sshd-auth likely remains stuck in a busy-poll loop. A diagnosis report and patch proposal were created locally.
Published session
Prompt
## Plan Pass
You are planning a fixer patch before any edits happen.
Read the evidence bundle at `./evidence.json`. The prepared workspace is `./workspace` and it was acquired via `debian-source`. The original pre-edit snapshot is available at `./source` if you need to inspect it. For interpreter processes, plan from the script/application entrypoint evidence first and include the runtime only as a second investigation target unless the evidence proves a runtime bug.
Validation expectation: try the project-level build/test entrypoint from the workspace root before reporting only a focused leaf compile. Detected candidate(s): `./configure && make`. If the project-level command fails because dependencies or generated files are missing, include the exact command and failure reason in `## Validation`, then run the narrowest relevant compile/test that is still reproducible from a clean checkout.
Upstream-style expectation: before planning or editing, check for contribution/style docs (`CONTRIBUTING`, `HACKING`, `README-hacking`, `README.md`, `docs/`, `dev-docs/`) and scan the touched subsystem for local helpers. If the project has wrappers for file IO, path-relative IO, process spawning, memory allocation, logging, locking, or platform compatibility, prefer those wrappers over generic libc/std APIs. Do not invent a reproducer or user-visible failure that is not in the evidence bundle; if the evidence is profiler-only or indirect, describe it as a targeted mitigation or stop with a diagnosis instead of presenting a speculative patch as a confirmed bug fix. In the plan and final validation, name any such helper, convention, or evidence limit you found, or say that no relevant local helper was found. Treat this as a `openssh` upstream patch, not just a Debian-local workaround. Inspect the relevant code, nearby callers, project contribution docs, and local helper/compat APIs, but do not edit files in this pass.
Return a short markdown plan with these exact sections:
## Problem
## Evidence Confidence
## Proposed Subject
## Patch Plan
## Risks
## Validation
Classify `## Evidence Confidence` as exactly one of `reproduced`, `observed`, or `inferred`. Use `inferred` only for a no-patch diagnosis/report plan unless you can name the extra evidence you will collect before editing; inferred source patches are blocked by Fixer because they are not pull-request-ready. For `observed` source-patch plans, plan to say in the final `## Issue Connection` that the failure was observed by Fixer and not independently reproduced. If the plan touches authentication, authorization, credentials, cryptography, sandboxing, permissions, or timing/throttling behavior, treat it as security-sensitive: do not plan a source patch unless validation can reproduce the behavior and analyze the security impact; otherwise plan a no-patch diagnosis/report. The plan must explain how the proposed code change addresses the observed issue evidence, call out any prior Fixer patch that should be improved or replaced, reject awkward control flow such as avoidable `goto` if there is a cleaner bounded alternative, name any local helper APIs or maintainer conventions the patch should follow, and keep the intended maintainer-facing explanation clear enough that someone unfamiliar with the local complaint wording can still follow the fix. In `## Validation`, name the reproducible configure/build/test entrypoint you will try from the workspace root before any focused leaf compile or smoke check, and include one bounded independent reproduction attempt for the collected failure signal when it is safe and cheap. Do not plan to claim `reproduced` unless that reproduction command or test can actually show the failure.
## Patch Pass
You are working on a bounded fixer proposal.
Read the evidence bundle at `./evidence.json`. The prepared workspace is `./workspace` and it was acquired via `debian-source`. Produce the smallest reasonable patch for the target repository, keep the change upstreamable, prefer the clearest control flow available, and do not keep avoidable `goto` when a simpler structure would read better. Before introducing new file, process, allocation, locking, networking, or platform APIs, inspect nearby code and project contribution docs for existing helpers or compatibility wrappers and use those local patterns unless you can explain why they do not fit. Validate from a reproducible workspace-root entrypoint before falling back to focused leaf commands; if a build or test cannot run, report the exact command, the exact blocker, and any narrower check you ran instead. During validation, also try one bounded independent reproduction of the collected failure signal when it is safe and cheap, such as a failing test, smoke command, perf/strace comparison, or before/after runtime check. Only use `reproduced` if that command or test actually reproduced the failure; otherwise keep `observed` and report the reproduction blocker. The final explanation must connect the observed issue evidence to the actual code change, not just paraphrase the diff. Write like a maintainer is going to read the patch mail cold: explain the bug in plain language, define subsystem-specific jargon the first time you need it, and make the causal story obvious. Explicitly classify evidence confidence as `reproduced`, `observed`, or `inferred`: `reproduced` means you reproduced the failure locally; `observed` means Fixer has direct crash/log/trace evidence but you did not independently reproduce it; `inferred` means the source patch is not pull-request-ready, so do not leave a source diff unless you first gather stronger observed/reproduced evidence; otherwise return a no-patch diagnosis/report. For any source-changing `observed` patch, say explicitly in `## Issue Connection` that the failure was observed by Fixer and not independently reproduced. Security-sensitive areas such as authentication, authorization, credentials, cryptography, sandboxing, permissions, and timing/throttling behavior need reproduced evidence plus explicit security-impact analysis before leaving a source diff; otherwise return a no-patch diagnosis/report for human review. If you introduce non-obvious state translation, index remapping, or backend split logic, add a short source comment that explains the invariant being preserved.
Start by explaining the likely root cause from the collected perf, strace, and /proc evidence. If you cannot land a safe patch, leave a diagnosis that is strong enough for an upstream bug report.
Validation expectation: try the project-level build/test entrypoint from the workspace root before reporting only a focused leaf compile. Detected candidate(s): `./configure && make`. If the project-level command fails because dependencies or generated files are missing, include the exact command and failure reason in `## Validation`, then run the narrowest relevant compile/test that is still reproducible from a clean checkout.
