Accepting request 1090577 from network

OBS-URL: https://build.opensuse.org/request/show/1090577
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=164

_multibuild

@@ -0,0 +1,3 @@
+<multibuild>
+  <package>openssh-askpass-gnome</package>
+</multibuild>

fix-missing-lz.patch

@@ -0,0 +1,25 @@
+Index: openssh-9.3p1/Makefile.in
+===================================================================
+--- openssh-9.3p1.orig/Makefile.in
++++ openssh-9.3p1/Makefile.in
+@@ -250,17 +250,17 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
+ 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+ 
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
+-	$(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
++	$(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+ 
+ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
+ 	$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
+ 
+ # FIPS tests
+ cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
+-	$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
++	$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+ 
+ cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
+-	$(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
++	$(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+ 
+ # test driver for the loginrec code - not built by default
+ logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o

openssh-7.7p1-fips.patch

@@ -16,28 +16,28 @@ Index: openssh-8.8p1/Makefile.in
  SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
  	sshconnect.o sshconnect2.o mux.o $(SKOBJS)
  
-Index: openssh-8.8p1/cipher-ctr.c
+#Index: openssh-8.8p1/cipher-ctr.c
-===================================================================
+#===================================================================
---- openssh-8.8p1.orig/cipher-ctr.c
+#--- openssh-8.8p1.orig/cipher-ctr.c
-+++ openssh-8.8p1/cipher-ctr.c
+#+++ openssh-8.8p1/cipher-ctr.c
-@@ -27,6 +27,8 @@
+#@@ -27,6 +27,8 @@
- #include "xmalloc.h"
+# #include "xmalloc.h"
- #include "log.h"
+# #include "log.h"
- 
+# 
-+#include "fips.h"
+#+#include "fips.h"
-+
+#+
- /* compatibility with old or broken OpenSSL versions */
+# /* compatibility with old or broken OpenSSL versions */
- #include "openbsd-compat/openssl-compat.h"
+# #include "openbsd-compat/openssl-compat.h"
- 
+# 
-@@ -139,6 +141,8 @@ evp_aes_128_ctr(void)
+#@@ -139,6 +141,8 @@ evp_aes_128_ctr(void)
- #ifndef SSH_OLD_EVP
+# #ifndef SSH_OLD_EVP
- 	aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
+# 	aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- 	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+# 	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
-+	if (fips_mode())
+#+	if (fips_mode())
-+		aes_ctr.flags |= EVP_CIPH_FLAG_FIPS;
+#+		aes_ctr.flags |= EVP_CIPH_FLAG_FIPS;
- #endif
+# #endif
- 	return (&aes_ctr);
+# 	return (&aes_ctr);
- }
+# }
 Index: openssh-8.8p1/cipher.c
 ===================================================================
 --- openssh-8.8p1.orig/cipher.c
@@ -416,8 +416,8 @@ Index: openssh-8.8p1/kex.c
 --- openssh-8.8p1.orig/kex.c
 +++ openssh-8.8p1/kex.c
 @@ -62,6 +62,8 @@
- #include "sshbuf.h"
  #include "digest.h"
+ #include "xmalloc.h"
  
 +#include "fips.h"
 +
@@ -743,7 +743,8 @@ Index: openssh-8.8p1/ssh-keygen.c
 +	struct Key_types key_types_all[] = {
  #ifdef WITH_OPENSSL
  		{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
- 		{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
+ #ifdef OPENSSL_HAS_ECC
+# 		{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
 @@ -1056,6 +1060,17 @@ do_gen_all_hostkeys(struct passwd *pw)
  		{ NULL, NULL, NULL }
  	};

openssh-7.7p1-fips_checks.patch

@@ -459,8 +459,8 @@ Index: openssh-8.8p1/sshd.c
 --- openssh-8.8p1.orig/sshd.c
 +++ openssh-8.8p1/sshd.c
 @@ -1547,6 +1547,10 @@ main(int ac, char **av)
- 	Authctxt *authctxt;
  	struct connection_info *connection_info = NULL;
+ 	sigset_t sigmask;
  
 +	/* initialize fips - can go before ssh_malloc_init(), since that is a
 +	 * OpenBSD-only thing (as of OpenSSH 7.6p1) */

openssh-7.7p1-ldap.patch

@@ -148,7 +148,7 @@ Index: openssh-8.9p1/Makefile.in
  	sshkey-xmss.o \
 @@ -162,8 +167,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve
  
- SFTP_OBJS=	sftp.o progressmeter.o $(SFTP_CLIENT_OBJS)
+ SFTP_OBJS=	sftp.o sftp-usergroup.o progressmeter.o $(SFTP_CLIENT_OBJS)
  
 -MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
 -MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
@@ -159,7 +159,7 @@ Index: openssh-8.9p1/Makefile.in
  CONFIGFILES=sshd_config.out ssh_config.out moduli.out
 @@ -246,6 +251,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
- 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS)
  
 +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
 +	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

openssh-7.7p1-pam_check_locks.patch

@@ -10,23 +10,23 @@ Index: openssh-8.8p1/auth.c
 --- openssh-8.8p1.orig/auth.c
 +++ openssh-8.8p1/auth.c
 @@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas
+ 	if (!pw || !pw->pw_name)
  		return 0;
  
- #ifdef USE_SHADOW
+-	if (!options.use_pam && platform_locked_account(pw)) {
--	if (!options.use_pam)
++	if ((!options.use_pam || options.use_pam_check_locks) && platform_locked_account(pw)) {
-+	if (!options.use_pam || options.use_pam_check_locks)
+ 		logit("User %.100s not allowed because account is locked",
- 		spw = getspnam(pw->pw_name);
+ 		    pw->pw_name);
- #ifdef HAS_SHADOW_EXPIRE
+ 		return 0;
- 	if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
+#@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
-@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas
+# #endif
- #endif
+# 
- 
+# 	/* check for locked account */
- 	/* check for locked account */
+#-	if (!options.use_pam && passwd && *passwd) {
--	if (!options.use_pam && passwd && *passwd) {
+#+	if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
-+	if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) {
+# 		int locked = 0;
- 		int locked = 0;
+# 
- 
+# #ifdef LOCKED_PASSWD_STRING
- #ifdef LOCKED_PASSWD_STRING
 Index: openssh-8.8p1/servconf.c
 ===================================================================
 --- openssh-8.8p1.orig/servconf.c

openssh-7.7p1-seccomp_ipc_flock.patch

@@ -37,5 +37,5 @@ Index: openssh-8.8p1/sandbox-seccomp-filter.c
 +	SC_ALLOW(__NR_ipc),
 +#endif
  #ifdef __NR_madvise
- 	SC_ALLOW(__NR_madvise),
+ 	SC_ALLOW_ARG(__NR_madvise, 2, MADV_NORMAL),
- #endif
+ # ifdef MADV_FREE

openssh-7.7p1-sftp_print_diagnostic_messages.patch

@@ -34,8 +34,8 @@ Index: openssh-8.8p1/sftp.c
  	infile = stdin;
  
  	while ((ch = getopt(argc, argv,
--	    "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
+-	    "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
-+	    "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
++	    "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) {
  		switch (ch) {
  		/* Passed through to ssh(1) */
  		case 'A':

openssh-7.7p1-systemd-notify.patch

@@ -8,8 +8,9 @@ Index: openssh-8.8p1/configure.ac
 --- openssh-8.8p1.orig/configure.ac
 +++ openssh-8.8p1/configure.ac
 @@ -4751,6 +4751,30 @@ AC_ARG_WITH([kerberos5],
- AC_SUBST([GSSLIBS])
+# AC_SUBST([GSSLIBS])
  AC_SUBST([K5LIBS])
+ AC_SUBST([CHANNELLIBS])
  
