first pass as merging 9.6

Author: rapier1

.depend

@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: [rapier1] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

.github/FUNDING.yml

@@ -182,7 +182,7 @@ case "$config" in
 	LIBCRYPTOFLAGS="--without-openssl"
 	TEST_TARGET=t-exec
 	;;
-    valgrind-[1-5]|valgrind-unit)
+    valgrind-[1-7]|valgrind-unit)
 	# rlimit sandbox and FORTIFY_SOURCE confuse Valgrind.
 	CONFIGFLAGS="--without-sandbox --without-hardening"
 	CONFIGFLAGS="$CONFIGFLAGS --with-cppflags=-D_FORTIFY_SOURCE=0"
@@ -193,17 +193,19 @@ case "$config" in
 	# won't reliably pass, and the unit tests run longer than allowed
 	# by github so split into separate tests.
 	tests2="integrity try-ciphers"
-	tests3="krl forward-control sshsig agent-restrict kextype sftp"
-	tests4="cert-userkey cert-hostkey kextype sftp-perm keygen-comment percent"
+	tests3="krl forward-control sshsig"
+	tests4="cert-userkey cert-hostkey"
 	tests5="rekey"
+	tests6="agent-restrict kextype sftp"
+	tests7="kextype sftp-perm keygen-comment percent"
 	case "$config" in
 	    valgrind-1)
 		# All tests except agent-timeout (which is flaky under valgrind),
 		# connection-timeout (which doesn't work since it's so slow)
 		# and hostbased (since valgrind won't let ssh exec keysign).
 		# Slow ones are run separately to increase parallelism.
 		SKIP_LTESTS="agent-timeout connection-timeout hostbased"
-		SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5}"
+		SKIP_LTESTS="$SKIP_LTESTS ${tests2} ${tests3} ${tests4} ${tests5} ${tests6} ${tests7}"
 		;;
 	    valgrind-2)
 		LTESTS="${tests2}"
@@ -217,6 +219,12 @@ case "$config" in
 	    valgrind-5)
 		LTESTS="${tests5}"
 		;;
+	    valgrind-6)
+		LTESTS="${tests6}"
+		;;
+	    valgrind-7)
+		LTESTS="${tests7}"
+		;;
 	    valgrind-unit)
 		TEST_TARGET="unit USE_VALGRIND=1"
 		;;

.github/configs

@@ -17,5 +17,5 @@ if [ "x$LDFLAGS" != "x" ]; then
 	printf "LDFLAGS='$LDFLAGS' "
 fi
 
-echo ./configure ${CONFIGFLAGS}
-./configure ${CONFIGFLAGS} 2>&1
+echo ./configure ${CONFIGFLAGS} --with-privsep-user=sshd
+./configure ${CONFIGFLAGS} --with-privsep-user=sshd

.github/configure.sh

@@ -8,10 +8,10 @@ set -ex
 
 # If we want to test hostbased auth, set up the host for it.
 if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then
-    sshconf=/usr/local/etc
+    sshconf=/usr/local/etc/hpnssh
+    $SUDO mkdir -p $sshconf
     hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null
     echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null
-    $SUDO mkdir -p $sshconf
     $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf
     $SUDO make install
     for key in $sshconf/ssh_host*key*.pub; do

.github/run_test.sh

@@ -27,6 +27,7 @@ esac
 TARGETS=$@
 
 INSTALL_FIDO_PPA="no"
+#COPY_PAM_MODULE="no"
 export DEBIAN_FRONTEND=noninteractive
 
 set -e
@@ -159,6 +160,14 @@ if [ "yes" = "$INSTALL_FIDO_PPA" ]; then
     sudo apt-add-repository -y ppa:yubico/stable
 fi
 
+#need to copy the pam modules for sshd to hpnsshd on
+#macos with pam.
+#if [ "yes" = "$COPY_PAM_MODULE" ]; then
+#    if [ `uname` = "Darwin" }; then
+#	sudo cp /etc/pam.d/sshd /etc/pam.d/hpnsshd
+#    fi
+#fi
+
 tries=3
 while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do
     case "$PACKAGER" in

.github/setup_ci.sh

@@ -2,8 +2,10 @@ name: C/C++ CI
 
 on:
   push:
+    branches: [ master, pre-stage, '*RC*', dev_major, dev_minor ]
     paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
   pull_request:
+    branches: [ master ]
     paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
 
