Sync from SUSE:SLFO:Main openssh revision a671063fcb9bb4733f77682129b431c2

2024-11-04 17:28:24 +01:00 · 2024-11-04 17:28:24 +01:00 · 094cd910aa
commit 094cd910aa
parent 2b4415248e
42 changed files with 3051 additions and 1804 deletions
--- a/0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
+++ b/0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
@ -0,0 +1,414 @@
 From 7c116ef927a8ef14d09065757f75560fa0ab79d0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
 Date: Tue, 17 Oct 2023 04:04:13 +0200
 Subject: [PATCH 1/6] auth: Add KbdintResult definition to define result values
 explicitly
 kbdint result vfunc may return various values, so use an enum to make it
 clearer what each result means without having to dig into the struct
 documentation.
 ---
 auth-bsdauth.c |  2 +-
 auth-pam.c     | 10 +++++-----
 auth.h         |  5 +++++
 auth2-chall.c  |  4 ++--
 4 files changed, 13 insertions(+), 8 deletions(-)
 diff --git a/auth-bsdauth.c b/auth-bsdauth.c
 index d124e994e77..ca41735debb 100644
 --- a/auth-bsdauth.c
 +++ b/auth-bsdauth.c
@@ -111,7 +111,7 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses)
 	authctxt->as = NULL;
 	debug3("bsdauth_respond: <%s> = <%d>", responses[0], authok);
 -	return (authok == 0) ? -1 : 0;
 +	return (authok == 0) ? KbdintResultFailure : KbdintResultSuccess;
 }
 static void
 diff --git a/auth-pam.c b/auth-pam.c
 index b49d415e7c7..86137a1acdb 100644
 --- a/auth-pam.c
 +++ b/auth-pam.c
@@ -990,15 +990,15 @@ sshpam_respond(void *ctx, u_int num, char **resp)
 	switch (ctxt->pam_done) {
 	case 1:
 		sshpam_authenticated = 1;
 -		return (0);
 +		return KbdintResultSuccess;
 	case 0:
 		break;
 	default:
 -		return (-1);
 +		return KbdintResultFailure;
 	}
 	if (num != 1) {
 		error("PAM: expected one response, got %u", num);
 -		return (-1);
 +		return KbdintResultFailure;
 	}
 	if ((buffer = sshbuf_new()) == NULL)
 		fatal("%s: sshbuf_new failed", __func__);
@@ -1015,10 +1015,10 @@ sshpam_respond(void *ctx, u_int num, char **resp)
 	}
 	if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, buffer) == -1) {
 		sshbuf_free(buffer);
 -		return (-1);
 +		return KbdintResultFailure;
 	}
 	sshbuf_free(buffer);
 -	return (1);
 +	return KbdintResultAgain;
 }
 static void
 diff --git a/auth.h b/auth.h
 index 6d2d3976234..aac1e92d9cd 100644
 --- a/auth.h
 +++ b/auth.h
@@ -51,6 +51,7 @@ struct sshauthopt;
 typedef struct Authctxt Authctxt;
 typedef struct Authmethod Authmethod;
 typedef struct KbdintDevice KbdintDevice;
 +typedef int KbdintResult;
 struct Authctxt {
 	sig_atomic_t	 success;
@@ -111,6 +112,10 @@ struct Authmethod {
 # 	int	*enabled;
 	int	(*userauth)(struct ssh *, const char *);
 };
 +#define KbdintResultFailure -1
 +#define KbdintResultSuccess 0
 +#define KbdintResultAgain 1
 +
 /*
  * Keyboard interactive device:
  * init_ctx	returns: non NULL upon success
 diff --git a/auth2-chall.c b/auth2-chall.c
 index 021df829173..047d4e83c33 100644
 --- a/auth2-chall.c
 +++ b/auth2-chall.c
@@ -331,11 +331,11 @@ input_userauth_info_response(int type, u_int32_t seq, struct ssh *ssh)
 	free(response);
 	switch (res) {
 -	case 0:
 +	case KbdintResultSuccess:
 		/* Success! */
 		authenticated = authctxt->valid ? 1 : 0;
 		break;
 -	case 1:
 +	case KbdintResultAgain:
 		/* Authentication needs further interaction */
 		if (send_userauth_info_request(ssh) == 1)
 			authctxt->postponed = 1;
 From 91ef15e8ed01a7e16d96ba6cb9ed51965dca9641 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
 Date: Mon, 16 Oct 2023 21:15:45 +0200
 Subject: [PATCH 2/6] auth-pam: Add an enum to define the PAM done status
 Makes things more readable and easier to extend
 ---
 auth-pam.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
 diff --git a/auth-pam.c b/auth-pam.c
 index 86137a1acdb..21291631011 100644
 --- a/auth-pam.c
 +++ b/auth-pam.c
@@ -136,11 +136,16 @@ typedef pid_t sp_pthread_t;
 #define pthread_join	fake_pthread_join
 #endif
 +typedef int SshPamDone;
 +#define SshPamError -1
 +#define SshPamNone 0
 +#define SshPamAuthenticated 1
 +
 struct pam_ctxt {
 	sp_pthread_t	 pam_thread;
 	int		 pam_psock;
 	int		 pam_csock;
 -	int		 pam_done;
 +	SshPamDone	 pam_done;
 };
 static void sshpam_free_ctx(void *);
@@ -904,7 +909,7 @@ sshpam_query(void *ctx, char **name, char **info,
 				**prompts = NULL;
 				*num = 0;
 				**echo_on = 0;
 -				ctxt->pam_done = -1;
 +				ctxt->pam_done = SshPamError;
 				free(msg);
 				sshbuf_free(buffer);
 				return 0;
@@ -931,7 +936,7 @@ sshpam_query(void *ctx, char **name, char **info,
 				import_environments(buffer);
 				*num = 0;
 				**echo_on = 0;
 -				ctxt->pam_done = 1;
 +				ctxt->pam_done = SshPamAuthenticated;
 				free(msg);
 				sshbuf_free(buffer);
 				return (0);
@@ -944,7 +949,7 @@ sshpam_query(void *ctx, char **name, char **info,
 			*num = 0;
 			**echo_on = 0;
 			free(msg);
 -			ctxt->pam_done = -1;
 +			ctxt->pam_done = SshPamError;
 			sshbuf_free(buffer);
 			return (-1);
 		}
@@ -988,10 +993,10 @@ sshpam_respond(void *ctx, u_int num, char **resp)
 	debug2("PAM: %s entering, %u responses", __func__, num);
 	switch (ctxt->pam_done) {
 -	case 1:
 +	case SshPamAuthenticated:
 		sshpam_authenticated = 1;
 		return KbdintResultSuccess;
 -	case 0:
 +	case SshPamNone:
 		break;
 	default:
 		return KbdintResultFailure;
 From 6fa8934d31cb9925c856f1b992fc5e04dd26da21 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
 Date: Tue, 17 Oct 2023 04:35:17 +0200
 Subject: [PATCH 3/6] auth-pam: Add debugging information when we receive PAM
 messages
 ---
 auth-pam.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/auth-pam.c b/auth-pam.c
 index 21291631011..7a72e724adc 100644
 --- a/auth-pam.c
 +++ b/auth-pam.c
@@ -450,6 +450,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
 			break;
 		case PAM_ERROR_MSG:
 		case PAM_TEXT_INFO:
 +			debug3("PAM: Got message of type %d: %s",
 +			       PAM_MSG_MEMBER(msg, i, msg_style),
 +			       PAM_MSG_MEMBER(msg, i, msg));
 			if ((r = sshbuf_put_cstring(buffer,
 			    PAM_MSG_MEMBER(msg, i, msg))) != 0)
 				fatal("%s: buffer error: %s",
 From 598ee34312b541fa7b3988b4896641bf81996e27 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
 Date: Tue, 17 Oct 2023 04:27:32 +0200
 Subject: [PATCH 4/6] auth-pam: Immediately report interactive instructions to
 clients
 SSH keyboard-interactive authentication method supports instructions but
 sshd didn't show them until an user prompt was requested.
 This is quite inconvenient for various PAM modules that need to notify
 an user without requiring for their explicit input.
 So, properly implement RFC4256 making instructions to be shown to users
 when they are requested from PAM.
 Closes: https://bugzilla.mindrot.org/show_bug.cgi?id=2876
 ---
 auth-pam.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
 diff --git a/auth-pam.c b/auth-pam.c
 index 7a72e724adc..b756f0e5221 100644
 --- a/auth-pam.c
 +++ b/auth-pam.c
@@ -140,6 +140,7 @@ typedef int SshPamDone;
 #define SshPamError -1
 #define SshPamNone 0
 #define SshPamAuthenticated 1
 +#define SshPamAgain 2
 struct pam_ctxt {
 	sp_pthread_t	 pam_thread;
@@ -868,6 +869,8 @@ sshpam_query(void *ctx, char **name, char **info,
 	**prompts = NULL;
 	plen = 0;
 	*echo_on = xmalloc(sizeof(u_int));
 +	ctxt->pam_done = SshPamNone;
 +
 	while (ssh_msg_recv(ctxt->pam_psock, buffer) == 0) {
 		if (++nmesg > PAM_MAX_NUM_MSG)
 			fatal_f("too many query messages");
@@ -888,15 +891,13 @@ sshpam_query(void *ctx, char **name, char **info,
 			return (0);
 		case PAM_ERROR_MSG:
 		case PAM_TEXT_INFO:
 -			/* accumulate messages */
 -			len = plen + mlen + 2;
 -			**prompts = xreallocarray(**prompts, 1, len);
 -			strlcpy(**prompts + plen, msg, len - plen);
 -			plen += mlen;
 -			strlcat(**prompts + plen, "\n", len - plen);
 -			plen++;
 -			free(msg);
 -			break;
 +			*num = 0;
 +			free(*info);
 +			*info = msg; /* Steal the message */
 +			msg = NULL;
 +			ctxt->pam_done = SshPamAgain;
 +			sshbuf_free(buffer);
 +			return (0);
 		case PAM_ACCT_EXPIRED:
 		case PAM_MAXTRIES:
 			if (type == PAM_ACCT_EXPIRED)
@@ -1001,6 +1002,8 @@ sshpam_respond(void *ctx, u_int num, char **resp)
 		return KbdintResultSuccess;
 	case SshPamNone:
 		break;
 +	case SshPamAgain:
 +		return KbdintResultAgain;
 	default:
 		return KbdintResultFailure;
 	}
 From cc14301ce0542cdbb825eff8041ce98a1da9ef08 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
 Date: Tue, 17 Oct 2023 06:12:03 +0200
 Subject: [PATCH 5/6] sshconnect2: Write kbd-interactive service, info and
 instructions as utf-8
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 As per the previous server change now the keyboard-interactive service
 and instruction values could be reported as soon as they are available
 and so they're not prompts anymore and not parsed like them.
 While this was already supported by the SSH client, these messages were
 not properly written as the escaped sequences they contained were not
 correctly reported.
 So for example a message containing "\" was represented as "\\" and
 similarly for all the other C escape sequences.
 This was leading to more problems when it come to utf-8 chars, as they
 were only represented by their octal representation.
 This was easily testable by adding a line like the one below to the
 sshd PAM service:
  auth    requisite pam_echo.so Hello SSHD! Want some 🍕?
 Which was causing this to be written instead:
  Hello SSHD! Want some \360\237\215\225?
 To handle this, instead of simply using fmprintf, we're using the notifier
 in a way can be exposed to users in the proper format and UI.
 ---
 sshconnect2.c | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)
 diff --git a/sshconnect2.c b/sshconnect2.c
 index 5831a00c6d1..543431218c1 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
@@ -1091,6 +1091,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
 	char *info = NULL, *lang = NULL, *password = NULL, *retype = NULL;
 	char prompt[256];
 	const char *host;
 +	size_t info_len;
 	int r;
 	debug2("input_userauth_passwd_changereq");
@@ -1100,11 +1101,15 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
 		    "no authentication context");
 	host = options.host_key_alias ? options.host_key_alias : authctxt->host;
 -	if ((r = sshpkt_get_cstring(ssh, &info, NULL)) != 0 ||
 +	if ((r = sshpkt_get_cstring(ssh, &info, &info_len)) != 0 ||
 	    (r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
 		goto out;
 -	if (strlen(info) > 0)
 -		logit("%s", info);
 +	if (info_len > 0) {
 +		struct notifier_ctx *notifier = NULL;
 +		debug_f("input_userauth_passwd_changereq info: %s", info);
 +		notifier = notify_start(0, "%s", info);
 +		notify_complete(notifier, NULL);
 +	}
 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
 	    (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
 	    (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
@@ -1938,8 +1943,10 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
 	Authctxt *authctxt = ssh->authctxt;
 	char *name = NULL, *inst = NULL, *lang = NULL, *prompt = NULL;
 	char *display_prompt = NULL, *response = NULL;
 +	struct notifier_ctx *notifier = NULL;
 	u_char echo = 0;
 	u_int num_prompts, i;
 +	size_t name_len, inst_len;
 	int r;
 	debug2_f("entering");
@@ -1949,14 +1956,22 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
 	authctxt->info_req_seen = 1;
 -	if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0 ||
 -	    (r = sshpkt_get_cstring(ssh, &inst, NULL)) != 0 ||
 +	if ((r = sshpkt_get_cstring(ssh, &name, &name_len)) != 0 ||
 +	    (r = sshpkt_get_cstring(ssh, &inst, &inst_len)) != 0 ||
 	    (r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
 		goto out;
 -	if (strlen(name) > 0)
 -		logit("%s", name);
 -	if (strlen(inst) > 0)
 -		logit("%s", inst);
 +	if (name_len > 0) {
 +		debug_f("kbd int name: %s", name);
 +		notifier = notify_start(0, "%s", name);
 +		notify_complete(notifier, NULL);
 +		notifier = NULL;
 +	}
 +	if (inst_len > 0) {
 +		debug_f("kbd int inst: %s", inst);
 +		notifier = notify_start(0, "%s", inst);
 +		notify_complete(notifier, NULL);
 +		notifier = NULL;
 +	}
 	if ((r = sshpkt_get_u32(ssh, &num_prompts)) != 0)
 		goto out;
 From 99656caabc5cff24122e5b9a140e5a38ab418a5d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
 Date: Tue, 17 Oct 2023 06:05:59 +0200
 Subject: [PATCH 6/6] auth2-chall: Fix selection of the keyboard-interactive
 device
 We were only checking if the prefix of a device name was matching what
 we had in the devices list, so if the device list contained "pam", then
 also the device "pam-foo" was matching.
 ---
 auth2-chall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/auth2-chall.c b/auth2-chall.c
 index 047d4e83c33..db658c9b4a7 100644
 --- a/auth2-chall.c
 +++ b/auth2-chall.c
@@ -170,7 +170,7 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
 			    "keyboard-interactive", devices[i]->name))
 				continue;
 			if (strncmp(kbdintctxt->devices, devices[i]->name,
 -			    len) == 0) {
 +			    len) == 0 && strlen(devices[i]->name) == len) {
 				kbdintctxt->device = devices[i];
 				kbdintctxt->devices_done |= 1 << i;
 			}
--- a/0001-fix-utmpx-ifdef.patch
+++ b/0001-fix-utmpx-ifdef.patch
@ -0,0 +1,36 @@
 From c7fda601186ff28128cfe3eab9c9c0622de096e1 Mon Sep 17 00:00:00 2001
 From: Christoph Ostarek <christoph@zededa.com>
 Date: Wed, 3 Jul 2024 12:46:59 +0200
 Subject: fix utmpx ifdef
 02e16ad95fb1f56ab004b01a10aab89f7103c55d did a copy-paste for
 utmpx, but forgot to change the ifdef appropriately
 ---
 loginrec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/loginrec.c b/loginrec.c
 index 7460bb2c..45f13dee 100644
 --- a/loginrec.c
 +++ b/loginrec.c
@@ -723,7 +723,7 @@ set_utmpx_time(struct logininfo *li, struct utmpx *utx)
 void
 construct_utmpx(struct logininfo *li, struct utmpx *utx)
 {
 -# ifdef HAVE_ADDR_V6_IN_UTMP
 +# ifdef HAVE_ADDR_V6_IN_UTMPX
 	struct sockaddr_in6 *sa6;
 #  endif
 	memset(utx, '\0', sizeof(*utx));
@@ -769,7 +769,7 @@ construct_utmpx(struct logininfo *li, struct utmpx *utx)
 	if (li->hostaddr.sa.sa_family == AF_INET)
 		utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
 # endif
 -# ifdef HAVE_ADDR_V6_IN_UTMP
 +# ifdef HAVE_ADDR_V6_IN_UTMPX
 	/* this is just a 128-bit IPv6 address */
 	if (li->hostaddr.sa.sa_family == AF_INET6) {
 		sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
 -- 
 cgit v1.2.3
--- a/0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
+++ b/0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
@ -1,55 +0,0 @@
 From 66aaa678dbe59aa21d0d9d89a3596ecedde0254b Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Tue, 30 Apr 2024 02:14:10 +0000
 Subject: [PATCH] upstream: correctly restore sigprocmask around ppoll()
 reported
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 by Tõivo Leedjärv; ok deraadt@
 OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686
 ---
 clientloop.c | 4 ++--
 serverloop.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
 diff --git a/clientloop.c b/clientloop.c
 index be8bb5fc1f2..8ea2ada4216 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 #@@ -1,4 +1,4 @@
 #-/* $OpenBSD: clientloop.c,v 1.404 2024/04/30 02:10:49 djm Exp $ */
 #+/* $OpenBSD: clientloop.c,v 1.405 2024/04/30 02:14:10 djm Exp $ */
 # /*
 #  * Author: Tatu Ylonen <ylo@cs.hut.fi>
 #  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1585,7 +1585,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
 		client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc,
 		    &npfd_active, channel_did_enqueue, &osigset,
 		    &conn_in_ready, &conn_out_ready);
 -		if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
 +		if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
 			error_f("osigset sigprocmask: %s", strerror(errno));
 		if (quit_pending)
 diff --git a/serverloop.c b/serverloop.c
 index f3683c2e4a6..94c8943a616 100644
 --- a/serverloop.c
 +++ b/serverloop.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: serverloop.c,v 1.237 2023/08/21 04:59:54 djm Exp $ */
 +/* $OpenBSD: serverloop.c,v 1.238 2024/04/30 02:14:10 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -380,7 +380,7 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt)
 		wait_until_can_do_something(ssh, connection_in, connection_out,
 		    &pfd, &npfd_alloc, &npfd_active, &osigset,
 		    &conn_in_ready, &conn_out_ready);
 -		if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
 +		if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
 			error_f("osigset sigprocmask: %s", strerror(errno));
 		if (received_sigterm) {
--- a/0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
+++ b/0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
@ -1,32 +0,0 @@
 From 9844aa2521ccfb1a2d73745680327b79e0574445 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Wed, 21 Feb 2024 05:57:34 +0000
 Subject: [PATCH] upstream: fix proxy multiplexing mode, broken when keystroke
 timing
 obfuscation was added. GHPR#463 from montag451
 OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677
 ---
 clientloop.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/clientloop.c b/clientloop.c
 index eb4902905fb..8ec36af94b3 100644
 --- a/clientloop.c
 +++ b/clientloop.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: clientloop.c,v 1.402 2023/11/24 00:31:30 dtucker Exp $ */
 +/* $OpenBSD: clientloop.c,v 1.403 2024/02/21 05:57:34 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -517,7 +517,7 @@ send_chaff(struct ssh *ssh)
 {
 	int r;
 -	if ((ssh->kex->flags & KEX_HAS_PING) == 0)
 +	if (ssh->kex == NULL || (ssh->kex->flags & KEX_HAS_PING) == 0)
 		return 0;
 	/* XXX probabilistically send chaff? */
 	/*
--- a/0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
+++ b/0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
@ -1,38 +0,0 @@
 From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Mon, 1 Jul 2024 04:31:17 +0000
 Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets,
 we
 can't rely on channel_did_enqueue to tell that there is data to send. This
 flag indicates that the channels code enqueued a packet on _this_ ppoll()
 iteration, not that data was enqueued in _any_ ppoll() iteration in the
 timeslice. ok markus@
 OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
 ---
 clientloop.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
 diff --git a/clientloop.c b/clientloop.c
 index 0b6f3c9be02..8ed8b1c3449 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 #@@ -1,4 +1,4 @@
 #-/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */
 #+/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
 # /*
 #  * Author: Tatu Ylonen <ylo@cs.hut.fi>
 #  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
 		if (timespeccmp(&now, &chaff_until, >=)) {
 			/* Stop if there have been no keystrokes for a while */
 			stop_reason = "chaff time expired";
 -		} else if (timespeccmp(&now, &next_interval, >=)) {
 -			/* Otherwise if we were due to send, then send chaff */
 +		} else if (timespeccmp(&now, &next_interval, >=) &&
 +		    !ssh_packet_have_data_to_write(ssh)) {
 +			/* If due to send but have no data, then send chaff */
 			if (send_chaff(ssh))
 				nchaff++;
 		}
--- a/0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
+++ b/0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
@ -0,0 +1,291 @@
 From 66878e12a207fa9746dee3e2bdcca29b704cf035 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Wed, 25 Sep 2024 01:24:04 +0000
 Subject: upstream: fix regression introduced when I switched the "Match"
 criteria tokeniser to a more shell-like one. Apparently the old tokeniser
 (accidentally?) allowed "Match criteria=argument" as well as the "Match
 criteria argument" syntax that we tested for.
 People were using this syntax so this adds back support for
 "Match criteria=argument"
 bz3739 ok dtucker
 OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a
 ---
 misc.c     | 23 ++++++++++++++++++++++-
 misc.h     |  3 ++-
 readconf.c | 28 +++++++++++++++++++++++-----
 servconf.c | 57 ++++++++++++++++++++++++++++++++++++++++++---------------
 4 files changed, 89 insertions(+), 22 deletions(-)
 diff --git a/misc.c b/misc.c
 index afdf5142..1b4b55c5 100644
 --- a/misc.c
 +++ b/misc.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: misc.c,v 1.196 2024/06/06 17:15:25 djm Exp $ */
 +/* $OpenBSD: misc.c,v 1.197 2024/09/25 01:24:04 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2005-2020 Damien Miller.  All rights reserved.
@@ -107,6 +107,27 @@ rtrim(char *s)
 	}
 }
 +/*
 + * returns pointer to character after 'prefix' in 's' or otherwise NULL
 + * if the prefix is not present.