 +# Check whether user wants systemd support
 +SYSTEMD_MSG="no"

openssh-8.0p1-gssapi-keyex.patch

@@ -12,7 +12,8 @@ Index: openssh-8.9p1/Makefile.in
  
 @@ -132,7 +133,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
  	auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
- 	auth2-none.o auth2-passwd.o auth2-pubkey.o \
+# 	auth2-none.o auth2-passwd.o auth2-pubkey.o \
+ 	auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \
  	monitor.o monitor_wrap.o auth-krb5.o \
 -	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 +	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
@@ -379,12 +380,29 @@ Index: openssh-8.9p1/clientloop.c
  /* import options */
  extern Options options;
  
-@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt
+#@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt
- 			break;
+## Replaced with the section below
- 
+# 			break;
- 		/* Do channel operations unless rekeying in progress. */
+# 
--		if (!ssh_packet_is_rekeying(ssh))
+# 		/* Do channel operations unless rekeying in progress. */
-+		if (!ssh_packet_is_rekeying(ssh)) {
+#-		if (!ssh_packet_is_rekeying(ssh))
+#+		if (!ssh_packet_is_rekeying(ssh)) {
+# 			channel_after_poll(ssh, pfd, npfd_active);
+# 
+#+#ifdef GSSAPI
+#+			if (options.gss_renewal_rekey &&
+#+			    ssh_gssapi_credentials_updated(NULL)) {
+#+				debug("credentials updated - forcing rekey");
+#+				need_rekeying = 1;
+#+			}
+#+#endif
+#+		}
+#+
+# 		/* Buffer input from the connection.  */
+# 		if (conn_in_ready)
+# 			client_process_net_input(ssh);
+@@ -1349,6 +1353,14 @@ client_loop(struct ssh *ssh, int have_pt
+ 		/* Do channel operations. */
  		channel_after_poll(ssh, pfd, npfd_active);
  
 +#ifdef GSSAPI
@@ -394,7 +412,6 @@ Index: openssh-8.9p1/clientloop.c
 +			need_rekeying = 1;
 +		}
 +#endif
-+		}
 +
  		/* Buffer input from the connection.  */
  		if (conn_in_ready)
@@ -1257,15 +1274,9 @@ Index: openssh-8.9p1/kex.c
 ===================================================================
 --- openssh-8.9p1.orig/kex.c
 +++ openssh-8.9p1/kex.c
-@@ -57,11 +57,16 @@
+@@ -57,6 +57,10 @@
- #include "misc.h"
- #include "dispatch.h"
- #include "monitor.h"
-+#include "xmalloc.h"
- 
- #include "ssherr.h"
- #include "sshbuf.h"
  #include "digest.h"
+ #include "xmalloc.h"
  
 +#ifdef GSSAPI
 +#include "ssh-gss.h"
@@ -1274,7 +1285,7 @@ Index: openssh-8.9p1/kex.c
  #include "fips.h"
  
  /* prototype */
-@@ -119,6 +124,19 @@ static const struct kexalg kexalgs_all[]
+@@ -119,6 +123,19 @@ static const struct kexalg kexalgs_all[]
  #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
  	{ NULL, 0, -1, -1},
  };
@@ -1294,7 +1305,7 @@ Index: openssh-8.9p1/kex.c
  
  static const struct kexalg kexalgs_fips140_2[] = {
  #ifdef WITH_OPENSSL
-@@ -146,12 +164,12 @@ static const struct kexalg kexalgs_fips1
+@@ -146,12 +163,12 @@ static const struct kexalg kexalgs_fips1
  
  /* Returns array of macs available depending on selected FIPS mode */
  static const struct kexalg *
@@ -1309,7 +1320,7 @@ Index: openssh-8.9p1/kex.c
  		case 1:
  			return kexalgs_fips140_2;
  		default:
-@@ -162,13 +180,13 @@ fips_select_kexalgs(void)
+@@ -162,13 +179,13 @@ fips_select_kexalgs(void)
  }
  
  char *
@@ -1325,7 +1336,7 @@ Index: openssh-8.9p1/kex.c
  		if (ret != NULL)
  			ret[rlen++] = sep;
  		nlen = strlen(k->name);
-@@ -183,15 +201,31 @@ kex_alg_list(char sep)
+@@ -183,15 +200,31 @@ kex_alg_list(char sep)
  	return ret;
  }
  
@@ -1358,7 +1369,7 @@ Index: openssh-8.9p1/kex.c
  	return NULL;
  }
  
-@@ -363,6 +397,29 @@ kex_assemble_names(char **listp, const c
+@@ -363,6 +396,29 @@ kex_assemble_names(char **listp, const c
  	return r;
  }
  
@@ -1385,10 +1396,10 @@ Index: openssh-8.9p1/kex.c
 +	return 1;
 +}
 +
- /* put algorithm proposal into buffer */
+ /*
- int
+  * Fill out a proposal array with dynamically allocated values, which may
- kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
+  * be modified as required for compatibility reasons.
-@@ -765,6 +822,9 @@ kex_free(struct kex *kex)
+@@ -765,6 +821,9 @@ kex_free(struct kex *kex)
  	sshbuf_free(kex->session_id);
  	sshbuf_free(kex->initial_sig);
  	sshkey_free(kex->initial_hostkey);
@@ -1439,9 +1450,9 @@ Index: openssh-8.9p1/kex.h
  char	*kex_names_cat(const char *, const char *);
  int	 kex_assemble_names(char **, const char *, const char *);
 +int	 kex_gss_names_valid(const char *);
- 
+ void	 kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
- int	 kex_exchange_identification(struct ssh *, int, const char *);
+     const char *, const char *, const char *, const char *, const char *);
- 
+ void	 kex_proposal_free_entries(char *prop[PROPOSAL_MAX]);
 @@ -209,6 +226,12 @@ int	 kexgex_client(struct ssh *);
  int	 kexgex_server(struct ssh *);
  int	 kex_gen_client(struct ssh *);
@@ -3511,8 +3522,8 @@ Index: openssh-8.9p1/sshconnect2.c
  extern Options options;
  
  /*
-@@ -220,6 +218,11 @@ ssh_kex2(struct ssh *ssh, char *host, st
+@@ -220,10 +218,44 @@ ssh_kex2(struct ssh *ssh, char *host, st
- 	char *s, *all_key;
+ 	char *s, *all_key, *hkalgs = NULL;
  	int r, use_known_hosts_order = 0;
  
 +#if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -3523,9 +3534,6 @@ Index: openssh-8.9p1/sshconnect2.c
  	xxx_host = host;
  	xxx_hostaddr = hostaddr;
  	xxx_conn_info = cinfo;
-@@ -264,6 +267,35 @@ ssh_kex2(struct ssh *ssh, char *host, st
- 		    compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
- 	}
  
 +#if defined(GSSAPI) && defined(WITH_OPENSSL)
 +	if (options.gss_keyex) {
@@ -3559,7 +3567,7 @@ Index: openssh-8.9p1/sshconnect2.c
  	if (options.rekey_limit || options.rekey_interval)
  		ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
  		    options.rekey_interval);
-@@ -282,16 +314,46 @@ ssh_kex2(struct ssh *ssh, char *host, st
+@@ -282,17 +314,47 @@ ssh_kex2(struct ssh *ssh, char *host, st
  # ifdef OPENSSL_HAS_ECC
  	ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
  # endif
@@ -3592,6 +3600,7 @@ Index: openssh-8.9p1/sshconnect2.c
  	ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
  
  	/* remove ext-info from the KEX proposals for rekeying */
+ 	free(myproposal[PROPOSAL_KEX_ALGS]);
  	myproposal[PROPOSAL_KEX_ALGS] =
  	    compat_kex_proposal(ssh, options.kex_algorithms);
 +#if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -3751,8 +3760,13 @@ Index: openssh-8.9p1/sshd.c
  		exit(1);
  	}
 @@ -2397,6 +2398,48 @@ do_ssh2_kex(struct ssh *ssh)
- 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
+# 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
- 	    ssh, list_hostkey_types());
+# 	    ssh, list_hostkey_types());
+# 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
+# 	   compat_pkalg_proposal(ssh, list_hostkey_types());
+# 
+ 
+ 	free(hkalgs);
  
