security/openssh-portable: sync with upstream

Taken from: FreeBSD

security/openssh-portable/Makefile

@@ -1,6 +1,6 @@
 PORTNAME=	openssh
 DISTVERSION=	9.9p1
-PORTREVISION=	0
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	security
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -223,6 +223,8 @@ post-install:
 	    ${STAGEDIR}${ETCDIR}/ssh_config.sample
 	${MV} ${STAGEDIR}${ETCDIR}/sshd_config \
 	    ${STAGEDIR}${ETCDIR}/sshd_config.sample
+	${MKDIR} ${STAGEDIR}${ETCDIR}/ssh_config.d \
+		 ${STAGEDIR}${ETCDIR}/sshd_config.d
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 	${MKDIR} ${STAGEDIR}${DOCSDIR}
 	${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}

security/openssh-portable/files/patch-ssh_config

@@ -0,0 +1,11 @@
+--- ssh_config.orig	2024-09-19 15:20:48.000000000 -0700
++++ ssh_config	2024-11-09 12:23:47.263548000 -0800
+@@ -17,6 +17,8 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
++Include ssh_config.d/*.conf
++
+ # Host *
+ #   ForwardAgent no
+ #   ForwardX11 no

security/openssh-portable/files/patch-sshd_config

@@ -1,19 +1,18 @@
-!!!
-!!! Note files/extra-patch-pam-sshd_config contains more changes for default PAM option.
-!!!
---- sshd_config.orig	2022-02-11 18:49:55.062881000 +0000
-+++ sshd_config	2022-02-11 18:52:31.639435000 +0000
-@@ -10,6 +10,9 @@
+--- sshd_config.orig	2024-11-09 12:22:03.414050000 -0800
++++ sshd_config	2024-11-09 12:25:59.964286000 -0800
+@@ -10,6 +10,11 @@
  # possible, but leave them commented.  Uncommented options override the
  # default value.
  
 +# Note that some of FreeBSD's defaults differ from OpenBSD's, and
 +# FreeBSD has a few additional options.
++
++Include sshd_config.d/*.conf
 +
  #Port 22
  #AddressFamily any
  #ListenAddress 0.0.0.0
-@@ -37,8 +40,7 @@
+@@ -37,8 +42,7 @@
  #PubkeyAuthentication yes
  
  # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
@@ -23,7 +22,7 @@
  
  #AuthorizedPrincipalsFile none
  
-@@ -84,7 +86,7 @@
+@@ -84,7 +88,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
  #AllowAgentForwarding yes
  #AllowTcpForwarding yes
  #GatewayPorts no

security/openssh-portable/files/patch-sshd_config.5

@@ -11,7 +11,7 @@
  with successful public key client host authentication is allowed
  (host-based authentication).
  The default is
-@@ -1416,6 +1434,13 @@
+@@ -1416,6 +1434,15 @@
  .Cm ethernet .
  The default is
  .Cm no .
@@ -21,11 +21,13 @@
 +.Cm yes ,
 +the root user may be allowed in with its password even if
 +.Cm PermitRootLogin is set to
++.Cm prohibit-password
++or
 +.Cm without-password .
  .Pp
  Independent of this setting, the permissions of the selected
  .Xr tun 4
-@@ -1774,12 +1799,19 @@
+@@ -1774,12 +1801,19 @@
  .Xr sshd 8
  as a non-root user.
  The default is
@@ -46,7 +48,7 @@
  .It Cm X11DisplayOffset
  Specifies the first display number available for
  .Xr sshd 8 Ns 's
-@@ -1793,7 +1825,7 @@
+@@ -1793,7 +1827,7 @@
  or
  .Cm no .
  The default is

security/openssh-portable/pkg-plist

@@ -8,6 +8,8 @@ bin/ssh-keyscan
 @sample %%ETCDIR%%/moduli.sample
 @sample %%ETCDIR%%/ssh_config.sample
 @sample %%ETCDIR%%/sshd_config.sample
+@dir %%ETCDIR%%/ssh_config.d
+@dir %%ETCDIR%%/sshd_config.d
 @postexec if [ -f %D/%%ETCDIR%%/ssh_host_ecdsa_key ] && grep -q DSA %D/%%ETCDIR%%/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/%%ETCDIR%%/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/%%ETCDIR%%/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi
 sbin/sshd
 libexec/sftp-server