 + */
 +const char *
 +strprefix(const char *s, const char *prefix, int ignorecase)
 +{
 +	size_t prefixlen;
 +
 +	if ((prefixlen = strlen(prefix)) == 0)
 +		return s;
 +	if (ignorecase) {
 +		if (strncasecmp(s, prefix, prefixlen) != 0)
 +			return NULL;
 +	} else {
 +		if (strncmp(s, prefix, prefixlen) != 0)
 +			return NULL;
 +	}
 +	return s + prefixlen;
 +}
 +
 /* set/unset filedescriptor to non-blocking */
 int
 set_nonblock(int fd)
 diff --git a/misc.h b/misc.h
 index 11340389..efecdf1a 100644
 --- a/misc.h
 +++ b/misc.h
@@ -1,4 +1,4 @@
 -/* $OpenBSD: misc.h,v 1.109 2024/06/06 17:15:25 djm Exp $ */
 +/* $OpenBSD: misc.h,v 1.110 2024/09/25 01:24:04 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -56,6 +56,7 @@ struct ForwardOptions {
 char	*chop(char *);
 void	 rtrim(char *);
 void	skip_space(char **);
 +const char *strprefix(const char *, const char *, int);
 char	*strdelim(char **);
 char	*strdelimw(char **);
 int	 set_nonblock(int);
 diff --git a/readconf.c b/readconf.c
 index 3d9cc6db..de42fb6f 100644
 --- a/readconf.c
 +++ b/readconf.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: readconf.c,v 1.390 2024/09/15 00:57:36 djm Exp $ */
 +/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
     struct passwd *pw, const char *host_arg, const char *original_host,
     int final_pass, int *want_final_pass, const char *filename, int linenum)
 {
 -	char *arg, *oattrib, *attrib, *cmd, *host, *criteria;
 +	char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria;
 	const char *ruser;
 	int r, this_result, result = 1, attributes = 0, negate;
@@ -731,7 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
 	debug2("checking match for '%s' host %s originally %s",
 	    full_line, host, original_host);
 -	while ((oattrib = attrib = argv_next(acp, avp)) != NULL) {
 +	while ((oattrib = argv_next(acp, avp)) != NULL) {
 +		attrib = xstrdup(oattrib);
 		/* Terminate on comment */
 		if (*attrib == '#') {
 			argv_consume(acp);
@@ -777,9 +778,23 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
 			    this_result ? "" : "not ", oattrib);
 			continue;
 		}
 +
 +		/* Keep this list in sync with below */
 +		if (strprefix(attrib, "host=", 1)  != NULL ||
 +		    strprefix(attrib, "originalhost=", 1) != NULL ||
 +		    strprefix(attrib, "user=", 1) != NULL ||
 +		    strprefix(attrib, "localuser=", 1) != NULL ||
 +		    strprefix(attrib, "localnetwork=", 1) != NULL ||
 +		    strprefix(attrib, "tagged=", 1) != NULL ||
 +		    strprefix(attrib, "exec=", 1) != NULL) {
 +			arg = strchr(attrib, '=');
 +			*(arg++) = '\0';
 +		} else {
 +			arg = argv_next(acp, avp);
 +		}
 +
 		/* All other criteria require an argument */
 -		if ((arg = argv_next(acp, avp)) == NULL ||
 -		    *arg == '\0' || *arg == '#') {
 +		if (arg == NULL || *arg == '\0' || *arg == '#') {
 			error("Missing Match criteria for %s", attrib);
 			result = -1;
 			goto out;
@@ -856,6 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
 		    criteria == NULL ? "" : criteria,
 		    criteria == NULL ? "" : "\"");
 		free(criteria);
 +		free(attrib);
 +		attrib = NULL;
 	}
 	if (attributes == 0) {
 		error("One or more attributes required for Match");
@@ -865,6 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
  out:
 	if (result != -1)
 		debug2("match %sfound", result ? "" : "not ");
 +	free(attrib);
 	free(host);
 	return result;
 }
 diff --git a/servconf.c b/servconf.c
 index 89b8413e..dd774f46 100644
 --- a/servconf.c
 +++ b/servconf.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: servconf.c,v 1.418 2024/09/15 03:09:44 djm Exp $ */
 +/* $OpenBSD: servconf.c,v 1.419 2024/09/25 01:24:04 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -1033,7 +1033,7 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
     int line, struct connection_info *ci)
 {
 	int result = 1, attributes = 0, port;
 -	char *arg, *attrib;
 +	char *arg, *attrib = NULL, *oattrib;
 	if (ci == NULL)
 		debug3("checking syntax for 'Match %s'", full_line);
@@ -1047,7 +1047,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 		    ci->laddress ? ci->laddress : "(null)", ci->lport);
 	}
 -	while ((attrib = argv_next(acp, avp)) != NULL) {
 +	while ((oattrib = argv_next(acp, avp)) != NULL) {
 +		attrib = xstrdup(oattrib);
 		/* Terminate on comment */
 		if (*attrib == '#') {
 			argv_consume(acp); /* mark all arguments consumed */
@@ -1062,11 +1063,13 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 			    *arg != '\0' && *arg != '#')) {
 				error("'all' cannot be combined with other "
 				    "Match attributes");
 -				return -1;
 +				result = -1;
 +				goto out;
 			}
 			if (arg != NULL && *arg == '#')
 				argv_consume(acp); /* consume remaining args */
 -			return 1;
 +			result = 1;
 +			goto out;
 		}
 		/* Criterion "invalid-user" also has no argument */
 		if (strcasecmp(attrib, "invalid-user") == 0) {
@@ -1078,11 +1081,26 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 				debug("matched invalid-user at line %d", line);
 			continue;
 		}
 +
 +		/* Keep this list in sync with below */
 +		if (strprefix(attrib, "user=", 1) != NULL ||
 +		    strprefix(attrib, "group=", 1) != NULL ||
 +		    strprefix(attrib, "host=", 1) != NULL ||
 +		    strprefix(attrib, "address=", 1) != NULL ||
 +		    strprefix(attrib, "localaddress=", 1) != NULL ||
 +		    strprefix(attrib, "localport=", 1) != NULL ||
 +		    strprefix(attrib, "rdomain=", 1) != NULL) {
 +			arg = strchr(attrib, '=');
 +			*(arg++) = '\0';
 +		} else {
 +			arg = argv_next(acp, avp);
 +		}
 +
 		/* All other criteria require an argument */
 -		if ((arg = argv_next(acp, avp)) == NULL ||
 -		    *arg == '\0' || *arg == '#') {
 +		if (arg == NULL || *arg == '\0' || *arg == '#') {
 			error("Missing Match criteria for %s", attrib);
 -			return -1;
 +			result = -1;
 +			goto out;
 		}
 		if (strcasecmp(attrib, "user") == 0) {
 			if (ci == NULL || (ci->test && ci->user == NULL)) {
@@ -1105,7 +1123,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 				match_test_missing_fatal("Group", "user");
 			switch (match_cfg_line_group(arg, line, ci->user)) {
 			case -1:
 -				return -1;
 +				result = -1;
 +				goto out;
 			case 0:
 				result = 0;
 			}
@@ -1141,7 +1160,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 				result = 0;
 				break;
 			case -2:
 -				return -1;
 +				result = -1;
 +				goto out;
 			}
 		} else if (strcasecmp(attrib, "localaddress") == 0){
 			if (ci == NULL || (ci->test && ci->laddress == NULL)) {
@@ -1166,13 +1186,15 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 				result = 0;
 				break;
 			case -2:
 -				return -1;
 +				result = -1;
 +				goto out;
 			}
 		} else if (strcasecmp(attrib, "localport") == 0) {
 			if ((port = a2port(arg)) == -1) {
 				error("Invalid LocalPort '%s' on Match line",
 				    arg);
 -				return -1;
 +				result = -1;
 +				goto out;
 			}
 			if (ci == NULL || (ci->test && ci->lport == -1)) {
 				result = 0;
@@ -1200,16 +1222,21 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
 				debug("user %.100s matched 'RDomain %.100s' at "
 				    "line %d", ci->rdomain, arg, line);
 		} else {
 -			error("Unsupported Match attribute %s", attrib);
 -			return -1;
 +			error("Unsupported Match attribute %s", oattrib);
 +			result = -1;
 +			goto out;
 		}
 +		free(attrib);
 +		attrib = NULL;
 	}
 	if (attributes == 0) {
 		error("One or more attributes required for Match");
 		return -1;
 	}
 -	if (ci != NULL)
 + out:
 +	if (ci != NULL && result != -1)
 		debug3("match %sfound", result ? "" : "not ");
 +	free(attrib);
 	return result;
 }
 -- 
 cgit v1.2.3
--- a/0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
+++ b/0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
@ -0,0 +1,65 @@
 From 19bcb2d90c6caf14abf386b644fb24eb7afab889 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Thu, 26 Sep 2024 23:55:08 +0000
 Subject: upstream: fix previous change to ssh_config Match, which broken on
 negated Matches; spotted by phessler@ ok deraadt@
 OpenBSD-Commit-ID: b1c6acec66cd5bd1252feff1d02ad7129ced37c7
 ---
 readconf.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
 diff --git a/readconf.c b/readconf.c
 index de42fb6f..9f559269 100644
 --- a/readconf.c
 +++ b/readconf.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */
 +/* $OpenBSD: readconf.c,v 1.392 2024/09/26 23:55:08 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
     struct passwd *pw, const char *host_arg, const char *original_host,
     int final_pass, int *want_final_pass, const char *filename, int linenum)
 {
 -	char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria;
 +	char *arg, *oattrib = NULL, *attrib = NULL, *cmd, *host, *criteria;
 	const char *ruser;
 	int r, this_result, result = 1, attributes = 0, negate;
@@ -731,8 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
 	debug2("checking match for '%s' host %s originally %s",
 	    full_line, host, original_host);
 -	while ((oattrib = argv_next(acp, avp)) != NULL) {
 -		attrib = xstrdup(oattrib);
 +	while ((attrib = argv_next(acp, avp)) != NULL) {
 +		attrib = oattrib = xstrdup(attrib);
 		/* Terminate on comment */
 		if (*attrib == '#') {
 			argv_consume(acp);
@@ -871,8 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
 		    criteria == NULL ? "" : criteria,
 		    criteria == NULL ? "" : "\"");
 		free(criteria);
 -		free(attrib);
 -		attrib = NULL;
 +		free(oattrib);
 +		oattrib = attrib = NULL;
 	}
 	if (attributes == 0) {
 		error("One or more attributes required for Match");
@@ -882,7 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
  out:
 	if (result != -1)
 		debug2("match %sfound", result ? "" : "not ");
 -	free(attrib);
 +	free(oattrib);
 	free(host);
 	return result;
 }
 -- 
 cgit v1.2.3
--- a/0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch
+++ b/0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch
@ -0,0 +1,94 @@
 From 11f348196b3fb51c3d8d1f4f36db9d73f03149ed Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Sun, 27 Oct 2024 02:06:01 +0000
 Subject: upstream: fix ML-KEM768x25519 KEX on big-endian systems; spotted by
 jsg@ feedback/ok deraadt@
 OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0
 ---
 libcrux_mlkem768_sha3.h |  8 +++++---
 mlkem768.sh             | 17 ++++++++++++-----
 2 files changed, 17 insertions(+), 8 deletions(-)
 diff --git a/libcrux_mlkem768_sha3.h b/libcrux_mlkem768_sha3.h
 index a82d60e8..b8ac1436 100644
 --- a/libcrux_mlkem768_sha3.h
 +++ b/libcrux_mlkem768_sha3.h
@@ -1,4 +1,5 @@
 -/*  $OpenBSD: libcrux_mlkem768_sha3.h,v 1.1 2024/09/02 12:13:56 djm Exp $ */
 +/*  $OpenBSD: libcrux_mlkem768_sha3.h,v 1.2 2024/10/27 02:06:01 djm Exp $ */
 +
 /* Extracted from libcrux revision 84c5d87b3092c59294345aa269ceefe0eb97cc35 */
 /*
@@ -160,18 +161,19 @@ static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok,
 // CORE STUFF (conversions, endianness, ...)
 static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) {
 +  v = htole64(v);
   memcpy(buf, &v, sizeof(v));
 }
 static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) {
   uint64_t v;
   memcpy(&v, buf, sizeof(v));
 -  return v;
 +  return le64toh(v);
 }
 static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) {
   uint32_t v;
   memcpy(&v, buf, sizeof(v));
 -  return v;
 +  return le32toh(v);
 }
 static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) {
 diff --git a/mlkem768.sh b/mlkem768.sh
 index 2fdc2831..3d12b2ed 100644
 --- a/mlkem768.sh
 +++ b/mlkem768.sh
@@ -1,9 +1,10 @@
 #!/bin/sh
 -#       $OpenBSD: mlkem768.sh,v 1.2 2024/09/04 05:11:33 djm Exp $
 +#       $OpenBSD: mlkem768.sh,v 1.3 2024/10/27 02:06:01 djm Exp $
 #       Placed in the Public Domain.
 #
 -WANT_LIBCRUX_REVISION="origin/main"
 +#WANT_LIBCRUX_REVISION="origin/main"
 +WANT_LIBCRUX_REVISION="84c5d87b3092c59294345aa269ceefe0eb97cc35"
 FILES="
 	libcrux/libcrux-ml-kem/cg/eurydice_glue.h
@@ -47,6 +48,7 @@ echo '#define KRML_NOINLINE __attribute__((noinline, unused))'
 echo '#define KRML_HOST_EPRINTF(...)'
 echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")'
 echo
 +
 for i in $FILES; do
 	echo "/* from $i */"
 	# Changes to all files:
@@ -56,11 +58,16 @@ for i in $FILES; do
 	    -e 's/[	 ]*$//' \
 	    $i | \
 	case "$i" in
 -	# XXX per-file handling goes here.
 +	*/libcrux-ml-kem/cg/eurydice_glue.h)
 +		# Replace endian functions with versions that work.
 +		perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1  v = htole64(v);\n\2/' |
 +		perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' |
 +		perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s'
 +		;;
 	# Default: pass through.
 	*)
 -	    cat
 -	    ;;
 +		cat
 +		;;
 	esac
 	echo
 done
 -- 
 cgit v1.2.3
--- a/fix-CVE-2024-6387.patch
+++ b/fix-CVE-2024-6387.patch
@ -1,19 +0,0 @@
 Index: openssh-9.6p1/log.c
 ===================================================================
 --- openssh-9.6p1.orig/log.c
 +++ openssh-9.6p1/log.c
@@ -451,12 +451,14 @@ void
 sshsigdie(const char *file, const char *func, int line, int showfunc,
     LogLevel level, const char *suffix, const char *fmt, ...)
 {
 +#if 0
 	va_list args;
 	va_start(args, fmt);
 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
 	    suffix, fmt, args);
 	va_end(args);
 +#endif
 	_exit(1);
 }
--- a/fix-missing-lz.patch
+++ b/fix-missing-lz.patch
@ -1,25 +0,0 @@
 Index: openssh-9.3p1/Makefile.in
 ===================================================================
 --- openssh-9.3p1.orig/Makefile.in
 +++ openssh-9.3p1/Makefile.in
@@ -250,17 +250,17 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
 -	$(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
 +	$(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
 	$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
 # FIPS tests
 cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
 -	$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
 +	$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
 cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
 -	$(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
 +	$(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
--- a/fix-x11-regression-bsc1229449.patch
+++ b/fix-x11-regression-bsc1229449.patch
@ -0,0 +1,56 @@
 Index: openssh-9.9p1/clientloop.c
 ===================================================================
 --- openssh-9.9p1.orig/clientloop.c
 +++ openssh-9.9p1/clientloop.c
@@ -663,9 +663,10 @@ obfuscate_keystroke_timing(struct ssh *s
 	if (just_started)
 		return 1;
 -	/* Don't arm output fd for poll until the timing interval has elapsed */
 +	/* Don't arm output fd for poll until the timing interval has elapsed... */
 	if (timespeccmp(&now, &next_interval, <))
 -		return 0;
 +		/* ...unless there's x11 communicattion happening */
 +		return x11_channel_used_recently(ssh);
 	/* Calculate number of intervals missed since the last check */
 	n = (now.tv_sec - next_interval.tv_sec) * 1000LL * 1000 * 1000;
 Index: openssh-9.9p1/channels.c
 ===================================================================
 --- openssh-9.9p1.orig/channels.c
 +++ openssh-9.9p1/channels.c
@@ -5352,3 +5352,22 @@ x11_request_forwarding_with_spoofing(str
 		fatal_fr(r, "send x11-req");
 	free(new_data);
 }
 +
 +/*
 + * Returns whether an x11 channel was used recently (less than a second ago)
 + */
 +int
 +x11_channel_used_recently(struct ssh *ssh) {
 +	u_int i;
 +	Channel *c;
 +	time_t lastused = 0;
 +
 +	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
 +	    c = ssh->chanctxt->channels[i];
 +	    if (c == NULL || c->ctype == NULL || c->lastused == 0 ||
 +		strcmp(c->ctype, "x11-connection"))
 +		continue;
 +	    lastused = c->lastused;
 +	}
 +	return (lastused != 0 && monotime() < lastused + 1);
 +}
 Index: openssh-9.9p1/channels.h
 ===================================================================
 --- openssh-9.9p1.orig/channels.h
 +++ openssh-9.9p1/channels.h
@@ -382,6 +382,7 @@ int	 x11_connect_display(struct ssh *);
 int	 x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **);
 void	 x11_request_forwarding_with_spoofing(struct ssh *, int,
 	    const char *, const char *, const char *, int);
 +int      x11_channel_used_recently(struct ssh *ssh);
 /* channel close */
--- a/logind_set_tty.patch
+++ b/logind_set_tty.patch
@ -14,11 +14,11 @@ index f0ea07e7b..35dcf45f1 100644
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
+-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
-+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
- scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
+ sshd-session$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHD_SESSION_OBJS)
- 	$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ 	$(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
 diff --git a/configure.ac b/configure.ac
 index a12c6f7ad..860df3379 100644
 --- a/configure.ac
@ -106,7 +106,7 @@ index 86caf83b2..8b413190b 100644
 #ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
 	if (li->type == LTYPE_LOGIN &&
 	    !sys_auth_record_login(li->username,li->hostname,li->line,
-@@ -1476,6 +1486,88 @@ wtmpdb_write_entry(struct logininfo *li)
+@@ -1476,6 +1486,91 @@ wtmpdb_write_entry(struct logininfo *li)
 }
 #endif
@ -171,9 +171,12 @@ index 86caf83b2..8b413190b 100644
 +
 +  free(dbus_path);
 +
-+  if (sd_bus_flush(bus) < 0)
+  if (sd_bus_flush(bus) < 0) {
 +    sd_bus_unref(bus);
 +    return (0);
 +  }
 +
 +  sd_bus_unref(bus);
 +  return (1);
 +}
 +
--- a/openssh-6.6.1p1-selinux-contexts.patch
+++ b/openssh-6.6.1p1-selinux-contexts.patch
@ -104,10 +104,10 @@ Index: openssh-9.6p1/openbsd-compat/port-linux.h
 #endif
 #ifdef LINUX_OOM_ADJUST
-Index: openssh-9.6p1/sshd.c
+Index: openssh-9.6p1/sshd-session.c
 ===================================================================
--- openssh-9.6p1.orig/sshd.c
+--- openssh-9.6p1.orig/sshd-session.c
-+++ openssh-9.6p1/sshd.c
+++ openssh-9.6p1/sshd-session.c
@@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh)
 	demote_sensitive_data(ssh);
--- a/openssh-6.6p1-keycat.patch
+++ b/openssh-6.6p1-keycat.patch
@ -16,70 +16,70 @@ Index: openssh-9.3p2/misc.c
 		if (env != NULL)
 			execve(av[0], av, env);
 		else
-Index: openssh-9.3p2/HOWTO.ssh-keycat
+#Index: openssh-9.3p2/HOWTO.ssh-keycat
-===================================================================
+#===================================================================
--- /dev/null
+#--- /dev/null
-+++ openssh-9.3p2/HOWTO.ssh-keycat
+#+++ openssh-9.3p2/HOWTO.ssh-keycat
-@@ -0,0 +1,12 @@
+#@@ -0,0 +1,12 @@
-+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
+#+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
-+of an user in any environment. This includes environments with
+#+of an user in any environment. This includes environments with
-+polyinstantiation of home directories and SELinux MLS policy enabled.
+#+polyinstantiation of home directories and SELinux MLS policy enabled.
-+
+#+
-+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
+#+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
-+        AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
+#+        AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
-+        AuthorizedKeysCommandUser root
+#+        AuthorizedKeysCommandUser root
-+
+#+
-+Do not forget to enable public key authentication:
+#+Do not forget to enable public key authentication:
-+        PubkeyAuthentication yes
+#+        PubkeyAuthentication yes
-+
+#+
-+
+#+
-Index: openssh-9.3p2/Makefile.in
+#Index: openssh-9.3p2/Makefile.in
-===================================================================
+#===================================================================
--- openssh-9.3p2.orig/Makefile.in
+#--- openssh-9.3p2.orig/Makefile.in
-+++ openssh-9.3p2/Makefile.in
+#+++ openssh-9.3p2/Makefile.in
-@@ -24,6 +24,7 @@ SSH_PROGRAM=@bindir@/ssh
+#@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
- ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+# ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
- SFTP_SERVER=$(libexecdir)/sftp-server
+# SFTP_SERVER=$(libexecdir)/sftp-server
- SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+# SSH_KEYSIGN=$(libexecdir)/ssh-keysign
-+SSH_KEYCAT=$(libexecdir)/ssh-keycat
+#+SSH_KEYCAT=$(libexecdir)/ssh-keycat
- SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+# SSHD_SESSION=$(libexecdir)/sshd-session
- SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
+# SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
- SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
+# SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
-@@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@
+#@@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@
- K5LIBS=@K5LIBS@
+# K5LIBS=@K5LIBS@
- GSSLIBS=@GSSLIBS@
+# GSSLIBS=@GSSLIBS@
- SSHDLIBS=@SSHDLIBS@
+# SSHDLIBS=@SSHDLIBS@
-+KEYCATLIBS=@KEYCATLIBS@
+#+KEYCATLIBS=@KEYCATLIBS@
- LIBEDIT=@LIBEDIT@
+# LIBEDIT=@LIBEDIT@
- LIBFIDO2=@LIBFIDO2@
+# LIBFIDO2=@LIBFIDO2@
- LIBWTMPDB=@LIBWTMPDB@
+# LIBWTMPDB=@LIBWTMPDB@
-@@ -75,7 +77,7 @@ MKDIR_P=@MKDIR_P@
+#@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
- 
+# 
- .SUFFIXES: .lo
+# .SUFFIXES: .lo
- 
+# 
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+#-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+#+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
- 
+# 
- TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
+# TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
- 
+# 
-@@ -245,6 +247,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+#@@ -245,6 +247,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
- ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+# ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
- 	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
+# 	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
- 
+# 
-+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
+#+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
-+	$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
+#+	$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
-+
+#+
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+# ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
- 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
+# 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
- 
+# 
-@@ -431,6 +436,7 @@ install-files:
+#@@ -431,6 +436,7 @@ install-files:
- 		$(INSTALL) -m 0755 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
+# 		$(INSTALL) -m 0755 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
- 	fi
+# 	fi
- 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
+# 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
-+	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
+#+	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
- 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
+# 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
- 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+# 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
- 	$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
+# 	$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
 Index: openssh-9.3p2/openbsd-compat/port-linux.h
 ===================================================================
 --- openssh-9.3p2.orig/openbsd-compat/port-linux.h
@ -99,9 +99,9 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
 ===================================================================
 --- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
 +++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
-@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt;
+@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
 extern Authctxt *the_authctxt;
 extern int inetd_flag;
 extern int rexeced_flag;
 +/* Wrapper around is_selinux_enabled() to log its return value once only */
 +int
@ -129,14 +129,14 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
 {
 	const char *reqlvl;
 	char *role;
-@@ -329,16 +343,16 @@ sshd_selinux_setup_pam_variables(void)
+@@ -319,16 +333,16 @@ sshd_selinux_setup_pam_variables(void)
 	ssh_selinux_get_role_level(&role, &reqlvl);
 -	rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
 +	rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
- 	if (inetd_flag && !rexeced_flag) {
+ 	if (inetd_flag) {
 		use_current = "1";
 	} else {
 		use_current = "";
@ -205,287 +205,287 @@ Index: openssh-9.3p2/platform.c
 #endif
 #ifdef USE_SOLARIS_PROJECTS
-Index: openssh-9.3p2/ssh-keycat.c
+#Index: openssh-9.3p2/ssh-keycat.c
-===================================================================
+#===================================================================
--- /dev/null
+#--- /dev/null
-+++ openssh-9.3p2/ssh-keycat.c
+#+++ openssh-9.3p2/ssh-keycat.c
-@@ -0,0 +1,241 @@
+#@@ -0,0 +1,241 @@
-+/*
+#+/*
-+ * Redistribution and use in source and binary forms, with or without
+#+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
+#+ * modification, are permitted provided that the following conditions
-+ * are met:
+#+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
+#+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, and the entire permission notice in its entirety,
+#+ *    notice, and the entire permission notice in its entirety,
-+ *    including the disclaimer of warranties.