 +#if defined(GSSAPI) && defined(WITH_OPENSSL)
 +	{
@@ -3884,22 +3898,40 @@ Index: openssh-8.9p1/sshkey.c
 ===================================================================
 --- openssh-8.9p1.orig/sshkey.c
 +++ openssh-8.9p1/sshkey.c
-@@ -162,6 +162,7 @@ static const struct keytype keytypes[] =
+@@ -127,6 +127,17 @@
- #  endif /* ENABLE_SK */
+ extern const struct sshkey_impl sshkey_xmss_impl;
- # endif /* OPENSSL_HAS_ECC */
+ extern const struct sshkey_impl sshkey_xmss_cert_impl;
- #endif /* WITH_OPENSSL */
+ #endif
-+	{ "null", "null", NULL, KEY_NULL, 0, 0, 0 },
++const struct sshkey_impl sshkey_null_impl = {
- 	{ NULL, NULL, NULL, -1, -1, 0, 0 }
++	/* .name = */		"null",
++	/* .shortname = */	"null",
++	/* .sigalg = */		NULL,
++	/* .type = */		KEY_NULL,
++	/* .nid = */		0,
++	/* .cert = */		0,
++	/* .sigonly = */	0,
++	/* .keybits = */	0,
++	/* .funcs = */		NULL,
++};
+ 
+ const struct sshkey_impl * const keyimpls[] = {
+ 	&sshkey_ed25519_impl,
+@@ -162,6 +179,7 @@ static const struct keytype keytypes[] =
+ 	&sshkey_xmss_impl,
+ 	&sshkey_xmss_cert_impl,
+ #endif
++        &sshkey_null_impl,
+ 	NULL
  };
  
-@@ -286,7 +287,7 @@ sshkey_alg_list(int certs_only, int plai
+@@ -286,7 +304,7 @@ sshkey_alg_list(int certs_only, int plai
- 	const struct keytype *kt;
  
- 	for (kt = keytypes; kt->type != -1; kt++) {
+ 	for (i = 0; keyimpls[i] != NULL; i++) {
--		if (kt->name == NULL)
+ 		impl = keyimpls[i];
-+		if (kt->name == NULL || kt->type == KEY_NULL)
+-		if (impl->name == NULL)
++		if (impl->name == NULL || impl->type == KEY_NULL)
  			continue;
- 		if (!include_sigonly && kt->sigonly)
+ 		if (!include_sigonly && impl->sigonly)
  			continue;
 Index: openssh-8.9p1/sshkey.h
 ===================================================================

openssh-8.1p1-audit.patch

@@ -768,8 +768,8 @@ Index: openssh-8.9p1/auth.h
 +int	 user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t,
 +    const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
  
- FILE	*auth_openkeyfile(const char *, struct passwd *, int);
+ int	 auth_key_is_revoked(struct sshkey *);
- FILE	*auth_openprincipals(const char *, struct passwd *, int);
+ 
 @@ -209,6 +211,8 @@ struct sshkey	*get_hostkey_private_by_ty
  int	 get_hostkey_index(struct sshkey *, int, struct ssh *);
  int	 sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
@@ -843,8 +843,8 @@ Index: openssh-8.9p1/auth2-pubkey.c
 +}
 +
  static int
- match_principals_option(const char *principal_list, struct sshkey_cert *cert)
+ match_principals_file(struct passwd *pw, char *file,
- {
+     struct sshkey_cert *cert, struct sshauthopt **authoptsp)
 Index: openssh-8.9p1/auth2.c
 ===================================================================
 --- openssh-8.9p1.orig/auth2.c
@@ -934,9 +934,9 @@ Index: openssh-8.9p1/kex.c
 --- openssh-8.9p1.orig/kex.c
 +++ openssh-8.9p1/kex.c
 @@ -62,6 +62,7 @@
- #include "ssherr.h"
  #include "sshbuf.h"
  #include "digest.h"
+ #include "xmalloc.h"
 +#include "audit.h"
  
  #ifdef GSSAPI
@@ -2165,7 +2165,7 @@ Index: openssh-8.9p1/session.h
 @@ -71,10 +77,12 @@ void	 session_unused(int);
  int	 session_input_channel_req(struct ssh *, Channel *, const char *);
  void	 session_close_by_pid(struct ssh *ssh, pid_t, int);
- void	 session_close_by_channel(struct ssh *, int, void *);
+ void	 session_close_by_channel(struct ssh *, int, int, void *);
 -void	 session_destroy_all(struct ssh *, void (*)(Session *));
 +void	 session_destroy_all(struct ssh *, void (*)(struct ssh*, Session *));
  void	 session_pty_cleanup2(Session *);
@@ -2357,7 +2357,7 @@ Index: openssh-8.9p1/sshd.c
 +server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s)
  {
  	struct pollfd *pfd = NULL;
- 	int i, j, ret;
+ 	int i, j, ret, npfd;
 @@ -1179,6 +1234,7 @@ server_accept_loop(int *sock_in, int *so
  		if (received_sigterm) {
  			logit("Received signal %d; terminating.",

openssh-8.1p1-ed25519-use-openssl-rng.patch

@@ -9,7 +9,7 @@ index 767ec24..5d506a9 100644
 --- a/ed25519.c
 +++ b/ed25519.c
 @@ -9,6 +9,13 @@
- #include "includes.h"
+ 
  #include "crypto_api.h"
  
 +#ifdef WITH_OPENSSL
@@ -19,12 +19,12 @@ index 767ec24..5d506a9 100644
 +
 +#include "log.h"
 +
- #include "ge25519.h"
+ #define int8 crypto_int8
- 
+ #define uint8 crypto_uint8
- static void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen)
+ #define int16 crypto_int16
 @@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair(
-   unsigned char extsk[64];
+   sc25519 scsk;
-   int i;
+   ge25519 gepk;
  
 +#ifdef WITH_OPENSSL
 +  /* Use FIPS approved RNG */
@@ -32,12 +32,12 @@ index 767ec24..5d506a9 100644
 +    fatal("Couldn't obtain random bytes (error 0x%lx)",
 +          (unsigned long)ERR_get_error());
 +#else
-   randombytes(sk, 32);
+   randombytes(sk,32);
 +#endif
 +
-   crypto_hash_sha512(extsk, sk, 32);
+   crypto_hash_sha512(az,sk,32);
-   extsk[0] &= 248;
+   az[0] &= 248;
-   extsk[31] &= 127;
+   az[31] &= 127;
 diff --git a/kexc25519.c b/kexc25519.c
 index f13d766..2604eda 100644
 --- a/kexc25519.c

openssh-8.4p1-vendordir.patch

@@ -106,7 +106,7 @@ Index: openssh-8.9p1/ssh_config.5
 +.Pq Pa /usr/etc/ssh/ssh_config
  .El
  .Pp
- For each parameter, the first obtained value
+ Unless noted otherwise, for each parameter, the first obtained value
 @@ -2220,6 +2223,11 @@ This file provides defaults for those
  values that are not specified in the user's configuration file, and
  for those users who do not have a configuration file.

