ssh_client: openssh: update to 8.0p1
Change-Id: I26e9fd5e74f5ce43aa029c6cf4f853694b7080f4
Reviewed-on: https://chromium-review.googlesource.com/c/apps/libapps/+/1576540
Reviewed-by: Vitaliy Shipitsyn <vsh@google.com>
Tested-by: Mike Frysinger <vapier@chromium.org>
diff --git a/ssh_client/build.sh b/ssh_client/build.sh
index 72ec6fd..5c90955 100755
--- a/ssh_client/build.sh
+++ b/ssh_client/build.sh
@@ -33,7 +33,7 @@
./third_party/ldns/build
./third_party/mandoc/build
-./third_party/openssh-7.9/build
+./third_party/openssh-8.0/build
BUILD_ARGS=()
if [[ $DEBUG == 1 ]]; then
diff --git a/ssh_client/third_party/openssh-8.0/LICENCE b/ssh_client/third_party/openssh-8.0/LICENCE
new file mode 100644
index 0000000..1524821
--- /dev/null
+++ b/ssh_client/third_party/openssh-8.0/LICENCE
@@ -0,0 +1,319 @@
+This file is part of the OpenSSH software.
+
+The licences which components of this software fall under are as
+follows. First, we will summarize and say that all components
+are under a BSD licence, or a licence more free than that.
+
+OpenSSH contains no GPL code.
+
+1)
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ * All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose. Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+
+ [Tatu continues]
+ * However, I am not implying to give any licenses to any patents or
+ * copyrights held by third parties, and the software includes parts that
+ * are not under my direct control. As far as I know, all included
+ * source code is used in accordance with the relevant license agreements
+ * and can be used freely for any purpose (the GNU license being the most
+ * restrictive); see below for details.
+
+ [However, none of that term is relevant at this point in time. All of
+ these restrictively licenced software components which he talks about
+ have been removed from OpenSSH, i.e.,
+
+ - RSA is no longer included, found in the OpenSSL library
+ - IDEA is no longer included, its use is deprecated
+ - DES is now external, in the OpenSSL library
+ - GMP is no longer used, and instead we call BN code from OpenSSL
+ - Zlib is now external, in a library
+ - The make-ssh-known-hosts script is no longer included
+ - TSS has been removed
+ - MD5 is now external, in the OpenSSL library
+ - RC4 support has been replaced with ARC4 support from OpenSSL
+ - Blowfish is now external, in the OpenSSL library
+
+ [The licence continues]
+
+ Note that any information and cryptographic algorithms used in this
+ software are publicly available on the Internet and at any major
+ bookstore, scientific library, and patent office worldwide. More
+ information can be found e.g. at "http://www.cs.hut.fi/crypto".
+
+ The legal status of this program is some combination of all these
+ permissions and restrictions. Use only at your own responsibility.
+ You will be responsible for any legal consequences yourself; I am not
+ making any claims whether possessing or using this is legal or not in
+ your country, and I am not taking any responsibility on your behalf.
+
+
+ NO WARRANTY
+
+ BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+ FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+ OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+ PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+ OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+ TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+ PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+ REPAIR OR CORRECTION.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+ WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+ REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+ INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+ OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+ TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGES.
+
+3)
+ ssh-keyscan was contributed by David Mazieres under a BSD-style
+ license.
+
+ * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
+ *
+ * Modification and redistribution in source and binary forms is
+ * permitted provided that due credit is given to the author and the
+ * OpenBSD project by leaving this copyright notice intact.
+
+4)
+ The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers
+ and Paulo Barreto is in the public domain and distributed
+ with the following license:
+
+ * @version 3.0 (December 2000)
+ *
+ * Optimised ANSI C code for the Rijndael cipher (now AES)
+ *
+ * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
+ * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
+ * @author Paulo Barreto <paulo.barreto@terra.com.br>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+5)
+ One component of the ssh source code is under a 3-clause BSD license,
+ held by the University of California, since we pulled these parts from
+ original Berkeley code.
+
+ * Copyright (c) 1983, 1990, 1992, 1993, 1995
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+
+6)
+ Remaining components of the software are provided under a standard
+ 2-term BSD licence with the following names as copyright holders:
+
+ Markus Friedl
+ Theo de Raadt
+ Niels Provos
+ Dug Song
+ Aaron Campbell
+ Damien Miller
+ Kevin Steves
+ Daniel Kouril
+ Wesley Griffin
+ Per Allansson
+ Nils Nordman
+ Simon Wilkinson
+
+ Portable OpenSSH additionally includes code from the following copyright
+ holders, also under the 2-term BSD license:
+
+ Ben Lindstrom
+ Tim Rice
+ Andre Lucas
+ Chris Adams
+ Corinna Vinschen
+ Cray Inc.
