Accepting request 35778 from Base:System

Copy from Base:System/openssh based on submit request 35778 from user anicka

OBS-URL: https://build.opensuse.org/request/show/35778
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=39

openssh-5.2p1-gcc-fix.patch

@@ -1,10 +0,0 @@
---- scard-opensc.c
-+++ scard-opensc.c
-@@ -31,6 +31,7 @@
- #include <openssl/evp.h>
- #include <openssl/x509.h>
- 
-+#include <string.h>
- #include <stdarg.h>
- #include <string.h>
- 

openssh-5.2p1-pam-fix4.diff

@@ -1,26 +0,0 @@
-Index: openssh-5.1p1/auth-pam.c
-================================================================================
---- openssh-5.2p1/auth-pam.c
-+++ openssh-5.2p1/auth-pam.c
-@@ -602,16 +602,16 @@
- 		return;
- 	debug("PAM: cleanup");
- 	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
--	if (sshpam_cred_established) {
--		debug("PAM: deleting credentials");
--		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
--		sshpam_cred_established = 0;
--	}
- 	if (sshpam_session_open) {
- 		debug("PAM: closing session");
- 		pam_close_session(sshpam_handle, PAM_SILENT);
- 		sshpam_session_open = 0;
- 	}
-+	if (sshpam_cred_established) {
-+		debug("PAM: deleting credentials");
-+		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
-+		sshpam_cred_established = 0;
-+	}
- 	sshpam_authenticated = 0;
- 	pam_end(sshpam_handle, sshpam_err);
- 	sshpam_handle = NULL;

openssh-5.2p1.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5de561b64b659e21d66b4f1c04690e94f922f3f5fb3f070e81fbd8f9f4403de8
-size 816819

openssh-5.4p1-audit.patch

@@ -1,8 +1,10 @@
 # add support for Linux audit (FATE #120269)
 ================================================================================
---- openssh-5.2p1/Makefile.in
+Index: openssh-5.4p1/Makefile.in
-+++ openssh-5.2p1/Makefile.in
+===================================================================
-@@ -44,6 +44,7 @@
+--- openssh-5.4p1.orig/Makefile.in
++++ openssh-5.4p1/Makefile.in
+@@ -46,6 +46,7 @@ LD=@LD@
  CFLAGS=@CFLAGS@
  CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
  LIBS=@LIBS@
@@ -10,7 +12,7 @@
  SSHDLIBS=@SSHDLIBS@
  LIBEDIT=@LIBEDIT@
  AR=@AR@
-@@ -137,7 +138,7 @@
+@@ -142,7 +143,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
  	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
  
  sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
@@ -19,9 +21,11 @@
  
  scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
  	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
---- openssh-5.2p1/auth.c
+Index: openssh-5.4p1/auth.c
-+++ openssh-5.2p1/auth.c
+===================================================================
-@@ -287,6 +287,12 @@
+--- openssh-5.4p1.orig/auth.c
++++ openssh-5.4p1/auth.c
+@@ -293,6 +293,12 @@ auth_log(Authctxt *authctxt, int authent
  		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
  # endif
  #endif
@@ -34,7 +38,7 @@
  #ifdef SSH_AUDIT_EVENTS
  	if (authenticated == 0 && !authctxt->postponed)
  		audit_event(audit_classify_auth(method));
-@@ -533,6 +539,10 @@
+@@ -564,6 +570,10 @@ getpwnamallow(const char *user)
  		record_failed_login(user,
  		    get_canonical_hostname(options.use_dns), "ssh");
  #endif
@@ -45,9 +49,11 @@
  #ifdef SSH_AUDIT_EVENTS
  		audit_event(SSH_INVALID_USER);
  #endif /* SSH_AUDIT_EVENTS */
---- openssh-5.2p1/config.h.in
+Index: openssh-5.4p1/config.h.in
-+++ openssh-5.2p1/config.h.in
+===================================================================
-@@ -1397,6 +1397,9 @@
+--- openssh-5.4p1.orig/config.h.in
++++ openssh-5.4p1/config.h.in
+@@ -1415,6 +1415,9 @@
  /* Define if you want SELinux support. */
  #undef WITH_SELINUX
  