Upstream-style expectation: before planning or editing, check for contribution/style docs (`CONTRIBUTING`, `HACKING`, `README-hacking`, `README.md`, `docs/`, `dev-docs/`) and scan the touched subsystem for local helpers. If the project has wrappers for file IO, path-relative IO, process spawning, memory allocation, logging, locking, or platform compatibility, prefer those wrappers over generic libc/std APIs. Do not invent a reproducer or user-visible failure that is not in the evidence bundle; if the evidence is profiler-only or indirect, describe it as a targeted mitigation or stop with a diagnosis instead of presenting a speculative patch as a confirmed bug fix. In the plan and final validation, name any such helper, convention, or evidence limit you found, or say that no relevant local helper was found. Treat this as a `openssh` upstream patch, not just a Debian-local workaround.
Keep the change narrowly scoped and summarize validation clearly.
In every authoring pass, your final response must start with `Subject: <single-line git commit subject>` and then include these markdown sections exactly:
## Commit Message
A short upstream-friendly explanation of what changed and why. Write it in plain language that a maintainer can follow without local complaint context. If you use subsystem jargon, define it immediately.
## Evidence Confidence
Exactly one word: `reproduced`, `observed`, or `inferred`. Use `reproduced` only when you reproduced the failure locally with a command or test, and include that command/test in `## Validation`. Use `observed` when Fixer has direct crash/log/trace evidence but you did not independently reproduce it. If `## Git Add Paths` lists source files for an `observed` patch, `## Issue Connection` must explicitly say the failure was observed by Fixer and not independently reproduced. Security-sensitive source changes touching authentication, authorization, credentials, cryptography, sandboxing, permissions, or timing/throttling behavior require reproduced evidence and explicit security-impact analysis; otherwise list `None` under `## Git Add Paths` and write a no-patch diagnosis/report. Use `inferred` for profiler/strace/indirect evidence; inferred responses may be no-patch diagnoses or reports, but inferred source patches are not pull-request-ready until stronger evidence is gathered.
## Issue Connection
Write this as maintainer-facing patch mail, not as local Fixer notes. Cover four things explicitly in readable sentences: the user-visible symptom or the exact collected signal, the code-level cause or the cautious inference from evidence, the specific change you made, and the expected effect. Do not invent a reproducer, command line, crash, or user-visible failure that is not present in the evidence bundle. If the evidence is direct-but-not-reproduced, say it was observed by Fixer and not independently reproduced. If the evidence is indirect and you did not gather stronger evidence, do not leave a source diff; write a no-patch diagnosis/report instead. Include an explicit effect sentence such as `The expected effect is ...`, `This should reduce ...`, or `This prevents ...` for source patches. If the logic is non-obvious in code, mention that you added a short explanatory comment.
## Git Add Paths
List the repo-relative paths that belong in the final patch, one per line. Use `None` only when you intentionally made no source changes. Include intentionally new files, and do not list generated build artifacts.
## Validation
List the checks you ran, or say clearly that you could not run them. Include the independent reproduction command/test and result when `## Evidence Confidence` is `reproduced`; if reproduction was attempted but blocked, name the exact blocker and keep confidence at `observed` or `inferred`.
Before editing, read the plan at `./plan-output.txt` and follow it unless the code proves part of it wrong. If you change course, say so explicitly in the final write-up instead of silently drifting from the plan.
## Review Pass 1
You are reviewing a freshly generated fixer patch.
Read the evidence bundle at `./evidence.json`. The prepared workspace is `./workspace` and it was acquired via `debian-source`. Review the first patch pass. The original pre-edit snapshot is available at `./source` for diffing.
Upstream-style expectation: before planning or editing, check for contribution/style docs (`CONTRIBUTING`, `HACKING`, `README-hacking`, `README.md`, `docs/`, `dev-docs/`) and scan the touched subsystem for local helpers. If the project has wrappers for file IO, path-relative IO, process spawning, memory allocation, logging, locking, or platform compatibility, prefer those wrappers over generic libc/std APIs. Do not invent a reproducer or user-visible failure that is not in the evidence bundle; if the evidence is profiler-only or indirect, describe it as a targeted mitigation or stop with a diagnosis instead of presenting a speculative patch as a confirmed bug fix. In the plan and final validation, name any such helper, convention, or evidence limit you found, or say that no relevant local helper was found. Treat this as a `openssh` upstream patch, not just a Debian-local workaround.
Validation expectation: try the project-level build/test entrypoint from the workspace root before reporting only a focused leaf compile. Detected candidate(s): `./configure && make`, `make` and, if available, `make check`. If the project-level command fails because dependencies or generated files are missing, include the exact command and failure reason in `## Validation`, then run the narrowest relevant compile/test that is still reproducible from a clean checkout. The latest author response is at `./patch-output.txt`. Inspect the current code and changed paths like a strict code reviewer. Focus on correctness, regressions, maintainability, awkward control flow such as avoidable `goto`, missing validation, weak or non-gittable commit message text, and explanations that fail to connect the observed issue evidence to the code change. Also review the maintainer experience: the patch mail should be easy to accept upstream, the user-visible bug should be explained in plain language, subsystem-specific jargon should be defined when first used, and any non-obvious state translation or index remapping in code should have a short explanatory comment. Reject patches that omit `## Evidence Confidence`, use anything other than `reproduced`, `observed`, or `inferred`, or sound more certain than that evidence level allows. Reject patches that claim `reproduced` unless `## Validation` names the concrete reproduction command or test and its result. Reject source patches in security-sensitive areas such as authentication, authorization, credentials, cryptography, sandboxing, permissions, and timing/throttling behavior unless the author reproduced the behavior and explicitly analyzed the security impact of the change; observed-only evidence should become a diagnosis/report, not a PR-ready source diff. Reject patches that invent a reproducer, command line, crash, or user-visible failure not present in the evidence bundle; indirect profiler or strace evidence may justify a cautious mitigation, but the author must say it is indirect instead of presenting it as a confirmed upstream bug. Reject patches that introduce generic libc/std APIs when nearby code or project docs provide a local compat/helper API for the same job, unless the author explicitly justifies the exception. Reject validation that only reports a leaf object/syntax build when a project-level configure/build/test entrypoint exists and was not attempted; if a full build cannot run, the author must show the exact failed command and blocker.
