Sync from SUSE:SLFO:Main openssh revision 80f1dfa5523715d1a8c3544a6ac6af74

0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch

@@ -0,0 +1,55 @@
+From 66aaa678dbe59aa21d0d9d89a3596ecedde0254b Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 30 Apr 2024 02:14:10 +0000
+Subject: [PATCH] upstream: correctly restore sigprocmask around ppoll()
+ reported
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+by Tõivo Leedjärv; ok deraadt@
+
+OpenBSD-Commit-ID: c0c0f89de5294a166578f071eade2501929c4686
+---
+ clientloop.c | 4 ++--
+ serverloop.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/clientloop.c b/clientloop.c
+index be8bb5fc1f2..8ea2ada4216 100644
+--- a/clientloop.c
++++ b/clientloop.c
+#@@ -1,4 +1,4 @@
+#-/* $OpenBSD: clientloop.c,v 1.404 2024/04/30 02:10:49 djm Exp $ */
+#+/* $OpenBSD: clientloop.c,v 1.405 2024/04/30 02:14:10 djm Exp $ */
+# /*
+#  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+#  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1585,7 +1585,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
+ 		client_wait_until_can_do_something(ssh, &pfd, &npfd_alloc,
+ 		    &npfd_active, channel_did_enqueue, &osigset,
+ 		    &conn_in_ready, &conn_out_ready);
+-		if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
++		if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
+ 			error_f("osigset sigprocmask: %s", strerror(errno));
+ 
+ 		if (quit_pending)
+diff --git a/serverloop.c b/serverloop.c
+index f3683c2e4a6..94c8943a616 100644
+--- a/serverloop.c
++++ b/serverloop.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: serverloop.c,v 1.237 2023/08/21 04:59:54 djm Exp $ */
++/* $OpenBSD: serverloop.c,v 1.238 2024/04/30 02:14:10 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -380,7 +380,7 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt)
+ 		wait_until_can_do_something(ssh, connection_in, connection_out,
+ 		    &pfd, &npfd_alloc, &npfd_active, &osigset,
+ 		    &conn_in_ready, &conn_out_ready);
+-		if (sigprocmask(SIG_UNBLOCK, &bsigset, &osigset) == -1)
++		if (sigprocmask(SIG_SETMASK, &osigset, NULL) == -1)
+ 			error_f("osigset sigprocmask: %s", strerror(errno));
+ 
+ 		if (received_sigterm) {

0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch

@@ -0,0 +1,32 @@
+From 9844aa2521ccfb1a2d73745680327b79e0574445 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 21 Feb 2024 05:57:34 +0000
+Subject: [PATCH] upstream: fix proxy multiplexing mode, broken when keystroke
+ timing
+
+obfuscation was added. GHPR#463 from montag451
+
+OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677
+---
+ clientloop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/clientloop.c b/clientloop.c
+index eb4902905fb..8ec36af94b3 100644
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: clientloop.c,v 1.402 2023/11/24 00:31:30 dtucker Exp $ */
++/* $OpenBSD: clientloop.c,v 1.403 2024/02/21 05:57:34 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -517,7 +517,7 @@ send_chaff(struct ssh *ssh)
+ {
+ 	int r;
+ 
+-	if ((ssh->kex->flags & KEX_HAS_PING) == 0)
++	if (ssh->kex == NULL || (ssh->kex->flags & KEX_HAS_PING) == 0)
+ 		return 0;
+ 	/* XXX probabilistically send chaff? */
+ 	/*

0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch

@@ -0,0 +1,38 @@
+From 146c420d29d055cc75c8606327a1cf8439fe3a08 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 1 Jul 2024 04:31:17 +0000
+Subject: [PATCH] upstream: when sending ObscureKeystrokeTiming chaff packets,
+ we
+
+can't rely on channel_did_enqueue to tell that there is data to send. This
+flag indicates that the channels code enqueued a packet on _this_ ppoll()
+iteration, not that data was enqueued in _any_ ppoll() iteration in the
+timeslice. ok markus@
+
+OpenBSD-Commit-ID: 009b74fd2769b36b5284a0188ade182f00564136
+---
+ clientloop.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/clientloop.c b/clientloop.c
+index 0b6f3c9be02..8ed8b1c3449 100644
+--- a/clientloop.c
++++ b/clientloop.c
+#@@ -1,4 +1,4 @@
+#-/* $OpenBSD: clientloop.c,v 1.407 2024/05/17 06:42:04 jsg Exp $ */
+#+/* $OpenBSD: clientloop.c,v 1.408 2024/07/01 04:31:17 djm Exp $ */
+# /*
+#  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+#  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -607,8 +607,9 @@ obfuscate_keystroke_timing(struct ssh *ssh, struct timespec *timeout,
+ 		if (timespeccmp(&now, &chaff_until, >=)) {
+ 			/* Stop if there have been no keystrokes for a while */
+ 			stop_reason = "chaff time expired";
+-		} else if (timespeccmp(&now, &next_interval, >=)) {
+-			/* Otherwise if we were due to send, then send chaff */
++		} else if (timespeccmp(&now, &next_interval, >=) &&
++		    !ssh_packet_have_data_to_write(ssh)) {
++			/* If due to send but have no data, then send chaff */
+ 			if (send_chaff(ssh))
+ 				nchaff++;
+ 		}

README.SUSE

@@ -5,6 +5,13 @@ There are following changes in default settings of ssh client and server:
 
 * PAM authentication is enabled and mostly even required, do not turn it off.
 
+* In SLE15, root authentiation with password is enabled by default
+  (PermitRootLogin yes).
+  NOTE: this has security implications and is only done in order to not change
+  behaviour of the server in an update. We strongly suggest setting this option
+  either "prohibit-password" or even better to "no" (which disables direct
+  remote root login entirely).
+
 * DSA authentication is enabled by default for maximum compatibility.
   NOTE: do not use DSA authentication since it is being phased out for a reason
   - the size of DSA keys is limited by the standard to 1024 bits which cannot

fix-CVE-2024-6387.patch

@@ -0,0 +1,19 @@
+Index: openssh-9.6p1/log.c
+===================================================================
+--- openssh-9.6p1.orig/log.c
++++ openssh-9.6p1/log.c
+@@ -451,12 +451,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ 	va_list args;
+ 
+ 	va_start(args, fmt);
+ 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ 	    suffix, fmt, args);
+ 	va_end(args);
++#endif
+ 	_exit(1);
+ }
+ 

openssh-6.6p1-privsep-selinux.patch

@@ -114,7 +114,7 @@ Index: openssh-9.3p2/sshd.c
  	if (privsep_chroot) {
  		/* Change our root directory */
 @@ -602,6 +606,9 @@ privsep_postauth(struct ssh *ssh, Authct
- {
+ 
  #ifdef DISABLE_FD_PASSING
  	if (1) {
 +#elif defined(WITH_SELINUX)

openssh-7.7p1-allow_root_password_login.patch

@@ -0,0 +1,59 @@
+# HG changeset patch
+# Parent  af43d436bc7fe818dd976c923ad99b89051eb299
+Allow root login with password by default. While less secure than upstream
+default of forbidding access to the root account with a password, we are
+temporarily introducing this change to keep the default used in older OpenSSH
+versions shipped with SLE.
+
+Index: openssh-8.4p1/servconf.c
+===================================================================
+--- openssh-8.4p1.orig/servconf.c
++++ openssh-8.4p1/servconf.c
+@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption
+ 	if (options->login_grace_time == -1)
+ 		options->login_grace_time = 120;
+ 	if (options->permit_root_login == PERMIT_NOT_SET)
+-		options->permit_root_login = PERMIT_NO_PASSWD;
++		options->permit_root_login = PERMIT_YES;
+ 	if (options->ignore_rhosts == -1)
+ 		options->ignore_rhosts = 1;
+ 	if (options->ignore_user_known_hosts == -1)
+Index: openssh-8.4p1/sshd_config
+===================================================================
+--- openssh-8.4p1.orig/sshd_config
++++ openssh-8.4p1/sshd_config
+@@ -29,7 +29,7 @@
+ # Authentication:
+ 
+ #LoginGraceTime 2m
+-#PermitRootLogin prohibit-password
++PermitRootLogin yes
+ #StrictModes yes
+ #MaxAuthTries 6
+ #MaxSessions 10
+Index: openssh-8.4p1/sshd_config.0
+===================================================================
+--- openssh-8.4p1.orig/sshd_config.0
++++ openssh-8.4p1/sshd_config.0
+@@ -778,7 +778,7 @@ DESCRIPTION
+      PermitRootLogin
+              Specifies whether root can log in using ssh(1).  The argument
+              must be yes, prohibit-password, forced-commands-only, or no.  The
+-             default is prohibit-password.
++             default is yes.
+ 
+              If this option is set to prohibit-password (or its deprecated
+              alias, without-password), password and keyboard-interactive
+Index: openssh-8.4p1/sshd_config.5
+===================================================================
+--- openssh-8.4p1.orig/sshd_config.5
++++ openssh-8.4p1/sshd_config.5
+@@ -1331,7 +1331,7 @@ The argument must be
+ or
+ .Cm no .
+ The default is
+-.Cm prohibit-password .
++.Cm yes .
+ .Pp
+ If this option is set to
+ .Cm prohibit-password