+#+ *    including the disclaimer of warranties.
-+ * 2. Redistributions in binary form must reproduce the above copyright
+#+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in the
+#+ *    notice, this list of conditions and the following disclaimer in the
-+ *    documentation and/or other materials provided with the distribution.
+#+ *    documentation and/or other materials provided with the distribution.
-+ * 3. The name of the author may not be used to endorse or promote
+#+ * 3. The name of the author may not be used to endorse or promote
-+ *    products derived from this software without specific prior
+#+ *    products derived from this software without specific prior
-+ *    written permission.
+#+ *    written permission.
-+ *
+#+ *
-+ * ALTERNATIVELY, this product may be distributed under the terms of
+#+ * ALTERNATIVELY, this product may be distributed under the terms of
-+ * the GNU Public License, in which case the provisions of the GPL are
+#+ * the GNU Public License, in which case the provisions of the GPL are
-+ * required INSTEAD OF the above restrictions.  (This clause is
+#+ * required INSTEAD OF the above restrictions.  (This clause is
-+ * necessary due to a potential bad interaction between the GPL and
+#+ * necessary due to a potential bad interaction between the GPL and
-+ * the restrictions contained in a BSD-style copyright.)
+#+ * the restrictions contained in a BSD-style copyright.)
-+ *
+#+ *
-+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+#+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+#+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+#+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+#+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
-+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+#+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+#+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+#+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+#+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+#+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+#+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+#+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
+#+ */
-+
+#+
-+/*
+#+/*
-+ * Copyright (c) 2011 Red Hat, Inc.
+#+ * Copyright (c) 2011 Red Hat, Inc.
-+ * Written by Tomas Mraz <tmraz@redhat.com>
+#+ * Written by Tomas Mraz <tmraz@redhat.com>
-+*/
+#+*/
-+
+#+
-+#define _GNU_SOURCE
+#+#define _GNU_SOURCE
-+
+#+
-+#include "config.h"
+#+#include "config.h"
-+#include <stdio.h>
+#+#include <stdio.h>
-+#include <stdlib.h>
+#+#include <stdlib.h>
-+#include <string.h>
+#+#include <string.h>
-+#include <sys/types.h>
+#+#include <sys/types.h>
-+#include <sys/stat.h>
+#+#include <sys/stat.h>
-+#include <pwd.h>
+#+#include <pwd.h>
-+#include <fcntl.h>
+#+#include <fcntl.h>
-+#include <unistd.h>
+#+#include <unistd.h>
-+#ifdef HAVE_STDINT_H
+#+#ifdef HAVE_STDINT_H
-+#include <stdint.h>
+#+#include <stdint.h>
-+#endif
+#+#endif
-+
+#+
-+#include <security/pam_appl.h>
+#+#include <security/pam_appl.h>
-+
+#+
-+#include "uidswap.h"
+#+#include "uidswap.h"
-+#include "misc.h"
+#+#include "misc.h"
-+
+#+
-+#define ERR_USAGE 1
+#+#define ERR_USAGE 1
-+#define ERR_PAM_START 2
+#+#define ERR_PAM_START 2
-+#define ERR_OPEN_SESSION 3
+#+#define ERR_OPEN_SESSION 3
-+#define ERR_CLOSE_SESSION 4
+#+#define ERR_CLOSE_SESSION 4
-+#define ERR_PAM_END 5
+#+#define ERR_PAM_END 5
-+#define ERR_GETPWNAM 6
+#+#define ERR_GETPWNAM 6
-+#define ERR_MEMORY 7
+#+#define ERR_MEMORY 7
-+#define ERR_OPEN 8
+#+#define ERR_OPEN 8
-+#define ERR_FILE_MODE 9
+#+#define ERR_FILE_MODE 9
-+#define ERR_FDOPEN 10
+#+#define ERR_FDOPEN 10
-+#define ERR_STAT 11
+#+#define ERR_STAT 11
-+#define ERR_WRITE 12
+#+#define ERR_WRITE 12
-+#define ERR_PAM_PUTENV 13
+#+#define ERR_PAM_PUTENV 13
-+#define BUFLEN 4096
+#+#define BUFLEN 4096
-+
+#+
-+/* Just ignore the messages in the conversation function */
+#+/* Just ignore the messages in the conversation function */
-+static int
+#+static int
-+dummy_conv(int num_msg, const struct pam_message **msgm,
+#+dummy_conv(int num_msg, const struct pam_message **msgm,
-+	   struct pam_response **response, void *appdata_ptr)
+#+	   struct pam_response **response, void *appdata_ptr)
-+{
+#+{
-+	struct pam_response *rsp;
+#+	struct pam_response *rsp;
-+
+#+
-+	(void)msgm;
+#+	(void)msgm;
-+	(void)appdata_ptr;
+#+	(void)appdata_ptr;
-+
+#+
-+	if (num_msg <= 0)
+#+	if (num_msg <= 0)
-+		return PAM_CONV_ERR;
+#+		return PAM_CONV_ERR;
-+
+#+
-+	/* Just allocate the array as empty responses */
+#+	/* Just allocate the array as empty responses */
-+	rsp = calloc (num_msg, sizeof (struct pam_response));
+#+	rsp = calloc (num_msg, sizeof (struct pam_response));
-+	if (rsp == NULL)
+#+	if (rsp == NULL)
-+		return PAM_CONV_ERR;
+#+		return PAM_CONV_ERR;
-+
+#+
-+	*response = rsp;
+#+	*response = rsp;
-+	return PAM_SUCCESS;
+#+	return PAM_SUCCESS;
-+}
+#+}
-+
+#+
-+static struct pam_conv conv = {
+#+static struct pam_conv conv = {
-+	dummy_conv,
+#+	dummy_conv,
-+	NULL
+#+	NULL
-+};
+#+};
-+
+#+
-+char *
+#+char *
-+make_auth_keys_name(const struct passwd *pwd)
+#+make_auth_keys_name(const struct passwd *pwd)
-+{
+#+{
-+	char *fname;
+#+	char *fname;
-+
+#+
-+	if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0)
+#+	if (asprintf(&fname, "%s/.ssh/authorized_keys", pwd->pw_dir) < 0)
-+		return NULL;
+#+		return NULL;
-+
+#+
-+	return fname;
+#+	return fname;
-+}
+#+}
-+
+#+
-+int
+#+int
-+dump_keys(const char *user)
+#+dump_keys(const char *user)
-+{
+#+{
-+	struct passwd *pwd;
+#+	struct passwd *pwd;
-+	int fd = -1;
+#+	int fd = -1;
-+	FILE *f = NULL;
+#+	FILE *f = NULL;
-+	char *fname = NULL;
+#+	char *fname = NULL;
-+	int rv = 0;
+#+	int rv = 0;
-+	char buf[BUFLEN];
+#+	char buf[BUFLEN];
-+	size_t len;
+#+	size_t len;
-+	struct stat st;
+#+	struct stat st;
-+
+#+
-+	if ((pwd = getpwnam(user)) == NULL) {
+#+	if ((pwd = getpwnam(user)) == NULL) {
-+		return ERR_GETPWNAM;
+#+		return ERR_GETPWNAM;
-+	}
+#+	}
-+
+#+
-+	if ((fname = make_auth_keys_name(pwd)) == NULL) {
+#+	if ((fname = make_auth_keys_name(pwd)) == NULL) {
-+		return ERR_MEMORY;
+#+		return ERR_MEMORY;
-+	}
+#+	}
-+
+#+
-+	temporarily_use_uid(pwd);
+#+	temporarily_use_uid(pwd);
-+
+#+
-+	if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) {
+#+	if ((fd = open(fname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < 0) {
-+		rv = ERR_OPEN;
+#+		rv = ERR_OPEN;
-+		goto fail;
+#+		goto fail;
-+	}
+#+	}
-+
+#+
-+	if (fstat(fd, &st) < 0) {
+#+	if (fstat(fd, &st) < 0) {
-+		rv = ERR_STAT;
+#+		rv = ERR_STAT;
-+		goto fail;
+#+		goto fail;
-+	}
+#+	}
-+
+#+
-+	if (!S_ISREG(st.st_mode) || 
+#+	if (!S_ISREG(st.st_mode) || 
-+		(st.st_uid != pwd->pw_uid && st.st_uid != 0)) {
+#+		(st.st_uid != pwd->pw_uid && st.st_uid != 0)) {
-+		rv = ERR_FILE_MODE;
+#+		rv = ERR_FILE_MODE;
-+		goto fail;
+#+		goto fail;
-+	}
+#+	}
-+
+#+
-+	unset_nonblock(fd);
+#+	unset_nonblock(fd);
-+
+#+
-+	if ((f = fdopen(fd, "r")) == NULL) {
+#+	if ((f = fdopen(fd, "r")) == NULL) {
-+		rv = ERR_FDOPEN;
+#+		rv = ERR_FDOPEN;
-+		goto fail;
+#+		goto fail;
-+	}
+#+	}
-+
+#+
-+	fd = -1;
+#+	fd = -1;
-+
+#+
-+	while ((len = fread(buf, 1, sizeof(buf), f)) > 0) {
+#+	while ((len = fread(buf, 1, sizeof(buf), f)) > 0) {
-+		rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0;
+#+		rv = fwrite(buf, 1, len, stdout) != len ? ERR_WRITE : 0;
-+	}
+#+	}
-+
+#+
-+fail:
+#+fail:
-+	if (fd != -1)
+#+	if (fd != -1)
-+		close(fd);
+#+		close(fd);
-+	if (f != NULL)
+#+	if (f != NULL)
-+		fclose(f);
+#+		fclose(f);
-+	free(fname);
+#+	free(fname);
-+	restore_uid();
+#+	restore_uid();
-+	return rv;
+#+	return rv;
-+}
+#+}
-+
+#+
-+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED",
+#+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED",
-+	"SELINUX_LEVEL_REQUESTED",
+#+	"SELINUX_LEVEL_REQUESTED",
-+	"SELINUX_USE_CURRENT_RANGE"
+#+	"SELINUX_USE_CURRENT_RANGE"
-+};
+#+};
-+
+#+
-+extern char **environ;
+#+extern char **environ;
-+
+#+
-+int
+#+int
-+set_pam_environment(pam_handle_t *pamh)
+#+set_pam_environment(pam_handle_t *pamh)
-+{
+#+{
-+	int i;
+#+	int i;
-+	size_t j;
+#+	size_t j;
-+
+#+
-+	for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) {
+#+	for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) {
-+		int len = strlen(env_names[j]);
+#+		int len = strlen(env_names[j]);
-+
+#+
-+		for (i = 0; environ[i] != NULL; ++i) {
+#+		for (i = 0; environ[i] != NULL; ++i) {
-+			if (strncmp(env_names[j], environ[i], len) == 0 &&
+#+			if (strncmp(env_names[j], environ[i], len) == 0 &&
-+			    environ[i][len] == '=') {
+#+			    environ[i][len] == '=') {
-+				if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS)
+#+				if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS)
-+					return ERR_PAM_PUTENV;
+#+					return ERR_PAM_PUTENV;
-+			}
+#+			}
-+		}
+#+		}
-+	}
+#+	}
-+
+#+
-+	return 0;
+#+	return 0;
-+}
+#+}
-+
+#+
-+int
+#+int
-+main(int argc, char *argv[])
+#+main(int argc, char *argv[])
-+{
+#+{
-+	pam_handle_t *pamh = NULL;
+#+	pam_handle_t *pamh = NULL;
-+	int retval;
+#+	int retval;
-+	int ev = 0;
+#+	int ev = 0;
-+
+#+
-+	if (argc != 2) {
+#+	if (argc != 2) {
-+		fprintf(stderr, "Usage: %s <user-name>\n", argv[0]);
+#+		fprintf(stderr, "Usage: %s <user-name>\n", argv[0]);
-+		return ERR_USAGE;
+#+		return ERR_USAGE;
-+	}
+#+	}
-+
+#+
-+	retval = pam_start("ssh-keycat", argv[1], &conv, &pamh);
+#+	retval = pam_start("ssh-keycat", argv[1], &conv, &pamh);
-+	if (retval != PAM_SUCCESS) {
+#+	if (retval != PAM_SUCCESS) {
-+		return ERR_PAM_START;
+#+		return ERR_PAM_START;
-+	}
+#+	}
-+
+#+
-+	ev = set_pam_environment(pamh);
+#+	ev = set_pam_environment(pamh);
-+	if (ev != 0)
+#+	if (ev != 0)
-+		goto finish;
+#+		goto finish;
-+
+#+
-+	retval = pam_open_session(pamh, PAM_SILENT);
+#+	retval = pam_open_session(pamh, PAM_SILENT);
-+	if (retval != PAM_SUCCESS) {
+#+	if (retval != PAM_SUCCESS) {
-+		ev = ERR_OPEN_SESSION;
+#+		ev = ERR_OPEN_SESSION;
-+		goto finish;
+#+		goto finish;
-+	}
+#+	}
-+
+#+
-+	ev = dump_keys(argv[1]);
+#+	ev = dump_keys(argv[1]);
-+
+#+
-+	retval = pam_close_session(pamh, PAM_SILENT);
+#+	retval = pam_close_session(pamh, PAM_SILENT);
-+	if (retval != PAM_SUCCESS) {
+#+	if (retval != PAM_SUCCESS) {
-+		ev = ERR_CLOSE_SESSION;
+#+		ev = ERR_CLOSE_SESSION;
-+	}
+#+	}
-+
+#+
-+finish:
+#+finish:
-+	retval = pam_end (pamh,retval);
+#+	retval = pam_end (pamh,retval);
-+	if (retval != PAM_SUCCESS) {
+#+	if (retval != PAM_SUCCESS) {
-+		ev = ERR_PAM_END;
+#+		ev = ERR_PAM_END;
-+	}
+#+	}
-+	return ev;
+#+	return ev;
-+}
+#+}
-Index: openssh-9.3p2/configure.ac
+#Index: openssh-9.3p2/configure.ac
-===================================================================
+#===================================================================
--- openssh-9.3p2.orig/configure.ac
+#--- openssh-9.3p2.orig/configure.ac
-+++ openssh-9.3p2/configure.ac
+#+++ openssh-9.3p2/configure.ac
-@@ -3632,6 +3632,7 @@ AC_ARG_WITH([pam],
+#@@ -3632,6 +3632,7 @@ AC_ARG_WITH([pam],
- 			PAM_MSG="yes"
+# 			PAM_MSG="yes"
- 
+# 
- 			SSHDLIBS="$SSHDLIBS -lpam"
+# 			SSHDLIBS="$SSHDLIBS -lpam"
-+			KEYCATLIBS="$KEYCATLIBS -lpam"
+#+			KEYCATLIBS="$KEYCATLIBS -lpam"
- 			AC_DEFINE([USE_PAM], [1],
+# 			AC_DEFINE([USE_PAM], [1],
- 				[Define if you want to enable PAM support])
+# 				[Define if you want to enable PAM support])
- 
+# 
-@@ -3642,6 +3643,7 @@ AC_ARG_WITH([pam],
+#@@ -3642,6 +3643,7 @@ AC_ARG_WITH([pam],
- 					;;
+# 					;;
- 				*)
+# 				*)
- 					SSHDLIBS="$SSHDLIBS -ldl"
+# 					SSHDLIBS="$SSHDLIBS -ldl"
-+					KEYCATLIBS="$KEYCATLIBS -ldl"
+#+					KEYCATLIBS="$KEYCATLIBS -ldl"
- 					;;
+# 					;;
- 				esac
+# 				esac
- 			fi
+# 			fi
-@@ -4875,6 +4877,7 @@ AC_ARG_WITH([selinux],
+#@@ -4875,6 +4877,7 @@ AC_ARG_WITH([selinux],
- 	fi ]
+# 	fi ]
- )
+# )
- AC_SUBST([SSHDLIBS])
+# AC_SUBST([SSHDLIBS])
-+AC_SUBST([KEYCATLIBS])
+#+AC_SUBST([KEYCATLIBS])
- 
+# 
- # Check whether user wants Kerberos 5 support
+# # Check whether user wants Kerberos 5 support
- KRB5_MSG="no"
+# KRB5_MSG="no"
-@@ -5905,6 +5908,9 @@ fi
+#@@ -5905,6 +5908,9 @@ fi
- if test ! -z "${SSHDLIBS}"; then
+# if test ! -z "${SSHDLIBS}"; then
- echo "         +for sshd: ${SSHDLIBS}"
+# echo "         +for sshd: ${SSHDLIBS}"
- fi
+# fi
-+if test ! -z "${KEYCATLIBS}"; then
+#+if test ! -z "${KEYCATLIBS}"; then
-+echo "   +for ssh-keycat: ${KEYCATLIBS}"
+#+echo "   +for ssh-keycat: ${KEYCATLIBS}"
-+fi
+#+fi
- 
+# 
- echo ""
+# echo ""
- 
+# 
--- a/openssh-6.6p1-privsep-selinux.patch
+++ b/openssh-6.6p1-privsep-selinux.patch
@ -52,7 +52,7 @@ Index: openssh-9.3p2/session.c
 	platform_setusercontext(pw);
 -	if (platform_privileged_uidswap()) {
-+	if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
+	if (platform_privileged_uidswap() && !is_child) {
 #ifdef HAVE_LOGIN_CAP
 		if (setusercontext(lc, pw, pw->pw_uid,
 		    (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
@ -98,11 +98,11 @@ Index: openssh-9.3p2/session.c
 		exit(sftp_server_main(i, argv, s->pw));
 	}
-Index: openssh-9.3p2/sshd.c
+Index: openssh-9.3p2/sshd-session.c
 ===================================================================
--- openssh-9.3p2.orig/sshd.c
+--- openssh-9.3p2.orig/sshd-session.c
-+++ openssh-9.3p2/sshd.c
+++ openssh-9.3p2/sshd-session.c
-@@ -510,6 +510,10 @@ privsep_preauth_child(struct ssh *ssh)
+@@ -342,6 +342,10 @@ privsep_preauth_child(struct ssh *ssh)
 	/* Demote the private keys to public keys. */
 	demote_sensitive_data(ssh);
@ -113,13 +113,12 @@ Index: openssh-9.3p2/sshd.c
 	/* Demote the child */
 	if (privsep_chroot) {
 		/* Change our root directory */
-@@ -602,6 +606,9 @@ privsep_postauth(struct ssh *ssh, Authct
+@@ -444,7 +448,7 @@ privsep_postauth(struct ssh *ssh, Authct
- 
+ 	 * fd passing, as AFAIK PTY allocation on this platform doesn't require
- #ifdef DISABLE_FD_PASSING
+ 	 * special privileges to begin with.