openssh-8.9p1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7
-size 1820282

openssh-8.9p1.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmIWG5YACgkQKj9BTnNg
-YLoL2A//TuX5vo9EplHaoqTbgL5KkwaJGaae2bXczbw1N8anfSlnPi7IAL4TkLFW
-SpIAGYcDoxqSAT62Ad9TsIvallPWmzG8mIa1M6dgQHUW95KbI5NHC53NgMkExI7O
-x9HGDanLRoXCwbDrYAZN8UlddTsZYGrfoVso7lrW87lcTkM4AYQKNbCum/C8OUq0
-esJgaaiXTIK+Rwbtpa+msDo8scfq08IG4rMM+kiNOnYpxaVyPIvspUF/ULinEQ5M
-KrgRCZKI6573yZAdzA3KE6fXlzFJuxqcpk8Zimdm6c5+TEk30pzZ65Q+KLLrW7Gm
-YK9gkkbdGWvtoRoE66RnPcBbPoFFM3h0mPhY/08iKHZKQL29bhDABx5qqUN0WDtg
-uqz21PT/yXwxXglvHRMtq9w1dzjrPs/aEWQiO2ta+tspC+vUwVjnengmvcj7pP6B
-4MQWDcw0ZULn5ns/Vzja6VO9V6hKYApCHs0o4lvBnXXtdIRNHmuROoVQsGPlBTKN
-jPSfz3XU7lebayJwGpJFVwfHYTzxGu8IuK7k6WUvCA4j98HbRpJCuNEZeE4Jsvlc
-CLhee1YTkUDtNb3GaV2F8a4pDyCxvxCBlhoTMdDDWLGibylpZKaqZyxuO+X7QTUM
-TfiyQEZ6YFqQj+f1/BjzPDeXXXMOYA5tgHumjB726rtmK1HB7ZQ=
-=5Ghp
------END PGP SIGNATURE-----

openssh-9.3p1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8
+size 1856839

openssh-9.3p1.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmQSOZYACgkQKj9BTnNg
+YLrKJg//fSKjNlnb3l75ZwLoWhwpEZQp7poEq5qCCRNvu4dleuU1sMxNPl9/Ow1i
+iZVW67OGNjIsJ7FJmHNF3UOgkH50c6OHivmDaTywDtyCLZvUVmaSfOe0own8s8KB
+OV7czHqd9giHQlGWWTxg9eVAfOaqpzXugkzo7UoTVqEqJ3Ru/FQ4RGSIjTGzuM/0
+EC+JkKyO+0pP3mr4XfZdxsbYc9WVEG9ZIlT153y9I5MfiWM1SC/0gg4NLz025Xaa
+ment5c+BdhIwYjC2f5F/9s0J6+lFHiFBHLQVGx4qq/Tx3XGfP0xBcS1V9Mkhyjzf
+ZXj6acQ+T50H8p3OWZyrWn11YNtGjzkwuQWrj8Ue4NPFGqgPbANeH32yOiIWpIh0
+CtpGnRGQP1zF14hEAR5gKangTNCp/IVMBhIs4UL3zI6uS2yRLTGOWcgrnjJv26vg
+jb2WmL0AeqYLZw41pbq+zmVizhhg8qk7KPQQsFxnalSFHz35tnHN8oQD5TCDxqtu
+f/roTbZhW/nnlaMlEAnB09LO6e1nyDIcJ6hj0CK9cSgIn8pb1q9GdjYx5PNKwsoa
+NuD+bqlzF5krjiOHJh+vDw0GKFusflL46Dmry5a4K0vLUGBn6uAUPtuwMdBsLofU
+k3a4zBMlOCm6o3WqgAug4fSwCfYkJ9Dc+FaedGC1X4fys4lV/6k=
+=deVJ
+-----END PGP SIGNATURE-----

openssh-askpass-gnome.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Sun May 28 09:16:44 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- openssh-askpass-gnome: require only openssh-clients, not the full
+  openssh (including -server), to avoid pulling in excessive
+  dependencies when installing git on Gnome (boo#1211446)
+
+-------------------------------------------------------------------
+Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarrosa@suse.com>
+
+- Update to openssh 9.3p1
+  * No changes for askpass, see main package changelog for
+    details
+
 -------------------------------------------------------------------
 Tue Sep 28 19:05:15 UTC 2021 - Hans Petter Jansson <hpj@suse.com>
 

openssh-askpass-gnome.spec

@@ -18,7 +18,7 @@
 
 %define _name openssh
 Name:           openssh-askpass-gnome
-Version:        8.9p1
+Version:        9.3p1
 Release:        0
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
 License:        BSD-2-Clause
@@ -26,7 +26,7 @@ Group:          Productivity/Networking/SSH
 URL:            https://www.openssh.com/
 Source:         https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz
 Source42:       https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc
-Requires:       %{_name} = %{version}
+Requires:       %{_name}-clients = %{version}
 Supplements:    packageand(openssh-clients:libgtk-3-0)
 %if 0%{?suse_version} >= 1550
 BuildRequires:  gtk3-devel

openssh-reenable-dh-group14-sha1-default.patch

@@ -31,7 +31,7 @@ Index: openssh-8.9p1/sshd_config.5
 --- openssh-8.9p1.orig/sshd_config.5
 +++ openssh-8.9p1/sshd_config.5
 @@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec
- sntrup761x25519-sha512@openssh.com,
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
  diffie-hellman-group-exchange-sha256,
  diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
 -diffie-hellman-group14-sha256

openssh-whitelist-syscalls.patch

@@ -14,7 +14,7 @@ Index: openssh-8.8p1/sandbox-seccomp-filter.c
  #endif
 @@ -213,6 +216,9 @@ static const struct sock_filter preauth_
  #ifdef __NR_futex_time64
- 	SC_ALLOW(__NR_futex_time64),
+ 	SC_FUTEX(__NR_futex_time64),
  #endif
 +#ifdef __NR_futex_time64
 +	SC_ALLOW(__NR_futex_time64),