openssh-7.7p1-fips.patch

@@ -39,7 +39,7 @@ Index: openssh-9.6p1/cipher.c
  #ifdef WITH_OPENSSL
  #ifndef OPENSSL_NO_DES
  	{ "3des-cbc",		8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
-@@ -110,8 +113,52 @@ static const struct sshcipher ciphers[]
+@@ -110,8 +113,50 @@ static const struct sshcipher ciphers[]
  	{ NULL,			0, 0, 0, 0, 0, NULL }
  };
  
@@ -53,12 +53,10 @@ Index: openssh-9.6p1/cipher.c
 +	{ "aes128-ctr",		16, 16, 0, 0, 0, EVP_aes_128_ctr },
 +	{ "aes192-ctr",		16, 24, 0, 0, 0, EVP_aes_192_ctr },
 +	{ "aes256-ctr",		16, 32, 0, 0, 0, EVP_aes_256_ctr },
-+# ifdef OPENSSL_HAVE_EVPGCM
 +	{ "aes128-gcm@openssh.com",
 +				16, 16, 12, 16, 0, EVP_aes_128_gcm },
 +	{ "aes256-gcm@openssh.com",
 +				16, 32, 12, 16, 0, EVP_aes_256_gcm },
-+# endif /* OPENSSL_HAVE_EVPGCM */
 +#else
 +	{ "aes128-ctr",		16, 16, 0, 0, CFLAG_AESCTR, NULL },
 +	{ "aes192-ctr",		16, 24, 0, 0, CFLAG_AESCTR, NULL },

openssh-7.7p1-ldap.patch

@@ -335,7 +335,7 @@ Index: openssh-8.9p1/ldap-helper.c
 ===================================================================
 --- /dev/null
 +++ openssh-8.9p1/ldap-helper.c
-@@ -0,0 +1,155 @@
+@@ -0,0 +1,156 @@
 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
@@ -369,6 +369,7 @@ Index: openssh-8.9p1/ldap-helper.c
 +#include "ldapbody.h"
 +#include <string.h>
 +#include <unistd.h>
++#include <stdlib.h>
 +
 +static int config_debug = 0;
 +int config_exclusive_config_file = 0;
@@ -1175,7 +1176,7 @@ Index: openssh-8.9p1/ldapconf.c
 ===================================================================
 --- /dev/null
 +++ openssh-8.9p1/ldapconf.c
-@@ -0,0 +1,711 @@
+@@ -0,0 +1,712 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
@@ -1209,6 +1210,7 @@ Index: openssh-8.9p1/ldapconf.c
 +#include "ldapconf.h"
 +#include <unistd.h>
 +#include <string.h>
++#include <stdlib.h>
 +
 +/* Keyword tokens. */
 +

openssh-8.0p1-gssapi-keyex.patch

@@ -151,7 +151,7 @@ Index: openssh-9.6p1/auth2-gss.c
 + * The 'gssapi_keyex' userauth mechanism.
 + */
 +static int
-+userauth_gsskeyex(struct ssh *ssh)
++userauth_gsskeyex(struct ssh *ssh, const char *method)
 +{
 +	Authctxt *authctxt = ssh->authctxt;
 +	int r, authenticated = 0;
@@ -213,12 +213,13 @@ Index: openssh-9.6p1/auth2-gss.c
  	else
  		logit("GSSAPI MIC check failed");
  
-@@ -333,6 +377,12 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -333,6 +377,13 @@ input_gssapi_mic(int type, u_int32_t ple
  	return 0;
  }
  
 +Authmethod method_gsskeyex = {
 +	"gssapi-keyex",
++	"NULL",
 +	userauth_gsskeyex,
 +	&options.gss_authentication
 +};