- 	if (1) {
+ 	 */
-+#elif defined(WITH_SELINUX)
+-#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN)
-+	if (0) {
+#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN) && !defined(WITH_SELINUX)
-+		/* even root user can be confined by SELinux */
+ 	skip_privdrop = 1;
 #else
 	if (authctxt->pw->pw_uid == 0) {
 #endif
--- a/openssh-7.6p1-cleanup-selinux.patch
+++ b/openssh-7.6p1-cleanup-selinux.patch
@ -9,16 +9,16 @@ Index: openssh-9.3p2/auth2-pubkey.c
 +extern int inetd_flag;
 +extern int rexeced_flag;
 +extern Authctxt *the_authctxt;
 extern struct authmethod_cfg methodcfg_pubkey;
 static char *
 format_key(const struct sshkey *key)
@@ -459,7 +462,8 @@ match_principals_command(struct passwd *
 	if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
 	    ac, av, &f,
 	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
 -	    runas_pw, temporarily_use_uid, restore_uid)) == 0)
 +	    runas_pw, temporarily_use_uid, restore_uid,
-+	    (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
+	    inetd_flag, the_authctxt)) == 0)
 		goto out;
 	uid_swapped = 1;
@ -28,7 +28,7 @@ Index: openssh-9.3p2/auth2-pubkey.c
 	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
 -	    runas_pw, temporarily_use_uid, restore_uid)) == 0)
 +	    runas_pw, temporarily_use_uid, restore_uid,
-+	    (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
+	    inetd_flag, the_authctxt)) == 0)
 		goto out;
 	uid_swapped = 1;
@ -87,14 +87,13 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
 ===================================================================
 --- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
 +++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
-@@ -49,11 +49,6 @@
+@@ -49,10 +49,6 @@
 #include <unistd.h>
 #endif
 -extern ServerOptions options;
 -extern Authctxt *the_authctxt;
 -extern int inetd_flag;
 -extern int rexeced_flag;
 -
 /* Wrapper around is_selinux_enabled() to log its return value once only */
 int
@ -133,7 +132,7 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
 	if (r == 0) {
 		/* If launched from xinetd, we must use current level */
-		if (inetd_flag && !rexeced_flag) {
+-		if (inetd_flag) {
 +		if (inetd) {
 			security_context_t sshdsc=NULL;
@ -157,7 +156,7 @@ Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
 	rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
-	if (inetd_flag && !rexeced_flag) {
+-	if (inetd_flag) {
 +	if (inetd) {
 		use_current = "1";
 	} else {
@ -222,56 +221,46 @@ Index: openssh-9.3p2/platform.c
 ===================================================================
 --- openssh-9.3p2.orig/platform.c
 +++ openssh-9.3p2/platform.c
-@@ -34,6 +34,9 @@
+@@ -34,6 +34,8 @@
 #include "openbsd-compat/openbsd-compat.h"
 extern int use_privsep;
 extern ServerOptions options;
 +extern int inetd_flag;
 +extern int rexeced_flag;
 +extern Authctxt *the_authctxt;
- void
+ /* return 1 if we are running with privilege to swap UIDs, 0 otherwise */
- platform_pre_listen(void)
+ int
-@@ -185,7 +188,9 @@ platform_setusercontext_post_groups(stru
+@@ -185,7 +187,9 @@ platform_setusercontext_post_groups(stru
 	}
 #endif /* HAVE_SETPCRED */
 #ifdef WITH_SELINUX
 -	sshd_selinux_setup_exec_context(pw->pw_name);
 +	sshd_selinux_setup_exec_context(pw->pw_name,
-+	    (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
+	    inetd_flag, do_pam_putenv, the_authctxt,
 +	    options.use_pam);
 #endif
 }
-Index: openssh-9.3p2/sshd.c
+Index: openssh-9.3p2/sshd-session.c
 ===================================================================
--- openssh-9.3p2.orig/sshd.c
+--- openssh-9.3p2.orig/sshd-session.c
-+++ openssh-9.3p2/sshd.c
+++ openssh-9.3p2/sshd-session.c
@@ -166,7 +166,7 @@ int debug_flag = 0;
- static int test_flag = 0;
+ int debug_flag = 0;
 /* Flag indicating that the daemon is being started from inetd. */
 -static int inetd_flag = 0;
 +int inetd_flag = 0;
- /* Flag indicating that sshd should not detach and become a daemon. */
+ /* debug goes to stderr unless inetd_flag is set */
- static int no_daemon_flag = 0;
+ static int log_stderr = 0;
@@ -179,7 +179,7 @@ static char **saved_argv;
 static int saved_argc;
 /* re-exec */
 -static int rexeced_flag = 0;
 +int rexeced_flag = 0;
 static int rexec_flag = 1;
 static int rexec_argc = 0;
 static char **rexec_argv;
@@ -2396,7 +2396,9 @@ main(int ac, char **av)
 	}
 #endif
 #ifdef WITH_SELINUX
 -	sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
 +	sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
-+	    (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
+	    inetd_flag, do_pam_putenv, the_authctxt,
 +	    options.use_pam);
 #endif
 #ifdef USE_PAM
--- a/openssh-7.7p1-cavstest-ctr.patch
+++ b/openssh-7.7p1-cavstest-ctr.patch
@ -7,7 +7,7 @@ Index: openssh-8.8p1/Makefile.in
 --- openssh-8.8p1.orig/Makefile.in
 +++ openssh-8.8p1/Makefile.in
@@ -26,6 +26,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
- SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ SSHD_SESSION=$(libexecdir)/sshd-session
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
 SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
 +CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
@ -16,7 +16,7 @@ Index: openssh-8.8p1/Makefile.in
 STRIP_OPT=@STRIP_OPT@
@@ -69,6 +70,8 @@ MKDIR_P=@MKDIR_P@
- TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
 +TARGETS += cavstest-ctr$(EXEEXT)
 +
@ -29,7 +29,7 @@ Index: openssh-8.8p1/Makefile.in
 +# FIPS tests
 +cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
-+	$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+	$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
 +
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
--- a/openssh-7.7p1-cavstest-kdf.patch
+++ b/openssh-7.7p1-cavstest-kdf.patch
@ -16,7 +16,7 @@ Index: openssh-8.8p1/Makefile.in
 STRIP_OPT=@STRIP_OPT@
@@ -70,7 +71,7 @@ MKDIR_P=@MKDIR_P@
- TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
 -TARGETS += cavstest-ctr$(EXEEXT)
 +TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
@ -25,10 +25,10 @@ Index: openssh-8.8p1/Makefile.in
 	ssh-xmss.o \
@@ -252,6 +253,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S
 cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
- 	$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+ 	$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
 +cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
-+	$(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+	$(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
 +
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@ -389,17 +389,17 @@ Index: openssh-9.6p1/hmac.c
 	    ssh_hmac_update(ctx, m, mlen) < 0 ||
 Index: openssh-9.6p1/kex.c
 ===================================================================
--- openssh-9.6p1.orig/kex.c
+--- openssh-9.6p1.orig/kex-names.c
-+++ openssh-9.6p1/kex.c
+++ openssh-9.6p1/kex-names.c
@@ -64,6 +64,8 @@
- #include "digest.h"
+ #include "ssherr.h"
 #include "xmalloc.h"
 +#include "fips.h"
 +
- /* prototype */
+ struct kexalg {
- static int kex_choose_conf(struct ssh *, uint32_t seq);
+ 	char *name;
- static int kex_input_newkeys(int, u_int32_t, struct ssh *);
+ 	u_int type;
@@ -87,7 +89,7 @@ struct kexalg {
 	int ec_nid;
 	int hash_alg;
@ -647,8 +647,8 @@ Index: openssh-9.6p1/servconf.c
 #include "digest.h"
 +#include "fips.h"
- static void add_listen_addr(ServerOptions *, const char *,
+ #if !defined(SSHD_PAM_SERVICE)
-     const char *, int);
+ # define SSHD_PAM_SERVICE		"sshd"
@@ -207,6 +208,23 @@ option_clear_or_none(const char *o)
 	return o == NULL || strcasecmp(o, "none") == 0;
 }
@ -754,7 +754,7 @@ Index: openssh-9.6p1/ssh-keygen.c
@@ -3794,6 +3815,15 @@ main(int argc, char **argv)
 		key_type_name = DEFAULT_KEY_TYPE_NAME;
- 	type = sshkey_type_from_name(key_type_name);
+ 	type = sshkey_type_from_shortname(key_type_name);
 +
 +	/* protocol v1 is not allowed in FIPS mode, DSA is not acceptable because
 +	 * it has to be 1024 bit due to RFC 4253 using SHA-1 which implies 1024 bit
@ -785,8 +785,8 @@ Index: openssh-9.6p1/sshd.c
 --- openssh-9.6p1.orig/sshd.c
 +++ openssh-9.6p1/sshd.c
@@ -128,6 +128,8 @@
 #include "addr.h"
 #include "srclimit.h"
 #include "dh.h"
 +#include "fips.h"
 +
--- a/openssh-7.7p1-fips_checks.patch
+++ b/openssh-7.7p1-fips_checks.patch
@ -459,13 +459,13 @@ Index: openssh-8.8p1/sshd.c
 --- openssh-8.8p1.orig/sshd.c
 +++ openssh-8.8p1/sshd.c
@@ -1547,6 +1547,10 @@ main(int ac, char **av)
- 	struct connection_info *connection_info = NULL;
+ 	struct connection_info connection_info;
 	sigset_t sigmask;
 +	/* initialize fips - can go before ssh_malloc_init(), since that is a
 +	 * OpenBSD-only thing (as of OpenSSH 7.6p1) */
 +	fips_ssh_init();
 +
 	memset(&connection_info, 0, sizeof(connection_info));
 #ifdef HAVE_SECUREWARE
 	(void)set_auth_parameters(ac, av);
 #endif
--- a/openssh-7.7p1-ldap.patch
+++ b/openssh-7.7p1-ldap.patch
@ -128,7 +128,7 @@ Index: openssh-8.9p1/Makefile.in
 --- openssh-8.9p1.orig/Makefile.in
 +++ openssh-8.9p1/Makefile.in
@@ -27,6 +27,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server
- SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ SSHD_SESSION=$(libexecdir)/sshd-session
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
 SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
 +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@ -168,7 +168,7 @@ Index: openssh-8.9p1/Makefile.in
 	$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -421,6 +429,10 @@ install-files:
- 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+	$(INSTALL) -m 0755 $(STRIP_OPT) sshd-session$(EXEEXT) $(DESTDIR)$(SSHD_SESSION)$(EXEEXT)
 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
 +	if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
--- a/openssh-7.7p1-pam_check_locks.patch
+++ b/openssh-7.7p1-pam_check_locks.patch
@ -32,17 +32,17 @@ Index: openssh-8.8p1/servconf.c
 --- openssh-8.8p1.orig/servconf.c
 +++ openssh-8.8p1/servconf.c
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
 	/* Portable-specific options */
 	options->use_pam = -1;
 	options->pam_service_name = NULL;
 +	options->use_pam_check_locks = -1;
 	/* Standard Options */
 	options->num_ports = 0;
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
 	/* Portable-specific options */
 	if (options->use_pam == -1)
 		options->use_pam = 0;
 	if (options->pam_service_name == NULL)
 		options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
 +	if (options->use_pam_check_locks == -1)
 +		options->use_pam_check_locks = 0;
@ -52,26 +52,27 @@ Index: openssh-8.8p1/servconf.c
 typedef enum {
 	sBadOption,		/* == unknown option */
 	/* Portable-specific options */
-	sUsePAM,
+-	sUsePAM, sPAMServiceName,
-+	sUsePAM, sUsePAMChecklocks,
+	sUsePAM, sPAMServiceName, sUsePAMChecklocks,
 	/* Standard Options */
 	sPort, sHostKeyFile, sLoginGraceTime,
 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
-@@ -535,8 +538,10 @@ static struct {
+@@ -535,9 +538,11 @@ static struct {
 	/* Portable-specific options */
 #ifdef USE_PAM
 	{ "usepam", sUsePAM, SSHCFG_GLOBAL },
 	{ "pamservicename", sPAMServiceName, SSHCFG_ALL },
 +	{ "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
 #else
 	{ "usepam", sUnsupported, SSHCFG_GLOBAL },
 	{ "pamservicename", sUnsupported, SSHCFG_ALL },
 +	{ "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
 #endif
 	{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
 	/* Standard Options */
@@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO
- 	case sUsePAM:
+ 		if (*activep && *charptr == NULL)
- 		intptr = &options->use_pam;
+ 			*charptr = xstrdup(arg);
- 		goto parse_flag;
+ 		break;
 +	case sUsePAMChecklocks:
 +		intptr = &options->use_pam_check_locks;
 +		goto parse_flag;
@ -83,9 +84,9 @@ Index: openssh-8.8p1/servconf.h
 --- openssh-8.8p1.orig/servconf.h
 +++ openssh-8.8p1/servconf.h
@@ -200,6 +200,7 @@ typedef struct {
 	char   *adm_forced_command;
 	int	use_pam;		/* Enable auth via PAM */
 	char   *pam_service_name;
 +	int	use_pam_check_locks;	/* internally check for locked accounts even when using PAM */
 	int	permit_tun;
--- a/openssh-7.7p1-systemd-notify.patch
+++ b/openssh-7.7p1-systemd-notify.patch
@ -61,7 +61,7 @@ Index: openssh-8.8p1/sshd.c
 +
 #include "xmalloc.h"
 #include "ssh.h"
- #include "ssh2.h"
+ #include "sshpty.h"
@@ -308,6 +312,10 @@ sighup_handler(int sig)
 static void
 sighup_restart(void)
@ -84,4 +84,4 @@ Index: openssh-8.8p1/sshd.c
 +
 		/* Accept a connection and return in a forked child */
 		server_accept_loop(&sock_in, &sock_out,
- 		    &newsock, config_s);
+ 		    &newsock, config_s, log_stderr);
--- a/openssh-7.8p1-role-mls.patch
+++ b/openssh-7.8p1-role-mls.patch
@ -1,8 +1,7 @@
-Index: openssh-9.6p1/auth2.c
+diff -up openssh/auth2.c.role-mls openssh/auth2.c
-===================================================================
+--- openssh/auth2.c.role-mls	2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/auth2.c
+++ openssh/auth2.c	2018-08-22 11:14:56.815430916 +0200
-+++ openssh-9.6p1/auth2.c
+@@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32
@@ -273,6 +273,9 @@ input_userauth_request(int type, u_int32
 	Authctxt *authctxt = ssh->authctxt;
 	Authmethod *m = NULL;
 	char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
@ -12,7 +11,7 @@ Index: openssh-9.6p1/auth2.c
 	int r, authenticated = 0;
 	double tstart = monotime_double();
-@@ -286,6 +289,11 @@ input_userauth_request(int type, u_int32
+@@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32
 	debug("userauth-request for user %s service %s method %s", user, service, method);
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@ -24,36 +23,32 @@ Index: openssh-9.6p1/auth2.c
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = 0;
-@@ -313,8 +321,15 @@ input_userauth_request(int type, u_int32
+@@ -314,7 +314,13 @@ input_userauth_request(int type, u_int32
- 		    use_privsep ? " [net]" : "");
+ 		setproctitle("%s [net]", authctxt->valid ? user : "unknown");
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
 -		if (use_privsep)
 +#ifdef WITH_SELINUX
 +		authctxt->role = role ? xstrdup(role) : NULL;
 +#endif
 +		if (use_privsep) {
 		mm_inform_authserv(service, style);
 +#ifdef WITH_SELINUX
 +         	mm_inform_authrole(role);
 +#endif
 +		}
 		userauth_banner(ssh);
 		if ((r = kex_server_update_ext_info(ssh)) != 0)
 			fatal_fr(r, "kex_server_update_ext_info failed");
-Index: openssh-9.6p1/auth2-gss.c
+diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
-===================================================================
+--- openssh/auth2-gss.c.role-mls	2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/auth2-gss.c
+++ openssh/auth2-gss.c	2018-08-22 11:15:42.459799171 +0200
-+++ openssh-9.6p1/auth2-gss.c
+@@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple
@@ -331,6 +331,7 @@ input_gssapi_mic(int type, u_int32_t ple
 	Authctxt *authctxt = ssh->authctxt;
 	Gssctxt *gssctxt;
 	int r, authenticated = 0;
 +	char *micuser;
 	struct sshbuf *b;
 	gss_buffer_desc mic, gssbuf;
- 	const char *displayname;
+ 	u_char *p;
-@@ -348,7 +349,13 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
 		fatal_f("sshbuf_new failed");
 	mic.value = p;
 	mic.length = len;
@ -68,7 +63,7 @@ Index: openssh-9.6p1/auth2-gss.c
 	    "gssapi-with-mic", ssh->kex->session_id);
 	if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
-@@ -362,6 +369,8 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
 		logit("GSSAPI MIC check failed");
 	sshbuf_free(b);
@ -76,12 +71,11 @@ Index: openssh-9.6p1/auth2-gss.c
 +		free(micuser);
 	free(mic.value);
- 	if ((!use_privsep || mm_is_monitor()) &&
+ 	authctxt->postponed = 0;
-Index: openssh-9.6p1/auth2-hostbased.c
+diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
-===================================================================
+--- openssh/auth2-hostbased.c.role-mls	2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/auth2-hostbased.c
+++ openssh/auth2-hostbased.c	2018-08-22 11:14:56.816430924 +0200
-+++ openssh-9.6p1/auth2-hostbased.c
+@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
@@ -128,7 +128,16 @@ userauth_hostbased(struct ssh *ssh, cons
 	/* reconstruct packet */
 	if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
 	    (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
@ -98,11 +92,10 @@ Index: openssh-9.6p1/auth2-hostbased.c
 	    (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
 	    (r = sshbuf_put_cstring(b, method)) != 0 ||
 	    (r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
-Index: openssh-9.6p1/auth2-pubkey.c
+diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
-===================================================================
+--- openssh/auth2-pubkey.c.role-mls	2018-08-22 11:14:56.816430924 +0200
--- openssh-9.6p1.orig/auth2-pubkey.c
+++ openssh/auth2-pubkey.c	2018-08-22 11:17:07.331483958 +0200
-+++ openssh-9.6p1/auth2-pubkey.c
+@@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh)
@@ -200,9 +200,16 @@ userauth_pubkey(struct ssh *ssh, const c
 			goto done;
 		}
 		/* reconstruct packet */
@ -121,10 +114,9 @@ Index: openssh-9.6p1/auth2-pubkey.c
 		if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
 		    (r = sshbuf_put_cstring(b, userstyle)) != 0 ||
 		    (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
-Index: openssh-9.6p1/auth.h
+diff -up openssh/auth.h.role-mls openssh/auth.h
-===================================================================
+--- openssh/auth.h.role-mls	2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/auth.h
+++ openssh/auth.h	2018-08-22 11:14:56.816430924 +0200
 +++ openssh-9.6p1/auth.h
@@ -65,6 +65,9 @@ struct Authctxt {
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
@ -135,11 +127,10 @@ Index: openssh-9.6p1/auth.h
 	/* Method lists for multiple authentication */
 	char		**auth_methods;	/* modified from server config */
-Index: openssh-9.6p1/auth-pam.c
+diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
-===================================================================
+--- openssh/auth-pam.c.role-mls	2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/auth-pam.c
+++ openssh/auth-pam.c	2018-08-22 11:14:56.816430924 +0200
-+++ openssh-9.6p1/auth-pam.c
+@@ -1172,7 +1172,7 @@ is_pam_session_open(void)
@@ -1242,7 +1242,7 @@ is_pam_session_open(void)
  * during the ssh authentication process.
  */
 int
@ -148,24 +139,22 @@ Index: openssh-9.6p1/auth-pam.c
 {
 	int ret = 1;
 	char *compound;
-Index: openssh-9.6p1/auth-pam.h
+diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
-===================================================================
+--- openssh/auth-pam.h.role-mls	2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/auth-pam.h
+++ openssh/auth-pam.h	2018-08-22 11:14:56.817430932 +0200
 +++ openssh-9.6p1/auth-pam.h
@@ -33,7 +33,7 @@ u_int do_pam_account(void);
 void do_pam_session(struct ssh *);
- void do_pam_setcred(int );
+ void do_pam_setcred(void);
 void do_pam_chauthtok(void);
 -int do_pam_putenv(char *, char *);
 +int do_pam_putenv(char *, const char *);
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);
-Index: openssh-9.6p1/misc.c
+diff -up openssh/misc.c.role-mls openssh/misc.c
-===================================================================
+--- openssh/misc.c.role-mls	2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/misc.c
+++ openssh/misc.c	2018-08-22 11:14:56.817430932 +0200
-+++ openssh-9.6p1/misc.c
+@@ -542,6 +542,7 @@ char *
@@ -771,6 +771,7 @@ char *
 colon(char *cp)
 {
 	int flag = 0;
@ -173,7 +162,7 @@ Index: openssh-9.6p1/misc.c
 	if (*cp == ':')		/* Leading colon is part of file name. */
 		return NULL;
-@@ -786,6 +787,13 @@ colon(char *cp)
+@@ -557,6 +558,13 @@ colon(char *cp)
 			return (cp);
 		if (*cp == '/')
 			return NULL;
@ -187,11 +176,10 @@ Index: openssh-9.6p1/misc.c
 	}
 	return NULL;
 }
-Index: openssh-9.6p1/monitor.c
+diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
-===================================================================
+--- openssh-8.6p1/monitor.c.role-mls	2021-04-16 05:55:25.000000000 +0200
--- openssh-9.6p1.orig/monitor.c
+++ openssh-8.6p1/monitor.c	2021-05-21 14:21:56.719414087 +0200
-+++ openssh-9.6p1/monitor.c
+@@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st
@@ -120,6 +120,9 @@ int mm_answer_sign(struct ssh *, int, st
 int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
 int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
 int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
@ -201,7 +189,7 @@ Index: openssh-9.6p1/monitor.c
 int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
 int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
 int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
-@@ -200,6 +203,9 @@ struct mon_table mon_dispatch_proto20[]
+@@ -195,6 +198,9 @@ struct mon_table mon_dispatch_proto20[]
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -211,7 +199,7 @@ Index: openssh-9.6p1/monitor.c
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
-@@ -834,6 +840,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
+@@ -803,6 +809,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
 	/* Allow service/style information on the auth context */
 	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -221,7 +209,7 @@ Index: openssh-9.6p1/monitor.c
 	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 #ifdef USE_PAM
-@@ -908,6 +917,26 @@ key_base_type_match(const char *method,
+@@ -877,6 +886,26 @@ key_base_type_match(const char *method,
 	return found;
 }
@ -248,7 +236,7 @@ Index: openssh-9.6p1/monitor.c
 int
 mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
 {
-@@ -1280,7 +1309,7 @@ monitor_valid_userblob(struct ssh *ssh,
+@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
 	struct sshbuf *b;
 	struct sshkey *hostkey = NULL;
 	const u_char *p;
@ -257,7 +245,7 @@ Index: openssh-9.6p1/monitor.c
 	size_t len;
 	u_char type;
 	int hostbound = 0, r, fail = 0;
-@@ -1311,6 +1340,8 @@ monitor_valid_userblob(struct ssh *ssh,
+@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
 		fail++;
 	if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
 		fatal_fr(r, "parse userstyle");
@ -266,7 +254,7 @@ Index: openssh-9.6p1/monitor.c
 	xasprintf(&userstyle, "%s%s%s", authctxt->user,
 	    authctxt->style ? ":" : "",
 	    authctxt->style ? authctxt->style : "");
-@@ -1361,7 +1392,7 @@ monitor_valid_hostbasedblob(const u_char
+@@ -1317,7 +1348,7 @@ monitor_valid_hostbasedblob(const u_char
 {
 	struct sshbuf *b;
 	const u_char *p;
@ -275,7 +263,7 @@ Index: openssh-9.6p1/monitor.c
 	size_t len;
 	int r, fail = 0;
 	u_char type;
-@@ -1382,6 +1413,8 @@ monitor_valid_hostbasedblob(const u_char
+@@ -1338,6 +1370,8 @@ monitor_valid_hostbasedblob(const u_char
 		fail++;
 	if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
 		fatal_fr(r, "parse userstyle");
@ -284,10 +272,9 @@ Index: openssh-9.6p1/monitor.c
 	xasprintf(&userstyle, "%s%s%s", authctxt->user,
 	    authctxt->style ? ":" : "",
 	    authctxt->style ? authctxt->style : "");
-Index: openssh-9.6p1/monitor.h
+diff -up openssh/monitor.h.role-mls openssh/monitor.h
-===================================================================
+--- openssh/monitor.h.role-mls	2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/monitor.h
+++ openssh/monitor.h	2018-08-22 11:14:56.818430941 +0200
 +++ openssh-9.6p1/monitor.h
@@ -55,6 +55,10 @@ enum monitor_reqtype {
 	MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
 	MONITOR_REQ_TERM = 50,
@ -299,11 +286,10 @@ Index: openssh-9.6p1/monitor.h
 	MONITOR_REQ_PAM_START = 100,
 	MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
 	MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