@@ -57,9 +63,11 @@
  /* Define to 1 if your processor stores words with the most significant byte
     first (like Motorola and SPARC, unlike Intel and VAX). */
  #undef WORDS_BIGENDIAN
---- openssh-5.2p1/configure.ac
+Index: openssh-5.4p1/configure.ac
-+++ openssh-5.2p1/configure.ac
+===================================================================
-@@ -3340,6 +3340,20 @@
+--- openssh-5.4p1.orig/configure.ac
++++ openssh-5.4p1/configure.ac
+@@ -3363,6 +3363,20 @@ AC_ARG_WITH(selinux,
  	fi ]
  )
  
@@ -80,7 +88,7 @@
  # Check whether user wants Kerberos 5 support
  KRB5_MSG="no"
  AC_ARG_WITH(kerberos5,
-@@ -4160,6 +4174,7 @@
+@@ -4182,6 +4196,7 @@ echo "                       PAM support
  echo "                   OSF SIA support: $SIA_MSG"
  echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
@@ -88,8 +96,10 @@
  echo "                 Smartcard support: $SCARD_MSG"
  echo "                     S/KEY support: $SKEY_MSG"
  echo "              TCP Wrappers support: $TCPW_MSG"
---- openssh-5.2p1/loginrec.c
+Index: openssh-5.4p1/loginrec.c
-+++ openssh-5.2p1/loginrec.c
+===================================================================
+--- openssh-5.4p1.orig/loginrec.c
++++ openssh-5.4p1/loginrec.c
 @@ -176,6 +176,10 @@
  #include "auth.h"
  #include "buffer.h"
@@ -210,9 +220,11 @@
  /**
   ** Low-level libutil login() functions
   **/
---- openssh-5.2p1/loginrec.h
+Index: openssh-5.4p1/loginrec.h
-+++ openssh-5.2p1/loginrec.h
+===================================================================
-@@ -127,5 +127,9 @@
+--- openssh-5.4p1.orig/loginrec.h
++++ openssh-5.4p1/loginrec.h
+@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
  char *line_abbrevname(char *dst, const char *src, int dstsize);
  
  void record_failed_login(const char *, const char *, const char *);

openssh-5.4p1-default-protocol.diff

@@ -1,6 +1,8 @@
---- ssh_config
+Index: ssh_config
+===================================================================
+--- ssh_config.orig
 +++ ssh_config
-@@ -46,7 +46,7 @@
+@@ -46,7 +46,7 @@ ForwardX11Trusted yes
  #   IdentityFile ~/.ssh/id_rsa
  #   IdentityFile ~/.ssh/id_dsa
  #   Port 22

openssh-5.4p1-eal3.diff

@@ -1,6 +1,8 @@
---- openssh-5.2p1/sshd.8
+Index: openssh-5.4p1/sshd.8
-+++ openssh-5.2p1/sshd.8
+===================================================================
-@@ -783,7 +783,7 @@
+--- openssh-5.4p1.orig/sshd.8
++++ openssh-5.4p1/sshd.8
+@@ -840,7 +840,7 @@ Contains Diffie-Hellman groups used for
  The file format is described in
  .Xr moduli 5 .
  .Pp
@@ -9,7 +11,7 @@
  See
  .Xr motd 5 .
  .Pp
-@@ -796,7 +796,7 @@
+@@ -853,7 +853,7 @@ are displayed to anyone trying to log in
  refused.
  The file should be world-readable.
  .Pp
@@ -18,7 +20,7 @@
  This file is used in exactly the same way as
  .Pa hosts.equiv ,
  but allows host-based authentication without permitting login with
-@@ -873,8 +873,7 @@
+@@ -930,8 +930,7 @@ The content of this file is not sensitiv
  .Xr ssh-keyscan 1 ,
  .Xr chroot 2 ,
  .Xr hosts_access 5 ,
@@ -28,19 +30,11 @@
  .Xr sshd_config 5 ,
  .Xr inetd 8 ,
  .Xr sftp-server 8
---- openssh-5.2p1/sshd_config.5
+Index: openssh-5.4p1/sshd_config.5
-+++ openssh-5.2p1/sshd_config.5
+===================================================================
-@@ -177,9 +177,6 @@
+--- openssh-5.4p1.orig/sshd_config.5
- By default, no banner is displayed.
++++ openssh-5.4p1/sshd_config.5
- .It Cm ChallengeResponseAuthentication
+@@ -451,7 +451,7 @@ or
- Specifies whether challenge-response authentication is allowed.
--All authentication styles from
--.Xr login.conf 5
--are supported.
- The default is
- .Dq yes .
- .It Cm ChrootDirectory
-@@ -438,7 +435,7 @@
  .Pp
  .Pa /etc/hosts.equiv
  and