openssh-9.6p1-crypto-policies-man.patch

@@ -0,0 +1,648 @@
+Index: openssh-9.6p1/ssh_config.5
+===================================================================
+--- openssh-9.6p1.orig/ssh_config.5
++++ openssh-9.6p1/ssh_config.5
+@@ -403,17 +403,14 @@ A single argument of
+ causes no CNAMEs to be considered for canonicalization.
+ This is the default behaviour.
+ .It Cm CASignatureAlgorithms
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++Information about defaults, how to modify the defaults and how to customize
++existing policies with sub-policies are present in manual page
++.Xr update-crypto-policies 8 .
++.Pp
+ Specifies which algorithms are allowed for signing of certificates
+ by certificate authorities (CAs).
+-The default is:
+-.Bd -literal -offset indent
+-ssh-ed25519,ecdsa-sha2-nistp256,
+-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
+-rsa-sha2-512,rsa-sha2-256
+-.Ed
+-.Pp
+ If the specified list begins with a
+ .Sq +
+ character, then the specified algorithms will be appended to the default set
+@@ -542,20 +539,26 @@ If the option is set to
+ (the default),
+ the check will not be executed.
+ .It Cm Ciphers
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++Information about defaults, how to modify the defaults and how to customize
++existing policies with sub-policies are present in manual page
++.Xr update-crypto-policies 8 .
++.Pp
+ Specifies the ciphers allowed and their order of preference.
+ Multiple ciphers must be comma-separated.
+ If the specified list begins with a
+ .Sq +
+-character, then the specified ciphers will be appended to the default set
+-instead of replacing them.
++character, then the specified ciphers will be appended to the built-in
++openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified ciphers (including wildcards) will be removed
+-from the default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified ciphers will be placed at the head of the
+-default set.
++built-in openssh default set.
+ .Pp
+ The supported ciphers are:
+ .Bd -literal -offset indent
+@@ -571,13 +574,6 @@ aes256-gcm@openssh.com
+ chacha20-poly1305@openssh.com
+ .Ed
+ .Pp
+-The default is:
+-.Bd -literal -offset indent
+-chacha20-poly1305@openssh.com,
+-aes128-ctr,aes192-ctr,aes256-ctr,
+-aes128-gcm@openssh.com,aes256-gcm@openssh.com
+-.Ed
+-.Pp
+ The list of available ciphers may also be obtained using
+ .Qq ssh -Q cipher .
+ .It Cm ClearAllForwardings
+@@ -979,6 +975,12 @@ command line will be passed untouched to
+ The default is
+ .Dq no .
+ .It Cm GSSAPIKexAlgorithms
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++Information about defaults, how to modify the defaults and how to customize
++existing policies with sub-policies are present in manual page
++.Xr update-crypto-policies 8 .
++.Pp
+ The list of key exchange algorithms that are offered for GSSAPI
+ key exchange. Possible values are
+ .Bd -literal -offset 3n
+@@ -991,9 +993,8 @@ gss-nistp256-sha256-,
+ gss-curve25519-sha256-
+ .Ed
+ .Pp
+-The default is
+-.Dq gss-gex-sha1-,gss-group14-sha1- .
+ This option only applies to protocol version 2 connections using GSSAPI.
++.Pp
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+@@ -1012,36 +1013,26 @@ will not be converted automatically,
+ but may be manually hashed using
+ .Xr ssh-keygen 1 .
+ .It Cm HostbasedAcceptedAlgorithms
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++Information about defaults, how to modify the defaults and how to customize
++existing policies with sub-policies are present in manual page
++.Xr update-crypto-policies 8 .
++.Pp
+ Specifies the signature algorithms that will be used for hostbased
+ authentication as a comma-separated list of patterns.
+ Alternately if the specified list begins with a
+ .Sq +
+ character, then the specified signature algorithms will be appended
+-to the default set instead of replacing them.
++to the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified signature algorithms (including wildcards)
+-will be removed from the default set instead of replacing them.
++will be removed from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified signature algorithms will be placed
+-at the head of the default set.
+-The default for this option is:
+-.Bd -literal -offset 3n
+-ssh-ed25519-cert-v01@openssh.com,
+-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-ecdsa-sha2-nistp384-cert-v01@openssh.com,
+-ecdsa-sha2-nistp521-cert-v01@openssh.com,
+-sk-ssh-ed25519-cert-v01@openssh.com,
+-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-rsa-sha2-512-cert-v01@openssh.com,
+-rsa-sha2-256-cert-v01@openssh.com,
+-ssh-ed25519,
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
+-rsa-sha2-512,rsa-sha2-256
+-.Ed
++at the head of the built-in openssh default set.
+ .Pp
+ The
+ .Fl Q
+@@ -1094,6 +1085,17 @@ to prefer their algorithms.
+ .Pp
+ The list of available signature algorithms may also be obtained using
+ .Qq ssh -Q HostKeyAlgorithms .
++.Pp
++The proposed
++.Cm HostKeyAlgorithms
++during KEX are limited to the set of algorithms that is defined in
++.Cm PubkeyAcceptedAlgorithms
++and therefore they are indirectly affected by system-wide
++.Xr crypto_policies 7 .
++.Xr crypto_policies 7 can not handle the list of host key algorithms directly
++as doing so would break the order given by the
++.Pa known_hosts
++file.
+ .It Cm HostKeyAlias
+ Specifies an alias that should be used instead of the
+ real host name when looking up or saving the host key
+@@ -1311,31 +1313,26 @@ it may be zero or more of:
+ and
+ .Cm pam .
+ .It Cm KexAlgorithms
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++Information about defaults, how to modify the defaults and how to customize
++existing policies with sub-policies are present in manual page
++.Xr update-crypto-policies 8 .
++.Pp
+ Specifies the available KEX (Key Exchange) algorithms.
+ Multiple algorithms must be comma-separated.
+ If the specified list begins with a
+ .Sq +
+-character, then the specified algorithms will be appended to the default set
+-instead of replacing them.
++character, then the specified methods will be appended to the built-in
++openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified algorithms (including wildcards) will be removed
+-from the default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified algorithms will be placed at the head of the
+-default set.
+-The default is:
+-.Bd -literal -offset indent
+-sntrup761x25519-sha512@openssh.com,
+-curve25519-sha256,curve25519-sha256@libssh.org,
+-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+-diffie-hellman-group-exchange-sha256,
+-diffie-hellman-group16-sha512,
+-diffie-hellman-group18-sha512,
+-diffie-hellman-group14-sha256,
+-diffie-hellman-group14-sha1
+-.Ed
++built-in openssh default set.
+ .Pp
+ The list of available key exchange algorithms may also be obtained using
+ .Qq ssh -Q kex .
+@@ -1445,37 +1442,34 @@ function, and all code in the
+ file.
+ This option is intended for debugging and no overrides are enabled by default.
+ .It Cm MACs
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++Information about defaults, how to modify the defaults and how to customize
++existing policies with sub-policies are present in manual page
++.Xr update-crypto-policies 8 .
++.Pp
+ Specifies the MAC (message authentication code) algorithms
+ in order of preference.
+ The MAC algorithm is used for data integrity protection.
+ Multiple algorithms must be comma-separated.
+ If the specified list begins with a
+ .Sq +
+-character, then the specified algorithms will be appended to the default set
+-instead of replacing them.
++character, then the specified algorithms will be appended to the built-in
++openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified algorithms (including wildcards) will be removed
+-from the default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified algorithms will be placed at the head of the
+-default set.
++built-in openssh default set.
+ .Pp
+ The algorithms that contain
+ .Qq -etm
+ calculate the MAC after encryption (encrypt-then-mac).
+ These are considered safer and their use recommended.
+ .Pp
+-The default is:
+-.Bd -literal -offset indent
+-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+-hmac-sha1-etm@openssh.com,
+-umac-64@openssh.com,umac-128@openssh.com,
+-hmac-sha2-256,hmac-sha2-512,hmac-sha1
+-.Ed
+-.Pp
+ The list of available MAC algorithms may also be obtained using
+ .Qq ssh -Q mac .
+ .It Cm NoHostAuthenticationForLocalhost
+@@ -1666,39 +1660,32 @@ instead of continuing to execute and pas
+ The default is
+ .Cm no .
+ .It Cm PubkeyAcceptedAlgorithms
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++Information about defaults, how to modify the defaults and how to customize
++existing policies with sub-policies are present in manual page
++.Xr update-crypto-policies 8 .
++.Pp
+ Specifies the signature algorithms that will be used for public key
+ authentication as a comma-separated list of patterns.
+ If the specified list begins with a
+ .Sq +
+-character, then the algorithms after it will be appended to the default
+-instead of replacing it.
++character, then the algorithms after it will be appended to the built-in
++openssh default instead of replacing it.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified algorithms (including wildcards) will be removed
+-from the default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified algorithms will be placed at the head of the
+-default set.
+-The default for this option is:
+-.Bd -literal -offset 3n
+-ssh-ed25519-cert-v01@openssh.com,
+-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-ecdsa-sha2-nistp384-cert-v01@openssh.com,
+-ecdsa-sha2-nistp521-cert-v01@openssh.com,
+-sk-ssh-ed25519-cert-v01@openssh.com,
+-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-rsa-sha2-512-cert-v01@openssh.com,
+-rsa-sha2-256-cert-v01@openssh.com,
+-ssh-ed25519,
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
+-rsa-sha2-512,rsa-sha2-256
+-.Ed
++built-in openssh default set.
+ .Pp
+ The list of available signature algorithms may also be obtained using
+ .Qq ssh -Q PubkeyAcceptedAlgorithms .
++.Pp
++This option affects also
++.Cm HostKeyAlgorithms
+ .It Cm PubkeyAuthentication
+ Specifies whether to try public key authentication.
+ The argument to this keyword must be
+@@ -2395,7 +2382,9 @@ This file provides the vendor defaults a
+ configuration file does not exist.
+ .El
+ .Sh SEE ALSO
+-.Xr ssh 1
++.Xr ssh 1 ,
++.Xr crypto-policies 7 ,
++.Xr update-crypto-policies 8
+ .Sh AUTHORS
+ .An -nosplit
+ OpenSSH is a derivative of the original and free
+Index: openssh-9.6p1/sshd_config.5
+===================================================================
+--- openssh-9.6p1.orig/sshd_config.5
++++ openssh-9.6p1/sshd_config.5
+@@ -381,17 +381,14 @@ If the argument is
+ then no banner is displayed.
+ By default, no banner is displayed.