-Index: openssh-9.6p1/monitor_wrap.c
+diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
-===================================================================
+--- openssh/monitor_wrap.c.role-mls	2018-08-22 11:14:56.818430941 +0200
--- openssh-9.6p1.orig/monitor_wrap.c
+++ openssh/monitor_wrap.c	2018-08-22 11:21:47.938747968 +0200
-+++ openssh-9.6p1/monitor_wrap.c
+@@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char *
@@ -396,6 +396,27 @@ mm_inform_authserv(char *service, char *
 	sshbuf_free(m);
 }
@ -331,11 +317,10 @@ Index: openssh-9.6p1/monitor_wrap.c
 /* Do the password authentication */
 int
 mm_auth_password(struct ssh *ssh, char *password)
-Index: openssh-9.6p1/monitor_wrap.h
+diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
-===================================================================
+--- openssh/monitor_wrap.h.role-mls	2018-08-22 11:14:56.818430941 +0200
--- openssh-9.6p1.orig/monitor_wrap.h
+++ openssh/monitor_wrap.h	2018-08-22 11:22:10.439929513 +0200
-+++ openssh-9.6p1/monitor_wrap.h
+@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
@@ -49,6 +49,9 @@ int mm_sshkey_sign(struct ssh *, struct
     const u_char *, size_t, const char *, const char *,
     const char *, u_int compat);
 void mm_inform_authserv(char *, char *);
@ -345,11 +330,10 @@ Index: openssh-9.6p1/monitor_wrap.h
 struct passwd *mm_getpwnamallow(struct ssh *, const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct ssh *, char *);
-Index: openssh-9.6p1/openbsd-compat/Makefile.in
+diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
-===================================================================
+--- openssh/openbsd-compat/Makefile.in.role-mls	2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/openbsd-compat/Makefile.in
+++ openssh/openbsd-compat/Makefile.in	2018-08-22 11:14:56.819430949 +0200
-+++ openssh-9.6p1/openbsd-compat/Makefile.in
+@@ -92,7 +92,8 @@ PORTS=	port-aix.o \
@@ -100,7 +100,8 @@ PORTS=	port-aix.o \
 	port-prngd.o \
 	port-solaris.o \
 	port-net.o \
@ -359,11 +343,10 @@ Index: openssh-9.6p1/openbsd-compat/Makefile.in
 .c.o:
 	$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
-Index: openssh-9.6p1/openbsd-compat/port-linux.c
+diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
-===================================================================
+--- openssh/openbsd-compat/port-linux.c.role-mls	2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/openbsd-compat/port-linux.c
+++ openssh/openbsd-compat/port-linux.c	2018-08-22 11:14:56.819430949 +0200
-+++ openssh-9.6p1/openbsd-compat/port-linux.c
+@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname)
@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname)
 	return sc;
 }
@ -401,7 +384,7 @@ Index: openssh-9.6p1/openbsd-compat/port-linux.c
 /* Set the TTY context for the specified user */
 void
 ssh_selinux_setup_pty(char *pwname, const char *tty)
-@@ -144,7 +113,11 @@ ssh_selinux_setup_pty(char *pwname, cons
+@@ -145,7 +114,11 @@ ssh_selinux_setup_pty(char *pwname, cons
 	debug3("%s: setting TTY context on %s", __func__, tty);
@ -414,10 +397,9 @@ Index: openssh-9.6p1/openbsd-compat/port-linux.c
 	/* XXX: should these calls fatal() upon failure in enforcing mode? */
-Index: openssh-9.6p1/openbsd-compat/port-linux.h
+diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h
-===================================================================
+--- openssh/openbsd-compat/port-linux.h.role-mls	2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/openbsd-compat/port-linux.h
+++ openssh/openbsd-compat/port-linux.h	2018-08-22 11:14:56.819430949 +0200
 +++ openssh-9.6p1/openbsd-compat/port-linux.h
@@ -20,9 +20,10 @@
 #ifdef WITH_SELINUX
 int ssh_selinux_enabled(void);
@ -430,11 +412,10 @@ Index: openssh-9.6p1/openbsd-compat/port-linux.h
 #endif
 #ifdef LINUX_OOM_ADJUST
-Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
+diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
-===================================================================
+--- openssh/openbsd-compat/port-linux-sshd.c.role-mls	2018-08-22 11:14:56.819430949 +0200
--- /dev/null
+++ openssh/openbsd-compat/port-linux-sshd.c	2018-08-22 11:14:56.819430949 +0200
-+++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c
+@@ -0,0 +1,420 @@
@@ -0,0 +1,421 @@
 +/*
 + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
 + * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
@ -488,7 +469,6 @@ Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
 +extern ServerOptions options;
 +extern Authctxt *the_authctxt;
 +extern int inetd_flag;
 +extern int rexeced_flag;
 +
 +/* Send audit message */
 +static int
@ -694,7 +674,7 @@ Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
 +
 +	if (r == 0) {
 +		/* If launched from xinetd, we must use current level */
-+		if (inetd_flag && !rexeced_flag) {
+		if (inetd_flag) {
 +			security_context_t sshdsc=NULL;
 +
 +			if (getcon_raw(&sshdsc) < 0)
@ -768,7 +748,7 @@ Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
 +
 +	rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
 +
-+	if (inetd_flag && !rexeced_flag) {
+	if (inetd_flag) {
 +		use_current = "1";
 +	} else {
 +		use_current = "";
@ -856,11 +836,10 @@ Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
 +#endif
 +#endif
 +
-Index: openssh-9.6p1/platform.c
+diff -up openssh/platform.c.role-mls openssh/platform.c
-===================================================================
+--- openssh/platform.c.role-mls	2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/platform.c
+++ openssh/platform.c	2018-08-22 11:14:56.819430949 +0200
-+++ openssh-9.6p1/platform.c
+@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru
@@ -185,7 +185,7 @@ platform_setusercontext_post_groups(stru
 	}
 #endif /* HAVE_SETPCRED */
 #ifdef WITH_SELINUX
@ -869,11 +848,10 @@ Index: openssh-9.6p1/platform.c
 #endif
 }
-Index: openssh-9.6p1/sshd.c
+diff -up openssh/sshd.c.role-mls openssh/sshd.c
-===================================================================
+--- openssh/sshd-session.c.role-mls	2018-08-20 07:57:29.000000000 +0200
--- openssh-9.6p1.orig/sshd.c
+++ openssh/sshd-session.c	2018-08-22 11:14:56.820430957 +0200
-+++ openssh-9.6p1/sshd.c
+@@ -2186,6 +2186,9 @@ main(int ac, char **av)
@@ -2387,6 +2387,9 @@ main(int ac, char **av)
 		restore_uid();
 	}
 #endif
@ -882,4 +860,4 @@ Index: openssh-9.6p1/sshd.c
 +#endif
 #ifdef USE_PAM
 	if (options.use_pam) {
- 		do_pam_setcred(1);
+ 		do_pam_setcred();
--- a/openssh-8.0p1-gssapi-keyex.patch
+++ b/openssh-8.0p1-gssapi-keyex.patch
--- a/openssh-8.1p1-audit.patch
+++ b/openssh-8.1p1-audit.patch
@ -3,7 +3,7 @@ Index: openssh-8.9p1/Makefile.in
 --- openssh-8.9p1.orig/Makefile.in
 +++ openssh-8.9p1/Makefile.in
@@ -116,7 +116,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
- 	kexsntrup761x25519.o sntrup761.o kexgen.o \
+ 	kexsntrup761x25519.o kexmlkem768x25519.o sntrup761.o kexgen.o \
 	kexgssc.o \
 	sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
 -	sshbuf-io.o
@ -236,7 +236,7 @@ Index: openssh-8.9p1/audit-linux.c
 /* Below is the sshd audit API code */
 void
-@@ -76,49 +176,210 @@ audit_connection_from(const char *host,
+@@ -76,49 +176,211 @@ audit_connection_from(const char *host,
 	/* not implemented */
 }
@ -315,6 +315,7 @@ Index: openssh-8.9p1/audit-linux.c
 	case SSH_AUTH_FAIL_PASSWD:
 +		if (options.use_pam)
 +			break;
 +	/* Fallthrough */
 +	case SSH_LOGIN_EXCEED_MAXTRIES:
 	case SSH_AUTH_FAIL_KBDINT:
 	case SSH_AUTH_FAIL_PUBKEY:
@ -451,7 +452,7 @@ Index: openssh-8.9p1/audit-linux.c
 +	}
 +	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
 +			buf, NULL,
-+			listening_for_clients() ? NULL : ssh_remote_ipaddr(ssh),
+			ssh_remote_ipaddr(ssh), /*FIXME listening_for_clients() ? NULL : ssh_remote_ipaddr(ssh) */
 +			NULL, 1);
 +	audit_close(audit_fd);
 +	/* do not abort if the error is EPERM and sshd is run as non root user */
@ -518,19 +519,19 @@ Index: openssh-8.9p1/audit.c
 +void
 +audit_unsupported(struct ssh *ssh, int what)
 +{
-+	PRIVSEP(audit_unsupported_body(ssh, what));
+	mm_audit_unsupported_body(ssh, what);
 +}
 +
 +void
 +audit_kex(struct ssh *ssh, int ctos, char *enc, char *mac, char *comp, char *pfs)
 +{
-+	PRIVSEP(audit_kex_body(ssh, ctos, enc, mac, comp, pfs, getpid(), getuid()));
+	mm_audit_kex_body(ssh, ctos, enc, mac, comp, pfs, getpid(), getuid());
 +}
 +
 +void
 +audit_session_key_free(struct ssh *ssh, int ctos)
 +{
-+	PRIVSEP(audit_session_key_free_body(ssh, ctos, getpid(), getuid()));
+	mm_audit_session_key_free_body(ssh, ctos, getpid(), getuid());
 +}
 +
 # ifndef CUSTOM_SSH_AUDIT_EVENTS
@ -778,18 +779,18 @@ Index: openssh-8.9p1/auth.h
 +    const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
 /* Key / cert options linkage to auth layer */
- const struct sshauthopt *auth_options(struct ssh *);
+ int	 auth_activate_options(struct ssh *, struct sshauthopt *);
 Index: openssh-8.9p1/auth2-hostbased.c
 ===================================================================
 --- openssh-8.9p1.orig/auth2-hostbased.c
 +++ openssh-8.9p1/auth2-hostbased.c
@@ -149,7 +149,7 @@ userauth_hostbased(struct ssh *ssh, cons
 	authenticated = 0;
- 	if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser,
+ 	if (mm_hostbased_key_allowed(ssh, authctxt->pw, cuser,
- 	    chost, key)) &&
+ 	    chost, key) &&
-	    PRIVSEP(sshkey_verify(key, sig, slen,
+-	    mm_sshkey_verify(key, sig, slen,
-+	    PRIVSEP(hostbased_key_verify(ssh, key, sig, slen,
+	    mm_hostbased_key_verify(ssh, key, sig, slen,
- 	    sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0)
+ 	    sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL) == 0)
 		authenticated = 1;
@@ -166,6 +166,19 @@ done:
@ -819,12 +820,12 @@ Index: openssh-8.9p1/auth2-pubkey.c
@@ -223,7 +223,7 @@ userauth_pubkey(struct ssh *ssh, const c
 		/* test for correct signature */
 		authenticated = 0;
- 		if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
+ 		if (mm_user_key_allowed(ssh, pw, key, 1, &authopts) &&
-		    PRIVSEP(sshkey_verify(key, sig, slen,
+-		    mm_sshkey_verify(key, sig, slen,
-+		    PRIVSEP(user_key_verify(ssh, key, sig, slen,
+		    mm_user_key_verify(ssh, key, sig, slen,
 		    sshbuf_ptr(b), sshbuf_len(b),
 		    (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
- 		    ssh->compat, &sig_details)) == 0) {
+ 		    ssh->compat, &sig_details) == 0) {
@@ -316,6 +316,19 @@ done:
 	return authenticated;
 }
@ -854,7 +855,7 @@ Index: openssh-8.9p1/auth2.c
 			/* Invalid user, fake password information */
 			authctxt->pw = fakepw();
 -#ifdef SSH_AUDIT_EVENTS
-			PRIVSEP(audit_event(ssh, SSH_INVALID_USER));
+-			mm_audit_event(ssh, SSH_INVALID_USER);
 -#endif
 		}
 #ifdef USE_PAM
@ -939,8 +940,8 @@ Index: openssh-8.9p1/kex.c
 #include "xmalloc.h"
 +#include "audit.h"
- #ifdef GSSAPI
+ /* prototype */
- #include "ssh-gss.h"
+ static int kex_choose_conf(struct ssh *, uint32_t seq);
@@ -879,12 +880,16 @@ kex_start_rekex(struct ssh *ssh)
 }
@ -1124,7 +1125,7 @@ Index: openssh-8.9p1/monitor.c
 extern struct sshbuf *loginmsg;
 extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
-+extern void destroy_sensitive_data(struct ssh *, int);
+extern void destroy_sensitive_data(struct ssh *);
 +
 /* State exported from the child */
 static struct sshbuf *child_state;
@ -1257,7 +1258,7 @@ Index: openssh-8.9p1/monitor.c
 		sshpam_cleanup();
 #endif
-+	destroy_sensitive_data(ssh, 0);
+	destroy_sensitive_data(ssh);
 +
 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
 		if (errno != EINTR)
@ -1301,12 +1302,12 @@ Index: openssh-8.9p1/monitor.c
 +	debug3("%s entering", __func__);
 +	if ((r = sshbuf_get_u32(m, &handle)) != 0 ||
 +	    (r = sshbuf_get_string(m, &cmd, &len)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	s = session_by_id(handle);
 +	if (s == NULL || s->ttyfd != -1 || s->command == NULL ||
 +	    strcmp(s->command, cmd) != 0)
-+		fatal("%s: invalid handle", __func__);
+		fatal_f("invalid handle");
 +	mm_session_close(ssh, s);
 	free(cmd);
 	return (0);
@ -1349,7 +1350,7 @@ Index: openssh-8.9p1/monitor.c
 +	int what, r;
 +
 +	if ((r = sshbuf_get_u32(m, &what)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	audit_unsupported_body(ssh, what);
 +
@ -1374,10 +1375,10 @@ Index: openssh-8.9p1/monitor.c
 +	    (r = sshbuf_get_cstring(m, &compress, NULL)) != 0 ||
 +	    (r = sshbuf_get_cstring(m, &pfs, NULL)) != 0 ||
 +	    (r = sshbuf_get_u64(m, &tmp)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +	pid = (pid_t) tmp;
 +	if ((r = sshbuf_get_u64(m, &tmp)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +	uid = (pid_t) tmp;
 +
 +	audit_kex_body(ssh, ctos, cipher, mac, compress, pfs, pid, uid);
@ -1402,10 +1403,10 @@ Index: openssh-8.9p1/monitor.c
 +
 +	if ((r = sshbuf_get_u32(m, &ctos)) != 0 ||
 +	    (r = sshbuf_get_u64(m, &tmp)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +	pid = (pid_t) tmp;
 +	if ((r = sshbuf_get_u64(m, &tmp)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +	uid = (uid_t) tmp;
 +
 +	audit_session_key_free_body(ssh, ctos, pid, uid);
@ -1427,10 +1428,10 @@ Index: openssh-8.9p1/monitor.c
 +
 +	if ((r = sshbuf_get_cstring(m, &fp, &len)) != 0 ||
 +	    (r = sshbuf_get_u64(m, &tmp)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +	pid = (pid_t) tmp;
 +	if ((r = sshbuf_get_u64(m, &tmp)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +	uid = (uid_t) tmp;
 +
 +	audit_destroy_sensitive_data(ssh, fp, pid, uid);
@ -1526,7 +1527,7 @@ Index: openssh-8.9p1/monitor_wrap.c
 +	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, m);
 +
 +	if ((r = sshbuf_get_u32(m, &handle)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +	sshbuf_free(m);
 +
 +	return (handle);
@ -1541,19 +1542,19 @@ Index: openssh-8.9p1/monitor_wrap.c
 +	debug3("%s entering command %s", __func__, command);
 +
 + 	if ((m = sshbuf_new()) == NULL)
-+ 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 +	if ((r = sshbuf_put_u32(m, handle)) != 0 ||
 +	    (r = sshbuf_put_cstring(m, command)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, m);
 	sshbuf_free(m);
 }
 #endif /* SSH_AUDIT_EVENTS */
-@@ -1074,3 +1114,130 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
+@@ -1217,3 +1257,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
 	return &ci;
 }
 #endif /* GSSAPI */
 +#ifdef SSH_AUDIT_EVENTS
 +void
 +mm_audit_unsupported_body(struct ssh *ssh, int what)
@ -1562,9 +1563,9 @@ Index: openssh-8.9p1/monitor_wrap.c
 +	struct sshbuf *m;
 +
 + 	if ((m = sshbuf_new()) == NULL)
-+ 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 +	if ((r = sshbuf_put_u32(m, what)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, m);
 +	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
@ -1581,7 +1582,7 @@ Index: openssh-8.9p1/monitor_wrap.c
 +	struct sshbuf *m;
 +
 + 	if ((m = sshbuf_new()) == NULL)
-+ 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 +	if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
 +	    (r = sshbuf_put_cstring(m, cipher)) != 0 ||
 +	    (r = sshbuf_put_cstring(m, (mac ? mac : "<implicit>"))) != 0 ||
@ -1589,7 +1590,7 @@ Index: openssh-8.9p1/monitor_wrap.c
 +	    (r = sshbuf_put_cstring(m, fps)) != 0 ||
 +	    (r = sshbuf_put_u64(m, pid)) != 0 ||
 +	    (r = sshbuf_put_u64(m, uid)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, m);
 +	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
@ -1605,11 +1606,11 @@ Index: openssh-8.9p1/monitor_wrap.c
 +	struct sshbuf *m;
 +
 + 	if ((m = sshbuf_new()) == NULL)
-+ 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 +	if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
 +	    (r = sshbuf_put_u64(m, pid)) != 0 ||
 +	    (r = sshbuf_put_u64(m, uid)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, m);
 +	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
@ -1624,62 +1625,15 @@ Index: openssh-8.9p1/monitor_wrap.c
 +	struct sshbuf *m;
 +
 + 	if ((m = sshbuf_new()) == NULL)
-+ 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 +	if ((r = sshbuf_put_cstring(m, fp)) != 0 ||
 +	    (r = sshbuf_put_u64(m, pid)) != 0 ||
 +	    (r = sshbuf_put_u64(m, uid)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m);
 +	sshbuf_free(m);
 +}
 +
 +int mm_forward_audit_messages(int fdin)
 +{
 +	u_char buf[4];
 +	u_int blen, msg_len;
 +	struct sshbuf *m;
 +	int ret = 0;
 +
 +	debug3("%s: entering", __func__);
 +	m = sshbuf_new();
 +	do {
 +		int r;
 +
 +		blen = atomicio(read, fdin, buf, sizeof(buf));
 +		if (blen == 0) /* closed pipe */
 +			break;
 +		if (blen != sizeof(buf)) {
 +			error("%s: Failed to read the buffer from child", __func__);
 +			ret = -1;
 +			break;
 +		}
 +
 +		msg_len = get_u32(buf);
 +		if (msg_len > 256 * 1024)
 +			fatal("%s: read: bad msg_len %d", __func__, msg_len);
 +		sshbuf_reset(m);
 +		if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
 +			fatal("%s: buffer error: %s", __func__, ssh_err(r));
 +		if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
 +			error("%s: Failed to read the the buffer conent from the child", __func__);
 +			ret = -1;
 +			break;
 +		}
 +		if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen || 
 +		    atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
 +			error("%s: Failed to write the messag to the monitor", __func__);
 +			ret = -1;
 +			break;
 +		}
 +	} while (1);
 +	sshbuf_free(m);
 +	return ret;
 +}
 +void mm_set_monitor_pipe(int fd)
 +{
 +	pmonitor->m_recvfd = fd;
 +}
 +#endif /* SSH_AUDIT_EVENTS */
 Index: openssh-8.9p1/monitor_wrap.h
 ===================================================================
@ -1695,8 +1649,8 @@ Index: openssh-8.9p1/monitor_wrap.h
 +int mm_user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
     const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
- #ifdef GSSAPI
+ void mm_decode_activate_server_options(struct ssh *ssh, struct sshbuf *m);
-@@ -83,7 +85,14 @@ void mm_sshpam_free_ctx(void *);
+@@ -83,7 +85,12 @@ void mm_sshpam_free_ctx(void *);
 #ifdef SSH_AUDIT_EVENTS
 #include "audit.h"
 void mm_audit_event(struct ssh *, ssh_audit_event_t);
@ -1707,8 +1661,6 @@ Index: openssh-8.9p1/monitor_wrap.h
 +void mm_audit_kex_body(struct ssh *, int, char *, char *, char *, char *, pid_t, uid_t);
 +void mm_audit_session_key_free_body(struct ssh *, int, pid_t, uid_t);
 +void mm_audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t);
 +int mm_forward_audit_messages(int);
 +void mm_set_monitor_pipe(int);
 #endif
 struct Session;
@ -1738,12 +1690,7 @@ Index: openssh-8.9p1/packet.c
 /*
  * Returns the IP-address of the remote host as a string.  The returned
  * string must not be freed.
-@@ -579,26 +587,23 @@ ssh_packet_rdomain_in(struct ssh *ssh)
+@@ -579,22 +587,19 @@ ssh_packet_rdomain_in(struct ssh *ssh)
 /* Closes the connection and clears and frees internal data structures. */
 static void
 -ssh_packet_close_internal(struct ssh *ssh, int do_close)
 +ssh_packet_close_internal(struct ssh *ssh, int do_close, int do_audit)
 {
 	struct session_state *state = ssh->state;
 	u_int mode;
@ -1775,7 +1722,7 @@ Index: openssh-8.9p1/packet.c
 #endif	/* WITH_ZLIB */
 	cipher_free(state->send_context);
 	cipher_free(state->receive_context);
-+	if (do_audit && had_keys && state->server_side) {
+	if (had_keys && state->server_side) {
 +		/* Assuming this is called only from privsep child */
 +		audit_session_key_free(ssh, MODE_MAX);
 +	}
@ -1790,28 +1737,6 @@ Index: openssh-8.9p1/packet.c
 		free(ssh->local_ipaddr);
 		ssh->local_ipaddr = NULL;
 		free(ssh->remote_ipaddr);
@@ -650,13 +665,19 @@ ssh_packet_close_internal(struct ssh *ss
 void
 ssh_packet_close(struct ssh *ssh)
 {
 -	ssh_packet_close_internal(ssh, 1);
 +	ssh_packet_close_internal(ssh, 1, 1);
 }
 void
 ssh_packet_clear_keys(struct ssh *ssh)
 {
 -	ssh_packet_close_internal(ssh, 0);
 +	ssh_packet_close_internal(ssh, 0, 1);
 +}
 +
 +void
 +ssh_packet_clear_keys_noaudit(struct ssh *ssh)
 +{
 +	ssh_packet_close_internal(ssh, 0, 0);
 }
 /* Sets remote side protocol flags. */
@@ -892,6 +913,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
 		    (unsigned long long)state->p_send.bytes,
 		    (unsigned long long)state->p_send.blocks);
@ -1820,7 +1745,7 @@ Index: openssh-8.9p1/packet.c
 		state->newkeys[mode] = NULL;
 	}
 	/* note that both bytes and the seqnr are not reset */
-@@ -2183,6 +2205,73 @@ ssh_packet_get_output(struct ssh *ssh)
+@@ -2183,6 +2205,72 @@ ssh_packet_get_output(struct ssh *ssh)
 	return (void *)ssh->state->output;
 }
@ -1850,9 +1775,8 @@ Index: openssh-8.9p1/packet.c
 +		return;
 +
 +	cipher_free(state->receive_context);
 +	state->receive_context = NULL;
 +	cipher_free(state->send_context);
-+	state->send_context = NULL;
+	state->send_context = state->receive_context = NULL;
 +
 +	sshbuf_free(state->input);
 +	state->input = NULL;
@ -1898,14 +1822,6 @@ Index: openssh-8.9p1/packet.h
 ===================================================================
 --- openssh-8.9p1.orig/packet.h
 +++ openssh-8.9p1/packet.h
@@ -102,6 +102,7 @@ int      ssh_packet_get_connection_out(s
 void     ssh_packet_close(struct ssh *);
 void	 ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *);
 void	 ssh_packet_clear_keys(struct ssh *);
 +void     ssh_packet_clear_keys_noaudit(struct ssh *);
 void	 ssh_clear_newkeys(struct ssh *, int);
 int	 ssh_packet_is_rekeying(struct ssh *);
@@ -220,4 +221,5 @@ const u_char	*sshpkt_ptr(struct ssh *, s
 # undef EC_POINT
 #endif
@ -1921,22 +1837,11 @@ Index: openssh-8.9p1/session.c
 extern u_int utmp_len;
 extern int startup_pipe;
 -extern void destroy_sensitive_data(void);
-+extern void destroy_sensitive_data(struct ssh *, int);
+extern void destroy_sensitive_data(struct ssh *);
 extern struct sshbuf *loginmsg;
 extern struct sshauthopt *auth_opts;
 extern char *tun_fwd_ifnames; /* serverloop.c */
-@@ -157,6 +157,10 @@ static Session *sessions = NULL;
+@@ -644,6 +644,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
 login_cap_t *lc;
 #endif
 +#ifdef SSH_AUDIT_EVENTS
 +int paudit[2];
 +#endif
 +
 static int is_child = 0;
 static int in_chroot = 0;
@@ -642,6 +646,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
 	/* Parent.  Close the slave side of the pseudo tty. */
 	close(ttyfd);
@ -1951,85 +1856,42 @@ Index: openssh-8.9p1/session.c
 	/* Enter interactive session. */
 	s->ptymaster = ptymaster;
 	ssh_packet_set_interactive(ssh, 1,
-@@ -706,15 +718,21 @@ do_exec(struct ssh *ssh, Session *s, con
+@@ -736,15 +744,19 @@ do_exec(struct ssh *ssh, Session *s, con
 	    s->self);
 #ifdef SSH_AUDIT_EVENTS
 +	if (s->command != NULL || s->command_handle != -1)
 +		fatal("do_exec: command already set");
 	if (command != NULL)
-		PRIVSEP(audit_run_command(command));
+-		mm_audit_run_command(command);
 +		s->command = xstrdup(command);
 	else if (s->ttyfd == -1) {
 		char *shell = s->pw->pw_shell;
 		if (shell[0] == '\0')	/* empty shell means /bin/sh */
 			shell =_PATH_BSHELL;
-		PRIVSEP(audit_run_command(shell));
+-		mm_audit_run_command(shell);
 +		s->command = xstrdup(shell);
 	}
 +	if (s->command != NULL && s->ptyfd == -1)
-+		s->command_handle = PRIVSEP(audit_run_command(ssh, s->command));
+		s->command_handle = mm_audit_run_command(ssh, s->command);
 +	if (pipe(paudit) < 0)
 +		fatal("pipe: %s", strerror(errno));
 #endif
 	if (s->ttyfd != -1)
 		ret = do_exec_pty(ssh, s, command);
-@@ -730,6 +748,20 @@ do_exec(struct ssh *ssh, Session *s, con
+@@ -1550,8 +1562,11 @@ do_child(struct ssh *ssh, Session *s, co
 	 */
 	sshbuf_reset(loginmsg);
 +#ifdef SSH_AUDIT_EVENTS
 +	close(paudit[1]);
 +	if (use_privsep && ret == 0) {
 +		/*
 +		 * Read the audit messages from forked child and send them
 +		 * back to monitor. We don't want to communicate directly,
 +		 * because the messages might get mixed up.