openssh.changes

@@ -1,3 +1,479 @@
+-------------------------------------------------------------------
+Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarrosa@suse.com>
+
+- Update to openssh 9.3p1:
+  = Security
+  * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
+   per-hop destination constraints (ssh-add -h ...) added in
+   OpenSSH 8.9, a logic error prevented the constraints from being
+   communicated to the agent. This resulted in the keys being added
+   without constraints. The common cases of non-smartcard keys and
+   keys without destination constraints are unaffected. This
+   problem was reported by Luci Stanescu.
+
+ * ssh(1): Portable OpenSSH provides an implementation of the
+   getrrsetbyname(3) function if the standard library does not
+   provide it, for use by the VerifyHostKeyDNS feature. A
+   specifically crafted DNS response could cause this function to
+   perform an out-of-bounds read of adjacent stack data, but this
+   condition does not appear to be exploitable beyond denial-of-
+   service to the ssh(1) client.
+   The getrrsetbyname(3) replacement is only included if the
+   system's standard library lacks this function and portable
+   OpenSSH was not compiled with the ldns library (--with-ldns).
+   getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
+   fetch SSHFP records. This problem was found by the Coverity
+   static analyzer.
+
+  = New features
+  * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
+    when outputting SSHFP fingerprints to allow algorithm
+    selection. bz3493
+  * sshd(8): add a `sshd -G` option that parses and prints the
+    effective configuration without attempting to load private keys
+    and perform other checks. This allows usage of the option
+    before keys have been generated and for configuration
+    evaluation and verification by unprivileged users.
+
+  = Bugfixes
+  * scp(1), sftp(1): fix progressmeter corruption on wide displays;
+    bz3534
+  * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing
+    usability of private keys as some systems are starting to
+    disable RSA/SHA1 in libcrypto.
+  * sftp-server(8): fix a memory leak. GHPR363
+  * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
+    compatibility code and simplify what's left.
+  * Fix a number of low-impact Coverity static analysis findings.
+    These include several reported via bz2687
+  * ssh_config(5), sshd_config(5): mention that some options are
+    not first-match-wins.
+  * Rework logging for the regression tests. Regression tests will
+    now capture separate logs for each ssh and sshd invocation in
+    a test.
+  * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
+    says it should; bz3532.
+  * ssh(1): ensure that there is a terminating newline when adding
+    a new entry to known_hosts; bz3529
+
+  = Portability
+  * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
+    mmap(2), madvise(2) and futex(2) flags, removing some
+    concerning kernel attack surface.
+  * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
+    bz3537
+
+- Update to openssh 9.2p1:
+  = Security
+  * sshd(8): fix a pre-authentication double-free memory fault
+    introduced in OpenSSH 9.1. This is not believed to be
+    exploitable, and it occurs in the unprivileged pre-auth process
+    that is subject to chroot(2) and is further sandboxed on most
+    major platforms.
+  * ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen
+    option would ignore its first argument unless it was one of the
+    special keywords "any" or "none", causing the permission list
+    to fail open if only one permission was specified. bz3515
+  * ssh(1): if the CanonicalizeHostname and
+    CanonicalizePermittedCNAMEs options were enabled, and the
+    system/libc resolver did not check that names in DNS responses
+    were valid, then use of these options could allow an attacker
+    with control of DNS to include invalid characters (possibly
+    including wildcards) in names added to known_hosts files when
+    they were updated. These names would still have to match the
+    CanonicalizePermittedCNAMEs allow-list, so practical
+    exploitation appears unlikely.
+
+  = Potentially-incompatible changes
+  * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option
+    that controls whether the client-side ~C escape sequence that
+    provides a  command-line is available. Among other things, the
+    ~C command-line could be used to add additional port-forwards
+    at runtime.
+    This option defaults to "no", disabling the ~C command-line
+    that was previously enabled by default. Turning off the
+    command-line allows platforms that support sandboxing of the
+    ssh(1) client (currently only OpenBSD) to use a stricter
+    default sandbox policy.
+
+  = New features
+  * sshd(8): add support for channel inactivity timeouts via a new
+    sshd_config(5) ChannelTimeout directive. This allows channels
+    that have not seen traffic in a configurable interval to be
+    automatically closed. Different timeouts may be applied to
+    session, X11, agent and TCP forwarding channels.
+  * sshd(8): add a sshd_config UnusedConnectionTimeout option to
+    terminate client connections that have no open channels for a
+    length of time. This complements the ChannelTimeout option
+    above.
+  * sshd(8): add a -V (version) option to sshd like the ssh client
+    has.
+  * ssh(1): add a "Host" line to the output of ssh -G showing the
+    original hostname argument. bz3343
+  * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
+    allow control over some SFTP protocol parameters: the copy
+    buffer length and the number of in-flight requests, both of
+    which are used during upload/download. Previously these could
+    be controlled in sftp(1) only. This makes them available in
+    both SFTP protocol clients using the same option character
+    sequence.
+  * ssh-keyscan(1): allow scanning of complete CIDR address ranges,
+    e.g.  "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed,
+    then it will be expanded to all possible addresses in the range
+    including the all-0s and all-1s addresses. bz#976
+  * ssh(1): support dynamic remote port forwarding in escape
+    command-line's -R processing. bz#3499
+ 
+  = Bugfixes
+  * ssh(1): when restoring non-blocking mode to stdio fds, restore
+    exactly the flags that ssh started with and don't just clobber
+    them with zero, as this could also remove the append flag from
+    the set. bz3523
+  * ssh(1): avoid printf("%s", NULL) if using
+    UserKnownHostsFile=none and a hostkey in one of the system
+    known hosts file changes.
+  * scp(1): switch scp from using pipes to a socket-pair for
+    communication with its ssh sub-processes, matching how sftp(1)
+    operates.
+  * sshd(8): clear signal mask early in main(); sshd may have been
+    started with one or more signals masked (sigprocmask(2) is not
+    cleared on fork/exec) and this could interfere with various
+    things, e.g. the login grace timer. Execution environments that
+    fail to clear the signal mask before running sshd are clearly
+    broken, but apparently they do exist.
+  * ssh(1): warn if no host keys for hostbased auth can be loaded.
+  * sshd(8): Add server debugging for hostbased auth that is queued
+    and sent to the client after successful authentication, but
+    also logged to assist in diagnosis of HostbasedAuthentication
+    problems. bz3507
+  * ssh(1): document use of the IdentityFile option as being usable
+    to list public keys as well as private keys. GHPR352
+  * sshd(8): check for and disallow MaxStartups values less than or
+    equal to zero during config parsing, rather than failing later
+    at runtime.  bz3489
+  * ssh-keygen(1): fix parsing of hex cert expiry times specified
+    on the command-line when acting as a CA.
+  * scp(1): when scp(1) is using the SFTP protocol for transport
+    (the default), better match scp/rcp's handling of globs that
+    don't match the globbed characters but do match literally (e.g.
+    trying to transfer a file named "foo.[1]"). Previously scp(1)
+    in SFTP mode would not match these pathnames but legacy scp/rcp
+    mode would. bz3488
+  * ssh-agent(1): document the "-O no-restrict-websafe"
+    command-line option.
+  * ssh(1): honour user's umask(2) if it is more restrictive then
+    the ssh default (022).
+ 
+  = Portability
+  * sshd(8): allow writev(2) in the Linux seccomp sandbox. This
+    seems to be used by recent glibcs at least in some
+    configurations during error conditions. bz3512.
+  * sshd(8): simply handling of SSH_CONNECTION PAM env var,
+    removing global variable and checking the return value from
+    pam_putenv. bz3508
+  * sshd(8): disable SANDBOX_SECCOMP_FILTER_DEBUG that was
+    mistakenly enabled during the OpenSSH 9.1 release cycle.
+  * misc: update autotools and regenerate the config files using
+    the latest autotools
+  * all: use -fzero-call-used-regs=used on clang 15 instead of
+    -fzero-call-used-reg=all, as some versions of clang 15 have
+    miscompile code when it was enabled. bz3475
+  * sshd(8): defer PRNG seeding until after the initial
+    closefrom(2) call. PRNG seeding will initialize OpenSSL, and
+    some engine providers (e.g. Intel's QAT) will open descriptors
+    for their own use that closefrom(2) could clobber. bz3483
+  * misc: in the poll(2)/ppoll(2) compatibility code, avoid
+    assuming the layout of fd_set.
+  * sftp-server(8), ssh-agent(1): fix ptrace(2) disabling on older
+    FreeBSD kernels. Some versions do not support using id 0 to
+    refer to the current PID for procctl, so try again with
+    getpid() explicitly before failing.
+  * configure.ac: fix -Wstrict-prototypes in configure test code.
+    Clang 16 now warns on this and legacy prototypes will be
+    removed in C23. GHPR355
+  * configure.ac: fix setres*id checks to work with clang-16. glibc
+    has the prototypes for setresuid behind _GNU_SOURCE, and
+    clang 16 will error out on implicit function definitions.
+    bz3497
+
+- Update to openssh 9.1p1:
+  = Security
+  * ssh-keyscan(1): fix a one-byte overflow in SSH- banner
+    processing.
+    Reported by Qualys
+  * ssh-keygen(1): double free() in error path of file hashing step
+    in signing/verify code; GHPR333
+  * ssh-keysign(8): double-free in error path introduced in
+    openssh-8.9
+ 
+  = Potentially-incompatible changes
+  * The portable OpenSSH project now signs commits and release tags
+    using git's recent SSH signature support. The list of developer
+    signing keys is included in the repository as
+    .git_allowed_signers and is cross-signed using the PGP key that
+    is still used to sign release artifacts:
+    https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
+  * ssh(1), sshd(8): SetEnv directives in ssh_config and
+    sshd_config are now first-match-wins to match other directives.
+    Previously if an environment variable was multiply specified
+    the last set value would have been used. bz3438
+  * ssh-keygen(8): ssh-keygen -A (generate all default host key
+    types) will no longer generate DSA keys, as these are insecure
+    and have not been used by default for some years.
+ 
+  = New features
+  * ssh(1), sshd(8): add a RequiredRSASize directive to set a
+    minimum RSA key length. Keys below this length will be ignored
+    for user authentication and for host authentication in sshd(8).
+    ssh(1) will terminate a connection if the server offers an RSA
+    key that falls below this limit, as the SSH protocol does not
+    include the ability to retry a failed key exchange.
+  * sftp-server(8): add a "users-groups-by-id@openssh.com"
+    extension request that allows the client to obtain user/group
+    names that correspond to a set of uids/gids.
+  * sftp(1): use "users-groups-by-id@openssh.com" sftp-server
+    extension (when available) to fill in user/group names for
+    directory listings.
+  * sftp-server(8): support the "home-directory" extension request
+    defined in draft-ietf-secsh-filexfer-extensions-00. This
+    overlaps a bit with the existing "expand-path@openssh.com", but
+    some other clients support it.
+  * ssh-keygen(1), sshd(8): allow certificate validity intervals,