openssh-5.4p1-engines.diff

@@ -1,5 +1,7 @@
---- openssh-5.2p1/ssh-add.c
+Index: openssh-5.4p1/ssh-add.c
-+++ openssh-5.2p1/ssh-add.c
+===================================================================
+--- openssh-5.4p1.orig/ssh-add.c
++++ openssh-5.4p1/ssh-add.c
 @@ -43,6 +43,7 @@
  
  #include <openssl/evp.h>
@@ -8,7 +10,7 @@
  
  #include <fcntl.h>
  #include <pwd.h>
-@@ -344,6 +345,10 @@
+@@ -366,6 +367,10 @@ main(int argc, char **argv)
  
  	SSLeay_add_all_algorithms();
  
@@ -19,8 +21,10 @@
  	/* At first, get a connection to the authentication agent. */
  	ac = ssh_get_authentication_connection();
  	if (ac == NULL) {
---- openssh-5.2p1/ssh-agent.c
+Index: openssh-5.4p1/ssh-agent.c
-+++ openssh-5.2p1/ssh-agent.c
+===================================================================
+--- openssh-5.4p1.orig/ssh-agent.c
++++ openssh-5.4p1/ssh-agent.c
 @@ -52,6 +52,7 @@
  #include <openssl/evp.h>
  #include <openssl/md5.h>
@@ -29,7 +33,7 @@
  
  #include <errno.h>
  #include <fcntl.h>
-@@ -1076,6 +1077,10 @@
+@@ -1091,6 +1092,10 @@ main(int ac, char **av)
  
  	SSLeay_add_all_algorithms();
  
@@ -40,8 +44,10 @@
  	__progname = ssh_get_progname(av[0]);
  	init_rng();
  	seed_rng();
---- openssh-5.2p1/ssh-keygen.c
+Index: openssh-5.4p1/ssh-keygen.c
-+++ openssh-5.2p1/ssh-keygen.c
+===================================================================
+--- openssh-5.4p1.orig/ssh-keygen.c
++++ openssh-5.4p1/ssh-keygen.c
 @@ -22,6 +22,7 @@
  #include <openssl/evp.h>
  #include <openssl/pem.h>
@@ -50,7 +56,7 @@
  
  #include <errno.h>
  #include <fcntl.h>
-@@ -1099,6 +1100,11 @@
+@@ -1523,6 +1524,11 @@ main(int argc, char **argv)
  	__progname = ssh_get_progname(argv[0]);
  
  	SSLeay_add_all_algorithms();
@@ -62,8 +68,10 @@
  	log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
  
  	init_rng();
---- openssh-5.2p1/ssh-keysign.c
+Index: openssh-5.4p1/ssh-keysign.c
-+++ openssh-5.2p1/ssh-keysign.c
+===================================================================
+--- openssh-5.4p1.orig/ssh-keysign.c
++++ openssh-5.4p1/ssh-keysign.c
 @@ -38,6 +38,7 @@
  #include <openssl/evp.h>
  #include <openssl/rand.h>
@@ -72,7 +80,7 @@
  