+ Denis Parker
+ Gert Doering
+ Jakob Schlyter
+ Jason Downs
+ Juha Yrjölä
+ Michael Stone
+ Networks Associates Technology, Inc.
+ Solar Designer
+ Todd C. Miller
+ Wayne Schroeder
+ William Jones
+ Darren Tucker
+ Sun Microsystems
+ The SCO Group
+ Daniel Walsh
+ Red Hat, Inc
+ Simon Vallet / Genoscope
+
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+8) Portable OpenSSH contains the following additional licenses:
+
+ a) md5crypt.c, md5crypt.h
+
+ * "THE BEER-WARE LICENSE" (Revision 42):
+ * <phk@login.dknet.dk> wrote this file. As long as you retain this
+ * notice you can do whatever you want with this stuff. If we meet
+ * some day, and you think this stuff is worth it, you can buy me a
+ * beer in return. Poul-Henning Kamp
+
+ b) snprintf replacement
+
+ * Copyright Patrick Powell 1995
+ * This code is based on code written by Patrick Powell
+ * (papowell@astart.com) It may be used for any purpose as long as this
+ * notice remains intact on all source code distributions
+
+ c) Compatibility code (openbsd-compat)
+
+ Apart from the previously mentioned licenses, various pieces of code
+ in the openbsd-compat/ subdirectory are licensed as follows:
+
+ Some code is licensed under a 3-term BSD license, to the following
+ copyright holders:
+
+ Todd C. Miller
+ Theo de Raadt
+ Damien Miller
+ Eric P. Allman
+ The Regents of the University of California
+ Constantin S. Svintsoff
+
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+
+ Some code is licensed under an ISC-style license, to the following
+ copyright holders:
+
+ Internet Software Consortium.
+ Todd C. Miller
+ Reyk Floeter
+ Chad Mynhier
+
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+ Some code is licensed under a MIT-style license to the following
+ copyright holders:
+
+ Free Software Foundation, Inc.
+
+ * Permission is hereby granted, free of charge, to any person obtaining a *
+ * copy of this software and associated documentation files (the *
+ * "Software"), to deal in the Software without restriction, including *
+ * without limitation the rights to use, copy, modify, merge, publish, *
+ * distribute, distribute with modifications, sublicense, and/or sell *
+ * copies of the Software, and to permit persons to whom the Software is *
+ * furnished to do so, subject to the following conditions: *
+ * *
+ * The above copyright notice and this permission notice shall be included *
+ * in all copies or substantial portions of the Software. *
+ * *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS *
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF *
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. *
+ * IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, *
+ * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR *
+ * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR *
+ * THE USE OR OTHER DEALINGS IN THE SOFTWARE. *
+ * *
+ * Except as contained in this notice, the name(s) of the above copyright *
+ * holders shall not be used in advertising or otherwise to promote the *
+ * sale, use or other dealings in this Software without prior written *
+ * authorization. *
+ ****************************************************************************/
+
+
+------
+$OpenBSD: LICENCE,v 1.20 2017/04/30 23:26:16 djm Exp $
diff --git a/ssh_client/third_party/openssh-8.0/METADATA b/ssh_client/third_party/openssh-8.0/METADATA
new file mode 100644
index 0000000..575bae0
--- /dev/null
+++ b/ssh_client/third_party/openssh-8.0/METADATA
@@ -0,0 +1,14 @@
+name: "OpenSSH"
+description: "SSH and SFTP client"
+
+third_party {
+ url {
+ type: HOMEPAGE
+ value: "https://www.openssh.com/"
+ }
+ version: "8.0p1"
+ last_upgrade_date { year: 2019 month: 4 day: 18 }
+
+ local_modifications:
+ "See the patches in this directory for more details."
+}
diff --git a/ssh_client/third_party/openssh-8.0/build b/ssh_client/third_party/openssh-8.0/build
new file mode 100755
index 0000000..d525d4a
--- /dev/null
+++ b/ssh_client/third_party/openssh-8.0/build
@@ -0,0 +1,148 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# Copyright 2019 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+"""Build openssh package."""
+
+from __future__ import print_function
+
+import glob
+import logging
+import os
+import sys
+
+FILESDIR = os.path.dirname(os.path.realpath(__file__))
+sys.path.insert(0, os.path.join(FILESDIR, '..', '..', 'bin'))
+
+import ssh_client # pylint: disable=wrong-import-position
+
+
+ARCHIVES = ('%(p)s.tar.gz',)
+PATCHES = ('%(p)s.patch',)
+
+
+def src_configure(metadata):
+ """Configure the source."""