+    sshsig verification times and authorized_keys expiry-time
+    options to accept dates in the UTC time zone in addition to the
+    default of interpreting them in the system time zone. YYYYMMDD
+    and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if
+    suffixed with a 'Z' character.
+    Also allow certificate validity intervals to be specified in
+    raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890.
+    This is intended for use by regress tests and other tools that
+    call ssh-keygen as part of a CA workflow. bz3468
+  * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
+    "/usr/libexec/sftp-server -el debug3"
+  * ssh-keygen(1): allow the existing -U (use agent) flag to work
+    with "-Y sign" operations, where it will be interpreted to
+    require that the private keys is hosted in an agent; bz3429
+ 
+  = Bugfixes
+  * ssh-keygen(1): implement the "verify-required" certificate
+    option.
+    This was already documented when support for user-verified FIDO
+    keys was added, but the ssh-keygen(1) code was missing.
+  * ssh-agent(1): hook up the restrict_websafe command-line flag;
+    previously the flag was accepted but never actually used.
+  * sftp(1): improve filename tab completions: never try to
+    complete names to non-existent commands, and better match the
+    completion type (local or remote filename) against the argument
+    position being completed.
+  * ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key
+    handling, especially relating to keys that request
+    user-verification. These should reduce the number of
+    unnecessary PIN prompts for keys that support intrinsic user
+    verification. GHPR302, GHPR329
+  * ssh-keygen(1): when enrolling a FIDO resident key, check if a
+    credential with matching application and user ID strings
+    already exists and, if so, prompt the user for confirmation
+    before overwriting the credential. GHPR329
+  * sshd(8): improve logging of errors when opening authorized_keys
+    files. bz2042
+  * ssh(1): avoid multiplexing operations that could cause SIGPIPE
+    from causing the client to exit early. bz3454
+  * ssh_config(5), sshd_config(5): clarify that the RekeyLimit
+    directive applies to both transmitted and received data.
+    GHPR328
+  * ssh-keygen(1): avoid double fclose() in error path.
+  * sshd(8): log an error if pipe() fails while accepting a
+    connection. bz3447
+  * ssh(1), ssh-keygen(1): fix possible NULL deref when built
+    without FIDO support. bz3443
+  * ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage.
+    GHPR294.
+  * sshd(8): ensure that authentication passwords are cleared from
+    memory in error paths. GHPR286
+  * ssh(1), ssh-agent(1): avoid possibility of notifier code
+    executing kill(-1). GHPR286
+  * ssh_config(5): note that the ProxyJump directive also accepts
+    the same tokens as ProxyCommand. GHPR305.
+  * scp(1): do not not ftruncate(3) files early when in sftp mode.
+    The previous behaviour of unconditionally truncating the
+    destination file would cause "scp ~/foo localhost:foo" and the
+    reverse "scp localhost:foo ~/foo" to delete all the contents of
+    their destination. bz3431
+  * ssh-keygen(1): improve error message when 'ssh-keygen -Y sign'
+    is unable to load a private key; bz3429
+  * sftp(1), scp(1): when performing operations that glob(3) a
+    remote path, ensure that the implicit working directory used to
+    construct that path escapes glob(3) characters. This prevents
+    glob characters from being processed in places they shouldn't,
+    e.g. "cd /tmp/a*/", "get *.txt" should have the get operation
+    treat the path "/tmp/a*" literally and not attempt to expand
+    it.
+  * ssh(1), sshd(8): be stricter in which characters will be
+    accepted in specifying a mask length; allow only 0-9. GHPR278
+  * ssh-keygen(1): avoid printing hash algorithm twice when dumping
+    a KRL
+  * ssh(1), sshd(8): continue running local I/O for open channels
+    during SSH transport rekeying. This should make ~-escapes work
+    in the client (e.g. to exit) if the connection happened to have
+    stalled during a rekey event.
+  * ssh(1), sshd(8): avoid potential poll() spin during rekeying
+  * Further hardening for sshbuf internals: disallow "reparenting"
+    a hierarchical sshbuf and zero the entire buffer if
+    reallocation fails. GHPR287
+ 
+  = Portability
+  * ssh(1), ssh-keygen(1), sshd(8): automatically enable the
+    built-in FIDO security key support if libfido2 is found and
+    usable, unless --without-security-key-builtin was requested.
+  * ssh(1), ssh-keygen(1), sshd(8): many fixes to make the WinHello
+    FIDO device usable on Cygwin. The windows://hello FIDO device
+    will be automatically used by default on this platform unless
+    requested otherwise, or when probing resident FIDO credentials
+    (an operation not currently supported by WinHello).
+  * Portable OpenSSH: remove workarounds for obsolete and
+    unsupported versions of OpenSSL libcrypto. In particular, this
+    release removes fallback support for OpenSSL that lacks AES-CTR
+    or AES-GCM. Those AES cipher modes were added to OpenSSL prior
+    to the minimum version currently supported by OpenSSH, so this
+    is not expected to impact any currently supported
+    configurations.
+  * sshd(8): fix SANDBOX_SECCOMP_FILTER_DEBUG on current
+    Linux/glibc
+  * All: resync and clean up internal CSPRNG code.
+  * scp(1), sftp(1), sftp-server(8): avoid linking these programs
+    with unnecessary libraries. They are no longer linked against
+    libz and libcrypto. This may be of benefit to space constrained
+    systems using any of those components in isolation.
+  * sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox
+    architectures.
+  * configure: remove special casing of crypt(). configure will no
+    longer search for crypt() in libcrypto, as it was removed from
+    there years ago. configure will now only search libc and
+    libcrypt.
+  * configure: refuse to use OpenSSL 3.0.4 due to potential RCE in
+    its RSA implementation (CVE-2022-2274) on x86_64.
+  * All: request 1.1x API compatibility for OpenSSL >=3.x; GHPR322
+  * ssh(1), ssh-keygen(1), sshd(8): fix a number of missing
+    includes required by the XMSS code on some platforms.
+  * sshd(8): cache timezone data in capsicum sandbox.
+
+- Update to openssh 9.0p1:
+  = Potentially-incompatible changes
+  * This release switches scp(1) from using the legacy scp/rcp
+    protocol to using the SFTP protocol by default.
+    Legacy scp/rcp performs wildcard expansion of remote filenames
+    (e.g. "scp host:* .") through the remote shell. This has the
+    side effect of requiring double quoting of shell
+    meta-characters in file names included on scp(1) command-lines,
+    otherwise they could be interpreted as shell commands on the
+    remote side.
+    This creates one area of potential incompatibility: scp(1) when
+    using the SFTP protocol no longer requires this finicky and
+    brittle quoting, and attempts to use it may cause transfers to
+    fail. We consider the removal of the need for double-quoting
+    shell characters in file names to be a benefit and do not
+    intend to introduce bug-compatibility for legacy scp/rcp in
+    scp(1) when using the SFTP protocol.
+    Another area of potential incompatibility relates to the use of
+    remote paths relative to other user's home directories, for
+    example - "scp host:~user/file /tmp". The SFTP protocol has no
+    native way to expand a ~user path. However, sftp-server(8) in
+    OpenSSH 8.7 and later support a protocol extension
+    "expand-path@openssh.com" to support this.
+    In case of incompatibility, the scp(1) client may be instructed
+    to use the legacy scp/rcp using the -O flag.
+
+  = New features
+  * ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519
+    key exchange method by default
+    ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is
+    believed to resist attacks enabled by future quantum computers
+    and is paired with the X25519 ECDH key exchange (the previous
+    default) as a backstop against any weaknesses in NTRU Prime
+    that may be discovered in the future. The combination ensures
+    that the hybrid exchange offers at least as good security as
+    the status quo.
+    We are making this change now (i.e. ahead of cryptographically-
+    relevant quantum computers) to prevent "capture now, decrypt
+    later" attacks where an adversary who can record and store SSH
+    session ciphertext would be able to decrypt it once a
+    sufficiently advanced quantum computer is available.
+  * sftp-server(8): support the "copy-data" extension to allow
+    server-side copying of files/data, following the design in
+    draft-ietf-secsh-filexfer-extensions-00. bz2948
+  * sftp(1): add a "cp" command to allow the sftp client to perform
+    server-side file copies.
+ 
+  = Bugfixes
+  * ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's
+    output fd closes without data in the channel buffer. bz3405 and
+    bz3411
+  * sshd(8): pack pollfd array in server listen/accept loop. Could
+    cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE
+  * ssh-keygen(1): avoid NULL deref via the find-principals and
+    check-novalidate operations. bz3409 and GHPR307 respectively.
+  * scp(1): fix a memory leak in argument processing. bz3404
+  * sshd(8): don't try to resolve ListenAddress directives in the
+    sshd re-exec path. They are unused after re-exec and parsing
+    errors (possible for example if the host's network
+    configuration changed) could prevent connections from being
+    accepted.
+  * sshd(8): when refusing a public key authentication request from
+    a client for using an unapproved or unsupported signature
+    algorithm include the algorithm name in the log message to make
+    debugging easier.
+     
+  = Portability
+  * sshd(8): refactor platform-specific locked account check,
+    fixing an incorrect free() on platforms with both libiaf and
+    shadow passwords (probably only Unixware) GHPR284,
+  * ssh(1), sshd(8): Fix possible integer underflow in
+    scan_scaled(3) parsing of K/M/G/etc quantities. bz#3401.
+  * sshd(8): provide killpg implementation (mostly for Tandem
+    NonStop) GHPR301.
+  * Check for missing ftruncate prototype. GHPR301
+  * sshd(8): default to not using sandbox when cross compiling. On
+    most systems poll(2) does not work when the number of FDs is
+    reduced with setrlimit, so assume it doesn't when cross
+    compiling and we can't run the test.  bz#3398.
+  * sshd(8): allow ppoll_time64 in seccomp sandbox. Should fix
+    sandbox violations on some (at least i386 and armhf) 32bit
+    Linux platforms. bz#3396.
+  * Improve detection of -fzero-call-used-regs=all support in
+    configure script.
+
+- Add patch that explicitly adds -lz in Makefile.in to some
+  binaries which need it:
+  * fix-missing-lz.patch
+- Rebase patches:
+  * openssh-7.7p1-fips.patch
+  * openssh-7.7p1-fips_checks.patch
+  * openssh-7.7p1-ldap.patch
+  * openssh-7.7p1-pam_check_locks.patch
+  * openssh-7.7p1-seccomp_ipc_flock.patch
+  * openssh-7.7p1-sftp_print_diagnostic_messages.patch
+  * openssh-7.7p1-systemd-notify.patch
+  * openssh-8.0p1-gssapi-keyex.patch
+  * openssh-8.1p1-audit.patch
+  * openssh-8.1p1-ed25519-use-openssl-rng.patch
+  * openssh-8.4p1-vendordir.patch
+  * openssh-reenable-dh-group14-sha1-default.patch
+  * openssh-whitelist-syscalls.patch
+  * wtmpdb.patch
+- Fix setting libexec dir in the LDAP patch.
+- Fix build in Leap 15.x which doesn't use %{_distconfdir}
+ 
+-------------------------------------------------------------------
+Fri May  5 15:18:20 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Add _multibuild to define 2nd spec file as additional flavor.
+  Eliminates the need for source package links in OBS.
+
+-------------------------------------------------------------------
+Mon Apr 17 13:14:49 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
+
+- wtmpdb.patch: add support for wtmpdb to sshd [jsc#PED-3144]
+
 -------------------------------------------------------------------
 Mon Mar 27 08:39:38 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
 