  #include "xmalloc.h"
  #include "log.h"
-@@ -195,6 +196,11 @@
+@@ -195,6 +196,11 @@ main(int argc, char **argv)
  		fatal("could not open any host key");
  
  	SSLeay_add_all_algorithms();
@@ -84,9 +92,11 @@
  	for (i = 0; i < 256; i++)
  		rnd[i] = arc4random();
  	RAND_seed(rnd, sizeof(rnd));
---- openssh-5.2p1/ssh.c
+Index: openssh-5.4p1/ssh.c
-+++ openssh-5.2p1/ssh.c
+===================================================================
-@@ -73,6 +73,7 @@
+--- openssh-5.4p1.orig/ssh.c
++++ openssh-5.4p1/ssh.c
+@@ -74,6 +74,7 @@
  #include <openssl/err.h>
  #include "openbsd-compat/openssl-compat.h"
  #include "openbsd-compat/sys-queue.h"
@@ -94,7 +104,7 @@
  
  #include "xmalloc.h"
  #include "ssh.h"
-@@ -550,6 +551,10 @@
+@@ -584,6 +585,10 @@ main(int ac, char **av)
  	SSLeay_add_all_algorithms();
  	ERR_load_crypto_strings();
  
@@ -105,8 +115,10 @@
  	/* Initialize the command to execute on remote host. */
  	buffer_init(&command);
  
---- openssh-5.2p1/sshd.c
+Index: openssh-5.4p1/sshd.c
-+++ openssh-5.2p1/sshd.c
+===================================================================
+--- openssh-5.4p1.orig/sshd.c
++++ openssh-5.4p1/sshd.c
 @@ -77,6 +77,7 @@
  #include <openssl/md5.h>
  #include <openssl/rand.h>
@@ -115,7 +127,7 @@
  
  #ifdef HAVE_SECUREWARE
  #include <sys/security.h>
-@@ -1415,6 +1416,10 @@
+@@ -1462,6 +1463,10 @@ main(int ac, char **av)
  
  	SSLeay_add_all_algorithms();
  

openssh-5.4p1-forwards.diff

@@ -1,6 +1,8 @@
---- channels.c
+Index: channels.c
+===================================================================
+--- channels.c.orig
 +++ channels.c
-@@ -2471,6 +2471,9 @@
+@@ -2625,6 +2625,9 @@ channel_setup_fwd_listener(int type, con
  	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
  	in_port_t *lport_p;
  

openssh-5.4p1-gssapimitm.patch

@@ -14,10 +14,10 @@ recommended to use the 'gssapi-with-mic' mechanism. Existing installations
 are encouraged to upgrade as soon as possible.
 
 Index: auth2-gss.c
-================================================================================
+===================================================================
---- auth2-gss.c
+--- auth2-gss.c.orig
 +++ auth2-gss.c
-@@ -177,6 +177,15 @@
+@@ -177,6 +177,15 @@ input_gssapi_token(int type, u_int32_t p
  				dispatch_set(
  				    SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
  				    &input_gssapi_exchange_complete);
@@ -33,7 +33,7 @@ Index: auth2-gss.c
  		}
  	}
  
-@@ -298,4 +307,10 @@
+@@ -298,4 +307,10 @@ Authmethod method_gssapi = {
  	&options.gss_authentication
  };
  