+ if os.path.exists('Makefile'):
+ logging.info('Makefile exists; skipping ./configure step')
+ return
+
+ env = ssh_client.pnacl_env()
+
+ EXTRA_LIBS = ['-lcrypto']
+ EXTRA_CFLAGS = [
+ '-DHAVE_SIGACTION',
+ '-DHAVE_TRUNCATE',
+ '-DHAVE_SETSID',
+ '-DHAVE_GETNAMEINFO',
+ '-DHAVE_GETADDRINFO',
+ '-DHAVE_GETCWD',
+ '-DHAVE_STATVFS',
+ '-DHAVE_FSTATVFS',
+ '-DHAVE_ENDGRENT',
+ '-DHAVE_FD_MASK',
+ '-include', 'sys/cdefs.h',
+ '-I%s' % (os.path.join(env['SYSROOT_INCDIR'], 'glibc-compat'),),
+ ]
+
+ EXTRA_CONFIGURE_FLAGS = [
+ # Log related settings.
+ '--disable-lastlog',
+ '--disable-utmp',
+ '--disable-utmpx',
+ '--disable-wtmp',
+ '--disable-wtmpx',
+ '--disable-pututline',
+ '--disable-pututxline',
+
+ # Various toolchain settings.
+ '--without-rpath',
+ '--without-Werror',
+
+ # Features we don't use.
+ '--without-audit',
+ '--without-libedit',
+ '--without-pam',
+ '--without-sandbox',
+ '--without-selinux',
+ '--without-shadow',
+ '--without-ssl-engine',
+
+ # Features we want.
+ # OpenSSL is needed for DSA/RSA key support.
+ '--with-openssl',
+ '--with-ldns',
+ '--with-zlib',
+ '--without-zlib-version-check',
+
+ # These don't work with newlib (used in PNaCl).
+ '--without-stackprotect',
+ '--without-hardening',
+
+ # Disable inet funcs we don't rely upon.
+ 'ac_cv_func_inet_aton=no',
+ 'ac_cv_func_inet_ntoa=no',
+ 'ac_cv_func_inet_ntop=no',
+ ]
+
+ cmd = [
+ './configure',
+ '--host=nacl',
+ # The prefix path matches what is used at runtime.
+ '--prefix=/',
+ '--cache-file=../config.cache',
+ 'CFLAGS=%s' % (' '.join(EXTRA_CFLAGS),),
+ 'LIBS=%s' % (' '.join(EXTRA_LIBS),),
+ ]
+ ssh_client.run(cmd + EXTRA_CONFIGURE_FLAGS, env=env)
+
+ # Build the html man pages. Since we're hooking the Makefile, we need can
+ # do this only after we've run configure.
+ with open('Makefile', 'ab') as f:
+ f.writelines([
+ b'html: $(MANPAGES_IN:%=%.html)\n',
+ b'%.html: %\n',
+ (b'\tmandoc -Thtml -I os=' + metadata['p'].encode('utf-8') +
+ b' -O man=%N.%S.html $< >$@.tmp\n'),
+ b'\tmv $@.tmp $@\n',
+ ])
+
+
+def src_compile(_metadata):
+ """Compile the source."""
+ # These are the few objects we care about for our tools.
+ objects = [
+ 'ssh.o', 'readconf.o', 'clientloop.o', 'sshtty.o', 'sshconnect.o',
+ 'sshconnect2.o', 'mux.o',
+ ]
+
+ targets = objects + [
+ # These are internal ssh libs that the objects above might use.
+ 'libssh.a',
+ 'openbsd-compat/libopenbsd-compat.a',
+
+ # The documentation we'll ship later on.
+ 'html',
+ ]
+
+ env = ssh_client.pnacl_env()
+ ssh_client.emake(*targets, env=env)
+ ssh_client.run([env['AR'], 'rcs', 'libopenssh.a'] + objects)
+
+
+def src_install(_metadata):
+ """Install the package."""