Do not apply code changes in this pass.
Return a short markdown review report. The first non-empty line must be exactly one of:
RESULT: ok
RESULT: fix-needed
If you choose `RESULT: fix-needed`, add a `## Findings` section with concrete, actionable items.
Response
## Plan Pass
## Problem
Fixer flagged `sshd-auth` as a runaway/busy-poll process, but the bundle shows `process_state: S`, `total_cpu_percent: 0.1`, blocking `read()` calls, two `clock_nanosleep()` calls, then `ECONNRESET` and exit. The `nanosleep()` maps to `auth2.c` failed-auth delay logic, which is authentication timing behavior and therefore security-sensitive.
## Evidence Confidence
inferred
## Proposed Subject
No source patch: diagnose the finding as insufficient evidence for an OpenSSH busy-loop bug unless an independent reproduction shows real high CPU or unbounded wakeups.
## Patch Plan
Do not edit code in this pass. The observed `read -> nanosleep -> write` sequence matches `input_userauth_request()` calling `ensure_minimum_time_since()` before `userauth_finish()` sends `SSH2_MSG_USERAUTH_FAILURE`.
Before any future patch, collect stronger evidence with a bounded local failed-auth reproduction under `strace`/CPU sampling. A source change is blocked unless that shows actual runaway CPU or repeated nonblocking wakeups.
No prior Fixer patch is present in this workspace to improve or replace. If later evidence justifies a patch, follow OpenSSH conventions already present here: `xmalloc`/`freezero`, `fatal_f`/`debug3_f`, `sshbuf`/`sshpkt`, `monitor_wrap`, `monotime_double`, and existing cleanup style. Avoid changing the auth failure delay with awkward control flow or avoidable `goto`.
## Risks
Changing this path without reproduction could weaken username/authentication timing resistance or alter throttling semantics.
The profiler hotspot is in the kernel TCP path, and the raw investigation files referenced by `evidence.json` are not available at their recorded paths, so the bundle excerpt is the only direct evidence.
## Validation
First try the project-level entrypoint from the workspace root: `./configure && make`.
If dependencies or generated files are missing, record the exact command and failure. Then use the narrowest reproducible check, likely `make sshd-auth` after successful configure.
For bounded independent reproduction, run a local test `sshd` on a high port with test host keys and a deliberately failed password auth attempt while tracing `sshd-auth`; verify whether CPU is actually high or whether the trace only shows the expected failed-auth delay and exit.
## Patch Pass
Subject: Diagnose sshd-auth busy-poll finding
## Commit Message
The likely root cause is a misclassified trace, not an OpenSSH userspace busy loop. The collected `sshd-auth` process was sleeping in a Unix socket read, intentionally delayed failed authentication with `nanosleep`, wrote failure data, then exited after the peer reset the connection. No source change is proposed because this is authentication timing behavior and the failure was not reproduced.
## Evidence Confidence
inferred
## Issue Connection
The collected signal was a short Fixer perf/strace sample reporting `sshd-auth` as a likely busy-poll process, with `read`, `clock_nanosleep`, and `write` as the dominant sequence. The same bundle also records the process as sleeping, using only 0.1% CPU, blocked in `unix_stream_read_generic`, and exiting after `ECONNRESET`.
The code-level inference is that the `clock_nanosleep` entries correspond to `auth2.c` failed-authentication delay logic: `input_userauth_request()` calls `ensure_minimum_time_since()` before `userauth_finish()` sends `SSH2_MSG_USERAUTH_FAILURE`. That path is timing/throttling behavior in authentication, so changing it without a reproduced runaway would risk weakening timing resistance or altering throttling semantics.
I followed the saved plan and left no source diff. The specific “change” in this proposal is a no-patch diagnosis for human review, because the evidence is indirect and the independent reproduction was blocked. The expected effect is to avoid landing a speculative security-sensitive auth timing patch based on a trace that is consistent with normal failed-auth delay and connection teardown.
README.md was the only contribution/build doc found. Relevant OpenSSH conventions/helpers in this area include `xmalloc`, `freezero`, `fatal_f`/`fatal_fr`, `debug3_f`, `sshbuf`/`sshpkt`, `monitor_wrap`, `atomicio`, `monotime_double`, and `openbsd-compat` wrappers.
## Git Add Paths
None
## Validation
`./configure && make` from the workspace root failed before compilation with:
`configure: error: ./configure.ac newer than configure, run autoreconf`
Narrow build checks:
`touch configure && ./configure && make sshd-auth` passed.
`make ssh sshd sshd-session` passed.
Independent reproduction attempt:
A local failed-publickey login under `strace -ff` was attempted against a test `sshd`, but the environment blocked tracing with `PTRACE_TRACEME: Operation not permitted` and `ptrace(PTRACE_SEIZE, 9): Operation not permitted`.
A follow-up untraced localhost smoke attempt was also blocked before exercising auth: the client reported `socket: Operation not permitted`, and the test server setup reported unsupported `UsePAM` in the no-PAM build plus missing `/var/empty`. The original busy-poll failure was not reproduced, so confidence remains `inferred`.
## Review Pass 1
RESULT: ok
No source diff is present, and `## Git Add Paths` correctly lists `None`.
The author’s diagnosis matches the evidence limits: the bundle is indirect profiler/strace evidence, the sampled process was sleeping with 0.1% CPU, and the traced `clock_nanosleep` maps plausibly to OpenSSH’s failed-auth delay path. Because this touches authentication timing/throttling, the no-patch diagnosis is the correct outcome without reproduced evidence and security-impact validation.
The response includes the required evidence confidence, does not overclaim reproduction, names the project-level validation failure, reports narrower build checks, and documents the blocked independent reproduction attempt.