@@ -44,9 +44,11 @@ Index: auth2-gss.c
 +};
 +
  #endif /* GSSAPI */
---- auth2.c
+Index: auth2.c
+===================================================================
+--- auth2.c.orig
 +++ auth2.c
-@@ -70,6 +70,7 @@
+@@ -70,6 +70,7 @@ extern Authmethod method_kbdint;
  extern Authmethod method_hostbased;
  #ifdef GSSAPI
  extern Authmethod method_gssapi;
@@ -54,7 +56,7 @@ Index: auth2-gss.c
  #endif
  #ifdef JPAKE
  extern Authmethod method_jpake;
-@@ -80,6 +81,7 @@
+@@ -80,6 +81,7 @@ Authmethod *authmethods[] = {
  	&method_pubkey,
  #ifdef GSSAPI
  	&method_gssapi,
@@ -62,10 +64,12 @@ Index: auth2-gss.c
  #endif
  #ifdef JPAKE
  	&method_jpake,
---- readconf.c
+Index: readconf.c
+===================================================================
+--- readconf.c.orig
 +++ readconf.c
-@@ -126,7 +126,7 @@
+@@ -126,7 +126,7 @@ typedef enum {
- 	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
+ 	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
  	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
  	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 -	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -73,7 +77,7 @@ Index: auth2-gss.c
  	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
  	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
  	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-@@ -165,9 +165,11 @@
+@@ -165,9 +165,11 @@ static struct {
  #if defined(GSSAPI)
  	{ "gssapiauthentication", oGssAuthentication },
  	{ "gssapidelegatecredentials", oGssDelegateCreds },
@@ -85,7 +89,7 @@ Index: auth2-gss.c
  #endif
  	{ "fallbacktorsh", oDeprecated },
  	{ "usersh", oDeprecated },
-@@ -456,6 +458,10 @@
+@@ -459,6 +461,10 @@ parse_flag:
  	case oGssDelegateCreds:
  		intptr = &options->gss_deleg_creds;
  		goto parse_flag;
@@ -96,7 +100,7 @@ Index: auth2-gss.c
  
  	case oBatchMode:
  		intptr = &options->batch_mode;
-@@ -1009,6 +1015,7 @@
+@@ -1016,6 +1022,7 @@ initialize_options(Options * options)
  	options->challenge_response_authentication = -1;
  	options->gss_authentication = -1;
  	options->gss_deleg_creds = -1;
@@ -104,7 +108,7 @@ Index: auth2-gss.c
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
  	options->kbd_interactive_devices = NULL;
-@@ -1101,6 +1108,8 @@
+@@ -1109,6 +1116,8 @@ fill_default_options(Options * options)
  		options->gss_authentication = 0;
  	if (options->gss_deleg_creds == -1)
  		options->gss_deleg_creds = 0;
@@ -113,9 +117,11 @@ Index: auth2-gss.c
  	if (options->password_authentication == -1)
  		options->password_authentication = 1;
  	if (options->kbd_interactive_authentication == -1)
---- readconf.h
+Index: readconf.h
+===================================================================
+--- readconf.h.orig
 +++ readconf.h
-@@ -45,6 +45,7 @@
+@@ -45,6 +45,7 @@ typedef struct {
  					/* Try S/Key or TIS, authentication. */
  	int     gss_authentication;	/* Try GSS authentication */
  	int     gss_deleg_creds;	/* Delegate GSS credentials */
@@ -123,9 +129,11 @@ Index: auth2-gss.c
  	int     password_authentication;	/* Try password
  						 * authentication. */
  	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
---- servconf.c
+Index: servconf.c
+===================================================================
+--- servconf.c.orig
 +++ servconf.c
-@@ -93,6 +93,7 @@
+@@ -94,6 +94,7 @@ initialize_server_options(ServerOptions
  	options->kerberos_get_afs_token = -1;
  	options->gss_authentication=-1;
  	options->gss_cleanup_creds = -1;
@@ -133,7 +141,7 @@ Index: auth2-gss.c
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
  	options->challenge_response_authentication = -1;
-@@ -212,6 +213,8 @@
+@@ -216,6 +217,8 @@ fill_default_server_options(ServerOption
  		options->gss_authentication = 0;
  	if (options->gss_cleanup_creds == -1)
  		options->gss_cleanup_creds = 1;
@@ -142,7 +150,7 @@ Index: auth2-gss.c
  	if (options->password_authentication == -1)
  		options->password_authentication = 1;
  	if (options->kbd_interactive_authentication == -1)
-@@ -302,7 +305,7 @@
+@@ -306,7 +309,7 @@ typedef enum {
  	sBanner, sUseDNS, sHostbasedAuthentication,
  	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
  	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -150,8 +158,8 @@ Index: auth2-gss.c
 +	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
  	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
  	sUsePrivilegeSeparation, sAllowAgentForwarding,
- 	sZeroKnowledgePasswordAuthentication,
+ 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -364,9 +367,11 @@
+@@ -369,9 +372,11 @@ static struct {
  #ifdef GSSAPI
  	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
  	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -163,7 +171,7 @@ Index: auth2-gss.c
  #endif
  	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
  	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -894,6 +899,10 @@
+@@ -928,6 +933,10 @@ process_server_config_line(ServerOptions
  	case sGssCleanupCreds:
  		intptr = &options->gss_cleanup_creds;
  		goto parse_flag;
@@ -174,9 +182,11 @@ Index: auth2-gss.c
  