+ .It Cm CASignatureAlgorithms
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++Information about defaults, how to modify the defaults and how to customize
++existing policies with sub-policies are present in manual page
++.Xr update-crypto-policies 8 .
++.Pp
+ Specifies which algorithms are allowed for signing of certificates
+ by certificate authorities (CAs).
+-The default is:
+-.Bd -literal -offset indent
+-ssh-ed25519,ecdsa-sha2-nistp256,
+-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
+-rsa-sha2-512,rsa-sha2-256
+-.Ed
+-.Pp
+ If the specified list begins with a
+ .Sq +
+ character, then the specified algorithms will be appended to the default set
+@@ -527,20 +524,26 @@ The default is
+ indicating not to
+ .Xr chroot 2 .
+ .It Cm Ciphers
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++Information about defaults, how to modify the defaults and how to customize
++existing policies with sub-policies are present in manual page
++.Xr update-crypto-policies 8 .
++.Pp
+ Specifies the ciphers allowed.
+ Multiple ciphers must be comma-separated.
+ If the specified list begins with a
+ .Sq +
+-character, then the specified ciphers will be appended to the default set
+-instead of replacing them.
++character, then the specified ciphers will be appended to the built-in
++openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified ciphers (including wildcards) will be removed
+-from the default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified ciphers will be placed at the head of the
+-default set.
++built-in openssh default set.
+ .Pp
+ The supported ciphers are:
+ .Pp
+@@ -567,13 +570,6 @@ aes256-gcm@openssh.com
+ chacha20-poly1305@openssh.com
+ .El
+ .Pp
+-The default is:
+-.Bd -literal -offset indent
+-chacha20-poly1305@openssh.com,
+-aes128-ctr,aes192-ctr,aes256-ctr,
+-aes128-gcm@openssh.com,aes256-gcm@openssh.com
+-.Ed
+-.Pp
+ The list of available ciphers may also be obtained using
+ .Qq ssh -Q cipher .
+ .It Cm ClientAliveCountMax
+@@ -764,52 +760,45 @@ For this to work
+ .Cm GSSAPIKeyExchange
+ needs to be enabled in the server and also used by the client.
+ .It Cm GSSAPIKexAlgorithms
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++Information about defaults, how to modify the defaults and how to customize
++existing policies with sub-policies are present in manual page
++.Xr update-crypto-policies 8 .
++.Pp
+ The list of key exchange algorithms that are accepted by GSSAPI
+ key exchange. Possible values are
+ .Bd -literal -offset 3n
+-gss-gex-sha1-,
+-gss-group1-sha1-,
+-gss-group14-sha1-,
+-gss-group14-sha256-,
+-gss-group16-sha512-,
+-gss-nistp256-sha256-,
++gss-gex-sha1-
++gss-group1-sha1-
++gss-group14-sha1-
++gss-group14-sha256-
++gss-group16-sha512-
++gss-nistp256-sha256-
+ gss-curve25519-sha256-
+ .Ed
+-.Pp
+-The default is
+-.Dq gss-gex-sha1-,gss-group14-sha1- .
+ This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HostbasedAcceptedAlgorithms
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++Information about defaults, how to modify the defaults and how to customize
++existing policies with sub-policies are present in manual page
++.Xr update-crypto-policies 8 .
++.Pp
+ Specifies the signature algorithms that will be accepted for hostbased
+ authentication as a list of comma-separated patterns.
+ Alternately if the specified list begins with a
+ .Sq +
+ character, then the specified signature algorithms will be appended to
+-the default set instead of replacing them.
++the built-in openssh set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified signature algorithms (including wildcards)
+-will be removed from the default set instead of replacing them.
++will be removed from the built-in openssh set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified signature algorithms will be placed at
+-the head of the default set.
+-The default for this option is:
+-.Bd -literal -offset 3n
+-ssh-ed25519-cert-v01@openssh.com,
+-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-ecdsa-sha2-nistp384-cert-v01@openssh.com,
+-ecdsa-sha2-nistp521-cert-v01@openssh.com,
+-sk-ssh-ed25519-cert-v01@openssh.com,
+-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-rsa-sha2-512-cert-v01@openssh.com,
+-rsa-sha2-256-cert-v01@openssh.com,
+-ssh-ed25519,
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
+-rsa-sha2-512,rsa-sha2-256
+-.Ed
++the head of the built-in openssh default set.
+ .Pp
+ The list of available signature algorithms may also be obtained using
+ .Qq ssh -Q HostbasedAcceptedAlgorithms .
+@@ -876,25 +865,15 @@ is specified, the location of the socket
+ .Ev SSH_AUTH_SOCK
+ environment variable.
+ .It Cm HostKeyAlgorithms
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++Information about defaults, how to modify the defaults and how to customize
++existing policies with sub-policies are present in manual page
++.Xr update-crypto-policies 8 .
++.Pp
+ Specifies the host key signature algorithms
+ that the server offers.
+ The default for this option is:
+-.Bd -literal -offset 3n
+-ssh-ed25519-cert-v01@openssh.com,
+-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-ecdsa-sha2-nistp384-cert-v01@openssh.com,
+-ecdsa-sha2-nistp521-cert-v01@openssh.com,
+-sk-ssh-ed25519-cert-v01@openssh.com,
+-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-rsa-sha2-512-cert-v01@openssh.com,
+-rsa-sha2-256-cert-v01@openssh.com,
+-ssh-ed25519,
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
+-rsa-sha2-512,rsa-sha2-256
+-.Ed
+-.Pp
+ The list of available signature algorithms may also be obtained using
+ .Qq ssh -Q HostKeyAlgorithms .
+ .It Cm IgnoreRhosts
+@@ -1027,20 +1006,26 @@ file on logout.
+ The default is
+ .Cm yes .
+ .It Cm KexAlgorithms
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++Information about defaults, how to modify the defaults and how to customize
++existing policies with sub-policies are present in manual page
++.Xr update-crypto-policies 8 .
++.Pp
+ Specifies the available KEX (Key Exchange) algorithms.
+ Multiple algorithms must be comma-separated.
+ Alternately if the specified list begins with a
+ .Sq +
+-character, then the specified algorithms will be appended to the default set
+-instead of replacing them.
++character, then the specified methods will be appended to the built-in
++openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified algorithms (including wildcards) will be removed
+-from the default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified algorithms will be placed at the head of the
+-default set.
++built-in openssh default set.
+ The supported algorithms are:
+ .Pp
+ .Bl -item -compact -offset indent
+@@ -1072,16 +1057,6 @@ ecdh-sha2-nistp521
+ sntrup761x25519-sha512@openssh.com
+ .El
+ .Pp
+-The default is:
+-.Bd -literal -offset indent
+-sntrup761x25519-sha512@openssh.com,
+-curve25519-sha256,curve25519-sha256@libssh.org,
+-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+-diffie-hellman-group-exchange-sha256,
+-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
+-diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
+-.Ed
+-.Pp
+ The list of available key exchange algorithms may also be obtained using
+ .Qq ssh -Q KexAlgorithms .
+ .It Cm ListenAddress
+@@ -1167,21 +1142,27 @@ function, and all code in the
+ file.
+ This option is intended for debugging and no overrides are enabled by default.
+ .It Cm MACs
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++Information about defaults, how to modify the defaults and how to customize
++existing policies with sub-policies are present in manual page
++.Xr update-crypto-policies 8 .
++.Pp
+ Specifies the available MAC (message authentication code) algorithms.
+ The MAC algorithm is used for data integrity protection.
+ Multiple algorithms must be comma-separated.
+ If the specified list begins with a
+ .Sq +
+-character, then the specified algorithms will be appended to the default set
+-instead of replacing them.
++character, then the specified algorithms will be appended to the built-in
++openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified algorithms (including wildcards) will be removed
+-from the default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified algorithms will be placed at the head of the
+-default set.
++built-in openssh default set.
+ .Pp
+ The algorithms that contain
+ .Qq -etm
+@@ -1224,15 +1205,6 @@ umac-64-etm@openssh.com
+ umac-128-etm@openssh.com
+ .El
+ .Pp
+-The default is:
+-.Bd -literal -offset indent
+-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
+-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
+-hmac-sha1-etm@openssh.com,
+-umac-64@openssh.com,umac-128@openssh.com,
+-hmac-sha2-256,hmac-sha2-512,hmac-sha1
+-.Ed
+-.Pp
+ The list of available MAC algorithms may also be obtained using
+ .Qq ssh -Q mac .
+ .It Cm Match
+@@ -1614,36 +1586,26 @@ or equivalent.)
+ The default is
+ .Cm yes .
+ .It Cm PubkeyAcceptedAlgorithms
++The default is handled system-wide by
++.Xr crypto-policies 7 .
++Information about defaults, how to modify the defaults and how to customize
++existing policies with sub-policies are present in manual page
++.Xr update-crypto-policies 8 .
++.Pp
+ Specifies the signature algorithms that will be accepted for public key
+ authentication as a list of comma-separated patterns.
+ Alternately if the specified list begins with a
+ .Sq +
+-character, then the specified algorithms will be appended to the default set
+-instead of replacing them.
++character, then the specified algorithms will be appended to the built-in
++openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq -
+ character, then the specified algorithms (including wildcards) will be removed
+-from the default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
+ If the specified list begins with a
+ .Sq ^
+ character, then the specified algorithms will be placed at the head of the
+-default set.
+-The default for this option is:
+-.Bd -literal -offset 3n
+-ssh-ed25519-cert-v01@openssh.com,
+-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-ecdsa-sha2-nistp384-cert-v01@openssh.com,
+-ecdsa-sha2-nistp521-cert-v01@openssh.com,
+-sk-ssh-ed25519-cert-v01@openssh.com,
+-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+-rsa-sha2-512-cert-v01@openssh.com,
+-rsa-sha2-256-cert-v01@openssh.com,
+-ssh-ed25519,
+-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-sk-ssh-ed25519@openssh.com,
+-sk-ecdsa-sha2-nistp256@openssh.com,
+-rsa-sha2-512,rsa-sha2-256
+-.Ed
++built-in openssh default set.
+ .Pp
+ The list of available signature algorithms may also be obtained using
+ .Qq ssh -Q PubkeyAcceptedAlgorithms .
+@@ -2122,7 +2084,9 @@ This file should be writable by root onl
+ .El
+ .Sh SEE ALSO
+ .Xr sftp-server 8 ,
+-.Xr sshd 8
++.Xr sshd 8 ,
++.Xr crypto-policies 7 ,
++.Xr update-crypto-policies 8
+ .Sh AUTHORS
+ .An -nosplit
+ OpenSSH is a derivative of the original and free

