/hpn-ssh/${HPN_PATCH} mirror://gentoo/${HPN_PATCH} )}
+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+	"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd"
+IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap libedit pam selinux skey static tcpd X X509"
+
+LIB_DEPEND="selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+	libedit? ( dev-libs/libedit[static-libs(+)] )
+	>=dev-libs/openssl-0.9.6d:0[bindist=]
+	dev-libs/openssl[static-libs(+)]
+	>=sys-libs/zlib-1.2.3[static-libs(+)]
+	tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )"
+RDEPEND="!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+	pam? ( virtual/pam )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+	static? ( ${LIB_DEPEND} )
+	virtual/pkgconfig
+	virtual/os-headers
+	sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+	pam? ( >=sys-auth/pambase-20081028 )
+	userland_GNU? ( virtual/shadow )
+	X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+	# this sucks, but i'd rather have people unable to `emerge -u openssh`
+	# than not be able to log in to their server any more
+	maybe_fail() { [[ -z ${!2} ]] && echo ${1} ; }
+	local fail="
+		$(use X509 && maybe_fail X509 X509_PATCH)
+		$(use ldap && maybe_fail ldap LDAP_PATCH)
+		$(use hpn && maybe_fail hpn HPN_PATCH)
+	"
+	fail=$(echo ${fail})
+	if [[ -n ${fail} ]] ; then
+		eerror "Sorry, but this version does not yet support features"
+		eerror "that you requested:	 ${fail}"
+		eerror "Please mask ${PF} for now and check back later:"
+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+		die "booooo"
+	fi
+}
+
+save_version() {
+	# version.h patch conflict avoidence
+	mv version.h version.h.$1
+	cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+	sed -i \
+		-e '/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:/usr/bin/xauth:' \
+		pathnames.h || die
+	# keep this as we need it to avoid the conflict between LPK and HPN changing
+	# this file.
+	cp version.h version.h.pristine
+
+	# don't break .ssh/authorized_keys2 for fun
+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+	epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361
+	if use X509 ; then
+		pushd .. >/dev/null
+		epatch "${FILESDIR}"/${PN}-6.1_p1-x509-glue.patch
+		popd >/dev/null
+		epatch "${WORKDIR}"/${X509_PATCH%.*}
+		epatch "${FILESDIR}"/${PN}-6.1_p1-x509-hpn-glue.patch
+		save_version X509
+	fi
+	if ! use X509 ; then
+		if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+			epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+			save_version LPK
+		fi
+	else
+		use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
+	fi
+	epatch "${FILESDIR}"/${PN}-6.0_p1-fix-freebsd-compilation.patch #391011
+	epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+	if [[ -n ${HPN_PATCH} ]] && use hpn; then
+		epatch "${WORKDIR}"/${HPN_PATCH%.*}
+		epatch "${FILESDIR}"/${PN}-5.6_p1-hpn-progressmeter.patch
+		save_version HPN
+		# The AES-CTR multithreaded variant is broken, and causes random hangs
+		# when combined background threading and control sockets. To avoid
+		# this, we change the internal table to use the non-multithread version
+		# for the meantime. Do NOT remove this in new versions. See bug #354113
+		# comment #6 for testcase.