Diff
--- a/buildpkg.sh 1970-01-01 04:00:00.000000000 +0400
+++ b/buildpkg.sh 2026-05-25 18:01:10.981662037 +0400
@@ -0,0 +1,677 @@
+#!/bin/sh
+#
+# Fake Root Solaris/SVR4/SVR5 Build System - Prototype
+#
+# The following code has been provide under Public Domain License. I really
+# don't care what you use it for. Just as long as you don't complain to me
+# nor my employer if you break it. - Ben Lindstrom (mouring@eviladmin.org)
+#
+umask 022
+#
+# Options for building the package
+# You can create a openssh-config.local with your customized options
+#
+REMOVE_FAKE_ROOT_WHEN_DONE=yes
+#
+# uncommenting TEST_DIR and using
+# configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty
+# and
+# PKGNAME=tOpenSSH should allow testing a package without interfering
+# with a real OpenSSH package on a system. This is not needed on systems
+# that support the -R option to pkgadd.
+#TEST_DIR=/var/tmp # leave commented out for production build
+PKGNAME=OpenSSH
+# revisions within the same version (REV=a)
+#REV=
+SYSVINIT_NAME=opensshd
+AWK=${AWK:="nawk"}
+MAKE=${MAKE:="make"}
+SSHDUID=67 # Default privsep uid
+SSHDGID=67 # Default privsep gid
+# uncomment these next three as needed
+#PERMIT_ROOT_LOGIN=no
+#X11_FORWARDING=yes
+#USR_LOCAL_IS_SYMLINK=yes
+# System V init run levels
+SYSVINITSTART=S98
+SYSVINITSTOP=K30
+# We will source these if they exist
+POST_MAKE_INSTALL_FIXES=./pkg-post-make-install-fixes.sh
+POST_PROTOTYPE_EDITS=./pkg-post-prototype-edit.sh
+# We'll be one level deeper looking for these
+PKG_PREINSTALL_LOCAL=../pkg-preinstall.local
+PKG_POSTINSTALL_LOCAL=../pkg-postinstall.local
+PKG_PREREMOVE_LOCAL=../pkg-preremove.local
+PKG_POSTREMOVE_LOCAL=../pkg-postremove.local
+PKG_REQUEST_LOCAL=../pkg-request.local
+# end of sourced files
+#
+OPENSSHD=opensshd.init
+OPENSSH_MANIFEST=openssh.xml
+OPENSSH_FMRI=svc:/site/${SYSVINIT_NAME}:default
+SMF_METHOD_DIR=/lib/svc/method/site
+SMF_MANIFEST_DIR=/var/svc/manifest/site
+
+PATH_GROUPADD_PROG=/usr/sbin/groupadd
+PATH_USERADD_PROG=/usr/sbin/useradd
+PATH_PASSWD_PROG=/usr/bin/passwd
+#
+# list of system directories we do NOT want to change owner/group/perms
+# when installing our package
+SYSTEM_DIR="/etc \
+/etc/init.d \
+/etc/rcS.d \
+/etc/rc0.d \
+/etc/rc1.d \
+/etc/rc2.d \
+/etc/opt \
+/lib \
+/lib/svc \
+/lib/svc/method \
+/lib/svc/method/site \
+/opt \
+/opt/bin \
+/usr \
+/usr/bin \
+/usr/lib \
+/usr/sbin \
+/usr/share \
+/usr/share/man \
+/usr/share/man/man1 \
+/usr/share/man/man8 \
+/usr/local \
+/usr/local/bin \
+/usr/local/etc \
+/usr/local/libexec \
+/usr/local/man \
+/usr/local/man/man1 \
+/usr/local/man/man8 \
+/usr/local/sbin \
+/usr/local/share \
+/var \
+/var/opt \
+/var/run \
+/var/svc \
+/var/svc/manifest \
+/var/svc/manifest/site \
+/var/tmp \
+/tmp"
+
+# We may need to build as root so we make sure PATH is set up
+# only set the path if it's not set already
+[ -d /opt/bin ] && {
+ echo $PATH | grep ":/opt/bin" > /dev/null 2>&1
+ [ $? -ne 0 ] && PATH=$PATH:/opt/bin
+}
+[ -d /usr/local/bin ] && {
+ echo $PATH | grep ":/usr/local/bin" > /dev/null 2>&1
+ [ $? -ne 0 ] && PATH=$PATH:/usr/local/bin
+}
+[ -d /usr/ccs/bin ] && {
+ echo $PATH | grep ":/usr/ccs/bin" > /dev/null 2>&1
+ [ $? -ne 0 ] && PATH=$PATH:/usr/ccs/bin
+}
+export PATH
+#
+
+[ -f Makefile ] || {
+ echo "Please run this script from your build directory"
+ exit 1
+}
+
+# we will look for openssh-config.local to override the above options
+[ -s ./openssh-config.local ] && . ./openssh-config.local
+
+START=`pwd`
+FAKE_ROOT=$START/pkg
+
+## Fill in some details, like prefix and sysconfdir
+for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir sysconfdir piddir srcdir
+do
+ eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2`
+done
+
+## Are we using Solaris' SMF?
+DO_SMF=0
+if egrep "^#define USE_SOLARIS_PROCESS_CONTRACTS" config.h > /dev/null 2>&1
+then
+ DO_SMF=1
+fi
+
+## Collect value of privsep user
+for confvar in SSH_PRIVSEP_USER
+do
+ eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h`
+done
+
+## Set privsep defaults if not defined
+if [ -z "$SSH_PRIVSEP_USER" ]
+then
+ SSH_PRIVSEP_USER=sshd
+fi
+
+## Extract common info requires for the 'info' part of the package.
+VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'`
+
+ARCH=`uname -m`
+DEF_MSG="\n"
+OS_VER=`uname -v`
+SCRIPT_SHELL=/sbin/sh
+UNAME_R=`uname -r`
+UNAME_S=`uname -s`
+case ${UNAME_S} in
+ SunOS) UNAME_S=Solaris
+ OS_VER=${UNAME_R}
+ ARCH=`uname -p`
+ RCS_D=yes
+ DEF_MSG="(default: n)"
+ ;;
+ SCO_SV) case ${UNAME_R} in
+ 3.2) UNAME_S=OpenServer5
+ OS_VER=`uname -X | grep Release | sed -e 's/^Rel.*3.2v//'`
+ ;;
+ 5) UNAME_S=OpenServer6
+ ;;
+ esac
+ SCRIPT_SHELL=/bin/sh
+ RC1_D=no
+ DEF_MSG="(default: n)"
+ ;;
+esac
+
+case `basename $0` in
+ buildpkg.sh)
+## Start by faking root install
+echo "Faking root install..."