openssh-9.6p1-crypto-policies.patch

@@ -0,0 +1,43 @@
+Index: openssh-9.6p1/ssh_config
+===================================================================
+--- openssh-9.6p1.orig/ssh_config
++++ openssh-9.6p1/ssh_config
+@@ -17,6 +17,12 @@
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
++# This system is following system-wide crypto policies.
++# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf
++# file under /etc/ssh/ssh_config.d/ which will be automatically
++# included below. For more information, see the manual pages for
++# update-crypto-policies(8) and ssh_config(5).
++
+ # To modify the system-wide ssh configuration, create a "*.conf" file under
+ # "/etc/ssh/ssh_config.d/" which will be automatically included below.
+ # Don't edit this configuration file itself if possible to avoid update
+Index: openssh-9.6p1/ssh_config_suse
+===================================================================
+--- /dev/null
++++ openssh-9.6p1/ssh_config_suse
+@@ -0,0 +1,9 @@
++# The options here are in the "Match final block" to be applied as the last
++# options and could be potentially overwritten by the user configuration
++Match final all
++	# Follow system-wide Crypto Policy, if defined:
++	Include /etc/crypto-policies/back-ends/openssh.config
++
++# Uncomment this if you want to use .local domain
++# Host *.local
++
+Index: openssh-9.6p1/sshd_config_suse_cp
+===================================================================
+--- /dev/null
++++ openssh-9.6p1/sshd_config_suse_cp
+@@ -0,0 +1,7 @@
++# This system is following system-wide crypto policy. The changes to
++# crypto properties (Ciphers, MACs, ...) will not have any effect in
++# this or following included files. To override some configuration option,
++# write it before this block or include it before this file.
++# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
++Include /etc/crypto-policies/back-ends/opensshserver.config
++