+ for lib in ('libopenssh.a', 'libssh.a',
+ 'openbsd-compat/libopenbsd-compat.a'):
+ ssh_client.copy(lib,
+ os.path.join(ssh_client.OUTPUT, os.path.basename(lib)))
+
+ plugin_docs = os.path.join(ssh_client.OUTPUT, 'plugin', 'docs')
+ os.makedirs(plugin_docs, exist_ok=True)
+ for path in glob.glob('*.[0-9].html'):
+ ssh_client.copy(path, os.path.join(plugin_docs, path))
+
+
+ssh_client.build_package(sys.modules[__name__])
diff --git a/ssh_client/third_party/openssh-8.0/openssh-8.0p1.patch b/ssh_client/third_party/openssh-8.0/openssh-8.0p1.patch
new file mode 100644
index 0000000..a9c8a93
--- /dev/null
+++ b/ssh_client/third_party/openssh-8.0/openssh-8.0p1.patch
@@ -0,0 +1,105 @@
+--- a/channels.h
++++ b/channels.h
+@@ -188,9 +188,9 @@ struct Channel {
+
+ /* default window/packet sizes for tcp/x11-fwd-channel */
+ #define CHAN_SES_PACKET_DEFAULT (32*1024)
+-#define CHAN_SES_WINDOW_DEFAULT (64*CHAN_SES_PACKET_DEFAULT)
++#define CHAN_SES_WINDOW_DEFAULT (4*CHAN_SES_PACKET_DEFAULT)
+ #define CHAN_TCP_PACKET_DEFAULT (32*1024)
+-#define CHAN_TCP_WINDOW_DEFAULT (64*CHAN_TCP_PACKET_DEFAULT)
++#define CHAN_TCP_WINDOW_DEFAULT (4*CHAN_TCP_PACKET_DEFAULT)
+ #define CHAN_X11_PACKET_DEFAULT (16*1024)
+ #define CHAN_X11_WINDOW_DEFAULT (4*CHAN_X11_PACKET_DEFAULT)
+
+--- a/ssh.c
++++ b/ssh.c
+@@ -577,7 +577,7 @@ set_addrinfo_port(struct addrinfo *addrs, int port)
+ * Main program for the ssh client.
+ */
+ int
+-main(int ac, char **av)
++ssh_main(int ac, char **av, const char *subsystem)
+ {
+ struct ssh *ssh = NULL;
+ int i, r, opt, exit_status, use_syslog, direct, timeout_ms;
+@@ -1038,6 +1038,21 @@ main(int ac, char **av)
+ if ((command = sshbuf_new()) == NULL)
+ fatal("sshbuf_new failed");
+
++ if (subsystem) {
++ /*
++ * Hijack the codeflow now that we're done parsing the command line.
++ * We want all the flags, but none of the command line. Unless they
++ * passed in -s themselves.
++ */
++ if (!subsystem_flag) {
++ subsystem_flag = 1;
++ av = xcalloc(2, sizeof(*av));
++ av[0] = subsystem;
++ av[1] = NULL;
++ ac = 1;
++ }
++ }
++
+ /*
+ * Save the command to execute on the remote host in a buffer. There
+ * is no limit on the length of the command, except by the maximum
+
+We hack the agent code to use a fake IP address which the plugin watches for.
+We should have the plugin deal with AF_UNIX requests instead, then we won't
+have to hack up OpenSSH.
+
+--- a/authfd.c
++++ b/authfd.c
+@@ -88,7 +88,10 @@ ssh_get_authentication_socket(int *fdp)
+ {
+ const char *authsocket;
+ int sock, oerrno;
+- struct sockaddr_un sunaddr;
++ struct sockaddr_in sunaddr;
++
++ /* Magic value. Keep in sync with //ssh_client/src/file_system.cc */
++ static const int kSshAgentFakeIP = 0x7F010203;
+
+ if (fdp != NULL)
+ *fdp = -1;
+@@ -98,10 +101,10 @@ ssh_get_authentication_socket(int *fdp)
+ return SSH_ERR_AGENT_NOT_PRESENT;
+
+ memset(&sunaddr, 0, sizeof(sunaddr));
+- sunaddr.sun_family = AF_UNIX;
+- strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
++ sunaddr.sin_family = AF_INET;
++ sunaddr.sin_addr.s_addr = htonl(kSshAgentFakeIP);
+
+- if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
++ if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ return SSH_ERR_SYSTEM_ERROR;
+
+ /* close on exec */
+
+the bind_permitted() check doesn't work well in the nacl env. leave it to the
+host os to do the actual check and deny/permit as makes sense.
+
+daemonized() relies on funcs we don't implement (because we don't need them),
+and this func is only used in sshd. disable it to avoid link failures.
+
+--- a/misc.c
++++ b/misc.c
+@@ -1576,6 +1576,7 @@ forward_equals(const struct Forward *a, const struct Forward *b)
+ return 1;
+ }
+
++#if !defined(__pnacl__) && !defined(__nacl__)
+ /* returns 1 if process is already daemonized, 0 otherwise */
+ int
+ daemonized(void)
+@@ -1593,6 +1594,7 @@ daemonized(void)
+ debug3("already daemonized");
+ return 1;
+ }
++#endif
+
+
+ /*