+[ -d $FAKE_ROOT ] && rm -fr $FAKE_ROOT
+mkdir $FAKE_ROOT
+${MAKE} install-nokeys DESTDIR=$FAKE_ROOT
+if [ $? -gt 0 ]
+then
+ echo "Fake root install failed, stopping."
+ exit 1
+fi
+
+## Setup our run level stuff while we are at it.
+if [ $DO_SMF -eq 1 ]
+then
+ # For Solaris' SMF, /lib/svc/method/site is the preferred place
+ # for start/stop scripts that aren't supplied with the OS, and
+ # similarly /var/svc/manifest/site for manifests.
+ mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}
+ mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}
+
+ cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}
+ chmod 744 $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}
+
+ cat ${OPENSSH_MANIFEST} | \
+ sed -e "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \
+ -e "s|__SMF_METHOD_DIR__|${SMF_METHOD_DIR}|" \
+ > $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
+ chmod 644 $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
+else
+ mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
+
+ cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
+ chmod 744 $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
+fi
+
+[ "${PERMIT_ROOT_LOGIN}" = no ] && \
+ perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
+ $FAKE_ROOT${sysconfdir}/sshd_config
+[ "${X11_FORWARDING}" = yes ] && \
+ perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
+ $FAKE_ROOT${sysconfdir}/sshd_config
+# fix PrintMotd
+perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \
+ $FAKE_ROOT${sysconfdir}/sshd_config
+
+# We don't want to overwrite config files on multiple installs
+mv $FAKE_ROOT${sysconfdir}/ssh_config $FAKE_ROOT${sysconfdir}/ssh_config.default
+mv $FAKE_ROOT${sysconfdir}/sshd_config $FAKE_ROOT${sysconfdir}/sshd_config.default
+
+# local tweeks here
+[ -s "${POST_MAKE_INSTALL_FIXES}" ] && . ${POST_MAKE_INSTALL_FIXES}
+
+cd $FAKE_ROOT
+
+## Ok, this is outright wrong, but it will work. I'm tired of pkgmk
+## whining.
+for i in *; do
+ PROTO_ARGS="$PROTO_ARGS $i=/$i";
+done
+
+## Build info file
+echo "Building pkginfo file..."
+cat > pkginfo << _EOF
+PKG=$PKGNAME
+NAME="OpenSSH Portable for ${UNAME_S}"
+DESC="Secure Shell remote access utility; replaces telnet and rlogin/rsh."
+VENDOR="OpenSSH Portable Team - https://www.openssh.com/portable.html"
+ARCH=$ARCH
+VERSION=$VERSION$REV
+CATEGORY="Security,application"
+BASEDIR=/
+CLASSES="none"
+PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`"
+_EOF
+
+## Build empty depend file that may get updated by $POST_PROTOTYPE_EDITS
+echo "Building depend file..."
+touch depend
+
+## Build space file
+echo "Building space file..."
+if [ $DO_SMF -eq 1 ]
+then
+ # XXX Is this necessary? If not, remove space line from mk-proto.awk.
+ touch space
+else
+ cat > space << _EOF
+# extra space required by start/stop links added by installf
+# in postinstall
+$TEST_DIR/etc/rc0.d/${SYSVINITSTOP}${SYSVINIT_NAME} 0 1
+$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME} 0 1
+_EOF
+ [ "$RC1_D" = no ] || \
+ echo "$TEST_DIR/etc/rc1.d/${SYSVINITSTOP}${SYSVINIT_NAME} 0 1" >> space
+ [ "$RCS_D" = yes ] && \
+ echo "$TEST_DIR/etc/rcS.d/${SYSVINITSTOP}${SYSVINIT_NAME} 0 1" >> space
+fi
+
+## Build preinstall file
+echo "Building preinstall file..."
+cat > preinstall << _EOF
+#! ${SCRIPT_SHELL}
+#
+_EOF
+
+# local preinstall changes here
+[ -s "${PKG_PREINSTALL_LOCAL}" ] && . ${PKG_PREINSTALL_LOCAL}
+
+cat >> preinstall << _EOF
+#
+if [ "\${PRE_INS_STOP}" = "yes" ]
+then
+ if [ $DO_SMF -eq 1 ]
+ then
+ svcadm disable $OPENSSH_FMRI
+ else
+ ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
+ fi
+fi
+
+exit 0
+_EOF
+
+## Build postinstall file
+echo "Building postinstall file..."
+cat > postinstall << _EOF
+#! ${SCRIPT_SHELL}
+#
+[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config ] || \\
+ cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config.default \\
+ \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config
+[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config ] || \\
+ cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config.default \\
+ \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config
+
+# make rc?.d dirs only if we are doing a test install
+[ -n "${TEST_DIR}" ] && [ $DO_SMF -ne 1 ] && {
+ [ "$RCS_D" = yes ] && mkdir -p ${TEST_DIR}/etc/rcS.d
+ mkdir -p ${TEST_DIR}/etc/rc0.d
+ [ "$RC1_D" = no ] || mkdir -p ${TEST_DIR}/etc/rc1.d
+ mkdir -p ${TEST_DIR}/etc/rc2.d
+}
+
+if [ $DO_SMF -eq 1 ]
+then
+ # Delete the existing service, if it exists, then import the
+ # new one.
+ if svcs $OPENSSH_FMRI > /dev/null 2>&1
+ then
+ svccfg delete -f $OPENSSH_FMRI
+ fi
+ # NOTE, The manifest disables sshd by default.