openssh-mitigate-lingering-secrets.patch

@@ -0,0 +1,344 @@
+Index: openssh-9.3p2/kex.c
+===================================================================
+--- openssh-9.3p2.orig/kex.c
++++ openssh-9.3p2/kex.c
+@@ -1564,16 +1564,16 @@ enc_destroy(struct sshenc *enc)
+ 		return;
+ 
+ 	if (enc->key) {
+-		memset(enc->key, 0, enc->key_len);
++		explicit_bzero(enc->key, enc->key_len);
+ 		free(enc->key);
+ 	}
+ 
+ 	if (enc->iv) {
+-		memset(enc->iv,  0, enc->iv_len);
++		explicit_bzero(enc->iv,  enc->iv_len);
+ 		free(enc->iv);
+ 	}
+ 
+-	memset(enc, 0, sizeof(*enc));
++	explicit_bzero(enc, sizeof(*enc));
+ }
+ 
+ void
+@@ -1584,7 +1584,7 @@ newkeys_destroy(struct newkeys *newkeys)
+ 
+ 	enc_destroy(&newkeys->enc);
+ 	mac_destroy(&newkeys->mac);
+-	memset(&newkeys->comp, 0, sizeof(newkeys->comp));
++	explicit_bzero(&newkeys->comp, sizeof(newkeys->comp));
+ }
+ 
+ /*
+Index: openssh-9.3p2/mac.c
+===================================================================
+--- openssh-9.3p2.orig/mac.c
++++ openssh-9.3p2/mac.c
+@@ -284,11 +284,11 @@ mac_destroy(struct sshmac *mac)
+ 		return;
+ 
+ 	if (mac->key) {
+-		memset(mac->key, 0, mac->key_len);
++		explicit_bzero(mac->key, mac->key_len);
+ 		free(mac->key);
+ 	}
+ 
+-	memset(mac, 0, sizeof(*mac));
++	explicit_bzero(mac, sizeof(*mac));
+ }
+ 
+ /* XXX copied from ciphers_valid */
+Index: openssh-9.3p2/monitor.c
+===================================================================
+--- openssh-9.3p2.orig/monitor.c
++++ openssh-9.3p2/monitor.c
+@@ -1789,8 +1789,12 @@ mm_answer_audit_end_command(struct ssh *
+ void
+ monitor_clear_keystate(struct ssh *ssh, struct monitor *pmonitor)
+ {
+-	ssh_clear_newkeys(ssh, MODE_IN);
+-	ssh_clear_newkeys(ssh, MODE_OUT);
++	u_int mode;
++
++	for (mode = 0; mode < MODE_MAX; mode++) {
++		ssh_clear_curkeys(ssh, mode);  /* current keys */
++		ssh_clear_newkeys(ssh, mode);  /* next keys */
++	}
+ 	sshbuf_free(child_state);
+ 	child_state = NULL;
+ }
+Index: openssh-9.3p2/packet.c
+===================================================================
+--- openssh-9.3p2.orig/packet.c
++++ openssh-9.3p2/packet.c
+@@ -655,6 +655,7 @@ ssh_packet_close_internal(struct ssh *ss
+ 		ssh->local_ipaddr = NULL;
+ 		free(ssh->remote_ipaddr);
+ 		ssh->remote_ipaddr = NULL;
++		explicit_bzero(ssh->state, sizeof(*ssh->state));
+ 		free(ssh->state);
+ 		ssh->state = NULL;
+ 		kex_free(ssh->kex);
+@@ -783,8 +784,10 @@ compress_buffer(struct ssh *ssh, struct
+ 		case Z_OK:
+ 			/* Append compressed data to output_buffer. */
+ 			if ((r = sshbuf_put(out, buf, sizeof(buf) -
+-			    ssh->state->compression_out_stream.avail_out)) != 0)
++			    ssh->state->compression_out_stream.avail_out)) != 0) {
++				explicit_bzero(buf, sizeof(buf));
+ 				return r;
++			}
+ 			break;
+ 		case Z_STREAM_ERROR:
+ 		default:
+@@ -819,8 +822,10 @@ uncompress_buffer(struct ssh *ssh, struc
+ 		switch (status) {
+ 		case Z_OK:
+ 			if ((r = sshbuf_put(out, buf, sizeof(buf) -
+-			    ssh->state->compression_in_stream.avail_out)) != 0)
++			    ssh->state->compression_in_stream.avail_out)) != 0) {
++				explicit_bzero(buf, sizeof(buf));
+ 				return r;
++			}
+ 			break;
+ 		case Z_BUF_ERROR:
+ 			/*
+@@ -870,6 +875,17 @@ uncompress_buffer(struct ssh *ssh, struc
+ #endif	/* WITH_ZLIB */
+ 
+ void
++ssh_clear_curkeys(struct ssh *ssh, int mode)
++{
++	struct session_state *state = ssh->state;
++
++	if (state && state->newkeys[mode]) {
++		kex_free_newkeys(state->newkeys[mode]);
++		state->newkeys[mode] = NULL;
++	}
++}
++
++void
+ ssh_clear_newkeys(struct ssh *ssh, int mode)
+ {
+ 	if (ssh->kex && ssh->kex->newkeys[mode]) {
+@@ -1418,7 +1434,9 @@ ssh_packet_read_seqnr(struct ssh *ssh, u
+ 		}
+ 
+ 		/* Append it to the buffer. */
+-		if ((r = ssh_packet_process_incoming(ssh, buf, len)) != 0)
++		r = ssh_packet_process_incoming(ssh, buf, len);
++		explicit_bzero(buf, len);
++		if (r != 0)
+ 			goto out;
+ 	}
+  out:
+@@ -2375,9 +2393,12 @@ ssh_packet_get_state(struct ssh *ssh, st
+ 	    (r = sshbuf_put_u32(m, state->p_read.packets)) != 0 ||
+ 	    (r = sshbuf_put_u64(m, state->p_read.bytes)) != 0 ||
+ 	    (r = sshbuf_put_stringb(m, state->input)) != 0 ||
+-	    (r = sshbuf_put_stringb(m, state->output)) != 0)
++	    (r = sshbuf_put_stringb(m, state->output)) != 0) {
++		sshbuf_obfuscate(m);
+ 		return r;
++	}
+ 
++	sshbuf_obfuscate(m);
+ 	return 0;
+ }
+ 
+@@ -2496,6 +2517,8 @@ ssh_packet_set_state(struct ssh *ssh, st
+ 	size_t ilen, olen;
+ 	int r;
+ 
++	sshbuf_unobfuscate(m);
++
+ 	if ((r = kex_from_blob(m, &ssh->kex)) != 0 ||
+ 	    (r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 ||
+ 	    (r = newkeys_from_blob(m, ssh, MODE_IN)) != 0 ||
+@@ -2509,7 +2532,7 @@ ssh_packet_set_state(struct ssh *ssh, st
+ 	    (r = sshbuf_get_u64(m, &state->p_read.blocks)) != 0 ||
+ 	    (r = sshbuf_get_u32(m, &state->p_read.packets)) != 0 ||
+ 	    (r = sshbuf_get_u64(m, &state->p_read.bytes)) != 0)
+-		return r;
++		goto out;
+ 	/*
+ 	 * We set the time here so that in post-auth privsep child we
+ 	 * count from the completion of the authentication.
+@@ -2518,10 +2541,10 @@ ssh_packet_set_state(struct ssh *ssh, st
+ 	/* XXX ssh_set_newkeys overrides p_read.packets? XXX */
+ 	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0 ||
+ 	    (r = ssh_set_newkeys(ssh, MODE_OUT)) != 0)
+-		return r;
++		goto out;
+ 
+ 	if ((r = ssh_packet_set_postauth(ssh)) != 0)
+-		return r;
++		goto out;
+ 
+ 	sshbuf_reset(state->input);
+ 	sshbuf_reset(state->output);
+@@ -2529,12 +2552,19 @@ ssh_packet_set_state(struct ssh *ssh, st
+ 	    (r = sshbuf_get_string_direct(m, &output, &olen)) != 0 ||
+ 	    (r = sshbuf_put(state->input, input, ilen)) != 0 ||
+ 	    (r = sshbuf_put(state->output, output, olen)) != 0)
+-		return r;
++		goto out;
+ 
+-	if (sshbuf_len(m))
+-		return SSH_ERR_INVALID_FORMAT;
++	if (sshbuf_len(m)) {
++		r = SSH_ERR_INVALID_FORMAT;
++		goto out;
++	}
++
++	r = 0;
++out:
++	if (r != 0)
++		sshbuf_obfuscate(m);
+ 	debug3_f("done");
+-	return 0;
++	return r;
+ }
+ 
+ /* NEW API */
+Index: openssh-9.3p2/packet.h
+===================================================================
+--- openssh-9.3p2.orig/packet.h
++++ openssh-9.3p2/packet.h
+@@ -103,6 +103,7 @@ void     ssh_packet_close(struct ssh *);
+ void	 ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *);
+ void	 ssh_packet_clear_keys(struct ssh *);
+ void     ssh_packet_clear_keys_noaudit(struct ssh *);
++void	 ssh_clear_curkeys(struct ssh *, int);
+ void	 ssh_clear_newkeys(struct ssh *, int);
+ 
+ int	 ssh_packet_is_rekeying(struct ssh *);
+Index: openssh-9.3p2/sshbuf.c
+===================================================================
+--- openssh-9.3p2.orig/sshbuf.c
++++ openssh-9.3p2/sshbuf.c
+@@ -309,6 +309,31 @@ sshbuf_mutable_ptr(const struct sshbuf *
+ 	return buf->d + buf->off;
+ }
+ 
++/* Trivially obfuscate the buffer. This is used to make sensitive data
++ * (e.g. keystate) slightly less obvious if found lingering in kernel
++ * memory after being sent from the privsep child to its parent.
++ *
++ * Longer term we should consider using a one-time pad or a stream cipher
++ * here. */
++void
++sshbuf_obfuscate(struct sshbuf *buf)
++{
++	size_t i;
++
++	if (sshbuf_check_sanity(buf) != 0 || buf->readonly || buf->refcount > 1)
++		return;
++
++	for (i = buf->off; i < buf->size; i++) {
++		buf->d [i] ^= 0xaa;
++	}
++}
++
++void
++sshbuf_unobfuscate(struct sshbuf *buf)
++{
++	sshbuf_obfuscate(buf);
++}
++
+ int
+ sshbuf_check_reserve(const struct sshbuf *buf, size_t len)
+ {
+Index: openssh-9.3p2/sshbuf.h
+===================================================================
+--- openssh-9.3p2.orig/sshbuf.h
++++ openssh-9.3p2/sshbuf.h
+@@ -298,6 +298,9 @@ int sshbuf_write_file(const char *path,
+ int sshbuf_read(int, struct sshbuf *, size_t, size_t *)
+     __attribute__((__nonnull__ (2)));
+ 
++void sshbuf_obfuscate(struct sshbuf *buf);
++void sshbuf_unobfuscate(struct sshbuf *buf);
++
+ /* Macros for decoding/encoding integers */
+ #define PEEK_U64(p) \
+ 	(((u_int64_t)(((const u_char *)(p))[0]) << 56) | \
+Index: openssh-9.3p2/sshd.c
+===================================================================
+--- openssh-9.3p2.orig/sshd.c
++++ openssh-9.3p2/sshd.c
+@@ -272,6 +272,19 @@ static void do_ssh2_kex(struct ssh *);
+ static char *listener_proctitle;
+ 
+ /*
++ * Clear some stack space. This is a bit naive, but hopefully helps mitigate
++ * information leaks due to registers and other data having been stored on
++ * the stack. Called after fork() and before exit().
++ */
++static void
++clobber_stack(void)
++{
++	char data [32768];
++
++	explicit_bzero(data, 32768);
++}
++
++/*
+  * Close all listening sockets
+  */
+ static void
+@@ -430,6 +443,8 @@ destroy_sensitive_data(struct ssh *ssh,
+ 			sensitive_data.host_certificates[i] = NULL;
+ 		}
+ 	}
++
++	clobber_stack();
+ }
+ 
+ /* Demote private to public keys for network child */
+@@ -600,6 +615,8 @@ privsep_preauth(struct ssh *ssh)
+ static void
+ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
+ {
++	clobber_stack();
++
+ #ifdef DISABLE_FD_PASSING
+ 	if (1) {
+ #else
+@@ -2360,6 +2377,7 @@ main(int ac, char **av)
+ 	if (use_privsep) {
+ 		mm_send_keystate(ssh, pmonitor);
+ 		ssh_packet_clear_keys(ssh);
++		clobber_stack();
+ 		exit(0);
+ 	}
+ 
+@@ -2436,6 +2454,7 @@ main(int ac, char **av)
+ 	if (use_privsep)
+ 		mm_terminate();
+ 
++	clobber_stack();
+ 	exit(0);
+ }
+ 
+@@ -2596,8 +2615,10 @@ cleanup_exit(int i)
+ 	/* cleanup_exit can be called at the very least from the privsep
+ 	   wrappers used for auditing.  Make sure we don't recurse
+ 	   indefinitely. */
+-	if (in_cleanup)
++	if (in_cleanup) {
++		clobber_stack();
+ 		_exit(i);
++	}
+ 	in_cleanup = 1;
+ 	if (the_active_state != NULL && the_authctxt != NULL) {
+ 		do_cleanup(the_active_state, the_authctxt);
+@@ -2623,5 +2644,7 @@ cleanup_exit(int i)
+ 	    (!use_privsep || mm_is_monitor()))
+ 		audit_event(the_active_state, SSH_CONNECTION_ABANDON);
+ #endif
++
++	clobber_stack();
+ 	_exit(i);
+ }