+		# Upstream reference: http://www.psc.edu/networking/projects/hpn-ssh/
+		## Additionally, the MT-AES-CTR mode cipher replaces the default ST-AES-CTR mode
+		## cipher. Be aware that if the client process is forked using the -f command line
+		## option the process will hang as the parent thread gets 'divorced' from the key
+		## generation threads. This issue will be resolved as soon as possible
+		sed -i \
+			-e '/aes...-ctr.*SSH_CIPHER_SSH2/s,evp_aes_ctr_mt,evp_aes_128_ctr,' \
+			cipher.c || die
+	fi
+
+	tc-export PKG_CONFIG
+	sed -i "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" configure{,.ac} || die
+
+	# Disable PATH reset, trust what portage gives us. bug 254615
+	sed -i -e 's:^PATH=/:#PATH=/:' configure || die
+
+	# Now we can build a sane merged version.h
+	(
+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+		macros=()
+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+	) > version.h
+
+	eautoreconf
+}
+
+static_use_with() {
+	local flag=$1
+	if use static && use ${flag} ; then
+		ewarn "Disabling '${flag}' support because of USE='static'"
+		# rebuild args so that we invert the first one (USE flag)
+		# but otherwise leave everything else working so we can
+		# just leverage use_with
+		shift
+		[[ -z $1 ]] && flag="${flag} ${flag}"
+		set -- !${flag} "$@"
+	fi
+	use_with "$@"
+}
+
+src_configure() {
+	addwrite /dev/ptmx
+	addpredict /etc/skey/skeykeys #skey configure code triggers this
+
+	use static && append-ldflags -static
+
+	econf \
+		--with-ldflags="${LDFLAGS}" \
+		--disable-strip \
+		--with-pid-dir=/var/run \
+		--sysconfdir=/etc/ssh \
+		--libexecdir=/usr/$(get_libdir)/misc \
+		--datadir=/usr/share/openssh \
+		--with-privsep-path=/var/empty \
+		--with-privsep-user=sshd \
+		--with-md5-passwords \
+		--with-ssl-engine \
+		$(static_use_with pam) \
+		$(static_use_with kerberos kerberos5 /usr) \
+		${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
+		$(use_with libedit) \
+		$(use_with selinux) \
+		$(use_with skey) \
+		$(use_with tcpd tcp-wrappers)
+}
+
+src_install() {
+	emake install-nokeys DESTDIR="${D}"
+	fperms 600 /etc/ssh/sshd_config
+	dobin contrib/ssh-copy-id
+	newinitd "${FILESDIR}"/sshd.rc6.3 sshd
+	newconfd "${FILESDIR}"/sshd.confd sshd
+	keepdir /var/empty
+
+	# not all openssl installs support ecc, or are functional #352645
+	if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then
+		elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support"
+		sed -i 's:&& gen_key ecdsa::' "${ED}"/etc/init.d/sshd || die
+	fi
+
+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+	if use pam ; then
+		sed -i \
+			-e "/^#UsePAM /s:.*:UsePAM yes:" \
+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \
+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+			"${ED}"/etc/ssh/sshd_config || die "sed of configuration file failed"
+	fi
+
+	# Gentoo tweaks to default config files
+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+	# Allow client to pass locale environment variables #367017
+	AcceptEnv LANG LC_*
+	EOF
+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+	# Send locale environment variables #367017
+	SendEnv LANG LC_*
+	EOF
+
+	# This instruction is from the HPN webpage,
+	# Used for the server logging functionality
+	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+		keepdir /var/empty/dev
+	fi
+
+	if use ldap ; then
+		insinto /etc/openldap/schema/
+		newins openssh-lpk_openldap.schema openssh-lpk.schema
+	fi
+
+	doman contrib/ssh-copy-id.1
+	dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+
+	diropts -m 0700
+	dodir /etc/skel/.ssh
+
+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+	local t tests skipped failed passed shell
+	tests="interop-tests compat-tests"
+	skipped=""
+	shell=$(egetshell ${UID})
+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+		elog "Running the full OpenSSH testsuite"
+		elog "requires a usable shell for the 'portage'"
+		elog "user, so we will run a subset only."
+		skipped="${skipped} tests"
+	else
+		tests="${tests} tests"
+	fi
+	# It will also attempt to write to the homedir .ssh
+	local sshhome=${T}/homedir
+	mkdir -p "${sshhome}"/.ssh
+	for t in ${tests} ; do
+		# Some tests read from stdin ...
+		HOMEDIR="${sshhome}" \
+		emake -k -j1 ${t} </dev/null \
+			&& passed="${passed}${t} " \
+			|| failed="${failed}${t} "
+	done
+	einfo "Passed tests: ${passed}"
+	ewarn "Skipped tests: ${skipped}"
+	if [[ -n ${failed} ]] ; then
+		ewarn "Failed tests: ${failed}"
+		die "Some tests failed: ${failed}"
+	else
+		einfo "Failed tests: ${failed}"
+		return 0
+	fi
+}
+
+pkg_preinst() {
+	enewgroup sshd 22
+	enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+		elog "Starting with openssh-5.8p1, the server will default to a newer key"
+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"
+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."
+	fi
+	ewarn "Remember to merge your config files in /etc/ssh/ and then"
+	ewarn "reload sshd: '/etc/init.d/sshd reload'."
+	# This instruction is from the HPN webpage,
+	# Used for the server logging functionality
+	if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+		echo
+		einfo "For the HPN server logging patch, you must ensure that"
+		einfo "your syslog application also listens at /var/empty/dev/log."
+	fi
+}