Copy stable/10@r272459 to releng/10.1 as part of
the 10.1-RELEASE process.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFH (r261320): upgrade openssh to 6.5p1
MFH (r261340): enable sandboxing by default

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Reduce priority of host key exists message in sshd startup
script to info.

Approved by: re (gjb)

Ditch the random seeding code, which never really worked as intended.
Add config variables to enable / disable individual host key algorithms.
Clean up the host key generation code.

Approved by: re (gjb)
MFC after: 3 weeks

Call sshd_precmd instead of sshd_configtest when the operator
requests reload or restart, which, in addition of testing the
configuration, will also generate host keys when they are not
present (previous behavior).

Obtained from: FreeNAS
Ok'ed by: bdrewery, des
MFC after: 1 week

Also call configtest before reload to ensure working config.

Approved by: jhb
MFC after: 1 week
X-MFC-With: r249489

Run configtest before restarting so that the system is not
left without a running sshd.

Approved by: des
MFC after: 1 week

Simply things so that "#REQUIRE: FILESYSTEMS" means the file
systems are fully "ready to go".

'FILESYSTEMS' states: "This is a dummy dependency, for services which
require file systems to be mounted before starting." However, we have
'var' which is was run after 'FILESYSTEMS' and can mount /var if it
already isn't mounted. Furthermore, several scripts cannot use /var
until 'cleanvar' has done its thing. Thus "FILESYSTEMS" hasn't really
meant all critical file systems are fully usable.

Add a configtest command.

Submitted by: gjb@
MFC after: 1 week

Prepare for the removal of set_rcvar() by changing the rcvar=
assignments to the literal values it would have returned.

The concept of set_rcvar() was nice in theory, but the forks
it creates are a drag on the startup process, which is especially
noticeable on slower systems, such as embedded ones.

During the discussion on freebsd-rc@ a preference was expressed for
using ${name}_enable instead of the literal values. However the
code portability concept doesn't really apply since there are so
many other places where the literal name has to be searched for
and replaced. Also, using the literal value is also a tiny bit
faster than dereferencing the variables, and every little bit helps.

Upgrade to OpenSSH 5.8p2.

Add the shutdown KEYWORD to those scripts that start persistent services
to allow them to do a "clean" shutdown.

I purposely avoided making changes to network-related stuff since the
system shutting down is pretty conclusive, and there may be complicated
dependencies on the network that I would rather not try to unravel.

I also skipped kerberos-related stuff for the reasons above, and
because I have no way to test it.

Remove $NetBSD$ CVS tags. We no longer attempt to synch our rc.d files
with theirs, so this information doesn't need to be in the live file.
Having it in our CVS history is enough.

Backout this commit since it breaks startup and some scripts in
certain conditions. I haven't been able to find a better solution yet:

- Set a two read-only variables (${prefix} and ${etcdir}). This is
especially useful when using /etc/rc.d scripts with third-party
software installed from ports.
- Fix rc.d/sshd to work with openssh from ports using ${etcdir}
instead of hardcoded /etc.
- Reflect prefix/etcdir changes in rc.subr.8.

src/etc/rc.d/sshd: rev 1.9 -> 1.10
src/etc/rc.subr: rev 1.51 -> 1.52
src/share/man/man8/rc.subr.8: rev 1.11 -> 1.12

Approved by: cperciva (mentor)

- Fix rc.d/sshd test on kern.random.sys.seeded.

PR: conf/94377
Submitted by: dwhite
Approved by: cperciva (mentor)
MFC after: 1 week

- Set a two read-only variables (${prefix} and ${etcdir}). This is
especially useful when using /etc/rc.d scripts with third-party
software installed from ports.
- Fix rc.d/sshd to work with openssh from ports using ${etcdir}
instead of hardcoded /etc.

Reviewed by: brooks
Approved by: cperciva (mentor)
MFC after: 1 week

Don't be lazy, set the "command" variable even if
/etc/defaults/rc.conf will provide foo_program, too.
By specifying "command" we explicitly say that we're
going to rely on rc.subr(8) default methods, and
rc.subr(8) will take advantage of this soon.

The majority of our rc.d scripts already set "command"
if appropriate, so fix just the non-compliant handful.

"REQUIRE: cleanvar" for all RC's writing into /var/run.

Remove the requirement for the FreeBSD keyword as it no longer
makes any sense.

Discussed with: dougb, brooks
MFC after: 3 days

Give sshd a secure startup, but with a tweakable timeout so that
the box won't hang forever at startup.

Luke Mewburn has indicated that they (NetBSD) are not interested
in keeping the scripts under rc.d in sync with us. So, remove
NetBSD specific stuff (which made our scripts more complicated
than necessary).

The NetBSD ident string will be left intact, both for history and
also incase we wish to pull in future versions.

Luke Mewburn has indicated that they (NetBSD) are not interested
in keeping the scripts under rc.d in sync with us. So, begin removal
of NetBSD specific stuff (which made our scripts more complicated
than necessary), starting with the NetBSD KEYWORD.

Not everyone uses the base system sshd. They can use the sshd_program
variable in rc.conf to have sshd from ports (or somewhere else) installed.
So, don't make the sshd_config for the base system a required file
to start the service.

PR: conf/45766

Merge in all the changes that Mike Makonnen has been maintaining for a
while. This is only the script pieces, the glue for the build comes next.

Submitted by: Mike Makonnen <makonnen@pacbell.net>
Reviewed by: silence on -current and -hackers
Prodded by: rwatson

This commit was generated by cvs2svn to compensate for changes in r78344,
which included commits to RCS files with non-trunk default branches.

Import the NetBSD 1.5 RC system.

Note that `rc' and `rc.shutdown' could not be imported because we already
have files with those names.