 +		 * Continue after the pipe gets closed (all messages sent).
 +		 */
 +		ret = mm_forward_audit_messages(paudit[0]);
 +	}
 +	close(paudit[0]);
 +#endif /* SSH_AUDIT_EVENTS */
 +
 	return ret;
 }
@@ -1530,11 +1562,30 @@ do_child(struct ssh *ssh, Session *s, co
 	int env_size;
 	int r = 0;
 +#ifdef SSH_AUDIT_EVENTS
 +	int pparent = paudit[1];
 +	close(paudit[0]);
 +	/* Hack the monitor pipe to avoid race condition with parent */
 +	if (use_privsep)
 +		mm_set_monitor_pipe(pparent);
 +#endif
 +
 	sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
 	/* remove hostkey from the child's memory */
 -	destroy_sensitive_data();
-	ssh_packet_clear_keys(ssh);
+	destroy_sensitive_data(ssh);
-+	destroy_sensitive_data(ssh, use_privsep);
+ 	ssh_packet_clear_keys(ssh);
-+	ssh_packet_clear_keys_noaudit(ssh);
+	/* Don't audit this - both us and the parent would be talking to the
-+	/*
+	   monitor over a single socket, with no synchronization. */
 +	 * We can audit this, because we hacked the pipe to direct the
 +	 * messages over postauth child. But this message requires an answer
 +	 * which we can't do using a one-way pipe.
 +	 */
 +	packet_destroy_all(ssh, 0, 1);
 +
 +#ifdef SSH_AUDIT_EVENTS
 +	/* Notify parent that we are done */
 +	close(pparent);
 +#endif
 	/* Force a password change */
 	if (s->authctxt->force_pwchange) {
-@@ -1743,6 +1794,9 @@ session_unused(int id)
+@@ -1763,6 +1778,9 @@ session_unused(int id)
 	sessions[id].ttyfd = -1;
 	sessions[id].ptymaster = -1;
 	sessions[id].x11_chanids = NULL;
@ -2039,7 +1901,7 @@ Index: openssh-8.9p1/session.c
 	sessions[id].next_unused = sessions_first_unused;
 	sessions_first_unused = id;
 }
-@@ -1822,6 +1876,19 @@ session_open(Authctxt *authctxt, int cha
+@@ -1843,6 +1861,19 @@ session_open(Authctxt *authctxt, int cha
 }
 Session *
@ -2050,7 +1912,7 @@ Index: openssh-8.9p1/session.c
 +		if (s->used)
 +			return s;
 +	}
-+	debug("%s: unknown id %d", __func__, id);
+	debug_f("unknown id %d", id);
 +	session_dump();
 +	return NULL;
 +}
@ -2059,7 +1921,7 @@ Index: openssh-8.9p1/session.c
 session_by_tty(char *tty)
 {
 	int i;
-@@ -2429,6 +2496,32 @@ session_exit_message(struct ssh *ssh, Se
+@@ -2450,6 +2481,32 @@ session_exit_message(struct ssh *ssh, Se
 		chan_write_failed(ssh, c);
 }
@ -2081,7 +1943,7 @@ Index: openssh-8.9p1/session.c
 +{
 +	if (s->command != NULL) {
 +		if (s->command_handle != -1)
-+			PRIVSEP(audit_end_command(ssh, s->command_handle, s->command));
+			mm_audit_end_command(ssh, s->command_handle, s->command);
 +		free(s->command);
 +		s->command = NULL;
 +		s->command_handle = -1;
@ -2092,7 +1954,7 @@ Index: openssh-8.9p1/session.c
 void
 session_close(struct ssh *ssh, Session *s)
 {
-@@ -2470,6 +2563,10 @@ session_close(struct ssh *ssh, Session *
+@@ -2463,6 +2520,10 @@ session_close(struct ssh *ssh, Session *
 	if (s->ttyfd != -1)
 		session_pty_cleanup(s);
@ -2103,7 +1965,7 @@ Index: openssh-8.9p1/session.c
 	free(s->term);
 	free(s->display);
 	free(s->x11_chanids);
-@@ -2544,14 +2641,14 @@ session_close_by_channel(struct ssh *ssh
+@@ -2537,14 +2598,14 @@ session_close_by_channel(struct ssh *ssh
 }
 void
@ -2120,7 +1982,7 @@ Index: openssh-8.9p1/session.c
 			else
 				session_close(ssh, s);
 		}
-@@ -2677,6 +2774,15 @@ do_authenticated2(struct ssh *ssh, Authc
+@@ -2671,6 +2732,15 @@ do_authenticated2(struct ssh *ssh, Authc
 	server_loop2(ssh, authctxt);
 }
@ -2136,10 +1998,10 @@ Index: openssh-8.9p1/session.c
 void
 do_cleanup(struct ssh *ssh, Authctxt *authctxt)
 {
-@@ -2740,7 +2846,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
+@@ -2734,7 +2804,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
 	 * or if running in monitor.
 	 */
- 	if (!use_privsep || mm_is_monitor())
+ 	if (mm_is_monitor())
 -		session_destroy_all(ssh, session_pty_cleanup2);
 +		session_destroy_all(ssh, do_cleanup_one_session);
 }
@ -2180,26 +2042,7 @@ Index: openssh-8.9p1/sshd.c
 ===================================================================
 --- openssh-8.9p1.orig/sshd.c
 +++ openssh-8.9p1/sshd.c
-@@ -125,6 +125,7 @@
+@@ -219,6 +219,15 @@ close_listen_socks(void)
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
 +#include "audit.h"
 #include "ssh-sandbox.h"
 #include "auth-options.h"
 #include "version.h"
@@ -265,8 +266,8 @@ struct sshbuf *loginmsg;
 struct passwd *privsep_pw = NULL;
 /* Prototypes for various functions defined later in this file. */
 -void destroy_sensitive_data(void);
 -void demote_sensitive_data(void);
 +void destroy_sensitive_data(struct ssh *, int);
 +void demote_sensitive_data(struct ssh *);
 static void do_ssh2_kex(struct ssh *);
 static char *listener_proctitle;
@@ -284,6 +285,15 @@ close_listen_socks(void)
 	num_listen_socks = 0;
 }
@ -2209,14 +2052,45 @@ Index: openssh-8.9p1/sshd.c
 + */
 +int listening_for_clients(void)
 +{
-+	return num_listen_socks >= 0;
+	return num_listen_socks > 0;
 +}
 +
 /* Allocate and initialise the children array */
 static void
- close_startup_pipes(void)
+ child_alloc(void)
- {
+@@ -897,6 +906,7 @@ server_accept_loop(int *sock_in, int *so
-@@ -382,18 +392,45 @@ grace_alarm_handler(int sig)
+ 		if (received_sigterm) {
- 	    ssh_remote_port(the_active_state));
+ 			logit("Received signal %d; terminating.",
 			    (int) received_sigterm);
 +                       /* destroy_sensitive_data(ssh, 0); FIXME */
 			close_listen_socks();
 			if (options.pid_file != NULL)
 				unlink(options.pid_file);
 Index: openssh-8.9p1/sshd-session.c
 ===================================================================
 --- openssh-8.9p1.orig/sshd-session.c
 +++ openssh-8.9p1/sshd-session.c
@@ -125,6 +125,7 @@
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
 +#include "audit.h"
 #include "ssh-sandbox.h"
 #include "auth-options.h"
 #include "version.h"
@@ -265,8 +266,8 @@ struct sshbuf *loginmsg;
 struct sshbuf *loginmsg;
 /* Prototypes for various functions defined later in this file. */
 -void destroy_sensitive_data(void);
 -void demote_sensitive_data(void);
 +void destroy_sensitive_data(struct ssh *);
 +void demote_sensitive_data(struct ssh *);
 static void do_ssh2_kex(struct ssh *);
 /*
@@ -382,18 +383,40 @@ grace_alarm_handler(int sig)
 	_exit(EXIT_LOGIN_GRACE);
 }
 -/* Destroy the host and server keys.  They will no longer be needed. */
@ -2226,7 +2100,7 @@ Index: openssh-8.9p1/sshd.c
 + */
 void
 -destroy_sensitive_data(void)
-+destroy_sensitive_data(struct ssh *ssh, int privsep)
+destroy_sensitive_data(struct ssh *ssh)
 {
 	u_int i;
 +#ifdef SSH_AUDIT_EVENTS
@ -2248,12 +2122,7 @@ Index: openssh-8.9p1/sshd.c
 			sensitive_data.host_keys[i] = NULL;
 +			if (fp != NULL) {
 +#ifdef SSH_AUDIT_EVENTS
-+				if (privsep)
+				audit_destroy_sensitive_data(ssh, fp, pid, uid);
 +					PRIVSEP(audit_destroy_sensitive_data(ssh, fp,
 +						pid, uid));
 +				else
 +					audit_destroy_sensitive_data(ssh, fp,
 +						pid, uid);
 +#endif
 +				free(fp);
 +			}
@ -2264,7 +2133,7 @@ Index: openssh-8.9p1/sshd.c
 			sshkey_free(sensitive_data.host_certificates[i]);
 			sensitive_data.host_certificates[i] = NULL;
 		}
-@@ -402,20 +439,38 @@ destroy_sensitive_data(void)
+@@ -402,20 +430,38 @@ destroy_sensitive_data(void)
 /* Demote private to public keys for network child */
 void
@ -2304,7 +2173,7 @@ Index: openssh-8.9p1/sshd.c
 		}
 		/* Certs do not need demotion */
 	}
-@@ -443,7 +498,7 @@ reseed_prngs(void)
+@@ -443,7 +489,7 @@ reseed_prngs(void)
 }
 static void
@ -2313,7 +2182,7 @@ Index: openssh-8.9p1/sshd.c
 {
 	gid_t gidset[1];
-@@ -458,7 +513,7 @@ privsep_preauth_child(void)
+@@ -458,7 +504,7 @@ privsep_preauth_child(void)
 	reseed_prngs();
 	/* Demote the private keys to public keys. */
@ -2322,16 +2191,16 @@ Index: openssh-8.9p1/sshd.c
 	/* Demote the child */
 	if (privsep_chroot) {
-@@ -493,7 +548,7 @@ privsep_preauth(struct ssh *ssh)
+@@ -493,7 +539,7 @@ privsep_preauth(struct ssh *ssh)
 	pmonitor->m_pkex = &ssh->kex;
 	if (use_privsep == PRIVSEP_ON)
 	box = ssh_sandbox_init(pmonitor);
 -	pid = fork();
 +	pmonitor->m_pid = pid = fork();
 	if (pid == -1) {
 		fatal("fork of unprivileged child failed");
 	} else if (pid != 0) {
-@@ -538,7 +593,7 @@ privsep_preauth(struct ssh *ssh)
+@@ -538,7 +584,7 @@ privsep_preauth(struct ssh *ssh)
 		/* Arrange for logging to be sent to the monitor */
 		set_log_handler(mm_log_handler, pmonitor);
@ -2340,7 +2209,7 @@ Index: openssh-8.9p1/sshd.c
 		setproctitle("%s", "[net]");
 		if (box != NULL)
 			ssh_sandbox_child(box);
-@@ -582,7 +637,7 @@ privsep_postauth(struct ssh *ssh, Authct
+@@ -582,7 +628,7 @@ privsep_postauth(struct ssh *ssh, Authct
 	pmonitor->m_sendfd = -1;
 	/* Demote the private keys to public keys. */
@ -2349,43 +2218,17 @@ Index: openssh-8.9p1/sshd.c
 	reseed_prngs();
-@@ -1136,7 +1191,7 @@ server_listen(void)
+@@ -2311,6 +2358,9 @@ main(int ac, char **av)
  * from this function are in a forked subprocess.
  */
 static void
 -server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
 +server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s)
 {
 	struct pollfd *pfd = NULL;
 	int i, j, ret, npfd;
@@ -1179,6 +1234,7 @@ server_accept_loop(int *sock_in, int *so
 		if (received_sigterm) {
 			logit("Received signal %d; terminating.",
 			    (int) received_sigterm);
 +			destroy_sensitive_data(ssh, 0);
 			close_listen_socks();
 			if (options.pid_file != NULL)
 				unlink(options.pid_file);
@@ -2088,7 +2144,7 @@ main(int ac, char **av)
 #endif
 		/* Accept a connection and return in a forked child */
 -		server_accept_loop(&sock_in, &sock_out,
 +		server_accept_loop(ssh, &sock_in, &sock_out,
 		    &newsock, config_s);
 	}
@@ -2311,6 +2367,9 @@ main(int ac, char **av)
 	do_authenticated(ssh, authctxt);
 	/* The connection has been terminated. */
 +	packet_destroy_all(ssh, 1, 1);
-+	destroy_sensitive_data(ssh, 1);
+	destroy_sensitive_data(ssh);
 +
 	ssh_packet_get_bytes(ssh, &ibytes, &obytes);
 	verbose("Transferred: sent %llu, received %llu bytes",
 	    (unsigned long long)obytes, (unsigned long long)ibytes);
-@@ -2491,6 +2550,15 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2491,6 +2541,15 @@ do_ssh2_kex(struct ssh *ssh)
 void
 cleanup_exit(int i)
 {
@ -2398,32 +2241,35 @@ Index: openssh-8.9p1/sshd.c
 +	if (in_cleanup)
 +		_exit(i);
 +	in_cleanup = 1;
 	extern int auth_attempted; /* monitor.c */
 	if (the_active_state != NULL && the_authctxt != NULL) {
- 		do_cleanup(the_active_state, the_authctxt);
+@@ -2525,7 +2593,9 @@ cleanup_exit(int i)
 		if (use_privsep && privsep_is_preauth &&
@@ -2503,9 +2571,16 @@ cleanup_exit(int i)
 	}
 		}
 	}
 +	is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;
 +	if (sensitive_data.host_keys != NULL && the_active_state != NULL)
 +		destroy_sensitive_data(the_active_state, is_privsep_child);
 +	if (the_active_state != NULL)
 +		packet_destroy_all(the_active_state, 1, is_privsep_child);
 #ifdef SSH_AUDIT_EVENTS
 	/* done after do_cleanup so it can cancel the PAM auth 'thread' */
-	if (the_active_state != NULL && (!use_privsep || mm_is_monitor()))
+-	if (the_active_state != NULL && mm_is_monitor())
 +       if (the_active_state != NULL &&
 +           (the_authctxt == NULL || !the_authctxt->authenticated) &&
-+	    (!use_privsep || mm_is_monitor()))
+           mm_is_monitor())
 		audit_event(the_active_state, SSH_CONNECTION_ABANDON);
 #endif
- 	_exit(i);
+ 	/* Override default fatal exit value when auth was attempted */
 Index: openssh-8.9p1/sshkey.c
 ===================================================================
 --- openssh-8.9p1.orig/sshkey.c
 +++ openssh-8.9p1/sshkey.c
-@@ -400,6 +400,38 @@ sshkey_type_is_valid_ca(int type)
+@@ -35,6 +35,9 @@ sshkey_type_is_valid_ca(int type)
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
 +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 +# include <openssl/core_names.h>
 +# endif
 #endif
 #include "crypto_api.h"
@@ -400,6 +403,53 @@ sshkey_type_is_valid_ca(int type)
 }
 int
@ -2431,23 +2277,38 @@ Index: openssh-8.9p1/sshkey.c
 +{
 +      switch (k->type) {
 +#ifdef WITH_OPENSSL
 +# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 +      case KEY_RSA_CERT:
-+      case KEY_RSA: {
+      case KEY_RSA:
-+              const BIGNUM *d;
+      case KEY_ECDSA_CERT:
-+              RSA_get0_key(k->rsa, NULL, NULL, &d);
+      case KEY_ECDSA: {
 +              BIGNUM *d = NULL;
 +              EVP_PKEY_get_bn_param(k->pkey, OSSL_PKEY_PARAM_PRIV_KEY, &d);
 +              return d != NULL;
 +          }
-+      case KEY_DSA_CERT:
+# else /* OPENSSL < 3.0.0 */
-+      case KEY_DSA: {
+      case KEY_RSA_CERT:
-+              const BIGNUM *priv_key;
+      case KEY_RSA: {
-+              DSA_get0_key(k->dsa, NULL, &priv_key);
+              const BIGNUM *d = NULL;
-+              return priv_key != NULL;
+              RSA *rsakey = EVP_PKEY_get0_RSA(k->pkey);
 +              if (rsakey)
 +                  RSA_get0_key(rsakey, NULL, NULL, &d);
 +              return d != NULL;
 +          }
 +#  ifdef OPENSSL_HAS_ECC
 +      case KEY_ECDSA_CERT:
-+      case KEY_ECDSA:
+      case KEY_ECDSA: {
-+              return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+              EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(k->pkey);
 +              return (eckey != NULL) && (EC_KEY_get0_private_key(eckey) != NULL);
 +          }
 +#  endif /* OPENSSL_HAS_ECC */
 +# endif /* OPENSSL < 3.0.0 */
 +      case KEY_DSA_CERT:
 +      case KEY_DSA: {
 +              const BIGNUM *priv_key = NULL;
 +              DSA_get0_key(k->dsa, NULL, &priv_key);
 +              return priv_key != NULL;
 +          }
 +#endif /* WITH_OPENSSL */
 +      case KEY_ED25519_CERT:
 +      case KEY_ED25519:
@ -2467,9 +2328,9 @@ Index: openssh-8.9p1/sshkey.h
 --- openssh-8.9p1.orig/sshkey.h
 +++ openssh-8.9p1/sshkey.h
@@ -189,6 +189,7 @@ int		 sshkey_shield_private(struct sshke
 int		 sshkey_unshield_private(struct sshkey *);
 int	 sshkey_type_from_name(const char *);
 int	 sshkey_type_from_shortname(const char *);
 +int	 sshkey_is_private(const struct sshkey *);
 int	 sshkey_is_cert(const struct sshkey *);
 int	 sshkey_is_sk(const struct sshkey *);
--- a/openssh-8.4p1-vendordir.patch
+++ b/openssh-8.4p1-vendordir.patch
@ -123,28 +123,21 @@ Index: openssh-8.9p1/sshd.c
 ===================================================================
 --- openssh-8.9p1.orig/sshd.c
 +++ openssh-8.9p1/sshd.c
-@@ -148,7 +148,7 @@ extern char *__progname;
+@@ -1201,7 +1201,8 @@ prepare_proctitle(int ac, char **av)
 ServerOptions options;
 /* Name of the server configuration file. */
 -char *config_file_name = _PATH_SERVER_CONFIG_FILE;
 +char *config_file_name = NULL;
 /*
  * Debug mode flag.  This can be set on the command line.  If debug
@@ -1591,6 +1591,7 @@ prepare_proctitle(int ac, char **av)
 int
 main(int ac, char **av)
 {
 +	struct stat st;
 	struct ssh *ssh = NULL;
 	extern char *optarg;
 	extern int optind;
 	int log_stderr = 0, inetd_flag = 0, test_flag = 0, no_daemon_flag = 0;
 -	char *config_file_name = _PATH_SERVER_CONFIG_FILE;
 +	char *config_file_name = NULL;
 +	struct stat st;
 	int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0;
 	int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0;
 	int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
@@ -1806,7 +1807,21 @@ main(int ac, char **av)
- 			 */
+ 	/* Fetch our configuration */
- 			(void)atomicio(vwrite, startup_pipe, "\0", 1);
+ 	if ((cfg = sshbuf_new()) == NULL)
- 		}
+ 		fatal("sshbuf_new config failed");
-+	} else if (config_file_name == NULL) {
+	if (config_file_name == NULL) {
 +	        /* If only the vendor configuration file exists, use that.
 +		 * Else use the standard configuration file.
 +		 */
@ -157,11 +150,12 @@ Index: openssh-8.9p1/sshd.c
 +			config_file_name = _PATH_SERVER_CONFIG_FILE;
 +		}
 +		load_server_config(config_file_name, cfg);
- 	} else if (strcasecmp(config_file_name, "none") != 0)
+-	if (strcasecmp(config_file_name, "none") != 0)
 + 	} else if (strcasecmp(config_file_name, "none") != 0)
 +	        /* load config specified on commandline */
 		load_server_config(config_file_name, cfg);
- 	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
+ 	parse_server_config(&options, config_file_name, cfg,
 Index: openssh-8.9p1/sshd_config.5
 ===================================================================
 --- openssh-8.9p1.orig/sshd_config.5
--- a/openssh-9.6p1-crypto-policies-man.patch
+++ b/openssh-9.6p1-crypto-policies-man.patch
@ -84,13 +84,14 @@ Index: openssh-9.6p1/ssh_config.5
 The list of key exchange algorithms that are offered for GSSAPI
 key exchange. Possible values are
 .Bd -literal -offset 3n
-@@ -991,9 +993,8 @@ gss-nistp256-sha256-,
+@@ -991,10 +993,8 @@ gss-nistp256-sha256-,
 gss-curve25519-sha256-
 .Ed
 .Pp
 -The default is
-.Dq gss-gex-sha1-,gss-group14-sha1- .
+-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
- This option only applies to protocol version 2 connections using GSSAPI.
+-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
 This option only applies to connections using GSSAPI.
 +.Pp
 .It Cm HashKnownHosts
 Indicates that
@ -159,7 +160,7 @@ Index: openssh-9.6p1/ssh_config.5
 .It Cm HostKeyAlias
 Specifies an alias that should be used instead of the
 real host name when looking up or saving the host key
-@@ -1311,31 +1313,26 @@ it may be zero or more of:
+@@ -1311,37 +1313,30 @@ it may be zero or more of:
 and
 .Cm pam .
 .It Cm KexAlgorithms
@ -169,8 +170,12 @@ Index: openssh-9.6p1/ssh_config.5
 +existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
- Specifies the available KEX (Key Exchange) algorithms.
+ Specifies the permitted KEX (Key Exchange) algorithms that will be used and
 their preference order.
 The selected algorithm will be the first algorithm in this list that
 the server also supports.
 Multiple algorithms must be comma-separated.
 .Pp
 If the specified list begins with a
 .Sq +
 -character, then the specified algorithms will be appended to the default set
@ -186,9 +191,11 @@ Index: openssh-9.6p1/ssh_config.5
 .Sq ^
 character, then the specified algorithms will be placed at the head of the
 -default set.
 -.Pp
 -The default is:
 -.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
+-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
 -mlkem768x25519-sha256,
 -curve25519-sha256,curve25519-sha256@libssh.org,
 -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 -diffie-hellman-group-exchange-sha256,
@ -199,7 +206,7 @@ Index: openssh-9.6p1/ssh_config.5
 -.Ed
 +built-in openssh default set.
 .Pp
- The list of available key exchange algorithms may also be obtained using
+ The list of supported key exchange algorithms may also be obtained using
 .Qq ssh -Q kex .
@@ -1445,37 +1442,34 @@ function, and all code in the
 file.
@ -386,7 +393,7 @@ Index: openssh-9.6p1/sshd_config.5
 The list of available ciphers may also be obtained using
 .Qq ssh -Q cipher .
 .It Cm ClientAliveCountMax
-@@ -764,52 +760,45 @@ For this to work
+@@ -764,53 +760,45 @@ For this to work
 .Cm GSSAPIKeyExchange
 needs to be enabled in the server and also used by the client.
 .It Cm GSSAPIKexAlgorithms
@ -415,8 +422,9 @@ Index: openssh-9.6p1/sshd_config.5
 .Ed
 -.Pp
 -The default is
-.Dq gss-gex-sha1-,gss-group14-sha1- .
+-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
- This option only applies to protocol version 2 connections using GSSAPI.
+-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
 This option only applies to connections using GSSAPI.