 jobs:
@@ -19,31 +21,23 @@ jobs:
           - macos-11
           - macos-12
           - macos-13
-          - windows-2019
-          - windows-2022
         config: [default]
         # Then we include any extra configs we want to test for specific VMs.
-        # Valgrind slows things down quite a bit, so start them first.
         include:
-          - { target: windows-2019, config: cygwin-release }
-          - { target: windows-2022, config: cygwin-release }
           - { target: ubuntu-20.04, config: valgrind-1 }
           - { target: ubuntu-20.04, config: valgrind-2 }
           - { target: ubuntu-20.04, config: valgrind-3 }
           - { target: ubuntu-20.04, config: valgrind-4 }
-          - { target: ubuntu-20.04, config: valgrind-5 }
-          - { target: ubuntu-20.04, config: valgrind-unit }
+#          - { target: ubuntu-20.04, config: valgrind-5 }
+          - { target: ubuntu-20.04, config: valgrind-6 }
+          - { target: ubuntu-20.04, config: valgrind-7 }
           - { target: ubuntu-20.04, config: c89 }
           - { target: ubuntu-20.04, config: clang-6.0 }
           - { target: ubuntu-20.04, config: clang-8 }
           - { target: ubuntu-20.04, config: clang-9 }
           - { target: ubuntu-20.04, config: clang-10 }
           - { target: ubuntu-20.04, config: clang-11 }
           - { target: ubuntu-20.04, config: clang-12-Werror }
-          - { target: ubuntu-20.04, config: clang-sanitize-address }
-          - { target: ubuntu-20.04, config: clang-sanitize-undefined }
-          - { target: ubuntu-20.04, config: gcc-sanitize-address }
-          - { target: ubuntu-20.04, config: gcc-sanitize-undefined }
           - { target: ubuntu-20.04, config: gcc-7 }
           - { target: ubuntu-20.04, config: gcc-8 }
           - { target: ubuntu-20.04, config: gcc-10 }
@@ -53,14 +47,9 @@ jobs:
           - { target: ubuntu-20.04, config: kitchensink }
           - { target: ubuntu-22.04, config: hardenedmalloc }
           - { target: ubuntu-20.04, config: tcmalloc }
-          - { target: ubuntu-20.04, config: musl }
-          - { target: ubuntu-latest, config: boringssl }
+#	  musl doesn't work because it doesn't know about linux/tcp.h
+#         - { target: ubuntu-20.04, config: musl }
           - { target: ubuntu-latest, config: libressl-master }
-          - { target: ubuntu-latest, config: libressl-3.2.6 }
-          - { target: ubuntu-latest, config: libressl-3.3.6 }
-          - { target: ubuntu-latest, config: libressl-3.4.3 }
-          - { target: ubuntu-latest, config: libressl-3.5.3 }
-          - { target: ubuntu-latest, config: libressl-3.6.1 }
           - { target: ubuntu-latest, config: libressl-3.7.2 }
           - { target: ubuntu-latest, config: libressl-3.8.2 }
           - { target: ubuntu-latest, config: openssl-master }
@@ -85,17 +74,17 @@ jobs:
           - { target: ubuntu-22.04, config: selinux }
           - { target: ubuntu-22.04, config: kitchensink }
           - { target: ubuntu-22.04, config: without-openssl }
-          - { target: macos-11, config: pam }
-          - { target: macos-12, config: pam }
-          - { target: macos-13, config: pam }
+          - { target: ubuntu-22.04, config: clang-sanitize-address }
+          - { target: ubuntu-22.04, config: clang-sanitize-undefined }
+          - { target: ubuntu-22.04, config: gcc-sanitize-address }
+          - { target: ubuntu-22.04, config: gcc-sanitize-undefined }
+# we know pam doesn't work because we can't install a new pam file
+# for hpnssh via the CI test methods
+#          - { target: macos-11, config: pam }
+#          - { target: macos-12, config: pam }
+#          - { target: macos-13, config: pam }
     runs-on: ${{ matrix.target }}
     steps:
-    - name: set cygwin git params
-      if: ${{ startsWith(matrix.target, 'windows') }}
-      run: git config --global core.autocrlf input
-    - name: install cygwin
-      if: ${{ startsWith(matrix.target, 'windows') }}
-      uses: cygwin/cygwin-install-action@master
     - uses: actions/checkout@main
     - name: setup CI system
       run: sh ./.github/setup_ci.sh ${{ matrix.config }}

.github/workflows/c-cpp.yml

@@ -1,13 +1,14 @@
 name: CIFuzz
 on:
   push:
+    branches: [master, pre-stage]
     paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
   pull_request:
     paths: [ '**.c', '**.h', '**.m4', '**.sh', '.github/**', '**/Makefile.in', 'configure.ac' ]
 
 jobs:
   Fuzzing:
-    if: github.repository != 'openssh/openssh-portable-selfhosted'
+    if: github.repository != 'rapier1/openssh-portable-selfhosted'
     runs-on: ubuntu-latest
     steps:
     - name: Build Fuzzers

.github/workflows/cifuzz.yml

@@ -0,0 +1,19 @@
+name: github-repo-stats
+
+on:
+  schedule:
+    # Run this once per day, towards the end of the day for keeping the most
+    # recent data point most meaningful (hours are interpreted in UTC).
+    - cron: "0 23 * * *"
+  workflow_dispatch: # Allow for running this manually.
+
+jobs:
+  j1:
+    name: github-repo-stats
+    runs-on: ubuntu-latest
+    steps:
+      - name: run-ghrs
+        # Use latest release.
+        uses: jgehrcke/github-repo-stats@RELEASE
+        with:
+          ghtoken: ${{ secrets.ghrs_github_api_token }}