+ svccfg import ${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
+else
+ if [ "\${USE_SYM_LINKS}" = yes ]
+ then
+ [ "$RCS_D" = yes ] && \\
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOP}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOP}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+ [ "$RC1_D" = no ] || \\
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOP}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
+ else
+ [ "$RCS_D" = yes ] && \\
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOP}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOP}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+ [ "$RC1_D" = no ] || \\
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOP}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+ installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
+ fi
+fi
+
+# If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh)
+[ -d $piddir ] || installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 0755 root sys
+
+_EOF
+
+# local postinstall changes here
+[ -s "${PKG_POSTINSTALL_LOCAL}" ] && . ${PKG_POSTINSTALL_LOCAL}
+
+cat >> postinstall << _EOF
+installf -f ${PKGNAME}
+
+# Use chroot to handle PKG_INSTALL_ROOT
+if [ ! -z "\${PKG_INSTALL_ROOT}" ]
+then
+ chroot="chroot \${PKG_INSTALL_ROOT}"
+fi
+# If this is a test build, we will skip the groupadd/useradd/passwd commands
+if [ ! -z "${TEST_DIR}" ]
+then
+ chroot=echo
+fi
+
+ echo "PrivilegeSeparation user always required."
+ if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+ then
+ echo "PrivSep user $SSH_PRIVSEP_USER already exists."
+ SSH_PRIVSEP_GROUP=\`grep "^$SSH_PRIVSEP_USER:" \${PKG_INSTALL_ROOT}/etc/passwd | awk -F: '{print \$4}'\`
+ SSH_PRIVSEP_GROUP=\`grep ":\$SSH_PRIVSEP_GROUP:" \${PKG_INSTALL_ROOT}/etc/group | awk -F: '{print \$1}'\`
+ else
+ DO_PASSWD=yes
+ fi
+ [ -z "\$SSH_PRIVSEP_GROUP" ] && SSH_PRIVSEP_GROUP=$SSH_PRIVSEP_USER
+
+ # group required?
+ if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'\$SSH_PRIVSEP_GROUP'\$' >/dev/null
+ then
+ echo "PrivSep group \$SSH_PRIVSEP_GROUP already exists."
+ else
+ DO_GROUP=yes
+ fi
+
+ # create group if required
+ [ "\$DO_GROUP" = yes ] && {
+ # Use gid of 67 if possible
+ if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
+ then
+ :
+ else
+ sshdgid="-g $SSHDGID"
+ fi
+ echo "Creating PrivSep group \$SSH_PRIVSEP_GROUP."
+ \$chroot ${PATH_GROUPADD_PROG} \$sshdgid \$SSH_PRIVSEP_GROUP
+ }
+
+ # Create user if required
+ [ "\$DO_PASSWD" = yes ] && {
+ # Use uid of 67 if possible
+ if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null
+ then
+ :
+ else
+ sshduid="-u $SSHDUID"
+ fi
+ echo "Creating PrivSep user $SSH_PRIVSEP_USER."
+ \$chroot ${PATH_USERADD_PROG} -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
+ \$chroot ${PATH_PASSWD_PROG} -l $SSH_PRIVSEP_USER
+ }
+
+if [ "\${POST_INS_START}" = "yes" ]
+then
+ if [ $DO_SMF -eq 1 ]
+ then
+ svcadm enable $OPENSSH_FMRI
+ else
+ ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
+ fi
+fi
+exit 0
+_EOF
+
+## Build preremove file
+echo "Building preremove file..."
+cat > preremove << _EOF
+#! ${SCRIPT_SHELL}
+#
+if [ $DO_SMF -eq 1 ]
+then
+ svcadm disable $OPENSSH_FMRI
+else
+ ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
+fi
+_EOF
+
+# local preremove changes here
+[ -s "${PKG_PREREMOVE_LOCAL}" ] && . ${PKG_PREREMOVE_LOCAL}
+
+cat >> preremove << _EOF
+exit 0
+_EOF
+
+## Build postremove file
+echo "Building postremove file..."
+cat > postremove << _EOF
+#! ${SCRIPT_SHELL}
+#
+if [ $DO_SMF -eq 1 ]
+then
+ if svcs $OPENSSH_FMRI > /dev/null 2>&1
+ then
+ svccfg delete -f $OPENSSH_FMRI
+ fi
+fi
+_EOF
+
+# local postremove changes here
+[ -s "${PKG_POSTREMOVE_LOCAL}" ] && . ${PKG_POSTREMOVE_LOCAL}
+
+cat >> postremove << _EOF
+exit 0
+_EOF
+
+## Build request file
+echo "Building request file..."
+cat > request << _EOF
+trap 'exit 3' 15
+
+_EOF
+
+[ -x /usr/bin/ckyorn ] || cat >> request << _EOF
+
+ckyorn() {
+# for some strange reason OpenServer5 has no ckyorn
+# We build a striped down version here
+
+DEFAULT=n
+PROMPT="Yes or No [yes,no,?,quit]"
+HELP_PROMPT=" Enter y or yes if your answer is yes; n or no if your answer is no."
+USAGE="usage: ckyorn [options]
+where options may include:
+ -d default
+ -h help
+ -p prompt
+"
+
+if [ \$# != 0 ]
+then
+ while getopts d:p:h: c
+ do
+ case \$c in
+ h) HELP_PROMPT="\$OPTARG" ;;
+ d) DEFAULT=\$OPTARG ;;
+ p) PROMPT=\$OPTARG ;;
+ \\?) echo "\$USAGE" 1>&2
+ exit 1 ;;
+ esac
+ done
+ shift \`expr \$OPTIND - 1\`
+fi
+
+while true
+do
+ echo "\${PROMPT}\\c " 1>&2
+ read key
+ [ -z "\$key" ] && key=\$DEFAULT
+ case \$key in
+ [n,N]|[n,N][o,O]|[y,Y]|[y,Y][e,E][s,S]) echo "\${key}\\c"
+ exit 0 ;;
+ \\?) echo \$HELP_PROMPT 1>&2 ;;
+ q|quit) echo "q\\c" 1>&2
+ exit 3 ;;
+ esac
+done
+
+}
+
+_EOF
+
+if [ $DO_SMF -eq 1 ]
+then
+ # This could get hairy, as the running sshd may not be under SMF.
