diff --git a/_multibuild b/_multibuild
new file mode 100644
index 0000000..2c8d823
--- /dev/null
+++ b/_multibuild
@@ -0,0 +1,3 @@
+
+ openssh-askpass-gnome
+
diff --git a/fix-missing-lz.patch b/fix-missing-lz.patch
new file mode 100644
index 0000000..bc82afa
--- /dev/null
+++ b/fix-missing-lz.patch
@@ -0,0 +1,25 @@
+Index: openssh-9.3p1/Makefile.in
+===================================================================
+--- openssh-9.3p1.orig/Makefile.in
++++ openssh-9.3p1/Makefile.in
+@@ -250,17 +250,17 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
+- $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
++ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+
+ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
+ $(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
+
+ # FIPS tests
+ cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
+- $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
++ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+
+ cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
+- $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
++ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+
+ # test driver for the loginrec code - not built by default
+ logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch
index 03f57a8..1414775 100644
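Review bot: The three link lines that fix-missing-lz.patch changes append a literal `-lz` after `$(LIBFIDO2)` instead of relying on the zlib that configure already detects, so the patch hard-codes both the library and its position (presumably a link-order problem, with the zlib already present in `$(LIBS)` being consumed before the libfido2 objects that need it). The patch has no header, so the undefined symbol that motivated it and the fact that it only applies on top of openssh-7.7p1-ldap.patch (its context line `ssh-ldap-helper$(EXEEXT)` comes from that patch) are recorded nowhere. A short header such as `# Link zlib after libfido2 for sftp-server and the cavstest-* binaries (undefined symbol: <fill in>); apply after openssh-7.7p1-ldap.patch` would keep the next refresh from dropping it, and moving `$(LIBS)` after `$(LIBFIDO2)` would be the less fragile fix if the ordering is indeed the cause.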
--- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch @@ -16,28 +16,28 @@ Index: openssh-8.8p1/Makefile.in SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect2.o mux.o $(SKOBJS) -Index: openssh-8.8p1/cipher-ctr.c -=================================================================== ---- openssh-8.8p1.orig/cipher-ctr.c -+++ openssh-8.8p1/cipher-ctr.c -@@ -27,6 +27,8 @@ - #include "xmalloc.h" - #include "log.h" - -+#include "fips.h" -+ - /* compatibility with old or broken OpenSSL versions */ - #include "openbsd-compat/openssl-compat.h" - -@@ -139,6 +141,8 @@ evp_aes_128_ctr(void) - #ifndef SSH_OLD_EVP - aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | - EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; -+ if (fips_mode()) -+ aes_ctr.flags |= EVP_CIPH_FLAG_FIPS; - #endif - return (&aes_ctr); - } +#Index: openssh-8.8p1/cipher-ctr.c +#=================================================================== +#--- openssh-8.8p1.orig/cipher-ctr.c +#+++ openssh-8.8p1/cipher-ctr.c +#@@ -27,6 +27,8 @@ +# #include "xmalloc.h" +# #include "log.h" +# +#+#include "fips.h" +#+ +# /* compatibility with old or broken OpenSSL versions */ +# #include "openbsd-compat/openssl-compat.h" +# +#@@ -139,6 +141,8 @@ evp_aes_128_ctr(void) +# #ifndef SSH_OLD_EVP +# aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | +# EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; +#+ if (fips_mode()) +#+ aes_ctr.flags |= EVP_CIPH_FLAG_FIPS; +# #endif +# return (&aes_ctr); +# } Index: openssh-8.8p1/cipher.c =================================================================== --- openssh-8.8p1.orig/cipher.c @@ -416,8 +416,8 @@ Index: openssh-8.8p1/kex.c --- openssh-8.8p1.orig/kex.c +++ openssh-8.8p1/kex.c @@ -62,6 +62,8 @@ - #include "sshbuf.h" #include "digest.h" + #include "xmalloc.h" +#include "fips.h" + 
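Review bot: The cipher-ctr.c section of openssh-7.7p1-fips.patch is kept with every line prefixed by `#` instead of being deleted, which leaves a dead hunk in the patch whose only effect is to make the next rebase harder, and the reason for dropping it (presumably cipher-ctr.c and the custom AES-CTR with its `EVP_CIPH_FLAG_FIPS` flag are gone in 9.3p1 — not verifiable from this hunk) is recorded nowhere. The same `#`-commenting appears inside hunk bodies in this file's ssh-keygen.c section, in openssh-7.7p1-pam_check_locks.patch, openssh-7.7p1-systemd-notify.patch and the clientloop.c and sshd.c sections of openssh-8.0p1-gssapi-keyex.patch; whether GNU patch accepts a `#` line inside a hunk body rather than reporting a malformed hunk should be confirmed with a quilt push of each. Drop the commented hunks and state the rationale in the patch header instead, e.g. `# cipher-ctr.c hunk dropped: file no longer present upstream — TODO confirm`.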
@@ -743,7 +743,8 @@ Index: openssh-8.8p1/ssh-keygen.c + struct Key_types key_types_all[] = { #ifdef WITH_OPENSSL { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, - { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, + #ifdef OPENSSL_HAS_ECC +# { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, @@ -1056,6 +1060,17 @@ do_gen_all_hostkeys(struct passwd *pw) { NULL, NULL, NULL } }; diff --git a/openssh-7.7p1-fips_checks.patch b/openssh-7.7p1-fips_checks.patch index 85111ab..ebbf1ab 100644 --- a/openssh-7.7p1-fips_checks.patch +++ b/openssh-7.7p1-fips_checks.patch @@ -459,8 +459,8 @@ Index: openssh-8.8p1/sshd.c --- openssh-8.8p1.orig/sshd.c +++ openssh-8.8p1/sshd.c @@ -1547,6 +1547,10 @@ main(int ac, char **av) - Authctxt *authctxt; struct connection_info *connection_info = NULL; + sigset_t sigmask; + /* initialize fips - can go before ssh_malloc_init(), since that is a + * OpenBSD-only thing (as of OpenSSH 7.6p1) */ diff --git a/openssh-7.7p1-ldap.patch b/openssh-7.7p1-ldap.patch index 151299e..9f11f91 100644 --- a/openssh-7.7p1-ldap.patch +++ b/openssh-7.7p1-ldap.patch @@ -148,7 +148,7 @@ Index: openssh-8.9p1/Makefile.in sshkey-xmss.o \ @@ -162,8 +167,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve - SFTP_OBJS= sftp.o progressmeter.o $(SFTP_CLIENT_OBJS) + SFTP_OBJS= sftp.o sftp-usergroup.o progressmeter.o $(SFTP_CLIENT_OBJS) -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 @@ -159,7 +159,7 @@ Index: openssh-8.9p1/Makefile.in CONFIGFILES=sshd_config.out ssh_config.out moduli.out 
@@ -246,6 +251,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) - $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS) +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) diff --git a/openssh-7.7p1-pam_check_locks.patch b/openssh-7.7p1-pam_check_locks.patch index a0480f7..4186015 100644 --- a/openssh-7.7p1-pam_check_locks.patch +++ b/openssh-7.7p1-pam_check_locks.patch @@ -10,23 +10,23 @@ Index: openssh-8.8p1/auth.c --- openssh-8.8p1.orig/auth.c +++ openssh-8.8p1/auth.c 
@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas + if (!pw || !pw->pw_name) return 0; - #ifdef USE_SHADOW -- if (!options.use_pam) -+ if (!options.use_pam || options.use_pam_check_locks) - spw = getspnam(pw->pw_name); - #ifdef HAS_SHADOW_EXPIRE - if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw)) -@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas - #endif - - /* check for locked account */ -- if (!options.use_pam && passwd && *passwd) { -+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) { - int locked = 0; - - #ifdef LOCKED_PASSWD_STRING +- if (!options.use_pam && platform_locked_account(pw)) { ++ if ((!options.use_pam || options.use_pam_check_locks) && platform_locked_account(pw)) { + logit("User %.100s not allowed because account is locked", + pw->pw_name); + return 0; +#@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas +# #endif +# +# /* check for locked account */ +#- if (!options.use_pam && passwd && *passwd) { +#+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) { +# int locked = 0; +# +# #ifdef LOCKED_PASSWD_STRING Index: openssh-8.8p1/servconf.c =================================================================== --- openssh-8.8p1.orig/servconf.c diff --git a/openssh-7.7p1-seccomp_ipc_flock.patch b/openssh-7.7p1-seccomp_ipc_flock.patch index 8a3b545..4b77258 100644 --- a/openssh-7.7p1-seccomp_ipc_flock.patch +++ b/openssh-7.7p1-seccomp_ipc_flock.patch @@ -37,5 +37,5 @@ Index: openssh-8.8p1/sandbox-seccomp-filter.c + SC_ALLOW(__NR_ipc), +#endif #ifdef __NR_madvise - SC_ALLOW(__NR_madvise), - #endif + SC_ALLOW_ARG(__NR_madvise, 2, MADV_NORMAL), + # ifdef MADV_FREE diff --git a/openssh-7.7p1-sftp_print_diagnostic_messages.patch b/openssh-7.7p1-sftp_print_diagnostic_messages.patch index b6a1ed1..7b5ab04 100644 --- a/openssh-7.7p1-sftp_print_diagnostic_messages.patch +++ b/openssh-7.7p1-sftp_print_diagnostic_messages.patch 
@@ -34,8 +34,8 @@ Index: openssh-8.8p1/sftp.c infile = stdin; while ((ch = getopt(argc, argv, -- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { -+ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { +- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) { ++ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) { switch (ch) { /* Passed through to ssh(1) */ case 'A': diff --git a/openssh-7.7p1-systemd-notify.patch b/openssh-7.7p1-systemd-notify.patch index 354fc4c..ae55aae 100644 --- a/openssh-7.7p1-systemd-notify.patch +++ b/openssh-7.7p1-systemd-notify.patch @@ -8,8 +8,9 @@ Index: openssh-8.8p1/configure.ac --- openssh-8.8p1.orig/configure.ac +++ openssh-8.8p1/configure.ac @@ -4751,6 +4751,30 @@ AC_ARG_WITH([kerberos5], - AC_SUBST([GSSLIBS]) +# AC_SUBST([GSSLIBS]) AC_SUBST([K5LIBS]) + AC_SUBST([CHANNELLIBS]) +# Check whether user wants systemd support +SYSTEMD_MSG="no" diff --git a/openssh-8.0p1-gssapi-keyex.patch b/openssh-8.0p1-gssapi-keyex.patch index f9426cb..81512d5 100644 --- a/openssh-8.0p1-gssapi-keyex.patch +++ b/openssh-8.0p1-gssapi-keyex.patch @@ -12,7 +12,8 @@ Index: openssh-8.9p1/Makefile.in @@ -132,7 +133,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ - auth2-none.o auth2-passwd.o auth2-pubkey.o \ +# auth2-none.o auth2-passwd.o auth2-pubkey.o \ + auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \ monitor.o monitor_wrap.o auth-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ 
@@ -379,22 +380,38 @@ Index: openssh-8.9p1/clientloop.c /* import options */ extern Options options; -@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt - break; - - /* Do channel operations unless rekeying in progress. */ -- if (!ssh_packet_is_rekeying(ssh)) -+ if (!ssh_packet_is_rekeying(ssh)) { - channel_after_poll(ssh, pfd, npfd_active); +#@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt +## Replaced with the section below +# break; +# +# /* Do channel operations unless rekeying in progress. */ +#- if (!ssh_packet_is_rekeying(ssh)) +#+ if (!ssh_packet_is_rekeying(ssh)) { +# channel_after_poll(ssh, pfd, npfd_active); +# +#+#ifdef GSSAPI +#+ if (options.gss_renewal_rekey && +#+ ssh_gssapi_credentials_updated(NULL)) { +#+ debug("credentials updated - forcing rekey"); +#+ need_rekeying = 1; +#+ } +#+#endif +#+ } +#+ +# /* Buffer input from the connection. */ +# if (conn_in_ready) +# client_process_net_input(ssh); +@@ -1349,6 +1353,14 @@ client_loop(struct ssh *ssh, int have_pt + /* Do channel operations. */ + channel_after_poll(ssh, pfd, npfd_active); +#ifdef GSSAPI -+ if (options.gss_renewal_rekey && -+ ssh_gssapi_credentials_updated(NULL)) { -+ debug("credentials updated - forcing rekey"); -+ need_rekeying = 1; -+ } -+#endif ++ if (options.gss_renewal_rekey && ++ ssh_gssapi_credentials_updated(NULL)) { ++ debug("credentials updated - forcing rekey"); ++ need_rekeying = 1; + } ++#endif + /* Buffer input from the connection. */ if (conn_in_ready) @@ -1257,15 +1274,9 @@ Index: openssh-8.9p1/kex.c =================================================================== --- openssh-8.9p1.orig/kex.c +++ openssh-8.9p1/kex.c -@@ -57,11 +57,16 @@ - #include "misc.h" - #include "dispatch.h" - #include "monitor.h" -+#include "xmalloc.h" - - #include "ssherr.h" - #include "sshbuf.h" +@@ -57,6 +57,10 @@ #include "digest.h" + #include "xmalloc.h" +#ifdef GSSAPI +#include "ssh-gss.h" 
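Review bot: In the refreshed clientloop.c hunk the GSSAPI block is added at two-tab indent (`if (options.gss_renewal_rekey &&` … `need_rekeying = 1;`), but the only closing brace in the hunk is the inner context line `	}` at one tab, i.e. a brace the upstream file already has, and the inner header `@@ -1349,6 +1353,14 @@` announces eight added lines while six are visible. As rendered here the hunk is either truncated or leaves the new `if` unbalanced; either way it would not survive `quilt push` and a compile, so please verify it against the 9.3p1 source. If `channel_after_poll()` is indeed no longer inside an `if (!ssh_packet_is_rekeying(ssh))` block (the new inner context says `/* Do channel operations. */`), the added block should close with its own `++		}` before `++#endif` and be indented like the surrounding code.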
@@ -1274,7 +1285,7 @@ Index: openssh-8.9p1/kex.c #include "fips.h" /* prototype */ -@@ -119,6 +124,19 @@ static const struct kexalg kexalgs_all[] +@@ -119,6 +123,19 @@ static const struct kexalg kexalgs_all[] #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ { NULL, 0, -1, -1}, }; @@ -1294,7 +1305,7 @@ Index: openssh-8.9p1/kex.c static const struct kexalg kexalgs_fips140_2[] = { #ifdef WITH_OPENSSL -@@ -146,12 +164,12 @@ static const struct kexalg kexalgs_fips1 +@@ -146,12 +163,12 @@ static const struct kexalg kexalgs_fips1 /* Returns array of macs available depending on selected FIPS mode */ static const struct kexalg * @@ -1309,7 +1320,7 @@ Index: openssh-8.9p1/kex.c case 1: return kexalgs_fips140_2; default: -@@ -162,13 +180,13 @@ fips_select_kexalgs(void) +@@ -162,13 +179,13 @@ fips_select_kexalgs(void) } char * @@ -1325,7 +1336,7 @@ Index: openssh-8.9p1/kex.c if (ret != NULL) ret[rlen++] = sep; nlen = strlen(k->name); -@@ -183,15 +201,31 @@ kex_alg_list(char sep) +@@ -183,15 +200,31 @@ kex_alg_list(char sep) return ret; } @@ -1358,7 +1369,7 @@ Index: openssh-8.9p1/kex.c return NULL; } -@@ -363,6 +397,29 @@ kex_assemble_names(char **listp, const c +@@ -363,6 +396,29 @@ kex_assemble_names(char **listp, const c return r; } @@ -1385,10 +1396,10 @@ Index: openssh-8.9p1/kex.c + return 1; +} + - /* put algorithm proposal into buffer */ - int - kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) -@@ -765,6 +822,9 @@ kex_free(struct kex *kex) + /* + * Fill out a proposal array with dynamically allocated values, which may + * be modified as required for compatibility reasons. +@@ -765,6 +821,9 @@ kex_free(struct kex *kex) sshbuf_free(kex->session_id); sshbuf_free(kex->initial_sig); sshkey_free(kex->initial_hostkey); 
@@ -1439,9 +1450,9 @@ Index: openssh-8.9p1/kex.h char *kex_names_cat(const char *, const char *); int kex_assemble_names(char **, const char *, const char *); +int kex_gss_names_valid(const char *); - - int kex_exchange_identification(struct ssh *, int, const char *); - + void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX], + const char *, const char *, const char *, const char *, const char *); + void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]); @@ -209,6 +226,12 @@ int kexgex_client(struct ssh *); int kexgex_server(struct ssh *); int kex_gen_client(struct ssh *); @@ -3511,8 +3522,8 @@ Index: openssh-8.9p1/sshconnect2.c extern Options options; /* -@@ -220,6 +218,11 @@ ssh_kex2(struct ssh *ssh, char *host, st - char *s, *all_key; +@@ -220,10 +218,44 @@ ssh_kex2(struct ssh *ssh, char *host, st + char *s, *all_key, *hkalgs = NULL; int r, use_known_hosts_order = 0; +#if defined(GSSAPI) && defined(WITH_OPENSSL) @@ -3523,9 +3534,6 @@ Index: openssh-8.9p1/sshconnect2.c xxx_host = host; xxx_hostaddr = hostaddr; xxx_conn_info = cinfo; -@@ -264,6 +267,35 @@ ssh_kex2(struct ssh *ssh, char *host, st - compat_pkalg_proposal(ssh, options.hostkeyalgorithms); - } +#if defined(GSSAPI) && defined(WITH_OPENSSL) + if (options.gss_keyex) { @@ -3559,7 +3567,7 @@ Index: openssh-8.9p1/sshconnect2.c if (options.rekey_limit || options.rekey_interval) ssh_packet_set_rekey_limits(ssh, options.rekey_limit, options.rekey_interval); -@@ -282,16 +314,46 @@ ssh_kex2(struct ssh *ssh, char *host, st +@@ -282,17 +314,47 @@ ssh_kex2(struct ssh *ssh, char *host, st # ifdef OPENSSL_HAS_ECC ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; # endif 
@@ -3592,6 +3600,7 @@ Index: openssh-8.9p1/sshconnect2.c ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done); /* remove ext-info from the KEX proposals for rekeying */ + free(myproposal[PROPOSAL_KEX_ALGS]); myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, options.kex_algorithms); +#if defined(GSSAPI) && defined(WITH_OPENSSL) @@ -3751,8 +3760,13 @@ Index: openssh-8.9p1/sshd.c exit(1); } @@ -2397,6 +2398,48 @@ do_ssh2_kex(struct ssh *ssh) - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( - ssh, list_hostkey_types()); +# myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( +# ssh, list_hostkey_types()); +# myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = +# compat_pkalg_proposal(ssh, list_hostkey_types()); +# + + free(hkalgs); +#if defined(GSSAPI) && defined(WITH_OPENSSL) + { 
@@ -3884,22 +3898,40 @@ Index: openssh-8.9p1/sshkey.c =================================================================== --- openssh-8.9p1.orig/sshkey.c +++ openssh-8.9p1/sshkey.c -@@ -162,6 +162,7 @@ static const struct keytype keytypes[] = - # endif /* ENABLE_SK */ - # endif /* OPENSSL_HAS_ECC */ - #endif /* WITH_OPENSSL */ -+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 }, - { NULL, NULL, NULL, -1, -1, 0, 0 } +@@ -127,6 +127,17 @@ + extern const struct sshkey_impl sshkey_xmss_impl; + extern const struct sshkey_impl sshkey_xmss_cert_impl; + #endif ++const struct sshkey_impl sshkey_null_impl = { ++ /* .name = */ "null", ++ /* .shortname = */ "null", ++ /* .sigalg = */ NULL, ++ /* .type = */ KEY_NULL, ++ /* .nid = */ 0, ++ /* .cert = */ 0, ++ /* .sigonly = */ 0, ++ /* .keybits = */ 0, ++ /* .funcs = */ NULL, ++}; + + const struct sshkey_impl * const keyimpls[] = { + &sshkey_ed25519_impl, +@@ -162,6 +179,7 @@ static const struct keytype keytypes[] = + &sshkey_xmss_impl, + &sshkey_xmss_cert_impl, + #endif ++ &sshkey_null_impl, + NULL }; -@@ -286,7 +287,7 @@ sshkey_alg_list(int certs_only, int plai - const struct keytype *kt; +@@ -286,7 +304,7 @@ sshkey_alg_list(int certs_only, int plai - for (kt = keytypes; kt->type != -1; kt++) { -- if (kt->name == NULL) -+ if (kt->name == NULL || kt->type == KEY_NULL) + for (i = 0; keyimpls[i] != NULL; i++) { + impl = keyimpls[i]; +- if (impl->name == NULL) ++ if (impl->name == NULL || impl->type == KEY_NULL) continue; - if (!include_sigonly && kt->sigonly) + if (!include_sigonly && impl->sigonly) continue; Index: openssh-8.9p1/sshkey.h =================================================================== diff --git a/openssh-8.1p1-audit.patch b/openssh-8.1p1-audit.patch index 9210fea..6479633 100644 --- a/openssh-8.1p1-audit.patch +++ b/openssh-8.1p1-audit.patch 
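Review bot: `sshkey_null_impl` enters `keyimpls[]` with `.funcs = NULL`, yet the only KEY_NULL guard added in this hunk is the `impl->type == KEY_NULL` skip in `sshkey_alg_list()`. Any other loop over `keyimpls[]` that reaches `impl->funcs` — the name/type lookups and per-key dispatch are not in this hunk — would dereference NULL once the "null" name is looked up, so each such loop needs the same guard or the impl needs stub functions that return an error. The definition is also non-static; unless sshkey.h declares it (not visible here), `static const struct sshkey_impl sshkey_null_impl` keeps it file-local. A comment above it such as `/* Placeholder impl for the GSSAPI key exchange: funcs is NULL, so every keyimpls[] walk must skip KEY_NULL. */` would make the contract explicit.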
@@ -768,8 +768,8 @@ Index: openssh-8.9p1/auth.h +int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t, + const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); - FILE *auth_openkeyfile(const char *, struct passwd *, int); - FILE *auth_openprincipals(const char *, struct passwd *, int); + int auth_key_is_revoked(struct sshkey *); + @@ -209,6 +211,8 @@ struct sshkey *get_hostkey_private_by_ty int get_hostkey_index(struct sshkey *, int, struct ssh *); int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *, @@ -843,8 +843,8 @@ Index: openssh-8.9p1/auth2-pubkey.c +} + static int - match_principals_option(const char *principal_list, struct sshkey_cert *cert) - { + match_principals_file(struct passwd *pw, char *file, + struct sshkey_cert *cert, struct sshauthopt **authoptsp) Index: openssh-8.9p1/auth2.c =================================================================== --- openssh-8.9p1.orig/auth2.c @@ -934,9 +934,9 @@ Index: openssh-8.9p1/kex.c --- openssh-8.9p1.orig/kex.c +++ openssh-8.9p1/kex.c @@ -62,6 +62,7 @@ - #include "ssherr.h" #include "sshbuf.h" #include "digest.h" + #include "xmalloc.h" +#include "audit.h" #ifdef GSSAPI @@ -2165,7 +2165,7 @@ Index: openssh-8.9p1/session.h @@ -71,10 +77,12 @@ void session_unused(int); int session_input_channel_req(struct ssh *, Channel *, const char *); void session_close_by_pid(struct ssh *ssh, pid_t, int); - void session_close_by_channel(struct ssh *, int, void *); + void session_close_by_channel(struct ssh *, int, int, void *); -void session_destroy_all(struct ssh *, void (*)(Session *)); +void session_destroy_all(struct ssh *, void (*)(struct ssh*, Session *)); void session_pty_cleanup2(Session *); @@ -2357,7 +2357,7 @@ Index: openssh-8.9p1/sshd.c +server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s) { struct pollfd *pfd = NULL; - int i, j, ret; + int i, j, ret, npfd; 
@@ -1179,6 +1234,7 @@ server_accept_loop(int *sock_in, int *so if (received_sigterm) { logit("Received signal %d; terminating.", diff --git a/openssh-8.1p1-ed25519-use-openssl-rng.patch b/openssh-8.1p1-ed25519-use-openssl-rng.patch index 2faf97f..fe11530 100644 --- a/openssh-8.1p1-ed25519-use-openssl-rng.patch +++ b/openssh-8.1p1-ed25519-use-openssl-rng.patch @@ -9,7 +9,7 @@ index 767ec24..5d506a9 100644 --- a/ed25519.c +++ b/ed25519.c @@ -9,6 +9,13 @@ - #include "includes.h" + #include "crypto_api.h" +#ifdef WITH_OPENSSL @@ -19,12 +19,12 @@ index 767ec24..5d506a9 100644 + +#include "log.h" + - #include "ge25519.h" - - static void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen) + #define int8 crypto_int8 + #define uint8 crypto_uint8 + #define int16 crypto_int16 @@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair( - unsigned char extsk[64]; - int i; + sc25519 scsk; + ge25519 gepk; +#ifdef WITH_OPENSSL + /* Use FIPS approved RNG */ @@ -32,12 +32,12 @@ index 767ec24..5d506a9 100644 + fatal("Couldn't obtain random bytes (error 0x%lx)", + (unsigned long)ERR_get_error()); +#else - randombytes(sk, 32); + randombytes(sk,32); +#endif + - crypto_hash_sha512(extsk, sk, 32); - extsk[0] &= 248; - extsk[31] &= 127; + crypto_hash_sha512(az,sk,32); + az[0] &= 248; + az[31] &= 127; diff --git a/kexc25519.c b/kexc25519.c index f13d766..2604eda 100644 --- a/kexc25519.c diff --git a/openssh-8.4p1-vendordir.patch b/openssh-8.4p1-vendordir.patch index 7c34be3..3b38457 100644 --- a/openssh-8.4p1-vendordir.patch +++ b/openssh-8.4p1-vendordir.patch @@ -106,7 +106,7 @@ Index: openssh-8.9p1/ssh_config.5 +.Pq Pa /usr/etc/ssh/ssh_config .El .Pp - For each parameter, the first obtained value + Unless noted otherwise, for each parameter, the first obtained value 
@@ -2220,6 +2223,11 @@ This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file.
diff --git a/openssh-8.9p1.tar.gz b/openssh-8.9p1.tar.gz
deleted file mode 100644
index c994b36..0000000
--- a/openssh-8.9p1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7
-size 1820282
diff --git a/openssh-8.9p1.tar.gz.asc b/openssh-8.9p1.tar.gz.asc
deleted file mode 100644
index a554f9f..0000000
--- a/openssh-8.9p1.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmIWG5YACgkQKj9BTnNg
-YLoL2A//TuX5vo9EplHaoqTbgL5KkwaJGaae2bXczbw1N8anfSlnPi7IAL4TkLFW
-SpIAGYcDoxqSAT62Ad9TsIvallPWmzG8mIa1M6dgQHUW95KbI5NHC53NgMkExI7O
-x9HGDanLRoXCwbDrYAZN8UlddTsZYGrfoVso7lrW87lcTkM4AYQKNbCum/C8OUq0
-esJgaaiXTIK+Rwbtpa+msDo8scfq08IG4rMM+kiNOnYpxaVyPIvspUF/ULinEQ5M
-KrgRCZKI6573yZAdzA3KE6fXlzFJuxqcpk8Zimdm6c5+TEk30pzZ65Q+KLLrW7Gm
-YK9gkkbdGWvtoRoE66RnPcBbPoFFM3h0mPhY/08iKHZKQL29bhDABx5qqUN0WDtg
-uqz21PT/yXwxXglvHRMtq9w1dzjrPs/aEWQiO2ta+tspC+vUwVjnengmvcj7pP6B
-4MQWDcw0ZULn5ns/Vzja6VO9V6hKYApCHs0o4lvBnXXtdIRNHmuROoVQsGPlBTKN
-jPSfz3XU7lebayJwGpJFVwfHYTzxGu8IuK7k6WUvCA4j98HbRpJCuNEZeE4Jsvlc
-CLhee1YTkUDtNb3GaV2F8a4pDyCxvxCBlhoTMdDDWLGibylpZKaqZyxuO+X7QTUM
-TfiyQEZ6YFqQj+f1/BjzPDeXXXMOYA5tgHumjB726rtmK1HB7ZQ=
-=5Ghp
------END PGP SIGNATURE-----
diff --git a/openssh-9.3p1.tar.gz b/openssh-9.3p1.tar.gz
new file mode 100644
index 0000000..f703f3c
--- /dev/null
+++ b/openssh-9.3p1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8
+size 1856839
diff --git a/openssh-9.3p1.tar.gz.asc b/openssh-9.3p1.tar.gz.asc
new file mode 100644
index 0000000..b3f840c
--- /dev/null
+++ b/openssh-9.3p1.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmQSOZYACgkQKj9BTnNg
+YLrKJg//fSKjNlnb3l75ZwLoWhwpEZQp7poEq5qCCRNvu4dleuU1sMxNPl9/Ow1i
+iZVW67OGNjIsJ7FJmHNF3UOgkH50c6OHivmDaTywDtyCLZvUVmaSfOe0own8s8KB
+OV7czHqd9giHQlGWWTxg9eVAfOaqpzXugkzo7UoTVqEqJ3Ru/FQ4RGSIjTGzuM/0
+EC+JkKyO+0pP3mr4XfZdxsbYc9WVEG9ZIlT153y9I5MfiWM1SC/0gg4NLz025Xaa
+ment5c+BdhIwYjC2f5F/9s0J6+lFHiFBHLQVGx4qq/Tx3XGfP0xBcS1V9Mkhyjzf
+ZXj6acQ+T50H8p3OWZyrWn11YNtGjzkwuQWrj8Ue4NPFGqgPbANeH32yOiIWpIh0
+CtpGnRGQP1zF14hEAR5gKangTNCp/IVMBhIs4UL3zI6uS2yRLTGOWcgrnjJv26vg
+jb2WmL0AeqYLZw41pbq+zmVizhhg8qk7KPQQsFxnalSFHz35tnHN8oQD5TCDxqtu
+f/roTbZhW/nnlaMlEAnB09LO6e1nyDIcJ6hj0CK9cSgIn8pb1q9GdjYx5PNKwsoa
+NuD+bqlzF5krjiOHJh+vDw0GKFusflL46Dmry5a4K0vLUGBn6uAUPtuwMdBsLofU
+k3a4zBMlOCm6o3WqgAug4fSwCfYkJ9Dc+FaedGC1X4fys4lV/6k=
+=deVJ
+-----END PGP SIGNATURE-----
diff --git a/openssh-askpass-gnome.changes b/openssh-askpass-gnome.changes
index bf7054e..b46b456 100644
--- a/openssh-askpass-gnome.changes
+++ b/openssh-askpass-gnome.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa
+
+- Update to openssh 9.3p1
+ * No changes for askpass, see main package changelog for
+ details
+
 -------------------------------------------------------------------
 Tue Sep 28 19:05:15 UTC 2021 - Hans Petter Jansson
diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec
index 746820c..e4e551d 100644
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@@ -18,7 +18,7 @@ %define _name openssh
 Name: openssh-askpass-gnome
-Version: 8.9p1
+Version: 9.3p1
 Release: 0
 Summary: A GNOME-Based Passphrase Dialog for OpenSSH
 License: BSD-2-Clause
diff --git a/openssh-reenable-dh-group14-sha1-default.patch b/openssh-reenable-dh-group14-sha1-default.patch
index 50c2e62..8a2293a 100644
--- a/openssh-reenable-dh-group14-sha1-default.patch
+++ b/openssh-reenable-dh-group14-sha1-default.patch
@@ -31,7 +31,7 @@ Index: openssh-8.9p1/sshd_config.5 --- openssh-8.9p1.orig/sshd_config.5 +++ openssh-8.9p1/sshd_config.5 @@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec - sntrup761x25519-sha512@openssh.com, + ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, -diffie-hellman-group14-sha256 diff --git a/openssh-whitelist-syscalls.patch b/openssh-whitelist-syscalls.patch index dcb25bd..0ea17d1 100644 --- a/openssh-whitelist-syscalls.patch +++ b/openssh-whitelist-syscalls.patch @@ -14,7 +14,7 @@ Index: openssh-8.8p1/sandbox-seccomp-filter.c #endif @@ -213,6 +216,9 @@ static const struct sock_filter preauth_ #ifdef __NR_futex_time64 - SC_ALLOW(__NR_futex_time64), + SC_FUTEX(__NR_futex_time64), #endif +#ifdef __NR_futex_time64 + SC_ALLOW(__NR_futex_time64), diff --git a/openssh.changes b/openssh.changes index 81250b0..b71f4aa 100644 --- a/openssh.changes +++ b/openssh.changes 
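Review bot: openssh-whitelist-syscalls.patch still adds an unconditional `SC_ALLOW(__NR_futex_time64)` immediately after the upstream entry that this refresh changes from `SC_ALLOW(__NR_futex_time64)` to `SC_FUTEX(__NR_futex_time64)`. The seccomp-bpf program is matched in order and SC_FUTEX, as I read it, only allows an allow-listed set of futex operations and falls through otherwise, so the trailing blanket allow makes every futex_time64 operation reachable again and undoes the futex-flag hardening in 9.3p1 that this commit's own changelog entry describes. The duplicate was merely redundant while both lines were SC_ALLOW; now the `#ifdef __NR_futex_time64` block the patch adds (its `#endif` lies past the end of this hunk) should be removed from the patch, since the upstream entry already covers the syscall.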
@@ -1,3 +1,479 @@ +------------------------------------------------------------------- +Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa + +- Update to openssh 9.3p1: + = Security + * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the + per-hop destination constraints (ssh-add -h ...) added in + OpenSSH 8.9, a logic error prevented the constraints from being + communicated to the agent. This resulted in the keys being added + without constraints. The common cases of non-smartcard keys and + keys without destination constraints are unaffected. This + problem was reported by Luci Stanescu. + + * ssh(1): Portable OpenSSH provides an implementation of the + getrrsetbyname(3) function if the standard library does not + provide it, for use by the VerifyHostKeyDNS feature. A + specifically crafted DNS response could cause this function to + perform an out-of-bounds read of adjacent stack data, but this + condition does not appear to be exploitable beyond denial-of- + service to the ssh(1) client. + The getrrsetbyname(3) replacement is only included if the + system's standard library lacks this function and portable + OpenSSH was not compiled with the ldns library (--with-ldns). + getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to + fetch SSHFP records. This problem was found by the Coverity + static analyzer. + + = New features + * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 + when outputting SSHFP fingerprints to allow algorithm + selection. bz3493 + * sshd(8): add a `sshd -G` option that parses and prints the + effective configuration without attempting to load private keys + and perform other checks. This allows usage of the option + before keys have been generated and for configuration + evaluation and verification by unprivileged users. 
+ + = Bugfixes + * scp(1), sftp(1): fix progressmeter corruption on wide displays; + bz3534 + * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing + usability of private keys as some systems are starting to + disable RSA/SHA1 in libcrypto. + * sftp-server(8): fix a memory leak. GHPR363 + * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol + compatibility code and simplify what's left. + * Fix a number of low-impact Coverity static analysis findings. + These include several reported via bz2687 + * ssh_config(5), sshd_config(5): mention that some options are + not first-match-wins. + * Rework logging for the regression tests. Regression tests will + now capture separate logs for each ssh and sshd invocation in + a test. + * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage + says it should; bz3532. + * ssh(1): ensure that there is a terminating newline when adding + a new entry to known_hosts; bz3529 + + = Portability + * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of + mmap(2), madvise(2) and futex(2) flags, removing some + concerning kernel attack surface. + * sshd(8): improve Linux seccomp-bpf sandbox for older systems; + bz3537 + +- Update to openssh 9.2p1: + = Security + * sshd(8): fix a pre-authentication double-free memory fault + introduced in OpenSSH 9.1. This is not believed to be + exploitable, and it occurs in the unprivileged pre-auth process + that is subject to chroot(2) and is further sandboxed on most + major platforms. + * ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen + option would ignore its first argument unless it was one of the + special keywords "any" or "none", causing the permission list + to fail open if only one permission was specified. 
bz3515 + * ssh(1): if the CanonicalizeHostname and + CanonicalizePermittedCNAMEs options were enabled, and the + system/libc resolver did not check that names in DNS responses + were valid, then use of these options could allow an attacker + with control of DNS to include invalid characters (possibly + including wildcards) in names added to known_hosts files when + they were updated. These names would still have to match the + CanonicalizePermittedCNAMEs allow-list, so practical + exploitation appears unlikely. + + = Potentially-incompatible changes + * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option + that controls whether the client-side ~C escape sequence that + provides a command-line is available. Among other things, the + ~C command-line could be used to add additional port-forwards + at runtime. + This option defaults to "no", disabling the ~C command-line + that was previously enabled by default. Turning off the + command-line allows platforms that support sandboxing of the + ssh(1) client (currently only OpenBSD) to use a stricter + default sandbox policy. + + = New features + * sshd(8): add support for channel inactivity timeouts via a new + sshd_config(5) ChannelTimeout directive. This allows channels + that have not seen traffic in a configurable interval to be + automatically closed. Different timeouts may be applied to + session, X11, agent and TCP forwarding channels. + * sshd(8): add a sshd_config UnusedConnectionTimeout option to + terminate client connections that have no open channels for a + length of time. This complements the ChannelTimeout option + above. + * sshd(8): add a -V (version) option to sshd like the ssh client + has. + * ssh(1): add a "Host" line to the output of ssh -G showing the + original hostname argument. 
bz3343 + * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to + allow control over some SFTP protocol parameters: the copy + buffer length and the number of in-flight requests, both of + which are used during upload/download. Previously these could + be controlled in sftp(1) only. This makes them available in + both SFTP protocol clients using the same option character + sequence. + * ssh-keyscan(1): allow scanning of complete CIDR address ranges, + e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, + then it will be expanded to all possible addresses in the range + including the all-0s and all-1s addresses. bz#976 + * ssh(1): support dynamic remote port forwarding in escape + command-line's -R processing. bz#3499 + + = Bugfixes + * ssh(1): when restoring non-blocking mode to stdio fds, restore + exactly the flags that ssh started with and don't just clobber + them with zero, as this could also remove the append flag from + the set. bz3523 + * ssh(1): avoid printf("%s", NULL) if using + UserKnownHostsFile=none and a hostkey in one of the system + known hosts file changes. + * scp(1): switch scp from using pipes to a socket-pair for + communication with its ssh sub-processes, matching how sftp(1) + operates. + * sshd(8): clear signal mask early in main(); sshd may have been + started with one or more signals masked (sigprocmask(2) is not + cleared on fork/exec) and this could interfere with various + things, e.g. the login grace timer. Execution environments that + fail to clear the signal mask before running sshd are clearly + broken, but apparently they do exist. + * ssh(1): warn if no host keys for hostbased auth can be loaded. + * sshd(8): Add server debugging for hostbased auth that is queued + and sent to the client after successful authentication, but + also logged to assist in diagnosis of HostbasedAuthentication + problems. 
bz3507 + * ssh(1): document use of the IdentityFile option as being usable + to list public keys as well as private keys. GHPR352 + * sshd(8): check for and disallow MaxStartups values less than or + equal to zero during config parsing, rather than failing later + at runtime. bz3489 + * ssh-keygen(1): fix parsing of hex cert expiry times specified + on the command-line when acting as a CA. + * scp(1): when scp(1) is using the SFTP protocol for transport + (the default), better match scp/rcp's handling of globs that + don't match the globbed characters but do match literally (e.g. + trying to transfer a file named "foo.[1]"). Previously scp(1) + in SFTP mode would not match these pathnames but legacy scp/rcp + mode would. bz3488 + * ssh-agent(1): document the "-O no-restrict-websafe" + command-line option. + * ssh(1): honour user's umask(2) if it is more restrictive then + the ssh default (022). + + = Portability + * sshd(8): allow writev(2) in the Linux seccomp sandbox. This + seems to be used by recent glibcs at least in some + configurations during error conditions. bz3512. + * sshd(8): simply handling of SSH_CONNECTION PAM env var, + removing global variable and checking the return value from + pam_putenv. bz3508 + * sshd(8): disable SANDBOX_SECCOMP_FILTER_DEBUG that was + mistakenly enabled during the OpenSSH 9.1 release cycle. + * misc: update autotools and regenerate the config files using + the latest autotools + * all: use -fzero-call-used-regs=used on clang 15 instead of + -fzero-call-used-reg=all, as some versions of clang 15 have + miscompile code when it was enabled. bz3475 + * sshd(8): defer PRNG seeding until after the initial + closefrom(2) call. PRNG seeding will initialize OpenSSL, and + some engine providers (e.g. Intel's QAT) will open descriptors + for their own use that closefrom(2) could clobber. bz3483 + * misc: in the poll(2)/ppoll(2) compatibility code, avoid + assuming the layout of fd_set. 
+ * sftp-server(8), ssh-agent(1): fix ptrace(2) disabling on older + FreeBSD kernels. Some versions do not support using id 0 to + refer to the current PID for procctl, so try again with + getpid() explicitly before failing. + * configure.ac: fix -Wstrict-prototypes in configure test code. + Clang 16 now warns on this and legacy prototypes will be + removed in C23. GHPR355 + * configure.ac: fix setres*id checks to work with clang-16. glibc + has the prototypes for setresuid behind _GNU_SOURCE, and + clang 16 will error out on implicit function definitions. + bz3497 + +- Update to openssh 9.1p1: + = Security + * ssh-keyscan(1): fix a one-byte overflow in SSH- banner + processing. + Reported by Qualys + * ssh-keygen(1): double free() in error path of file hashing step + in signing/verify code; GHPR333 + * ssh-keysign(8): double-free in error path introduced in + openssh-8.9 + + = Potentially-incompatible changes + * The portable OpenSSH project now signs commits and release tags + using git's recent SSH signature support. The list of developer + signing keys is included in the repository as + .git_allowed_signers and is cross-signed using the PGP key that + is still used to sign release artifacts: + https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc + * ssh(1), sshd(8): SetEnv directives in ssh_config and + sshd_config are now first-match-wins to match other directives. + Previously if an environment variable was multiply specified + the last set value would have been used. bz3438 + * ssh-keygen(8): ssh-keygen -A (generate all default host key + types) will no longer generate DSA keys, as these are insecure + and have not been used by default for some years. + + = New features + * ssh(1), sshd(8): add a RequiredRSASize directive to set a + minimum RSA key length. Keys below this length will be ignored + for user authentication and for host authentication in sshd(8). 
+ ssh(1) will terminate a connection if the server offers an RSA + key that falls below this limit, as the SSH protocol does not + include the ability to retry a failed key exchange. + * sftp-server(8): add a "users-groups-by-id@openssh.com" + extension request that allows the client to obtain user/group + names that correspond to a set of uids/gids. + * sftp(1): use "users-groups-by-id@openssh.com" sftp-server + extension (when available) to fill in user/group names for + directory listings. + * sftp-server(8): support the "home-directory" extension request + defined in draft-ietf-secsh-filexfer-extensions-00. This + overlaps a bit with the existing "expand-path@openssh.com", but + some other clients support it. + * ssh-keygen(1), sshd(8): allow certificate validity intervals, + sshsig verification times and authorized_keys expiry-time + options to accept dates in the UTC time zone in addition to the + default of interpreting them in the system time zone. YYYYMMDD + and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if + suffixed with a 'Z' character. + Also allow certificate validity intervals to be specified in + raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. + This is intended for use by regress tests and other tools that + call ssh-keygen as part of a CA workflow. bz3468 + * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D + "/usr/libexec/sftp-server -el debug3" + * ssh-keygen(1): allow the existing -U (use agent) flag to work + with "-Y sign" operations, where it will be interpreted to + require that the private keys is hosted in an agent; bz3429 + + = Bugfixes + * ssh-keygen(1): implement the "verify-required" certificate + option. + This was already documented when support for user-verified FIDO + keys was added, but the ssh-keygen(1) code was missing. + * ssh-agent(1): hook up the restrict_websafe command-line flag; + previously the flag was accepted but never actually used. 
+ * sftp(1): improve filename tab completions: never try to + complete names to non-existent commands, and better match the + completion type (local or remote filename) against the argument + position being completed. + * ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key + handling, especially relating to keys that request + user-verification. These should reduce the number of + unnecessary PIN prompts for keys that support intrinsic user + verification. GHPR302, GHPR329 + * ssh-keygen(1): when enrolling a FIDO resident key, check if a + credential with matching application and user ID strings + already exists and, if so, prompt the user for confirmation + before overwriting the credential. GHPR329 + * sshd(8): improve logging of errors when opening authorized_keys + files. bz2042 + * ssh(1): avoid multiplexing operations that could cause SIGPIPE + from causing the client to exit early. bz3454 + * ssh_config(5), sshd_config(5): clarify that the RekeyLimit + directive applies to both transmitted and received data. + GHPR328 + * ssh-keygen(1): avoid double fclose() in error path. + * sshd(8): log an error if pipe() fails while accepting a + connection. bz3447 + * ssh(1), ssh-keygen(1): fix possible NULL deref when built + without FIDO support. bz3443 + * ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage. + GHPR294. + * sshd(8): ensure that authentication passwords are cleared from + memory in error paths. GHPR286 + * ssh(1), ssh-agent(1): avoid possibility of notifier code + executing kill(-1). GHPR286 + * ssh_config(5): note that the ProxyJump directive also accepts + the same tokens as ProxyCommand. GHPR305. + * scp(1): do not not ftruncate(3) files early when in sftp mode. + The previous behaviour of unconditionally truncating the + destination file would cause "scp ~/foo localhost:foo" and the + reverse "scp localhost:foo ~/foo" to delete all the contents of + their destination. 
bz3431 + * ssh-keygen(1): improve error message when 'ssh-keygen -Y sign' + is unable to load a private key; bz3429 + * sftp(1), scp(1): when performing operations that glob(3) a + remote path, ensure that the implicit working directory used to + construct that path escapes glob(3) characters. This prevents + glob characters from being processed in places they shouldn't, + e.g. "cd /tmp/a*/", "get *.txt" should have the get operation + treat the path "/tmp/a*" literally and not attempt to expand + it. + * ssh(1), sshd(8): be stricter in which characters will be + accepted in specifying a mask length; allow only 0-9. GHPR278 + * ssh-keygen(1): avoid printing hash algorithm twice when dumping + a KRL + * ssh(1), sshd(8): continue running local I/O for open channels + during SSH transport rekeying. This should make ~-escapes work + in the client (e.g. to exit) if the connection happened to have + stalled during a rekey event. + * ssh(1), sshd(8): avoid potential poll() spin during rekeying + * Further hardening for sshbuf internals: disallow "reparenting" + a hierarchical sshbuf and zero the entire buffer if + reallocation fails. GHPR287 + + = Portability + * ssh(1), ssh-keygen(1), sshd(8): automatically enable the + built-in FIDO security key support if libfido2 is found and + usable, unless --without-security-key-builtin was requested. + * ssh(1), ssh-keygen(1), sshd(8): many fixes to make the WinHello + FIDO device usable on Cygwin. The windows://hello FIDO device + will be automatically used by default on this platform unless + requested otherwise, or when probing resident FIDO credentials + (an operation not currently supported by WinHello). + * Portable OpenSSH: remove workarounds for obsolete and + unsupported versions of OpenSSL libcrypto. In particular, this + release removes fallback support for OpenSSL that lacks AES-CTR + or AES-GCM. 
Those AES cipher modes were added to OpenSSL prior + to the minimum version currently supported by OpenSSH, so this + is not expected to impact any currently supported + configurations. + * sshd(8): fix SANDBOX_SECCOMP_FILTER_DEBUG on current + Linux/glibc + * All: resync and clean up internal CSPRNG code. + * scp(1), sftp(1), sftp-server(8): avoid linking these programs + with unnecessary libraries. They are no longer linked against + libz and libcrypto. This may be of benefit to space constrained + systems using any of those components in isolation. + * sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox + architectures. + * configure: remove special casing of crypt(). configure will no + longer search for crypt() in libcrypto, as it was removed from + there years ago. configure will now only search libc and + libcrypt. + * configure: refuse to use OpenSSL 3.0.4 due to potential RCE in + its RSA implementation (CVE-2022-2274) on x86_64. + * All: request 1.1x API compatibility for OpenSSL >=3.x; GHPR322 + * ssh(1), ssh-keygen(1), sshd(8): fix a number of missing + includes required by the XMSS code on some platforms. + * sshd(8): cache timezone data in capsicum sandbox. + +- Update to openssh 9.0p1: + = Potentially-incompatible changes + * This release switches scp(1) from using the legacy scp/rcp + protocol to using the SFTP protocol by default. + Legacy scp/rcp performs wildcard expansion of remote filenames + (e.g. "scp host:* .") through the remote shell. This has the + side effect of requiring double quoting of shell + meta-characters in file names included on scp(1) command-lines, + otherwise they could be interpreted as shell commands on the + remote side. + This creates one area of potential incompatibility: scp(1) when + using the SFTP protocol no longer requires this finicky and + brittle quoting, and attempts to use it may cause transfers to + fail. 
We consider the removal of the need for double-quoting + shell characters in file names to be a benefit and do not + intend to introduce bug-compatibility for legacy scp/rcp in + scp(1) when using the SFTP protocol. + Another area of potential incompatibility relates to the use of + remote paths relative to other user's home directories, for + example - "scp host:~user/file /tmp". The SFTP protocol has no + native way to expand a ~user path. However, sftp-server(8) in + OpenSSH 8.7 and later support a protocol extension + "expand-path@openssh.com" to support this. + In case of incompatibility, the scp(1) client may be instructed + to use the legacy scp/rcp using the -O flag. + + = New features + * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 + key exchange method by default + ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is + believed to resist attacks enabled by future quantum computers + and is paired with the X25519 ECDH key exchange (the previous + default) as a backstop against any weaknesses in NTRU Prime + that may be discovered in the future. The combination ensures + that the hybrid exchange offers at least as good security as + the status quo. + We are making this change now (i.e. ahead of cryptographically- + relevant quantum computers) to prevent "capture now, decrypt + later" attacks where an adversary who can record and store SSH + session ciphertext would be able to decrypt it once a + sufficiently advanced quantum computer is available. + * sftp-server(8): support the "copy-data" extension to allow + server-side copying of files/data, following the design in + draft-ietf-secsh-filexfer-extensions-00. bz2948 + * sftp(1): add a "cp" command to allow the sftp client to perform + server-side file copies. + + = Bugfixes + * ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's + output fd closes without data in the channel buffer. bz3405 and + bz3411 + * sshd(8): pack pollfd array in server listen/accept loop. 
Could + cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE + * ssh-keygen(1): avoid NULL deref via the find-principals and + check-novalidate operations. bz3409 and GHPR307 respectively. + * scp(1): fix a memory leak in argument processing. bz3404 + * sshd(8): don't try to resolve ListenAddress directives in the + sshd re-exec path. They are unused after re-exec and parsing + errors (possible for example if the host's network + configuration changed) could prevent connections from being + accepted. + * sshd(8): when refusing a public key authentication request from + a client for using an unapproved or unsupported signature + algorithm include the algorithm name in the log message to make + debugging easier. + + = Portability + * sshd(8): refactor platform-specific locked account check, + fixing an incorrect free() on platforms with both libiaf and + shadow passwords (probably only Unixware) GHPR284, + * ssh(1), sshd(8): Fix possible integer underflow in + scan_scaled(3) parsing of K/M/G/etc quantities. bz#3401. + * sshd(8): provide killpg implementation (mostly for Tandem + NonStop) GHPR301. + * Check for missing ftruncate prototype. GHPR301 + * sshd(8): default to not using sandbox when cross compiling. On + most systems poll(2) does not work when the number of FDs is + reduced with setrlimit, so assume it doesn't when cross + compiling and we can't run the test. bz#3398. + * sshd(8): allow ppoll_time64 in seccomp sandbox. Should fix + sandbox violations on some (at least i386 and armhf) 32bit + Linux platforms. bz#3396. + * Improve detection of -fzero-call-used-regs=all support in + configure script. 
+ +- Add patch that explicitly adds -lz in Makefile.in to some + binaries which need it: + * fix-missing-lz.patch +- Rebase patches: + * openssh-7.7p1-fips.patch + * openssh-7.7p1-fips_checks.patch + * openssh-7.7p1-ldap.patch + * openssh-7.7p1-pam_check_locks.patch + * openssh-7.7p1-seccomp_ipc_flock.patch + * openssh-7.7p1-sftp_print_diagnostic_messages.patch + * openssh-7.7p1-systemd-notify.patch + * openssh-8.0p1-gssapi-keyex.patch + * openssh-8.1p1-audit.patch + * openssh-8.1p1-ed25519-use-openssl-rng.patch + * openssh-8.4p1-vendordir.patch + * openssh-reenable-dh-group14-sha1-default.patch + * openssh-whitelist-syscalls.patch + * wtmpdb.patch +- Fix setting libexec dir in the LDAP patch. +- Fix build in Leap 15.x which doesn't use %{_distconfdir} + +------------------------------------------------------------------- +Fri May 5 15:18:20 UTC 2023 - Dominique Leuenberger + +- Add _multibuild to define 2nd spec file as additional flavor. + Eliminates the need for source package links in OBS. + +------------------------------------------------------------------- +Mon Apr 17 13:14:49 UTC 2023 - Thorsten Kukuk + +- wtmpdb.patch: add support for wtmpdb to sshd [jsc#PED-3144] + ------------------------------------------------------------------- Mon Mar 27 08:39:38 UTC 2023 - Thorsten Kukuk diff --git a/openssh.spec b/openssh.spec index b3434c7..99de630 100644 --- a/openssh.spec +++ b/openssh.spec 
@@ -24,13 +24,20 @@ %define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' ) %define CHECKSUM_SUFFIX .hmac %define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE" +%bcond_without ldap + +%if 0%{?suse_version} >= 1550 +%bcond_without wtmpdb +%else +%bcond_with wtmpdb +%endif #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version: 8.9p1 +Version: 9.3p1 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT @@ -107,17 +114,21 @@ Patch47: openssh-8.4p1-vendordir.patch Patch48: openssh-8.4p1-pam_motd.patch Patch49: openssh-do-not-send-empty-message.patch Patch50: openssh-openssl-3.patch +Patch51: wtmpdb.patch +Patch100: fix-missing-lz.patch BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff BuildRequires: libedit-devel BuildRequires: libselinux-devel +%if %{with ldap} BuildRequires: openldap2-devel +%endif BuildRequires: openssl-devel BuildRequires: pam-devel BuildRequires: pkgconfig BuildRequires: zlib-devel -BuildRequires: pkgconfig(libfido2) +BuildRequires: pkgconfig(libfido2) >= 1.2.0 BuildRequires: pkgconfig(libsystemd) BuildRequires: sysuser-shadow BuildRequires: sysuser-tools @@ -128,6 +139,9 @@ BuildRequires: pkgconfig(krb5) %else BuildRequires: krb5-mini-devel %endif +%if %{with wtmpdb} +BuildRequires: pkgconfig(libwtmpdb) +%endif Requires(pre): findutils Requires(pre): grep @@ -215,6 +229,7 @@ also be forwarded over the secure channel. This package contains clients for making secure connections to Secure Shell servers. +%if %{with ldap} %package helpers Summary: OpenSSH AuthorizedKeysCommand helpers Group: Productivity/Networking/SSH 
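Review bot: In the `@@ -107,17 +114,21 @@` hunk, `Patch100: fix-missing-lz.patch` jumps out of the Patch47–Patch51 sequence with no comment saying why, and the only %prep change visible later in this diff is a sed; if %prep applies patches with explicit `%patchN` lines rather than `%autosetup`/`%autopatch`, the new number needs its own apply line, so confirm the patch is actually applied. A one-line comment above it such as `# build fix only: link -lz explicitly for the binaries that lost it in 9.x` would record the intent behind the separate numbering. The same hunk raises `BuildRequires: pkgconfig(libfido2) >= 1.2.0`, which the openssh.changes hunk in this commit does not appear to mention; a changelog line naming the reason for the floor would help whoever later relaxes or raises it.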
@@ -231,6 +246,7 @@ also be forwarded over the secure channel. This package contains helper applications for OpenSSH which retrieve keys from various sources. +%endif %package fips Summary: OpenSSH FIPS crypto module HMACs @@ -262,7 +278,7 @@ cp %{SOURCE3} %{SOURCE4} %{SOURCE11} . # set libexec dir in the LDAP patch sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \ $( grep -Rl @LIBEXECDIR@ \ - $( grep "^+++" openssh-7.7p1-ldap.patch | sed -r 's@^.+/([^/\t ]+).*$@\1@' ) + $( grep "^+++" %{PATCH31} | sed -r 's@^.+/([^/\t ]+).*$@\1@' ) ) %build @@ -294,9 +310,14 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS %endif --disable-strip \ --with-audit=linux \ +%if %{with ldap} --with-ldap \ +%endif --with-xauth=%{_bindir}/xauth \ --with-libedit \ +%if %{with wtmpdb} + --with-wtmpdb \ +%endif --with-security-key-builtin \ --target=%{_target_cpu}-suse-linux @@ -327,12 +348,16 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir} install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config +echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf + # Move /etc to /usr/etc/ssh +%if %{defined _distconfdir} mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/ -echo "PermitRootLogin yes" > %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf +mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf +%endif %if 0%{?suse_version} < 1550 # install firewall definitions 
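Review bot: In the `@@ -327,12 +348,16 @@` hunk, `echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf` now runs before the only `mkdir -p` visible in the hunk, and that mkdir creates the `%{_distconfdir}` directories, not `%{_sysconfdir}/ssh/sshd_config.d`; unless an earlier %install step outside this hunk creates that directory, the redirect fails on exactly the non-_distconfdir (Leap 15.x) path this commit sets out to fix. Adding `mkdir -p %{buildroot}%{_sysconfdir}/ssh/sshd_config.d` directly before the echo makes the step self-contained on both paths. The drop-in is also created with the shell's default mode, and the `%files server-config-rootlogin` entry later in this diff lists it without `%attr`; since this file enables root login, pin it with `install -m 644` (or `%attr(0644,root,root)` in %files) rather than relying on the build umask.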
@@ -426,9 +451,15 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss %license LICENCE %doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS %attr(0755,root,root) %dir %{_sysconfdir}/ssh +%if %{defined _distconfdir} %attr(0755,root,root) %dir %{_distconfdir}/ssh -%attr(0755,root,root) %dir /usr/etc/ssh/ssh_config.d %attr(0600,root,root) %{_distconfdir}/ssh/moduli +%attr(0755,root,root) %dir %{_distconfdir}/ssh/ssh_config.d +%else +%attr(0755,root,root) %dir %{_sysconfdir}/ssh +%attr(0600,root,root) %{_sysconfdir}/ssh/moduli +%attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d +%endif %attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1* %attr(0444,root,root) %{_mandir}/man5/moduli.5* %attr(0755,root,root) %{_bindir}/ssh-keygen* @@ -439,12 +470,13 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss %attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start %dir %attr(0755,root,root) %{_localstatedir}/lib/sshd %dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d -%attr(0755,root,root) %dir %{_distconfdir}/ssh -%attr(0755,root,root) %dir /usr/etc/ssh/sshd_config.d -%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config %if %{defined _distconfdir} +%attr(0755,root,root) %dir %{_distconfdir}/ssh +%attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d +%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config %attr(0644,root,root) %{_pam_vendordir}/sshd %else +%attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd %endif %attr(0644,root,root) %{_unitdir}/sshd.service 
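Review bot: In the `@@ -426,9 +451,15 @@` hunk the new `%else` branch lists `%attr(0755,root,root) %dir %{_sysconfdir}/ssh`, but the unchanged context line just above the `%if %{defined _distconfdir}` already lists that same directory unconditionally, so on the non-_distconfdir path the entry appears twice in the same package (rpmbuild reports the file as listed twice). Drop the duplicate line from the `%else` branch and keep only the `moduli` and `ssh_config.d` entries there.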
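Review bot: In the `@@ -439,12 +470,13 @@` hunk the new `%else` branch ships `%attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config` as a plain file, so on systems without `%{_distconfdir}` an upgrade overwrites an administrator-edited sshd_config in place instead of preserving it; the `pam.d/sshd` entry two lines below in the same branch already uses `%config(noreplace)`. Change it to `%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config`. The same omission applies to `%{_sysconfdir}/ssh/ssh_config` and `%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf` in the `%else` branches of the `@@ -463,11 +495,19 @@` hunk, and arguably to `%{_sysconfdir}/ssh/moduli` in the `@@ -426,9 +451,15 @@` hunk.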
@@ -463,11 +495,19 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss %endif %files server-config-rootlogin +%if %{defined _distconfdir} %{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf +%else +%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf +%endif %files clients %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d +%if %{defined _distconfdir} %attr(0644,root,root) %{_distconfdir}/ssh/ssh_config +%else +%attr(0644,root,root) %{_sysconfdir}/ssh/ssh_config +%endif %attr(0755,root,root) %{_bindir}/ssh %attr(0755,root,root) %{_bindir}/scp* %attr(0755,root,root) %{_bindir}/sftp* @@ -492,6 +532,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss %attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8* %attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8* +%if %{with ldap} %files helpers %attr(0755,root,root) %dir %{_sysconfdir}/ssh %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf @@ -500,6 +541,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss %attr(0444,root,root) %{_mandir}/man5/ssh-ldap* %attr(0444,root,root) %{_mandir}/man8/ssh-ldap* %doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema +%endif %files fips %attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX} diff --git a/wtmpdb.patch b/wtmpdb.patch new file mode 100644 index 0000000..bf5bca9 --- /dev/null +++ b/wtmpdb.patch 
@@ -0,0 +1,185 @@ +diff -ur openssh-8.9p1.old/configure.ac openssh-8.9p1/configure.ac +--- openssh-8.9p1.old/configure.ac 2022-02-23 12:31:11.000000000 +0100 ++++ openssh-8.9p1/configure.ac 2023-04-17 14:52:21.499002203 +0200 +@@ -1703,6 +1703,49 @@ + fi ] + ) + ++# Check whether user wants wtmpdb support ++WTMPDB_MSG="no" ++AC_ARG_WITH([wtmpdb], ++ [ --with-wtmpdb[[=PATH]] Enable wtmpdb support for sshd], ++ [ if test "x$withval" != "xno" ; then ++ if test "x$withval" = "xyes" ; then ++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) ++ if test "x$PKGCONFIG" != "xno"; then ++ AC_MSG_CHECKING([if $PKGCONFIG knows about wtmpdb]) ++ if "$PKGCONFIG" libwtmpdb; then ++ AC_MSG_RESULT([yes]) ++ use_pkgconfig_for_libwtmpdb=yes ++ else ++ AC_MSG_RESULT([no]) ++ fi ++ fi ++ else ++ CPPFLAGS="$CPPFLAGS -I${withval}/include" ++ if test -n "${rpath_opt}"; then ++ LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval}/lib ${LDFLAGS}" ++ fi ++ fi ++ if test "x$use_pkgconfig_for_libwtmpdb" = "xyes"; then ++ LIBWTMPDB=`$PKGCONFIG --libs libwtmpdb` ++ CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libwtmpdb`" ++ else ++ LIBWTMPDB="-lwtmpdb" ++ fi ++ OTHERLIBS=`echo $LIBWTMPDB | sed 's/-lwtmpdb//'` ++ AC_CHECK_LIB([wtmpdb], [wtmpdb_login], ++ [ AC_DEFINE([USE_WTMPDB], [1], [Use libwtmpdb for sshd]) ++ WTMPDB_MSG="yes" ++ AC_SUBST([LIBWTMPDB]) ++ ], ++ [ AC_MSG_ERROR([libwtmpdb not found]) ], ++ [ $OTHERLIBS ] ++ ) ++ fi ] ++) ++ ++ + AUDIT_MODULE=none + AC_ARG_WITH([audit], + [ --with-audit=module Enable audit support (modules=debug,bsm,linux)], +diff -ur openssh-8.9p1.old/loginrec.c openssh-8.9p1/loginrec.c +--- openssh-8.9p1.old/loginrec.c 2022-02-23 12:31:11.000000000 +0100 ++++ openssh-8.9p1/loginrec.c 2023-04-18 10:05:04.311193333 +0200 +@@ -187,6 +187,10 @@ + # include + #endif + ++#ifdef USE_WTMPDB ++# include ++#endif ++ + /** + ** prototypes for helper functions in this file + **/ +@@ -207,6 +211,9 @@ + int wtmpx_write_entry(struct 
logininfo *li);
+ int lastlog_write_entry(struct logininfo *li);
+ int syslogin_write_entry(struct logininfo *li);
++#ifdef USE_WTMPDB
++int wtmpdb_write_entry(struct logininfo *li);
++#endif
+ 
+ int getlast_entry(struct logininfo *li);
+ int lastlog_get_entry(struct logininfo *li);
+@@ -467,6 +474,9 @@
+ #ifdef USE_WTMPX
+ wtmpx_write_entry(li);
+ #endif
++#ifdef USE_WTMPDB
++ wtmpdb_write_entry(li);
++#endif
+ #ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
+ if (li->type == LTYPE_LOGIN &&
+ !sys_auth_record_login(li->username,li->hostname,li->line,
+@@ -1409,6 +1419,64 @@
+ }
+ #endif /* USE_WTMPX */
+ 
++#ifdef USE_WTMPDB
++static int
++wtmpdb_perform_login(struct logininfo *li)
++{
++ uint64_t login_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
++ const char *tty;
++
++ if (strncmp(li->line, "/dev/", 5) == 0)
++ tty = &(li->line[5]);
++ else
++ tty = li->line;
++
++ li->wtmpdb_id = wtmpdb_login(NULL, USER_PROCESS, li->username,
++ login_time, tty, li->hostname, 0, 0);
++ if (li->wtmpdb_id < 0)
++ return (0);
++
++ return (1);
++}
++
++
++static int
++wtmpdb_perform_logout(struct logininfo *li)
++{
++ uint64_t logout_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
++
++ if (li->wtmpdb_id == 0) {
++ const char *tty;
++
++ if (strncmp(li->line, "/dev/", 5) == 0)
++ tty = &(li->line[5]);
++ else
++ tty = li->line;
++
++ li->wtmpdb_id = wtmpdb_get_id(NULL, tty, NULL);
++ }
++ wtmpdb_logout(NULL, li->wtmpdb_id, logout_time, NULL);
++
++ return (1);
++}
++
++
++int
++wtmpdb_write_entry(struct logininfo *li)
++{
++ switch(li->type) {
++ case LTYPE_LOGIN:
++ return (wtmpdb_perform_login(li));
++ case LTYPE_LOGOUT:
++ return (wtmpdb_perform_logout(li));
++ default:
++ logit("%s: invalid type field", __func__);
++ return (0);
++ }
++}
++#endif
++
++
+ /**
+ ** Low-level libutil login() functions
+ **/
+diff -ur openssh-8.9p1.old/loginrec.h openssh-8.9p1/loginrec.h
+--- openssh-8.9p1.old/loginrec.h 2022-02-23 12:31:11.000000000 +0100
++++ 
openssh-8.9p1/loginrec.h 2023-04-17 14:58:20.808850750 +0200
+@@ -79,6 +79,9 @@
+ unsigned int tv_sec;
+ unsigned int tv_usec;
+ union login_netinfo hostaddr; /* caller's host address(es) */
++#ifdef USE_WTMPDB
++ int64_t wtmpdb_id; /* ID for wtmpdb_logout */
++#endif
+ }; /* struct logininfo */
+ 
+ /*
+diff -ur openssh-8.9p1.old/Makefile.in openssh-8.9p1/Makefile.in
+--- openssh-8.9p1.old/Makefile.in 2022-02-23 12:31:11.000000000 +0100
++++ openssh-8.9p1/Makefile.in 2023-04-17 14:44:32.156538001 +0200
+@@ -55,6 +55,7 @@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ LIBFIDO2=@LIBFIDO2@
++LIBWTMPDB=@LIBWTMPDB@
+ AR=@AR@
+ AWK=@AWK@
+ RANLIB=@RANLIB@
+@@ -212,7 +213,7 @@
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
+ 
+ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
+- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
+ 
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
+ $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
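Review bot: `wtmpdb_perform_logout()` in the loginrec.c part of this hunk ignores every failure: a negative id from `wtmpdb_get_id()` is passed straight into `wtmpdb_logout()`, that call's return value is dropped, and the function returns 1 regardless, so a logout that was never recorded is reported as success even though the login path right above it already treats a negative id as failure — a session-accounting gap of that kind is exactly what an incident review later depends on. `wtmpdb_perform_login()` has the mirror-image gap: it returns 0 without a `logit()` call, unlike the `default:` branch of `wtmpdb_write_entry()`, so a broken wtmpdb backend leaves nothing in sshd's log. The `li->wtmpdb_id == 0` sentinel also assumes `struct logininfo` is zero-initialised by its allocator, which the hunk does not show; a comment on the new `wtmpdb_id` field in loginrec.h such as `/* 0 = not yet known, look it up by tty at logout */` would pin that contract. Assuming libwtmpdb keeps the negative-on-error convention the login path relies on (and that the trailing NULL arguments are an optional error-string out-parameter, which would let the failure reason be logged too), the logout path would look like the excerpt below; the `/dev/` stripping duplicated in both helpers could move into one small static helper at the same time.
```c
static int
wtmpdb_perform_logout(struct logininfo *li)
{
	uint64_t logout_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;

	if (li->wtmpdb_id == 0) {
		/* … unchanged: strip a leading "/dev/" from li->line into tty … */
		li->wtmpdb_id = wtmpdb_get_id(NULL, tty, NULL);
	}
	/* Match wtmpdb_perform_login(): a negative id is a failed lookup. */
	if (li->wtmpdb_id < 0) {
		logit("%s: wtmpdb_get_id failed for %s", __func__, li->line);
		return (0);
	}
	if (wtmpdb_logout(NULL, li->wtmpdb_id, logout_time, NULL) < 0) {
		logit("%s: wtmpdb_logout failed", __func__);
		return (0);
	}

	return (1);
}
```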