Fri Feb 7 22:32:38 UTC 202020200207223238

a/kernel-firmware-20200206_5351afe-noarch-1.txz:  Upgraded.
ap/ghostscript-9.50-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
ap/gutenprint-5.3.3-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
ap/nano-4.8-x86_64-1.txz:  Upgraded.
ap/screen-4.8.0-x86_64-1.txz:  Upgraded.
ap/vim-8.2.0224-x86_64-1.txz:  Upgraded.
d/cvs-1.11.23-x86_64-4.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
d/strace-5.5-x86_64-1.txz:  Upgraded.
kde/kdelibs-4.14.38-x86_64-6.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
l/gtk+2-2.24.32-x86_64-3.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
l/gtk+3-3.24.13-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
l/libsoup-2.68.3-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
l/libssh-0.9.3-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
l/loudmouth-1.5.3-x86_64-4.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
l/neon-0.30.2-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
n/cifs-utils-6.10-x86_64-2.txz:  Rebuilt.
  Recompiled to build cifs.upcall.
n/curl-7.68.0-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
n/cyrus-sasl-2.1.27-x86_64-2.txz:  Rebuilt.
  Recompiled against krb5-1.17.1.
xap/vim-gvim-8.2.0224-x86_64-1.txz:  Upgraded.

4 files changed, 55 insertions, 2 deletions

diff --git a/source/n/openssh/doinst.sh b/source/n/openssh/doinst.sh
index 08536ff69..ba1d1cdd3 100644
--- a/source/n/openssh/doinst.sh
+++ b/source/n/openssh/doinst.sh
@@ -21,6 +21,9 @@ preserve_perms() {
   config ${NEW}
 }
 
+if [ -r etc/pam.d/sshd.new ]; then
+  config etc/pam.d/sshd.new
+fi
 config etc/default/sshd.new
 config etc/ssh/ssh_config.new
 config etc/ssh/sshd_config.new
diff --git a/source/n/openssh/openssh.SlackBuild b/source/n/openssh/openssh.SlackBuild
index 6b634a23c..3c614d877 100755
--- a/source/n/openssh/openssh.SlackBuild
+++ b/source/n/openssh/openssh.SlackBuild
@@ -2,7 +2,7 @@
 
 # Copyright 2000 BSDi, Inc. Concord, CA, USA
 # Copyright 2001, 2002, 2003, 2004  Slackware Linux, Inc. Concord, CA, USA
-# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2018  Patrick J. Volkerding, Sebeka, MN, USA
+# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2018, 2020  Patrick J. Volkerding, Sebeka, MN, USA
 # All rights reserved.
 #
 # Redistribution and use of this script, with or without modification, is
@@ -54,16 +54,22 @@ fi
 
 if [ "$ARCH" = "i586" ]; then
   SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+  LIBDIRSUFFIX=""
 elif [ "$ARCH" = "s390" ]; then
   SLKCFLAGS="-O2"
+  LIBDIRSUFFIX=""
 elif [ "$ARCH" = "x86_64" ]; then
   SLKCFLAGS="-O2 -fPIC"
+  LIBDIRSUFFIX="64"
 elif [ "$ARCH" = "arm" ]; then
   SLKCFLAGS="-O2 -march=armv4 -mtune=xscale"
+  LIBDIRSUFFIX=""
 elif [ "$ARCH" = "armel" ]; then
   SLKCFLAGS="-O2 -march=armv4t"
+  LIBDIRSUFFIX=""
 else
   SLKCFLAGS="-O2"
+  LIBDIRSUFFIX=""
 fi
 
 # Clean target location:
@@ -80,6 +86,17 @@ chown -R root:root .
 # Restore support for tcpwrappers:
 zcat $CWD/openssh.tcp_wrappers.diff.gz | patch -p1 --verbose || exit 1
 
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+  PAM_OPTIONS="--with-pam --with-kerberos5"
+  unset SHADOW_OPTIONS
+  # Enable PAM in sshd_config:
+  zcat $CWD/sshd_config-pam.diff.gz | patch -p1 --verbose || exit 1
+else
+  unset PAM_OPTIONS
+  SHADOW_OPTIONS="--without-pam"
+fi
+
 autoreconf -vif
 
 # Compile package:
@@ -88,7 +105,8 @@ CFLAGS="$SLKCFLAGS" \
   --prefix=/usr \
   --mandir=/usr/man \
   --sysconfdir=/etc/ssh \
-  --without-pam \
+  $PAM_OPTIONS \
+  $SHADOW_OPTIONS \
   --with-md5-passwords \
   --with-libedit \
   --with-tcp-wrappers \
@@ -170,6 +188,12 @@ fi
   cat $CWD/rc.sshd > etc/rc.d/rc.sshd.new
   chmod 755 etc/rc.d/rc.sshd.new
 
+  if [ ! -z "$PAM_OPTIONS" ]; then
+    # Add the pam stuff:
+    mkdir -p etc/pam.d
+    cat $CWD/sshd.pam > etc/pam.d/sshd.new
+  fi
+
   # Copy runtime installation files:
   mkdir -p install
   zcat $CWD/doinst.sh.gz > install/doinst.sh
diff --git a/source/n/openssh/sshd.pam b/source/n/openssh/sshd.pam
new file mode 100644
index 000000000..0c465192e
--- /dev/null
+++ b/source/n/openssh/sshd.pam
@@ -0,0 +1,14 @@
+#%PAM-1.0
+# pam_securetty.so is commented out since sshd already does a good job of
+# protecting itself. You may uncomment it if you like, but then you may
+# need to add additional consoles to /etc/securetty if you want to allow
+# root logins on them, such as: ssh, pts/0, :0, etc
+#auth		required	pam_securetty.so
+auth		include		system-auth
+auth		include		postlogin
+account		required	pam_nologin.so
+account		include		system-auth
+password	include		system-auth
+session		include		system-auth
+session		include		postlogin
+session		required	pam_loginuid.so
diff --git a/source/n/openssh/sshd_config-pam.diff b/source/n/openssh/sshd_config-pam.diff
new file mode 100644
index 000000000..d5198c2ff
--- /dev/null
+++ b/source/n/openssh/sshd_config-pam.diff
@@ -0,0 +1,12 @@
+diff -Nur openssh-6.6p1.orig/sshd_config openssh-6.6p1/sshd_config
+--- openssh-6.6p1.orig/sshd_config	2014-01-12 02:20:47.000000000 -0600
++++ openssh-6.6p1/sshd_config	2014-07-26 17:28:35.993833123 -0500
+@@ -94,7 +94,7 @@
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
+-#UsePAM no
++UsePAM yes
+ 
+ #AllowAgentForwarding yes
+ #AllowTcpForwarding yes