+ # We'll assume an earlier version of OpenSSH started via SMF.
+ cat >> request << _EOF
+PRE_INS_STOP=no
+POST_INS_START=no
+# determine if should restart the daemon
+if [ -s ${piddir}/sshd.pid ] && \\
+ /usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
+then
+ ans=\`ckyorn -d n \\
+-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
+ case \$ans in
+ [y,Y]*) PRE_INS_STOP=yes
+ POST_INS_START=yes
+ ;;
+ esac
+
+else
+
+# determine if we should start sshd
+ ans=\`ckyorn -d n \\
+-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
+ case \$ans in
+ [y,Y]*) POST_INS_START=yes ;;
+ esac
+fi
+
+# make parameters available to installation service,
+# and so to any other packaging scripts
+cat >\$1 <<!
+PRE_INS_STOP='\$PRE_INS_STOP'
+POST_INS_START='\$POST_INS_START'
+!
+
+_EOF
+else
+ cat >> request << _EOF
+USE_SYM_LINKS=no
+PRE_INS_STOP=no
+POST_INS_START=no
+# Use symbolic links?
+ans=\`ckyorn -d n \\
+-p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$?
+case \$ans in
+ [y,Y]*) USE_SYM_LINKS=yes ;;
+esac
+
+# determine if should restart the daemon
+if [ -s ${piddir}/sshd.pid -a -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ]
+then
+ ans=\`ckyorn -d n \\
+-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
+ case \$ans in
+ [y,Y]*) PRE_INS_STOP=yes
+ POST_INS_START=yes
+ ;;
+ esac
+
+else
+
+# determine if we should start sshd
+ ans=\`ckyorn -d n \\
+-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
+ case \$ans in
+ [y,Y]*) POST_INS_START=yes ;;
+ esac
+fi
+
+# make parameters available to installation service,
+# and so to any other packaging scripts
+cat >\$1 <<!
+USE_SYM_LINKS='\$USE_SYM_LINKS'
+PRE_INS_STOP='\$PRE_INS_STOP'
+POST_INS_START='\$POST_INS_START'
+!
+
+_EOF
+fi
+
+# local request changes here
+[ -s "${PKG_REQUEST_LOCAL}" ] && . ${PKG_REQUEST_LOCAL}
+
+cat >> request << _EOF
+exit 0
+
+_EOF
+
+## Next Build our prototype
+echo "Building prototype file..."
+cat >mk-proto.awk << _EOF
+ BEGIN { print "i pkginfo"; print "i depend"; \\
+ print "i preinstall"; print "i postinstall"; \\
+ print "i preremove"; print "i postremove"; \\
+ print "i request"; print "i space"; \\
+ split("$SYSTEM_DIR",sys_files); }
+ {
+ for (dir in sys_files) { if ( \$3 != sys_files[dir] )
+ { if ( \$1 == "s" )
+ { \$5=""; \$6=""; }
+ else
+ { \$5="root"; \$6="sys"; }
+ }
+ else
+ { \$4="?"; \$5="?"; \$6="?"; break;}
+ } }
+ { print; }
+_EOF
+
+find . | egrep -v "prototype|pkginfo|mk-proto.awk" | sort | \
+ pkgproto $PROTO_ARGS | ${AWK} -f mk-proto.awk > prototype
+
+# /usr/local is a symlink on some systems
+[ "${USR_LOCAL_IS_SYMLINK}" = yes ] && {
+ grep -v "^d none /usr/local ? ? ?$" prototype > prototype.new
+ mv prototype.new prototype
+}
+
+## Step back a directory and now build the package.
+cd ..
+# local prototype tweeks here
+[ -s "${POST_PROTOTYPE_EDITS}" ] && . ${POST_PROTOTYPE_EDITS}
+
+echo "Building package.."
+pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o
+echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg
+ ;;
+
+ justpkg.sh)
+rm -fr ${FAKE_ROOT}/${PKGNAME}
+grep -v "^PSTAMP=" $FAKE_ROOT/pkginfo > $$tmp
+mv $$tmp $FAKE_ROOT/pkginfo
+cat >> $FAKE_ROOT/pkginfo << _EOF
+PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`"
+_EOF
+pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o
+echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg
+ ;;
+
+esac
+
+[ "${REMOVE_FAKE_ROOT_WHEN_DONE}" = yes ] && rm -rf $FAKE_ROOT
+exit 0
+
--- a/openbsd-compat/include/glob.h 1970-01-01 04:00:00.000000000 +0400
+++ b/openbsd-compat/include/glob.h 2026-05-25 18:01:01.790682682 +0400
@@ -0,0 +1 @@
+#include "openbsd-compat/glob.h"
--- a/openbsd-compat/include/sys/queue.h 1970-01-01 04:00:00.000000000 +0400
+++ b/openbsd-compat/include/sys/queue.h 2026-05-25 18:01:00.756800282 +0400
@@ -0,0 +1 @@
+#include "openbsd-compat/sys-queue.h"
--- a/openbsd-compat/include/sys/tree.h 1970-01-01 04:00:00.000000000 +0400
+++ b/openbsd-compat/include/sys/tree.h 2026-05-25 18:01:00.758600804 +0400
@@ -0,0 +1 @@
+#include "openbsd-compat/sys-tree.h"
--- a/opensshd.init 1970-01-01 04:00:00.000000000 +0400
+++ b/opensshd.init 2026-05-25 18:01:10.986779576 +0400
@@ -0,0 +1,68 @@
+#!/bin/sh
+# Donated code that was put under PD license.
+#
+# Stripped PRNGd out of it for the time being.