openssh.changes

@@ -1,3 +1,133 @@
+-------------------------------------------------------------------
+Fri Jul  5 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add patch from upstream to fix proxy multiplexing mode:
+  * 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
+- Add patch from upstream to restore correctly sigprocmask
+  * 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
+- Add patch from upstream to fix a logic error in
+  ObscureKeystrokeTiming that rendered this feature ineffective,
+  allowing a passive observer to detect which network packets
+  contained real keystrokes (bsc#1227318, CVE-2024-39894):
+  * 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
+
+-------------------------------------------------------------------
+Wed Jul  3 16:53:53 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add obsoletes for openssh-server-config-rootlogin since that
+  package existed for a brief period of time during SLE 15 SP6/
+  Leap 15.6 development but even if it was removed from the
+  repositories before GM, some users might have it in their
+  systems from having tried a beta/RC release (boo#1227350).
+
+-------------------------------------------------------------------
+Mon Jul  1 07:50:28 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add patch to fix a race condition in a signal handler by removing
+  the async-signal-unsafe code (CVE-2024-6387, bsc#1226642):
+  * fix-CVE-2024-6387.patch
+
+-------------------------------------------------------------------
+Mon Jun 10 07:10:48 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add #include <stdlib.h> in some files added by the ldap patch to
+  fix build with gcc14 (boo#1225904).
+  * openssh-7.7p1-ldap.patch
+
+-------------------------------------------------------------------
+Fri May 17 07:45:38 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Remove the recommendation for openssh-server-config-rootlogin
+  from openssh-server. Since the default for that config option
+  was changed in SLE it's not needed anymore in SLE nor in TW
+  (boo#1224392).
+
+-------------------------------------------------------------------
+Tue May 14 19:29:05 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add a warning in %post of openssh-clients, openssh-server and 
+  openssh-server-config-disallow-rootlogin to warn the user if
+  the /etc/ssh/(ssh_config.d|sshd_config.d) directories are not
+  being used (bsc#1223486).
+
+-------------------------------------------------------------------
+Mon May 13 15:27:37 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Only for SLE15, restore the patch file removed in
+  Thu Feb 18 13:54:44 UTC 2021 to restore the previous behaviour
+  from SP5 of having root password login allowed by default
+  (fixes bsc#1223486, related to bsc#1173067):
+  * openssh-7.7p1-allow_root_password_login.patch
+- Since the default value for this config option is now set to
+  permit root to use password logins in SLE15, the
+  openssh-server-config-rootlogin subpackage isn't useful there so 
+  we now create an openssh-server-config-disallow-rootlogin
+  subpackage that sets the configuration the other way around
+  than openssh-server-config-rootlogin.
+
+-------------------------------------------------------------------
+Mon Apr 15 13:21:50 UTC 2024 - Marcus Meissner <meissner@suse.com>
+
+- openssh-8.0p1-gssapi-keyex.patch: Added missing struct initializer,
+  added missing parameter (bsc#1222840)
+
+-------------------------------------------------------------------
+Fri Apr 12 10:04:45 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Make openssh-server recommend the openssh-server-config-rootlogin
+  package in SLE in order to keep the same behaviour of previous
+  SPs where the PermitRootLogin default was set to yes
+  (bsc#1221005).
+- Fix crypto-policies requirement to be set by openssh-server, not
+  the config-rootlogin subpackage.
+- Add back %config(noreplace) tag for more config files that were
+  already set like this in previous SPs.
+
+-------------------------------------------------------------------
+Thu Apr 11 06:35:21 UTC 2024 - Arnav Singh <opensuse@arnavion.dev>
+
+- Fix duplicate loading of dropins. (boo#1222467)
+
+-------------------------------------------------------------------
+Fri Apr  5 11:10:18 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add missing bugzilla/CVE references to the changelog
+
+-------------------------------------------------------------------
+Thu Apr  4 12:23:13 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add patch from SLE which was missing in Factory:
+  * Mon Jun  7 20:54:09 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
+- Add openssh-mitigate-lingering-secrets.patch (bsc#1186673), which
+  attempts to mitigate instances of secrets lingering in memory
+  after a session exits. (bsc#1213004 bsc#1213008) 
+- Rebase patch:
+  * openssh-6.6p1-privsep-selinux.patch
+
+-------------------------------------------------------------------
+Tue Apr  2 13:07:43 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
+   
+- Rebase openssh-7.7p1-fips.patch (bsc#1221928) 
+  Remove OPENSSL_HAVE_EVPGCM-ifdef, which is no longer supported by
+  upstream
+
+-------------------------------------------------------------------
+Tue Apr  2 11:23:05 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Use %config(noreplace) for sshd_config . In any case, it's
+  recommended to drop a file in sshd_config.d instead of editing
+  sshd_config (bsc#1221063)
+- Use %{_libexecdir} when removing ssh-keycat instead of the
+  hardcoded path so it works in TW and SLE.
+
+-------------------------------------------------------------------
+Mon Mar  4 09:57:06 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Add crypto-policies support [bsc#1211301]
+  * Add patches:
+    - openssh-9.6p1-crypto-policies.patch
+    - openssh-9.6p1-crypto-policies-man.patch
+
 -------------------------------------------------------------------
 Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
 
@@ -10,7 +140,8 @@ Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
     protocol by sending extra messages prior to the commencement of
     encryption, and deleting an equal number of consecutive messages
     immediately after encryption starts. A peer SSH client/server
-    would not be able to detect that messages were deleted.
+    would not be able to detect that messages were deleted
+    (bsc#1217950, CVE-2023-48795).
   * ssh-agent(1): when adding PKCS#11-hosted private keys while
     specifying destination constraints, if the PKCS#11 token returned
     multiple keys then only the first key had the constraints applied.
@@ -22,7 +153,8 @@ Sun Feb 25 18:26:23 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
     user or hostname via %u, %h or similar expansion token, then
     an attacker who could supply arbitrary user/hostnames to ssh(1)
     could potentially perform command injection depending on what
-    quoting was present in the user-supplied ssh_config(5) directive.
+    quoting was present in the user-supplied ssh_config(5) directive
+    (bsc#1218215, CVE-2023-51385).
 
   = Potentially incompatible changes
   * ssh(1), sshd(8): the RFC4254 connection/channels protocol provides
@@ -262,14 +394,14 @@ Wed Sep 27 06:28:57 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
 -------------------------------------------------------------------
 Fri Jul 21 02:48:58 UTC 2023 - Simon Lees <sflees@suse.de>
 
-- Update to openssh 9.3p2 (bsc#1213504, CVE-2023-38408):
+- Update to openssh 9.3p2:
   Security
   ========
 
-  Fix CVE-2023-38408 - a condition where specific libaries loaded via
+  Fix a condition where specific libaries loaded via
   ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
   code execution via a forwarded agent socket if the following
-  conditions are met:
+  conditions are met (bsc#1213504, CVE-2023-38408):
 
   * Exploitation requires the presence of specific libraries on
     the victim system.
@@ -1025,7 +1157,7 @@ Tue Sep 28 17:50:57 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
 
     Depending on system configuration, inherited groups may allow
     AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
-    gain unintended privilege.
+    gain unintended privilege (bsc#1190975, CVE-2021-41617).
 
     Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
     enabled by default in sshd_config(5).
@@ -1224,7 +1356,7 @@ Tue Sep 28 17:50:57 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
   * ssh-agent(1): fixed a double-free memory corruption that was
     introduced in OpenSSH 8.2 . We treat all such memory faults as
     potentially exploitable. This bug could be reached by an attacker
-    with access to the agent socket.
+    with access to the agent socket (bsc#1183137, CVE-2021-28041)
 
   = Potentially-incompatible changes
   * ssh(1), sshd(8): this release changes the first-preference signature
@@ -2253,7 +2385,9 @@ Tue Oct  9 11:01:40 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
   * openssh-7.7p1-fips.patch
   * openssh-7.7p1-cavstest-ctr.patch
   * openssh-7.7p1-cavstest-kdf.patch
-  * openssh-7.7p1-fips_checks.patch
+  * openssh-7.7p1-fips_checks.patch . Close the right
+    filedescriptor to avoid fd leads, and also close fdh in
+    read_hmac (bsc#1209536).
   * openssh-7.7p1-seed-prng.patch
   * openssh-7.7p1-systemd-notify.patch
   * openssh-7.7p1-gssapi_key_exchange.patch

openssh.spec

@@ -28,8 +28,10 @@
 
 %if 0%{?suse_version} >= 1550
 %bcond_without wtmpdb
+%bcond_with allow_root_password_login_by_default
 %else
 %bcond_with wtmpdb
+%bcond_without allow_root_password_login_by_default
 %endif
 