openssh.spec

@@ -24,13 +24,20 @@
 %define _appdefdir  %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
 %define CHECKSUM_SUFFIX .hmac
 %define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
+%bcond_without ldap
+
+%if 0%{?suse_version} >= 1550
+%bcond_without wtmpdb
+%else
+%bcond_with wtmpdb
+%endif
 
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           openssh
-Version:        8.9p1
+Version:        9.3p1
 Release:        0
 Summary:        Secure Shell Client and Server (Remote Login Program)
 License:        BSD-2-Clause AND MIT
@@ -107,17 +114,21 @@ Patch47:        openssh-8.4p1-vendordir.patch
 Patch48:        openssh-8.4p1-pam_motd.patch
 Patch49:        openssh-do-not-send-empty-message.patch
 Patch50:        openssh-openssl-3.patch
+Patch51:        wtmpdb.patch
+Patch100:       fix-missing-lz.patch
 BuildRequires:  audit-devel
 BuildRequires:  automake
 BuildRequires:  groff
 BuildRequires:  libedit-devel
 BuildRequires:  libselinux-devel
+%if %{with ldap}
 BuildRequires:  openldap2-devel
+%endif
 BuildRequires:  openssl-devel
 BuildRequires:  pam-devel
 BuildRequires:  pkgconfig
 BuildRequires:  zlib-devel
-BuildRequires:  pkgconfig(libfido2)
+BuildRequires:  pkgconfig(libfido2) >= 1.2.0
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  sysuser-shadow
 BuildRequires:  sysuser-tools
@@ -128,6 +139,9 @@ BuildRequires:  pkgconfig(krb5)
 %else
 BuildRequires:  krb5-mini-devel
 %endif
+%if %{with wtmpdb}
+BuildRequires:  pkgconfig(libwtmpdb)
+%endif
 Requires(pre):  findutils
 Requires(pre):  grep
 
@@ -215,6 +229,7 @@ also be forwarded over the secure channel.
 This package contains clients for making secure connections to Secure
 Shell servers.
 
+%if %{with ldap}
 %package helpers
 Summary:        OpenSSH AuthorizedKeysCommand helpers
 Group:          Productivity/Networking/SSH
@@ -231,6 +246,7 @@ also be forwarded over the secure channel.
 
 This package contains helper applications for OpenSSH which retrieve
 keys from various sources.
+%endif
 
 %package fips
 Summary:        OpenSSH FIPS crypto module HMACs
@@ -262,7 +278,7 @@ cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
 # set libexec dir in the LDAP patch
 sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
     $( grep -Rl @LIBEXECDIR@ \
-        $( grep "^+++" openssh-7.7p1-ldap.patch | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
+        $( grep "^+++" %{PATCH31} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
     )
 
 %build
@@ -294,9 +310,14 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
 %endif
     --disable-strip \
     --with-audit=linux \
+%if %{with ldap}
     --with-ldap \
+%endif
     --with-xauth=%{_bindir}/xauth \
     --with-libedit \
+%if %{with wtmpdb}
+    --with-wtmpdb \
+%endif
     --with-security-key-builtin \
     --target=%{_target_cpu}-suse-linux
 
@@ -327,12 +348,16 @@ install -m 755 contrib/ssh-copy-id %{buildroot}%{_bindir}
 install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1
 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config
 
+echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+
 # Move /etc to /usr/etc/ssh
+%if %{defined _distconfdir}
 mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d
 mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/
 mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/
-echo "PermitRootLogin yes" > %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+%endif
 
 %if 0%{?suse_version} < 1550
 # install firewall definitions
@@ -426,9 +451,15 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %license LICENCE
 %doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%if %{defined _distconfdir}
 %attr(0755,root,root) %dir %{_distconfdir}/ssh
-%attr(0755,root,root) %dir /usr/etc/ssh/ssh_config.d
 %attr(0600,root,root) %{_distconfdir}/ssh/moduli
+%attr(0755,root,root) %dir %{_distconfdir}/ssh/ssh_config.d
+%else
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0600,root,root) %{_sysconfdir}/ssh/moduli
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d
+%endif
 %attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0444,root,root) %{_mandir}/man5/moduli.5*
 %attr(0755,root,root) %{_bindir}/ssh-keygen*
@@ -439,12 +470,13 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start
 %dir %attr(0755,root,root) %{_localstatedir}/lib/sshd
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d
-%attr(0755,root,root) %dir %{_distconfdir}/ssh
-%attr(0755,root,root) %dir /usr/etc/ssh/sshd_config.d
-%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config
 %if %{defined _distconfdir}
+%attr(0755,root,root) %dir %{_distconfdir}/ssh
+%attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d
+%attr(0640,root,root) %{_distconfdir}/ssh/sshd_config
 %attr(0644,root,root) %{_pam_vendordir}/sshd
 %else
+%attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd
 %endif
 %attr(0644,root,root) %{_unitdir}/sshd.service
@@ -463,11 +495,19 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %endif
 