+
+umask 022
+
+CAT=/usr/bin/cat
+KILL=/usr/bin/kill
+
+prefix=/usr/local
+sysconfdir=${prefix}/etc
+piddir=/var/run
+
+SSHD=$prefix/sbin/sshd
+PIDFILE=$piddir/sshd.pid
+PidFile=`grep "^PidFile" ${sysconfdir}/sshd_config | tr "=" " " | awk '{print $2}'`
+[ X$PidFile = X ] || PIDFILE=$PidFile
+SSH_KEYGEN=$prefix/bin/ssh-keygen
+
+stop_service() {
+ if [ -r $PIDFILE -a ! -z ${PIDFILE} ]; then
+ PID=`${CAT} ${PIDFILE}`
+ fi
+ if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then
+ ${KILL} ${PID}
+ else
+ echo "Unable to read PID file"
+ fi
+}
+
+start_service() {
+ # XXX We really should check if the service is already going, but
+ # XXX we will opt out at this time. - Bal
+
+ # Check to see if we have keys that need to be made
+ ${SSH_KEYGEN} -A
+
+ # Start SSHD
+ echo "starting $SSHD... \c" ; $SSHD
+
+ sshd_rc=$?
+ if [ $sshd_rc -ne 0 ]; then
+ echo "$0: Error ${sshd_rc} starting ${SSHD}... bailing."
+ exit $sshd_rc
+ fi
+ echo done.
+}
+
+case $1 in
+
+'start')
+ start_service
+ ;;
+
+'stop')
+ stop_service
+ ;;
+
+'restart')
+ stop_service
+ start_service
+ ;;
+
+*)
+ echo "$0: usage: $0 {start|stop|restart}"
+ ;;
+esac
--- a/openssh.xml 1970-01-01 04:00:00.000000000 +0400
+++ b/openssh.xml 2026-05-25 18:01:10.991749356 +0400
@@ -0,0 +1,90 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<!--
+ Copyright (c) 2006 Chad Mynhier.
+
+ Permission to use, copy, modify, and distribute this software for any
+ purpose with or without fee is hereby granted, provided that the above
+ copyright notice and this permission notice appear in all copies.
+
+ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<service_bundle type='manifest' name='OpenSSH server'>
+
+ <service
+ name='site/__SYSVINIT_NAME__'
+ type='service'
+ version='1'>
+
+<!--
+ We default to disabled so administrator can decide to enable or not.
+-->
+ <create_default_instance enabled='false'/>
+
+ <single_instance/>
+
+ <dependency
+ name='filesystem-local'
+ grouping='require_all'
+ restart_on='none'
+ type='service'>
+ <service_fmri value='svc:/system/filesystem/local'/>
+ </dependency>
+
+ <dependency
+ name='network'
+ grouping='require_all'
+ restart_on='none'
+ type='service'>
+ <service_fmri value='svc:/milestone/network'/>
+ </dependency>
+
+ <dependent
+ name='multi-user-server'
+ restart_on='none'
+ grouping='optional_all'>
+ <service_fmri value='svc:/milestone/multi-user-server'/>
+ </dependent>
+
+ <exec_method
+ name='start'
+ type='method'
+ exec='__SMF_METHOD_DIR__/__SYSVINIT_NAME__ start'
+ timeout_seconds='60'>
+ <method_context/>
+ </exec_method>
+
+ <exec_method
+ name='stop'
+ type='method'
+ exec=':kill'
+ timeout_seconds='60'>
+ <method_context/>
+ </exec_method>
+
+ <property_group
+ name='startd'
+ type='framework'>
+ <propval name='ignore_error' type='astring' value='core,signal'/>
+ </property_group>
+
+ <template>
+ <common_name>
+ <loctext xml:lang='C'>OpenSSH server</loctext>
+ </common_name>
+ <documentation>
+ <manpage
+ title='sshd'
+ section='1M'
+ manpath='/usr/local/man'/>
+ </documentation>
+ </template>
+ </service>
+</service_bundle>
--- a/survey.sh 1970-01-01 04:00:00.000000000 +0400
+++ b/survey.sh 2026-05-25 18:01:11.009761629 +0400
@@ -0,0 +1,69 @@
+#!/bin/sh
+#
+# Copyright (c) 2004, 2005 Darren Tucker
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+host="x86_64-pc-linux-gnu"
+AWK="gawk"
+CC="cc"
+CPP="cc -E"
+CFLAGS="-g -O2 -pipe -Wno-error=format-truncation -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -Wimplicit-fallthrough -Wmisleading-indentation -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fzero-call-used-regs=used -ftrivial-auto-var-init=zero -fno-builtin-memset -fstack-protector-strong -fPIE "
+CPPFLAGS=" -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DOPENSSL_API_COMPAT=0x10100000L"
+LDFLAGS=" -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie "
+LIBS=""
+
+# Note format:
+# identifier: [data] CRCR
+
+echo "openssh-survey-version: 1"
+echo
+echo "openssh-version: `./ssh -V 2>&1`"
+echo
+configinv=`$AWK '/^ \\\$.*configure/' config.log | sed 's/^ \\\$ //g'`
+echo "configure-invocation: $configinv"
+echo
+echo "host: $host"
+echo
+echo "uname: `uname`"
+echo
+echo "uname-r: `uname -r`"
+echo
+echo "uname-m: `uname -m`"
+echo
+echo "uname-p: `uname -p`"
+echo
+echo "oslevel: `oslevel 2>/dev/null`"
+echo
+echo "oslevel-r: `oslevel -r 2>/dev/null`"
+echo
+echo "cc: $CC"
+echo
+echo "cflags: $CFLAGS"
+echo
+echo "cppflags: $CPPFLAGS"
+echo
+echo "ldflags: $LDFLAGS"
+echo
+echo "libs: $LIBS"
+echo
+echo "ccver-v: `$CC -v 2>&1 | sed '/^[ \t]*$/d'`"
+echo
+echo "ccver-V: `$CC -V 2>&1 | sed '/^[ \t]*$/d'`"
+echo
+echo "cppdefines:"
+${CPP} -dM - </dev/null
+echo
+echo "config.h:"
+egrep '#define|#undef' config.h
+echo