 .It Cm HostbasedAcceptedAlgorithms
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
@ -492,7 +500,7 @@ Index: openssh-9.6p1/sshd_config.5
 The list of available signature algorithms may also be obtained using
 .Qq ssh -Q HostKeyAlgorithms .
 .It Cm IgnoreRhosts
-@@ -1027,20 +1006,26 @@ file on logout.
+@@ -1027,24 +1006,30 @@ file on logout.
 The default is
 .Cm yes .
 .It Cm KexAlgorithms
@ -502,9 +510,13 @@ Index: openssh-9.6p1/sshd_config.5
 +existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
- Specifies the available KEX (Key Exchange) algorithms.
+ Specifies the permitted KEX (Key Exchange) algorithms that the server will
 offer to clients.
 The ordering of this list is not important, as the client specifies the
 preference order.
 Multiple algorithms must be comma-separated.
- Alternately if the specified list begins with a
+ .Pp
 If the specified list begins with a
 .Sq +
 -character, then the specified algorithms will be appended to the default set
 -instead of replacing them.
@ -520,16 +532,17 @@ Index: openssh-9.6p1/sshd_config.5
 character, then the specified algorithms will be placed at the head of the
 -default set.
 +built-in openssh default set.
 .Pp
 The supported algorithms are:
 .Pp
- .Bl -item -compact -offset indent
+@@ -1072,17 +1057,6 @@ ecdh-sha2-nistp521
@@ -1072,16 +1057,6 @@ ecdh-sha2-nistp521
 sntrup761x25519-sha512@openssh.com
 .El
 .Pp
 -The default is:
 -.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
+-sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
 -mlkem768x25519-sha256,
 -curve25519-sha256,curve25519-sha256@libssh.org,
 -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 -diffie-hellman-group-exchange-sha256,
@ -537,7 +550,7 @@ Index: openssh-9.6p1/sshd_config.5
 -diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
 -.Ed
 -.Pp
- The list of available key exchange algorithms may also be obtained using
+ The list of supported key exchange algorithms may also be obtained using
 .Qq ssh -Q KexAlgorithms .
 .It Cm ListenAddress
@@ -1167,21 +1142,27 @@ function, and all code in the
--- a/openssh-9.6p1.tar.gz
+++ b/openssh-9.6p1.tar.gz
--- a/openssh-9.6p1.tar.gz.asc
+++ b/openssh-9.6p1.tar.gz.asc
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmWAXvAACgkQKj9BTnNg
 YLrypA/6A1O8e80XnzVWIFhXkbv/biGL10Q5ZMvjQvND6mbkphNWZ4G4QOEh0nBG
 rseD3Fce7me9pfeLYVhaNXO9R3OYAXxjbWfQwI7FpBU4QUCnbH53PG32B6ESq7pl
 0vlDqdqI7aBAyMpp+8WFD+EvHWUVA77JtfU4MFw7myKJacrVrDUygDaZkJKOhqKf
 N1Nurz4YppdQ5zIK1ElL0jlRJXm08flLFRg8fD5/5rwabpUbZIY9b5qZzGKgnR7I
 sxUBlDkfLnvKIlKzUXbRvOHazvFAHYH1ltJZGlJUc/+H/ZaPigWf4IR+E1FB9c2O
 zxaZhlbwGKyD+p7l08F9n8T21taxpBCW1Uxkx7MLTz8k9huPNpdX5l8VM4Gotmn8
 I4V3Fevyx+M3XJYeKtkspa51h0GqF3gNFPLxW7ERGaIuqwoxuHxIEKwYE+JPmQag
 UDma5LDrSrasa8Rw8g5urGE48PeDQ5muPy8Bi9eIGZU5JLqX6TNgz7QDDs/dQsHB
 iny4wQOLmdIA78IGttiCo0rqikEvFtFDFR4mCUTC8K0nQKzWwGewO3gRTcHttzyU
 xMalxw+wt9cUJ8gb1E9p7OeMUuXdaHMmem8/PcFCar/vKx1mdV/On6evnp3P8yQA
 la8WnbcP0+zJg0GGwGszpFlOMjWCDB0kUTBCT+MR+IWbj/pVZVA=
 =G9YA
 -----END PGP SIGNATURE-----
--- a/openssh-9.9p1.tar.gz
+++ b/openssh-9.9p1.tar.gz
--- a/openssh-9.9p1.tar.gz.asc
+++ b/openssh-9.9p1.tar.gz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmbspccACgkQKj9BTnNg
 YLppxRAAv7eU/Xd2w9MX9vWQdhugiPByEcKg7KuKXUUs9xJGy+HbLqPqUCvn1UW6
 qodKoSAdeBuSB7AjzuIQ1lTVX7C67OmZaVPRq25ar5b+Wq4SSlv23KMRq0b4EVyw
 pOW6R9tsxqYBwYaiXQ50APcYL8SpepnGU+b/iR15f7q3SU2XMVVtkVb149UdLOqK
 smfurbDGwUKFb2Q009MUfEV/d9zq31tdSjphvkqAXCcmxc8siuOYWYcByuysie+m
 NpaOpee0047L5JIxNSLsa2yZrJZhClP8LbTCH1Vfwr7l0KE5nvL2qAtPKI2XxGQC
 3jXrDLzp10RFxV8sCym+QlY9pZyzGj9d3G7vCHtxWGQ1Y0Qt+xs18OeBpjiehRhl
 WM3Y+cjoN35jBaGhOoHdh3ePZQdTUyZ16aSv0h/cUHOohiM7i/4XW+dQtkqsJsw4
 a81O0E64WrL8ho3Ju9mwcVZ9A0aEaftJsmJPDB+qYBjF/i7xcnH32LginzP5pel7
 /W0aS2C1ZNo3QKHezI6IA9MyENMZiAMy2ybvfmN0HgLBaBY1plJ8a5GvMwJc+Qwh
 iCHLCQ6Qgf/1hh+F6liTXnhtedtFHneJdyqvd7XOoardDEipZjxcnGa4HthbDFU+
 8XdHKnWWhn4BLA+y7KB3ZGURniQK+qibwkF6J63CuMU+LmG+bvQ=
 =Ukrb
 -----END PGP SIGNATURE-----
--- a/openssh-askpass-gnome.changes
+++ b/openssh-askpass-gnome.changes
@ -1,3 +1,17 @@
 -------------------------------------------------------------------
 Mon Sep 23 06:16:59 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 - Update to openssh 9.9p1:
  * No changes for askpass, see main package changelog for
    details.
 -------------------------------------------------------------------
 Thu Aug  1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 - Update to openssh 9.8p1:
  * No changes for askpass, see main package changelog for
    details.
 -------------------------------------------------------------------
 Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@ -1,7 +1,7 @@
 #
 # spec file for package openssh-askpass-gnome
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -18,7 +18,7 @@
 %define _name openssh
 Name:           openssh-askpass-gnome
-Version:        9.6p1
+Version:        9.9p1
 Release:        0
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
 License:        BSD-2-Clause
--- a/openssh-mitigate-lingering-secrets.patch
+++ b/openssh-mitigate-lingering-secrets.patch
@ -207,9 +207,9 @@ Index: openssh-9.3p2/packet.h
 --- openssh-9.3p2.orig/packet.h
 +++ openssh-9.3p2/packet.h
@@ -103,6 +103,7 @@ void     ssh_packet_close(struct ssh *);
 void     ssh_packet_close(struct ssh *);
 void	 ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *);
 void	 ssh_packet_clear_keys(struct ssh *);
 void     ssh_packet_clear_keys_noaudit(struct ssh *);
 +void	 ssh_clear_curkeys(struct ssh *, int);
 void	 ssh_clear_newkeys(struct ssh *, int);
@ -264,12 +264,12 @@ Index: openssh-9.3p2/sshbuf.h
 /* Macros for decoding/encoding integers */
 #define PEEK_U64(p) \
 	(((u_int64_t)(((const u_char *)(p))[0]) << 56) | \
-Index: openssh-9.3p2/sshd.c
+Index: openssh-9.3p2/sshd-session.c
 ===================================================================
--- openssh-9.3p2.orig/sshd.c
+--- openssh-9.3p2.orig/sshd-session.c
-+++ openssh-9.3p2/sshd.c
+++ openssh-9.3p2/sshd-session.c
-@@ -272,6 +272,19 @@ static void do_ssh2_kex(struct ssh *);
+@@ -197,6 +197,19 @@ static void do_ssh2_kex(struct ssh *);
- static char *listener_proctitle;
+ static void do_ssh2_kex(struct ssh *);
 /*
 + * Clear some stack space. This is a bit naive, but hopefully helps mitigate
@ -285,10 +285,10 @@ Index: openssh-9.3p2/sshd.c
 +}
 +
 +/*
-  * Close all listening sockets
+  * Signal handler for the alarm after the login grace period has expired.
-  */
+  * As usual, this may only take signal-safe actions, even though it is
- static void
+  * terminal.
-@@ -430,6 +443,8 @@ destroy_sensitive_data(struct ssh *ssh,
+@@ -260,6 +260,8 @@ destroy_sensitive_data(struct ssh *ssh,
 			sensitive_data.host_certificates[i] = NULL;
 		}
 	}
@ -297,32 +297,32 @@ Index: openssh-9.3p2/sshd.c
 }
 /* Demote private to public keys for network child */
-@@ -600,6 +615,8 @@ privsep_preauth(struct ssh *ssh)
+@@ -431,6 +432,8 @@ privsep_preauth(struct ssh *ssh)
 static void
 privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
 {
 	int skip_privdrop = 0;
 +	clobber_stack();
 +
- #ifdef DISABLE_FD_PASSING
+ 	/*
- 	if (1) {
+ 	 * Hack for systems that don't support FD passing: retain privileges
- #else
+ 	 * in the post-auth privsep process so it can allocate PTYs directly.
-@@ -2360,6 +2377,7 @@ main(int ac, char **av)
+@@ -1354,6 +1356,7 @@ main(int ac, char **av)
- 	if (use_privsep) {
+ 	 */
 	mm_send_keystate(ssh, pmonitor);
 	ssh_packet_clear_keys(ssh);
 +	clobber_stack();
 	exit(0);
 	}
-@@ -2436,6 +2454,7 @@ main(int ac, char **av)
+  authenticated:
- 	if (use_privsep)
+@@ -1431,6 +1434,7 @@ main(int ac, char **av)
 	mm_terminate();
 +	clobber_stack();
 	exit(0);
 }
-@@ -2596,8 +2615,10 @@ cleanup_exit(int i)
+@@ -1577,8 +1581,10 @@ cleanup_exit(int i)
 	/* cleanup_exit can be called at the very least from the privsep
 	   wrappers used for auditing.  Make sure we don't recurse
 	   indefinitely. */
@ -332,13 +332,14 @@ Index: openssh-9.3p2/sshd.c
 		_exit(i);
 +	}
 	in_cleanup = 1;
- 	if (the_active_state != NULL && the_authctxt != NULL) {
+ 	extern int auth_attempted; /* monitor.c */
- 		do_cleanup(the_active_state, the_authctxt);
+ 
-@@ -2623,5 +2644,7 @@ cleanup_exit(int i)
+@@ -1604,6 +1610,8 @@ cleanup_exit(int i)
- 	    (!use_privsep || mm_is_monitor()))
+            mm_is_monitor())
 		audit_event(the_active_state, SSH_CONNECTION_ABANDON);
 #endif
 +
 +	clobber_stack();
- 	_exit(i);
+ 	/* Override default fatal exit value when auth was attempted */
- }
+ 	if (i == 255 && auth_attempted)
 		_exit(EXIT_AUTH_ATTEMPTED);
--- a/openssh-reenable-dh-group14-sha1-default.patch
+++ b/openssh-reenable-dh-group14-sha1-default.patch
@ -25,7 +25,7 @@ Index: openssh-8.9p1/ssh_config.5
 +diffie-hellman-group14-sha1
 .Ed
 .Pp
- The list of available key exchange algorithms may also be obtained using
+ The list of supported key exchange algorithms may also be obtained using
 Index: openssh-8.9p1/sshd_config.5
 ===================================================================
 --- openssh-8.9p1.orig/sshd_config.5
@ -38,4 +38,4 @@ Index: openssh-8.9p1/sshd_config.5
 +diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
 .Ed
 .Pp
- The list of available key exchange algorithms may also be obtained using
+ The list of supported key exchange algorithms may also be obtained using
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,515 @@
 -------------------------------------------------------------------
 Mon Oct 28 11:18:04 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 - Don't force using gcc11 on SLFO/ALP which have a newer version.
 -------------------------------------------------------------------
 Mon Oct 28 10:29:33 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 - Add patches from upstream:
  - To fix a copy&paste oversight in an ifdef :
  * 0001-fix-utmpx-ifdef.patch
  - To fix a regression introduced when the "Match" criteria
    tokenizer was modified since it stopped supporting the
    "Match criteria=argument" format:
  * 0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
  - To fix the previous patch which broke on negated Matches:
  * 0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
  - To fix the ML-KEM768x25519 kex algorithm on big-endian systems:
  * 0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch
 -------------------------------------------------------------------
 Mon Oct 14 15:06:19 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 - Use %{with ...} instead of 0%{with ...}
 -------------------------------------------------------------------
 Fri Oct 11 09:28:30 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 - Add a patch to fix a regression introduced in 9.6 that makes X11
  forwarding very slow. Submitted to upstream in
  https://bugzilla.mindrot.org/show_bug.cgi?id=3655#c4 . Fixes
  bsc#1229449:
  * fix-x11-regression-bsc1229449.patch
 - Remove empty line at the end of sshd-sle.pamd (bsc#1227456)
 -------------------------------------------------------------------
 Wed Sep 25 10:45:17 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 - Add a const to the openssl 1.1/RSA section of sshkey_is_private
  to keep it similar to what it used before the 9.9 rebase:
  * openssh-8.1p1-audit.patch
 - Add a openssl11 bcond to the spec file for the SLE12 case
  instead of checking suse_version in different parts.
 - Move conditional patches to a number >= 1000.
 -------------------------------------------------------------------
 Mon Sep 23 06:16:59 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 - Update to openssh 9.9p1:
  = Future deprecation notice
  * OpenSSH plans to remove support for the DSA signature algorithm
    in early 2025. This release disables DSA by default at compile
    time. DSA, as specified in the SSHv2 protocol, is inherently
    weak - being limited to a 160 bit private key and use of the
    SHA1 digest. Its estimated security level is only 80 bits
    symmetric equivalent.
    OpenSSH has disabled DSA keys by default since 2015 but has
    retained run-time optional support for them. DSA was the only
    mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
    because alternative algorithms were encumbered by patents when
    the SSHv2 protocol was specified.
    This has not been the case for decades at this point and better
    algorithms are well supported by all actively-maintained SSH
    implementations. We do not consider the costs of maintaining
    DSA in OpenSSH to be justified and hope that removing it from
    OpenSSH can accelerate its wider deprecation in supporting
    cryptography libraries.
  = Potentially-incompatible changes
  * ssh(1): remove support for pre-authentication compression.
    OpenSSH has only supported post-authentication compression in
    the server for some years. Compression before authentication
    significantly increases the attack surface of SSH servers and
    risks creating oracles that reveal information about
    information sent during authentication.
  * ssh(1), sshd(8): processing of the arguments to the "Match"
    configuration directive now follows more shell-like rules for
    quoted strings, including allowing nested quotes and \-escaped
    characters. If configurations contained workarounds for the
    previous simplistic quote handling then they may need to be
    adjusted. If this is the case, it's most likely to be in the
    arguments to a "Match exec" confition. In this case, moving the
    command to be evaluated from the Match line to an external
    shell script is easiest way to preserve compatibility with both
    the old and new versions.
  = New features
  * ssh(1), sshd(8): add support for a new hybrid post-quantum key
    exchange based on the FIPS 203 Module-Lattice Key Enapsulation
    mechanism (ML-KEM) combined with X25519 ECDH as described by
    https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
    This algorithm "mlkem768x25519-sha256" is available by default.
  * ssh(1): the ssh_config "Include" directive can now expand
    environment as well as the same set of %-tokens "Match Exec"
    supports.
  * sshd(8): add a sshd_config "RefuseConnection" option that, if
    set will terminate the connection at the first authentication
    request.
  * sshd(8): add a "refuseconnection" penalty class to sshd_config
    PerSourcePenalties that is applied when a connection is dropped
    by the new RefuseConnection keyword.
  * sshd(8): add a "Match invalid-user" predicate to sshd_config
    Match options that matches when the target username is not
    valid on the server.
  * ssh(1), sshd(8): update the Streamlined NTRUPrime code to a
    substantially faster implementation.
  * ssh(1), sshd(8): the hybrid Streamlined NTRUPrime/X25519 key
    exchange algorithm now has an IANA-assigned name in addition to
    the "@openssh.com" vendor extension name. This algorithm is now
    also available under this name "sntrup761x25519-sha512"
  * ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
    included in core dump files for most of their lifespans. This
    is in addition to pre-existing controls in ssh-agent(1) and
    sshd(8) that prevented coredumps. This feature is supported on
    OpenBSD, Linux and FreeBSD.
  * All: convert key handling to use the libcrypto EVP_PKEY API,
    with the exception of DSA.
  * sshd(8): add a random amount of jitter (up to 4 seconds) to the
    grace login time to make its expiry unpredictable.
  = Bugfixes
  * sshd(8): relax absolute path requirement back to what it was
    prior to OpenSSH 9.8, which incorrectly required that sshd was
    started with an absolute path in inetd mode. bz3717
  * sshd(8): fix regression introduced in openssh-9.8 that swapped
    the order of source and destination addresses in some sshd log
    messages.
  * sshd(8): do not apply authorized_keys options when signature
    verification fails. Prevents more restrictive key options being
    incorrectly applied to subsequent keys in authorized_keys.
    bz3733
  * ssh-keygen(1): include pathname in some of ssh-keygen's
    passphrase prompts. Helps the user know what's going on when
    ssh-keygen is invoked via other tools. Requested in GHPR503
  * ssh(1), ssh-add(1): make parsing user@host consistently look
    for the last '@' in the string rather than the first. This
    makes it possible to more consistently use usernames that
    contain '@' characters.
  * ssh(1), sshd(8): be more strict in parsing key type names. Only
    allow short names (e.g "rsa") in user-interface code and
    require full SSH protocol names (e.g. "ssh-rsa") everywhere
    else. bz3725
  * regress: many performance and correctness improvements to the
    re-keying regression test.
  * ssh-keygen(1): clarify that ed25519 is the default key type
    generated and clarify that rsa-sha2-512 is the default
    signature scheme when RSA is in use. GHPR505
  * sshd(8): fix minor memory leak in Subsystem option parsing;
    GHPR515
  * All: additional hardening and consistency checks for the sshbuf
    code.
  * sshd(8): reduce default logingrace penalty to ensure that a
    single forgotton login that times out will be below the penalty
    threshold.
  * ssh(1): fix proxy multiplexing (-O proxy) bug. If a mux started
    with ControlPersist then later has a forwarding added using mux
    proxy connection and the forwarding was used, then when the mux
    proxy session terminated, the mux master process would issue a
    bad message that terminated the connection.
  = Portability
  * sync contrib/ssh-copy-id to the latest upstream version.
  * regress: improve portablility for some awk(1) usage
    (e.g. Solaris)
  * In the contrib/redhat RPM spec file, without_openssl was
    previously incorrectly enabled unconditionally.
  * sshd(8) restore audit call before exit that regressed in
    openssh-9.8. Fixes an issue where the SSH_CONNECTION_ABANDON
    event was not recorded.
  * sshd(8): add support for class-imposed loging restrictions on
    FreeBSD. Allowing auth_hostok(3) and auth_timeok(3) to control
    logins.
  * Build fixes for Musl libc.
  * Fix detection of setres*id on GNU/Hurd
 - Drop patches that were already merged by upstream:
  * fix-memleak-in-process_server_config_line_depth.patch
  * fix-audit-fail-attempt.patch
 - Rebase patch with significant changes:
  * openssh-8.1p1-audit.patch
 - Rebase patches with context or trivial changes:
  * openssh-7.7p1-fips.patch
  * openssh-8.0p1-gssapi-keyex.patch
  * openssh-9.6p1-crypto-policies-man.patch
  * openssh-mitigate-lingering-secrets.patch
 - Several spec file fixes so the package builds and can be
  installed in SLE 15 SP5 and SLE 12 SP5
 - Use gcc11 when building in SLE12 and SLE15.
 -------------------------------------------------------------------
 Thu Sep 12 07:43:18 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 - Drop most of openssh-6.6p1-keycat.patch (actually, it was just
  commented out). The keycat binary isn't really installed nor
  supported, so we can drop it, except for the code that is used
  by other SELinux patches, which is what I kept from that patch
  (boo#1229072).
 - Add patch submitted to upstream to fix RFC4256 implementation
  so that keyboard-interactive authentication method can send
  instructions and sshd shows them to users even before a prompt
  is requested. This fixes MFA push notifications (boo#1229010).
  * 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
 -------------------------------------------------------------------
 Fri Aug 23 12:10:00 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 - Add patch to fix sshd not logging in the audit failed login
  attempts (submitted to upstream in
  https://github.com/openssh/openssh-portable/pull/516):
  * fix-audit-fail-attempt.patch
 - Use --enable-dsa-keys when building openssh. It's required if
  the user sets the crypto-policy mode to LEGACY, where DSA keys
  should be allowed. The option was added by upstream in 9.7 and
  set to disabled by default.
 - These two changes fix 2 of the 3 issues reported in bsc#1229650.
 -------------------------------------------------------------------
 Mon Aug 12 08:55:38 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 - Fix a dbus connection leaked in the logind patch that was
  missing a sd_bus_unref call (found by Matthias Gerstner):
  * logind_set_tty.patch
 - Add a patch that fixes a small memory leak when parsing the
  subsystem configuration option:
  * fix-memleak-in-process_server_config_line_depth.patch
 -------------------------------------------------------------------
 Thu Aug  1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 - Update to openssh 9.8p1:
  = Security
  * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
    A critical vulnerability in sshd(8) was present in Portable
    OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
    allow arbitrary code execution with root privileges.
    Successful exploitation has been demonstrated on 32-bit
    Linux/glibc systems with ASLR. Under lab conditions, the attack
    requires on average 6-8 hours of continuous connections up to
    the maximum the server will accept. Exploitation on 64-bit
    systems is believed to be possible but has not been
    demonstrated at this time. It's likely that these attacks will
    be improved upon.
    Exploitation on non-glibc systems is conceivable but has not
    been examined. Systems that lack ASLR or users of downstream
    Linux distributions that have modified OpenSSH to disable
    per-connection ASLR re-randomisation (yes - this is a thing, no
    - we don't understand why) may potentially have an easier path
    to exploitation. OpenBSD is not vulnerable.
    We thank the Qualys Security Advisory Team for discovering,
    reporting and demonstrating exploitability of this problem, and
    for providing detailed feedback on additional mitigation
    measures.
  * 2) Logic error in ssh(1) ObscureKeystrokeTiming (bsc#1227318,
    CVE-2024-39894).
    In OpenSSH version 9.5 through 9.7 (inclusive), when connected
    to an OpenSSH server version 9.5 or later, a logic error in the
    ssh(1) ObscureKeystrokeTiming feature (on by default) rendered
    this feature ineffective - a passive observer could still
    detect which network packets contained real keystrokes when the
    countermeasure was active because both fake and real keystroke
    packets were being sent unconditionally.
    This bug was found by Philippos Giavridis and also
    independently by Jacky Wei En Kung, Daniel Hugenroth and
    Alastair Beresford of the University of Cambridge Computer Lab.
    Worse, the unconditional sending of both fake and real
    keystroke packets broke another long-standing timing attack
    mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystoke
    echo packets for traffic received on TTYs in echo-off mode,
    such as when entering a password into su(8) or sudo(8). This
    bug rendered these fake keystroke echoes ineffective and could
    allow a passive observer of a SSH session to once again detect
    when echo was off and obtain fairly limited timing information
    about keystrokes in this situation (20ms granularity by
    default).