 %files server-config-rootlogin
+%if %{defined _distconfdir}
 %{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+%else
+%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf
+%endif
 
 %files clients
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
+%if %{defined _distconfdir}
 %attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
+%else
+%attr(0644,root,root) %{_sysconfdir}/ssh/ssh_config
+%endif
 %attr(0755,root,root) %{_bindir}/ssh
 %attr(0755,root,root) %{_bindir}/scp*
 %attr(0755,root,root) %{_bindir}/sftp*
@@ -492,6 +532,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8*
 %attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8*
 
+%if %{with ldap}
 %files helpers
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
 %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
@@ -500,6 +541,7 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 %attr(0444,root,root) %{_mandir}/man5/ssh-ldap*
 %attr(0444,root,root) %{_mandir}/man8/ssh-ldap*
 %doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
+%endif
 
 %files fips
 %attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX}

wtmpdb.patch

@@ -0,0 +1,185 @@
+diff -ur openssh-8.9p1.old/configure.ac openssh-8.9p1/configure.ac
+--- openssh-8.9p1.old/configure.ac	2022-02-23 12:31:11.000000000 +0100
++++ openssh-8.9p1/configure.ac	2023-04-17 14:52:21.499002203 +0200
+@@ -1703,6 +1703,49 @@
+ 	fi ]
+ )
+ 
++# Check whether user wants wtmpdb support
++WTMPDB_MSG="no"
++AC_ARG_WITH([wtmpdb],
++	[  --with-wtmpdb[[=PATH]]   Enable wtmpdb support for sshd],
++	[ if test "x$withval" != "xno" ; then
++		if test "x$withval" = "xyes" ; then
++			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
++			if test "x$PKGCONFIG" != "xno"; then
++				AC_MSG_CHECKING([if $PKGCONFIG knows about wtmpdb])
++				if "$PKGCONFIG" libwtmpdb; then
++					AC_MSG_RESULT([yes])
++					use_pkgconfig_for_libwtmpdb=yes
++				else
++					AC_MSG_RESULT([no])
++				fi
++			fi
++		else
++			CPPFLAGS="$CPPFLAGS -I${withval}/include"
++			if test -n "${rpath_opt}"; then
++				LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
++			else
++				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
++			fi
++		fi
++		if test "x$use_pkgconfig_for_libwtmpdb" = "xyes"; then
++			LIBWTMPDB=`$PKGCONFIG --libs libwtmpdb`
++			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libwtmpdb`"
++		else
++			LIBWTMPDB="-lwtmpdb"
++		fi
++		OTHERLIBS=`echo $LIBWTMPDB | sed 's/-lwtmpdb//'`
++		AC_CHECK_LIB([wtmpdb], [wtmpdb_login],
++			[ AC_DEFINE([USE_WTMPDB], [1], [Use libwtmpdb for sshd])
++			  WTMPDB_MSG="yes"
++			  AC_SUBST([LIBWTMPDB])
++			],
++			[ AC_MSG_ERROR([libwtmpdb not found]) ],
++			[ $OTHERLIBS ]
++		)
++	fi ]
++)
++
++
+ AUDIT_MODULE=none
+ AC_ARG_WITH([audit],
+ 	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
+diff -ur openssh-8.9p1.old/loginrec.c openssh-8.9p1/loginrec.c
+--- openssh-8.9p1.old/loginrec.c	2022-02-23 12:31:11.000000000 +0100
++++ openssh-8.9p1/loginrec.c	2023-04-18 10:05:04.311193333 +0200
+@@ -187,6 +187,10 @@
+ # include <util.h>
+ #endif
+ 
++#ifdef USE_WTMPDB
++# include <wtmpdb.h>
++#endif
++
+ /**
+  ** prototypes for helper functions in this file
+  **/
+@@ -207,6 +211,9 @@
+ int wtmpx_write_entry(struct logininfo *li);
+ int lastlog_write_entry(struct logininfo *li);
+ int syslogin_write_entry(struct logininfo *li);
++#ifdef USE_WTMPDB
++int wtmpdb_write_entry(struct logininfo *li);
++#endif
+ 
+ int getlast_entry(struct logininfo *li);
+ int lastlog_get_entry(struct logininfo *li);
+@@ -467,6 +474,9 @@
+ #ifdef USE_WTMPX
+ 	wtmpx_write_entry(li);
+ #endif
++#ifdef USE_WTMPDB
++	wtmpdb_write_entry(li);
++#endif
+ #ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
+ 	if (li->type == LTYPE_LOGIN &&
+ 	    !sys_auth_record_login(li->username,li->hostname,li->line,
+@@ -1409,6 +1419,64 @@
+ }
+ #endif /* USE_WTMPX */
+ 
++#ifdef USE_WTMPDB
++static int
++wtmpdb_perform_login(struct logininfo *li)
++{
++	uint64_t login_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
++	const char *tty;
++
++	if (strncmp(li->line, "/dev/", 5) == 0)
++		tty = &(li->line[5]);
++	else
++		tty = li->line;
++
++	li->wtmpdb_id = wtmpdb_login(NULL, USER_PROCESS, li->username,
++				     login_time, tty, li->hostname, 0, 0);
++	if (li->wtmpdb_id < 0)
++		return (0);
++
++	return (1);
++}
++
++
++static int
++wtmpdb_perform_logout(struct logininfo *li)
++{
++	uint64_t logout_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec;
++
++	if (li->wtmpdb_id == 0) {
++		const char *tty;
++
++	  if (strncmp(li->line, "/dev/", 5) == 0)
++		tty = &(li->line[5]);
++	  else
++		tty = li->line;
++
++	  li->wtmpdb_id = wtmpdb_get_id(NULL, tty, NULL);
++	}
++	wtmpdb_logout(NULL, li->wtmpdb_id, logout_time, NULL);
++
++	return (1);
++}
++
++
++int
++wtmpdb_write_entry(struct logininfo *li)
++{
++	switch(li->type) {
++	case LTYPE_LOGIN:
++		return (wtmpdb_perform_login(li));
++	case LTYPE_LOGOUT:
++		return (wtmpdb_perform_logout(li));
++	default:
++		logit("%s: invalid type field", __func__);
++		return (0);
++	}
++}
++#endif
++
++
+ /**
+  ** Low-level libutil login() functions
+  **/
+diff -ur openssh-8.9p1.old/loginrec.h openssh-8.9p1/loginrec.h
+--- openssh-8.9p1.old/loginrec.h	2022-02-23 12:31:11.000000000 +0100
++++ openssh-8.9p1/loginrec.h	2023-04-17 14:58:20.808850750 +0200
+@@ -79,6 +79,9 @@
+ 	unsigned int tv_sec;
+ 	unsigned int tv_usec;
+ 	union login_netinfo hostaddr;       /* caller's host address(es) */
++#ifdef USE_WTMPDB
++	int64_t wtmpdb_id;                  /* ID for wtmpdb_logout */
++#endif
+ }; /* struct logininfo */
+ 
+ /*
+diff -ur openssh-8.9p1.old/Makefile.in openssh-8.9p1/Makefile.in
+--- openssh-8.9p1.old/Makefile.in	2022-02-23 12:31:11.000000000 +0100
++++ openssh-8.9p1/Makefile.in	2023-04-17 14:44:32.156538001 +0200
+@@ -55,6 +55,7 @@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ LIBFIDO2=@LIBFIDO2@
++LIBWTMPDB=@LIBWTMPDB@
+ AR=@AR@
+ AWK=@AWK@
+ RANLIB=@RANLIB@
+@@ -212,7 +213,7 @@
+ 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
+ 
+ sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
+-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
++	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
+ 
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
+ 	$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)