 #Compat macro for new _fillupdir macro introduced in Nov 2017
@@ -116,12 +118,27 @@ Patch49:        openssh-do-not-send-empty-message.patch
 Patch50:        openssh-openssl-3.patch
 Patch51:        wtmpdb.patch
 Patch52:        logind_set_tty.patch
+Patch54:        openssh-mitigate-lingering-secrets.patch
 Patch100:       fix-missing-lz.patch
 Patch102:       openssh-7.8p1-role-mls.patch
 Patch103:       openssh-6.6p1-privsep-selinux.patch
 Patch104:       openssh-6.6p1-keycat.patch
 Patch105:       openssh-6.6.1p1-selinux-contexts.patch
 Patch106:       openssh-7.6p1-cleanup-selinux.patch
+# PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
+Patch107:       openssh-9.6p1-crypto-policies.patch
+Patch108:       openssh-9.6p1-crypto-policies-man.patch
+# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387
+Patch109:       fix-CVE-2024-6387.patch
+# PATCH-FIX-UPSTREAM 
+Patch110:       0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
+# PATCH-FIX-UPSTREAM 
+Patch111:       0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
+# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894
+Patch112:       0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
+%if 0%{with allow_root_password_login_by_default}
+Patch1000:      openssh-7.7p1-allow_root_password_login.patch
+%endif
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
@@ -186,12 +203,19 @@ clients.
 Summary:        SSH (Secure Shell) server
 Group:          Productivity/Networking/SSH
 Requires:       %{name}-common = %{version}-%{release}
+Requires:       crypto-policies >= 20220824
 Recommends:     audit
 Requires(pre):  findutils
 Requires(pre):  grep
 Requires(post): %fillup_prereq
 Requires(post): permissions
 Provides:       openssh:%{_sbindir}/sshd
+%if 0%{with allow_root_password_login_by_default}
+# For a brief period of time this package existed in SLE/Leap.
+# It was removed before GM but some people might have it from
+# a beta distribution version (boo#1227350)
+Obsoletes:      openssh-server-config-rootlogin <= %{version}
+%endif
 %sysusers_requires
 
 %description server
@@ -206,20 +230,36 @@ also be forwarded over the secure channel.
 This package contains the Secure Shell daemon, which allows clients to
 securely connect to your server.
 
+%if 0%{with allow_root_password_login_by_default}
+%package server-config-disallow-rootlogin
+Summary:        Config to disallow password root logins to sshd
+Group:          Productivity/Networking/SSH
+Requires:       %{name}-server = %{version}-%{release}
+Conflicts:      %{name}-server-config-rootlogin
+
+%description server-config-disallow-rootlogin
+The openssh-server package by default allows password based
+root logins. This package provides a config that disallows root
+to log in using the passwor. It's useful to secure your system
+preventing password attacks on the root account over ssh.
+%else
 %package server-config-rootlogin
 Summary:        Config to permit root logins to sshd
 Group:          Productivity/Networking/SSH
 Requires:       %{name}-server = %{version}-%{release}
+Conflicts:      %{name}-server-config-disallow-rootlogin
 
 %description server-config-rootlogin
 The openssh-server package by default disallows password based
 root logins. This package provides a config that does. It's useful
 to temporarily have a password based login to be able to use
 ssh-copy-id(1).
+%endif
 
 %package clients
 Summary:        SSH (Secure Shell) client applications
 Group:          Productivity/Networking/SSH
+Requires:       crypto-policies >= 20220824
 Requires:       %{name}-common = %{version}-%{release}
 Provides:       openssh:%{_bindir}/ssh
 
@@ -360,7 +400,11 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
 install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
 
+%if 0%{with allow_root_password_login_by_default}
+echo "PermitRootLogin prohibit-password" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
+%else
 echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+%endif
 
 # Move /etc to /usr/etc/ssh
 %if %{defined _distconfdir}
@@ -368,8 +412,19 @@ mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
 mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
+%if 0%{with allow_root_password_login_by_default}
+mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
+%else
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
 %endif
+%endif
+
+install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
+%if %{defined _distconfdir}
+install -m 644 sshd_config_suse_cp %{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
+%else
+install -m 644 sshd_config_suse_cp %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
+%endif
 
 %if 0%{?suse_version} < 1550
 # install firewall definitions
@@ -388,7 +443,7 @@ install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start
 mkdir -p %{buildroot}%{_sysusersdir}
 install -m 644 %{SOURCE14} %{buildroot}%{_sysusersdir}/sshd.conf
 
-rm %{buildroot}/usr/libexec/ssh/ssh-keycat
+rm %{buildroot}%{_libexecdir}/ssh/ssh-keycat
 #rm -r %{buildroot}/usr/lib/debug/.build-id
 
 # the hmac hashes - taken from openssl
@@ -422,6 +477,15 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
 %{fillup_only -n ssh}
 %service_add_post sshd.service
 
+%if ! %{defined _distconfdir}
+test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
+    echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
+    echo " /etc/ssh/sshd_config.d/ . The crypto-policies configuration won't"
+    echo "be honored until the following line is added at the start of"
+    echo "/etc/ssh/sshd_config :"
+    echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
+%endif
+
 %preun server
 %service_del_preun sshd.service
 
@@ -435,6 +499,16 @@ else
 %service_del_postun sshd.service
 fi
 
+%if ! %{defined _distconfdir}
+%post server-config-disallow-rootlogin
+test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
+    echo "WARNING: /etc/ssh/sshd_config doesn't include config files from"
+    echo " /etc/ssh/sshd_config.d/ . The config file installed by"
+    echo "openssh-server-config-disallow-rootlogin won't be used until"
+    echo "the following line is added at the start of /etc/ssh/sshd_config :"
+    echo "Include /etc/ssh/sshd_config.d/*.conf" ) ) ||:
+%endif
+
 %if %{defined _distconfdir}
 %posttrans server
 # Migration to /usr/etc.
@@ -448,6 +522,16 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/
 test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config.rpmsave.old ||:
 %endif
 
+%if ! %{defined _distconfdir}
+%post clients
+test -f /etc/ssh/ssh_config && (grep -q "^Include /etc/ssh/ssh_config\.d/\*\.conf" /etc/ssh/ssh_config || ( \
+    echo "WARNING: /etc/ssh/ssh_config doesn't include config files from"
+    echo " /etc/ssh/ssh_config.d/ . The crypto-policies configuration won't"
+    echo "be honored until the following line is added at the start of"
+    echo "/etc/ssh/ssh_config :"
+    echo "Include /etc/ssh/ssh_config.d/*.conf" ) ) ||:
+%endif
+
 %if %{defined _distconfdir}
 %posttrans clients
 # Migration to /usr/etc.
@@ -472,7 +556,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %attr(0755,root,root) %dir %{_distconfdir}/ssh/ssh_config.d
 %else
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
-%attr(0600,root,root) %{_sysconfdir}/ssh/moduli
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d
 %endif
 %attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
@@ -488,12 +572,17 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %if %{defined _distconfdir}
 %attr(0755,root,root) %dir %{_distconfdir}/ssh
 %attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d
-%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config
+%attr(0640,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config
 %attr(0644,root,root) %{_pam_vendordir}/sshd
 %else
-%attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config
+%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
 %endif
+%if %{defined _distconfdir}
+%attr(0600,root,root) %config(noreplace) %{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
+%else
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
+%endif
 %attr(0644,root,root) %{_unitdir}/sshd.service
 %attr(0644,root,root) %{_sysusersdir}/sshd.conf
 %attr(0444,root,root) %{_mandir}/man5/sshd_config*
@@ -511,19 +600,29 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %config %{_fwdefdir}/sshd
 %endif
 
+%if 0%{with allow_root_password_login_by_default}
+%files server-config-disallow-rootlogin
+%if %{defined _distconfdir}
+%{_distconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
+%else
+%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/51-permit-root-login.conf
+%endif
+%else
 %files server-config-rootlogin
 %if %{defined _distconfdir}
 %{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
 %else
-%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+%config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+%endif
 %endif
 
 %files clients
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
 %if %{defined _distconfdir}
 %attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
 %else
-%attr(0644,root,root) %{_sysconfdir}/ssh/ssh_config
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
 %endif
 %attr(0755,root,root) %{_bindir}/ssh
 %attr(0755,root,root) %{_bindir}/scp*