    This additional implication of the bug was identified by
    Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford and
    we thank them for their detailed analysis.
    This bug does not affect connections when
    ObscureKeystrokeTiming was disabled or sessions where no TTY
    was requested.
  = Future deprecation notice
  * OpenSSH plans to remove support for the DSA signature algorithm
    in early 2025. This release disables DSA by default at compile
    time.
    DSA, as specified in the SSHv2 protocol, is inherently weak -
    being limited to a 160 bit private key and use of the SHA1
    digest. Its estimated security level is only 80 bits symmetric
    equivalent.
    OpenSSH has disabled DSA keys by default since 2015 but has
    retained run-time optional support for them. DSA was the only
    mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
    because alternative algorithms were encumbered by patents when
    the SSHv2 protocol was specified.
    This has not been the case for decades at this point and better
    algorithms are well supported by all actively-maintained SSH
    implementations. We do not consider the costs of maintaining
    DSA in OpenSSH to be justified and hope that removing it from
    OpenSSH can accelerate its wider deprecation in supporting
    cryptography libraries.
    This release, and its deactivation of DSA by default at
    compile-time, marks the second step in our timeline to finally
    deprecate DSA. The final step of removing DSA support entirely
    is planned for the first OpenSSH release of 2025.
    DSA support may be re-enabled in OpenBSD by setting
    "DSAKEY=yes" in Makefile.inc. To enable DSA support in
    portable OpenSSH, pass the "--enable-dsa-keys" option to
    configure.
  = Potentially-incompatible changes
  * all: as mentioned above, the DSA signature algorithm is now
    disabled at compile time.
  * sshd(8): the server will now block client addresses that
    repeatedly fail authentication, repeatedly connect without ever
    completing authentication or that crash the server. See the
    discussion of PerSourcePenalties below for more information.
    Operators of servers that accept connections from many users,
    or servers that accept connections from addresses behind NAT or
    proxies may need to consider these settings.
  * sshd(8): the server has been split into a listener binary,
    sshd(8), and a per-session binary "sshd-session". This allows
    for a much smaller listener binary, as it no longer needs to
    support the SSH protocol. As part of this work, support for
    disabling privilege separation (which previously required code
    changes to disable) and disabling re-execution of sshd(8) has
    been removed. Further separation of sshd-session into
    additional, minimal binaries is planned for the future.
  * sshd(8): several log messages have changed. In particular, some
    log messages will be tagged with as originating from a process
    named "sshd-session" rather than "sshd".
  * ssh-keyscan(1): this tool previously emitted comment lines
    containing the hostname and SSH protocol banner to standard
    error. This release now emits them to standard output, but adds
    a new "-q" flag to silence them altogether.
  * sshd(8): (portable OpenSSH only) sshd will no longer use
    argv[0] as the PAM service name. A new "PAMServiceName"
    sshd_config(5) directive allows selecting the service name at
    runtime. This defaults to "sshd". bz2101
  * (portable OpenSSH only) Automatically-generated files, such as
    configure, config.h.in, etc will now be checked in to the
    portable OpenSSH git release branch (e.g. V_9_8). This should
    ensure that the contents of the signed release branch exactly
    match the contents of the signed release tarball.
  = New features
  * sshd(8): as described above, sshd(8) will now penalise client
    addresses that, for various reasons, do not successfully
    complete authentication. This feature is controlled by a new
    sshd_config(5) PerSourcePenalties option and is on by default.
    sshd(8) will now identify situations where the session did not
    authenticate as expected. These conditions include when the
    client repeatedly attempted authentication unsucessfully
    (possibly indicating an attack against one or more accounts,
    e.g. password guessing), or when client behaviour caused sshd
    to crash (possibly indicating attempts to exploit bugs in
    sshd).
    When such a condition is observed, sshd will record a penalty
    of some duration (e.g. 30 seconds) against the client's
    address. If this time is above a minimum configurable
    threshold, then all connections from the client address will be
    refused (along with any others in the same
    PerSourceNetBlockSize CIDR range) until the penalty expire.
    Repeated offenses by the same client address will accrue
    greater penalties, up to a configurable maximum. Address ranges
    may be fully exempted from penalties, e.g. to guarantee access
    from a set of trusted management addresses, using the new
    sshd_config(5) PerSourcePenaltyExemptList option.
    We hope these options will make it significantly more difficult
    for attackers to find accounts with weak/guessable passwords or
    exploit bugs in sshd(8) itself. This option is enabled by
    default.
  * ssh(8): allow the HostkeyAlgorithms directive to disable the
    implicit fallback from certificate host key to plain host keys.
  = Bugfixes
  * misc: fix a number of inaccuracies in the PROTOCOL.*
    documentation files. GHPR430 GHPR487
  * all: switch to strtonum(3) for more robust integer parsing in
    most places.
  * ssh(1), sshd(8): correctly restore sigprocmask around ppoll()
  * ssh-keysign(8): stricter validation of messaging socket fd
    GHPR492
  * sftp(1): flush stdout after writing "sftp>" prompt when not
    using editline. GHPR480
  * sftp-server(8): fix home-directory extension implementation,
    it previously always returned the current user's home directory
    contrary to the spec. GHPR477
  * ssh-keyscan(1): do not close stdin to prevent error messages
    when stdin is read multiple times. E.g.
    echo localhost | ssh-keyscan -f - -f -
  * regression tests: fix rekey test that was testing the same KEX
    algorithm repeatedly instead of testing all of them. bz3692
  * ssh_config(5), sshd_config(5): clarify the KEXAlgorithms
    directive documentation, especially around what is supported
    vs available. bz3701.
  = Portability
  * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
    unconditionally. The previous behaviour was to expose it only
    when particular authentication methods were in use.
  * build: fix OpenSSL ED25519 support detection. An incorrect
    function signature in configure.ac previously prevented
    enabling the recently added support for ED25519 private keys in
    PEM PKCS8 format.
  * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
    environment variable to enable SSH_ASKPASS, similarly to the
    X11 DISPLAY environment variable. GHPR479
  * build: improve detection of the -fzero-call-used-regs compiler
    flag. bz3673.
  * build: relax OpenSSL version check to accept all OpenSSL 3.x
    versions.
  * sshd(8): add support for notifying systemd on server listen and
    reload, using a standalone implementation that doesn't depend
    on libsystemd. bz2641
 - Update to openssh 9.7p1:
  = New features
  * ssh(1), sshd(8): add a "global" ChannelTimeout type that
    watches all open channels and will close all open channels if
    there is no traffic on any of them for the specified interval.
    This is in addition to the existing per-channel timeouts added
    recently.
    This supports situations like having both session and x11
    forwarding channels open where one may be idle for an extended
    period but the other is actively used. The global timeout could
    close both channels when both have been idle for too long.
  * All: make DSA key support compile-time optional, defaulting to
    on.
  = Bugfixes
  * sshd(8): don't append an unnecessary space to the end of
    subsystem arguments (bz3667)
  * ssh(1): fix the multiplexing "channel proxy" mode, broken when
    keystroke timing obfuscation was added. (GHPR#463)
  * ssh(1), sshd(8): fix spurious configuration parsing errors when
    options that accept array arguments are overridden (bz3657).
  * ssh-agent(1): fix potential spin in signal handler (bz3670)
  * Many fixes to manual pages and other documentation, including
    GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
  * Greatly improve interop testing against PuTTY.
  = Portability
  * Improve the error message when the autoconf OpenSSL header
    check fails (bz#3668)
  * Improve detection of broken toolchain -fzero-call-used-regs
    support (bz3645).
  * Fix regress/misc/fuzz-harness fuzzers and make them compile
    without warnings when using clang16
 - Use gcc-11 in SLE to avoid a "parameter name omitted" error
 - Rebase patches:
  * logind_set_tty.patch
  * openssh-6.6.1p1-selinux-contexts.patch
  * openssh-6.6p1-keycat.patch
  * openssh-6.6p1-privsep-selinux.patch
  * openssh-7.6p1-cleanup-selinux.patch
  * openssh-7.7p1-cavstest-ctr.patch
  * openssh-7.7p1-cavstest-kdf.patch
  * openssh-7.7p1-fips.patch
  * openssh-7.7p1-fips_checks.patch
  * openssh-7.7p1-ldap.patch
  * openssh-7.7p1-pam_check_locks.patch
  * openssh-7.7p1-systemd-notify.patch
  * openssh-7.8p1-role-mls.patch
  * openssh-8.0p1-gssapi-keyex.patch
  * openssh-8.1p1-audit.patch
  * openssh-8.4p1-vendordir.patch
  * openssh-9.6p1-crypto-policies-man.patch
  * openssh-mitigate-lingering-secrets.patch
  * openssh-reenable-dh-group14-sha1-default.patch
  * wtmpdb.patch
 - Thanks to Fedora developers for an initial version of the
  rebase of the following patches:
  * openssh-8.0p1-gssapi-keyex.patch
  * openssh-7.8p1-role-mls.patch
  * openssh-8.1p1-audit.patch
 - Remove patches that are already included in 9.8p1:
  * fix-CVE-2024-6387.patch
  * 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
  * 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
  * 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
 - Remove patch that is now merged into
  openssh-7.7p1-cavstest-ctr.patch and
  openssh-7.7p1-cavstest-kdf.patch where it belongs:
  * fix-missing-lz.patch
 -------------------------------------------------------------------
 Mon Jul 15 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 - Add sshd.socket and sshd@.service units as alternative to the
  sshd.service that makes systemd listen to the ssh port
  and run sshd per incoming connection. To enable this,
  disable sshd.service and enable sshd.socket . If you want to
  use a non standard sshd port with sshd.socket you can do
  "systemctl edit sshd.socket" and add something like:
  [Socket] 
  ListenStream=8022
  which listens on port 8022 as well as on port 22. If you want
  to reset the list of listened ports and just use 8022, use:
  [Socket] 
  ListenStream=
  ListenStream=8022
 - To enable a vsock listener in sshd (which allows to connect to
  libvirt VMs), the systemd-experimental package needs to be
  installed in the guest system, the libvirt-ssh-proxy package
  needs to be installed in the host and the vm needs to have
  vsock support (in virt-manager, click in "Add hardware" and
  add "VSOCK VirtIO").
 -------------------------------------------------------------------
 Fri Jul  5 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
--- a/openssh.spec
+++ b/openssh.spec
@ -1,7 +1,7 @@
 #
 # spec file for package openssh
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -34,12 +34,24 @@
 %bcond_without allow_root_password_login_by_default
 %endif
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600
 %bcond_without crypto_policies
 %else
 %bcond_with crypto_policies
 %endif
 %if 0%{?suse_version} < 1500
 %bcond_without openssl11
 %else
 %bcond_with openssl11
 %endif
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           openssh
-Version:        9.6p1
+Version:        9.9p1
 Release:        0
 Summary:        Secure Shell Client and Server (Remote Login Program)
 License:        BSD-2-Clause AND MIT
@ -61,6 +73,8 @@ Source12:       cavs_driver-ssh.pl
 Source13:       https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
 Source14:       sysusers-sshd.conf
 Source15:       sshd-sle.pamd
 Source16:       sshd@.service
 Source17:       sshd.socket
 Patch1:         openssh-7.7p1-X11_trusted_forwarding.patch
 Patch3:         openssh-7.7p1-enable_PAM_by_default.patch
 Patch4:         openssh-7.7p1-eal3.patch
@ -119,35 +133,53 @@ Patch50:        openssh-openssl-3.patch
 Patch51:        wtmpdb.patch
 Patch52:        logind_set_tty.patch
 Patch54:        openssh-mitigate-lingering-secrets.patch
 Patch100:       fix-missing-lz.patch
 Patch102:       openssh-7.8p1-role-mls.patch
 Patch103:       openssh-6.6p1-privsep-selinux.patch
 Patch104:       openssh-6.6p1-keycat.patch
 Patch105:       openssh-6.6.1p1-selinux-contexts.patch
 Patch106:       openssh-7.6p1-cleanup-selinux.patch
 # 200 - 300  --  Patches submitted to upstream
 # PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/452 boo#1229010
 Patch200:       0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
 # PATCH-FIX-UPSTREAM -- https://bugzilla.mindrot.org/show_bug.cgi?id=3655#c4
 Patch201:       fix-x11-regression-bsc1229449.patch
 # PATCH-FIX-UPSTREAM -- From the V_9_9 branch
 Patch202:       0001-fix-utmpx-ifdef.patch
 # PATCH-FIX-UPSTREAM -- From the V_9_9 branch
 Patch203:       0002-upstream-fix-regression-introduced-when-I-switched-the-Match.patch
 # PATCH-FIX-UPSTREAM -- From the V_9_9 branch
 Patch204:       0003-upstream-fix-previous-change-to-ssh_config-Match_-which-broken-on.patch
 # PATCH-FIX-UPSTREAM -- From the V_9_9 branch
 Patch205:       0004-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-systems-spotted-by.patch
 # 1000 - 2000  --  Conditional patches
 %if %{with crypto_policies}
 # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
-Patch107:       openssh-9.6p1-crypto-policies.patch
+Patch1000:      openssh-9.6p1-crypto-policies.patch
-Patch108:       openssh-9.6p1-crypto-policies-man.patch
+Patch1001:      openssh-9.6p1-crypto-policies-man.patch
-# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387
+%endif
-Patch109:       fix-CVE-2024-6387.patch
+%if %{with allow_root_password_login_by_default}
-# PATCH-FIX-UPSTREAM 
+# PATCH-FIX-SLE Allow root login with password by default (for SLE12 and SLE15)
-Patch110:       0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
+Patch1002:      openssh-7.7p1-allow_root_password_login.patch
 # PATCH-FIX-UPSTREAM 
 Patch111:       0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
 # PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894
 Patch112:       0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
 %if 0%{with allow_root_password_login_by_default}
 Patch1000:      openssh-7.7p1-allow_root_password_login.patch
 %endif
 BuildRequires:  audit-devel
 BuildRequires:  automake
 %if 0%{?suse_version} < 1600
 BuildRequires:  gcc11
 %endif
 BuildRequires:  groff
 BuildRequires:  libedit-devel
 BuildRequires:  libselinux-devel
 %if %{with ldap}
 BuildRequires:  openldap2-devel
 %endif
 %if %{with openssl11}
 BuildRequires:  libopenssl-1_1-devel
 BuildRequires:  openssl-1_1
 %else
 BuildRequires:  openssl-devel
 %endif
 BuildRequires:  pam-devel
 BuildRequires:  pkgconfig
 BuildRequires:  zlib-devel
@ -157,7 +189,7 @@ BuildRequires:  sysuser-shadow
 BuildRequires:  sysuser-tools
 Requires:       %{name}-clients = %{version}-%{release}
 Requires:       %{name}-server = %{version}-%{release}
-%if 0%{?suse_version} >= 1550
+%if 0%{?suse_version} >= 1550 || 0%{?suse_version} < 1500 
 BuildRequires:  pkgconfig(krb5)
 %else
 BuildRequires:  krb5-mini-devel
@ -203,14 +235,16 @@ clients.
 Summary:        SSH (Secure Shell) server
 Group:          Productivity/Networking/SSH
 Requires:       %{name}-common = %{version}-%{release}
 %if %{with crypto_policies}
 Requires:       crypto-policies >= 20220824
 %endif
 Recommends:     audit
 Requires(pre):  findutils
 Requires(pre):  grep
 Requires(post): %fillup_prereq
 Requires(post): permissions
 Provides:       openssh:%{_sbindir}/sshd
-%if 0%{with allow_root_password_login_by_default}
+%if %{with allow_root_password_login_by_default}
 # For a brief period of time this package existed in SLE/Leap.
 # It was removed before GM but some people might have it from
 # a beta distribution version (boo#1227350)
@ -230,7 +264,7 @@ also be forwarded over the secure channel.
 This package contains the Secure Shell daemon, which allows clients to
 securely connect to your server.
-%if 0%{with allow_root_password_login_by_default}
+%if %{with allow_root_password_login_by_default}
 %package server-config-disallow-rootlogin
 Summary:        Config to disallow password root logins to sshd
 Group:          Productivity/Networking/SSH
@ -259,7 +293,9 @@ ssh-copy-id(1).
 %package clients
 Summary:        SSH (Secure Shell) client applications
 Group:          Productivity/Networking/SSH
 %if %{with crypto_policies}
 Requires:       crypto-policies >= 20220824
 %endif
 Requires:       %{name}-common = %{version}-%{release}
 Provides:       openssh:%{_bindir}/ssh
@ -328,6 +364,9 @@ sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
    )
 %build
 %if 0%{?suse_version} < 1600
 export CC=gcc-11
 %endif
 autoreconf -fiv
 %ifarch s390 s390x %{sparc}
 PIEFLAGS="-fPIE"
@ -368,6 +407,7 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
    --disable-lastlog \
    --with-logind \
 %endif
    --enable-dsa-keys \
    --with-security-key-builtin \
    --target=%{_target_cpu}-suse-linux
@ -392,6 +432,8 @@ install -d -m 755 %{buildroot}%{_sysconfdir}/slp.reg.d/
 install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
 %endif
 install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
 install -D -m 0644 %{SOURCE16} %{buildroot}%{_unitdir}/sshd@.service
 install -D -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/sshd.socket
 ln -s service %{buildroot}%{_sbindir}/rcsshd
 install -d -m 755 %{buildroot}%{_fillupdir}
 install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
@ -400,7 +442,7 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
 install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
-%if 0%{with allow_root_password_login_by_default}
+%if %{with allow_root_password_login_by_default}
 echo "PermitRootLogin prohibit-password" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
 %else
 echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
@ -412,19 +454,21 @@ mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
 mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
-%if 0%{with allow_root_password_login_by_default}
+%if %{with allow_root_password_login_by_default}
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
 %else
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
 %endif
 %endif
 %if %{with crypto_policies}
 install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
 %if %{defined _distconfdir}
 install -m 644 sshd_config_suse_cp %{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
 %else
 install -m 644 sshd_config_suse_cp %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
 %endif
 %endif
 %if 0%{?suse_version} < 1550
 # install firewall definitions
@ -443,9 +487,6 @@ install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
 mkdir -p %{buildroot}%{_sysusersdir}
 install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
 rm %{buildroot}%{_libexecdir}/ssh/ssh-keycat
 #rm -r %{buildroot}/usr/lib/debug/.build-id
 # the hmac hashes - taken from openssl
 #
 # re-define the __os_install_post macro: the macro strips
@ -453,13 +494,19 @@ rm %{buildroot}%{_libexecdir}/ssh/ssh-keycat
 #
 # this shows up earlier because otherwise the %%expand of
 # the macro is too late.
 %if %{with openssl11}
 %define opensslbin openssl-1_1
 %else
 %define opensslbin openssl
 %endif
 %{expand:%%global __os_install_post {%__os_install_post
 for b in \
        %{_bindir}/ssh \
        %{_sbindir}/sshd \
        %{_libexecdir}/ssh/sftp-server \
        ; do
-    openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
+    %{opensslbin} dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX}
 done
 }}
@ -471,12 +518,13 @@ test -f /etc/pam.d/sshd.rpmsave && mv -v /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
 test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config.rpmsave.old ||:
 %endif
-%service_add_pre sshd.service
+%service_add_pre sshd.service sshd.socket
 %post server
 %{fillup_only -n ssh}
-%service_add_post sshd.service
+%service_add_post sshd.service sshd.socket
 %if %{with crypto_policies}
 %if ! %{defined _distconfdir}
 test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
    echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
@ -485,20 +533,22 @@ test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.c
    echo "/etc/ssh/sshd_config :"
    echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
 %endif
 %endif
 %preun server
-%service_del_preun sshd.service
+%service_del_preun sshd.service sshd.socket
 %postun server
 # The openssh-fips trigger script for openssh will normally restart sshd once
 # it gets installed, so only restart the service here if openssh-fips is not
 # present.
 if rpm -q openssh-fips >/dev/null 2>/dev/null; then
-%service_del_postun_without_restart sshd.service
+%service_del_postun_without_restart sshd.service sshd.socket
 else
-%service_del_postun sshd.service
+%service_del_postun sshd.service sshd.socket
 fi
 %if %{with crypto_policies}
 %if ! %{defined _distconfdir}
 %post server-config-disallow-rootlogin
 test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
@ -508,6 +558,7 @@ test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.c
    echo "the following line is added at the start of /etc/ssh/sshd_config :"
    echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
 %endif
 %endif
 %if %{defined _distconfdir}
 %posttrans server
@ -522,6 +573,7 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
 test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
 %endif
 %if %{with crypto_policies}
 %if ! %{defined _distconfdir}
 %post clients
 test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
@ -531,6 +583,7 @@ test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.con
    echo "/etc/ssh/ssh_config :"
    echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
 %endif
 %endif
 %if %{defined _distconfdir}
 %posttrans clients
@ -578,17 +631,22 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
 %endif
 %if %{with crypto_policies}
 %if %{defined _distconfdir}
 %attr(0600,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
 %else
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
 %endif
 %endif
 %attr(0644,root,root) %{_unitdir}/sshd.service
 %attr(0644,root,root) %{_unitdir}/sshd@.service
 %attr(0644,root,root) %{_unitdir}/sshd.socket
 %attr(0644,root,root) %{_sysusersdir}/sshd.conf
 %attr(0444,root,root) %{_mandir}/man5/sshd_config*
 %attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
 %attr(0444,root,root) %{_mandir}/man8/sshd.8*
 %attr(0755,root,root) %{_libexecdir}/ssh/sftp-server
 %attr(0755,root,root) %{_libexecdir}/ssh/sshd-session
 %if 0%{?suse_version} < 1600
 %dir %{_sysconfdir}/slp.reg.d
 %config %{_sysconfdir}/slp.reg.d/ssh.reg
@ -600,7 +658,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %config %{_fwdefdir}/sshd
 %endif
-%if 0%{with allow_root_password_login_by_default}
+%if %{with allow_root_password_login_by_default}
 %files server-config-disallow-rootlogin
 %if %{defined _distconfdir}
 %{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
@ -617,8 +675,10 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %endif
 %files clients
 %if %{with crypto_policies}
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
 %endif
 %if %{defined _distconfdir}
 %attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
 %else
--- a/sshd-sle.pamd
+++ b/sshd-sle.pamd
@ -8,4 +8,3 @@ session     required    pam_loginuid.so
 session     optional    pam_keyinit.so   force revoke
 session     include     common-session
 session     optional    pam_motd.so
--- a/sshd.socket
+++ b/sshd.socket
@ -0,0 +1,11 @@
 [Unit]
 Description=OpenSSH Server Socket
 Conflicts=sshd.service
 [Socket]
 ListenStream=22
 Accept=yes
 [Install]
 WantedBy=sockets.target
--- a/sshd@.service
+++ b/sshd@.service
@ -0,0 +1,11 @@
 [Unit]
 Description=OpenSSH Per-Connection Server Daemon
 Documentation=man:systemd-ssh-generator(8) man:sshd(8)
 After=network.target
 [Service]
 EnvironmentFile=-/etc/sysconfig/ssh
 ExecStartPre=/usr/sbin/sshd-gen-keys-start
 ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
 ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS
 StandardInput=socket
--- a/wtmpdb.patch
+++ b/wtmpdb.patch
@ -174,12 +174,16 @@ diff -ur openssh-8.9p1.old/Makefile.in openssh-8.9p1/Makefile.in
 AR=@AR@
 AWK=@AWK@
 RANLIB=@RANLIB@
-@@ -212,7 +213,7 @@
+@@ -212,10 +213,10 @@
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
+-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS)
-+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
 sshd-session$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHD_SESSION_OBJS)
 -	$(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
 +	$(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
 	$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)