  	case sPasswordAuthentication:
  		intptr = &options->password_authentication;
---- servconf.h
+Index: servconf.h
+===================================================================
+--- servconf.h.orig
 +++ servconf.h
-@@ -92,6 +92,7 @@
+@@ -95,6 +95,7 @@ typedef struct {
  						 * authenticated with Kerberos. */
  	int     gss_authentication;	/* If true, permit GSSAPI authentication */
  	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
@@ -184,9 +194,11 @@ Index: auth2-gss.c
  	int     password_authentication;	/* If true, permit password
  						 * authentication. */
  	int     kbd_interactive_authentication;	/* If true, permit */
---- ssh_config
+Index: ssh_config
+===================================================================
+--- ssh_config.orig
 +++ ssh_config
-@@ -54,4 +54,14 @@
+@@ -54,5 +54,15 @@ ForwardX11Trusted yes
  #   Tunnel no
  #   TunnelDevice any:any
  #   PermitLocalCommand no
@@ -201,9 +213,12 @@ Index: auth2-gss.c
 +
 +>>>>>>>
  #   VisualHostKey no
---- sshconnect2.c
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+Index: sshconnect2.c
+===================================================================
+--- sshconnect2.c.orig
 +++ sshconnect2.c
-@@ -255,6 +255,10 @@
+@@ -263,6 +263,10 @@ Authmethod authmethods[] = {
  		NULL,
  		&options.gss_authentication,
  		NULL},
@@ -214,7 +229,7 @@ Index: auth2-gss.c
  #endif
  	{"hostbased",
  		userauth_hostbased,
-@@ -617,7 +621,9 @@
+@@ -640,7 +644,9 @@ process_gssapi_token(void *ctxt, gss_buf
  
  	if (status == GSS_S_COMPLETE) {
  		/* send either complete or MIC, depending on mechanism */
@@ -225,9 +240,11 @@ Index: auth2-gss.c
  			packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
  			packet_send();
  		} else {
---- sshd_config
+Index: sshd_config
+===================================================================
+--- sshd_config.orig
 +++ sshd_config
-@@ -74,6 +74,13 @@
+@@ -72,6 +72,13 @@ PasswordAuthentication no
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes
  

openssh-5.4p1-homechroot.patch

@@ -1,4 +1,6 @@
---- chrootenv.h 
+Index: chrootenv.h
+===================================================================
+--- /dev/null
 +++ chrootenv.h
 @@ -0,0 +1,32 @@
 +/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */
@@ -33,7 +35,9 @@
 +
 +#endif
 +
---- session.c
+Index: session.c
+===================================================================
+--- session.c.orig
 +++ session.c
 @@ -119,6 +119,8 @@ void	do_child(Session *, const char *);
  void	do_motd(void);
@@ -44,7 +48,7 @@
  static void do_authenticated1(Authctxt *);
  static void do_authenticated2(Authctxt *);
  
-@@ -802,6 +804,11 @@ do_exec(Session *s, const char *command)
+@@ -805,6 +807,11 @@ do_exec(Session *s, const char *command)
  		debug("Forced command (key option) '%.900s'", command);
  	}
  
@@ -56,7 +60,7 @@
  #ifdef SSH_AUDIT_EVENTS
  	if (command != NULL)
  		PRIVSEP(audit_run_command(command));
-@@ -1399,6 +1406,63 @@ do_nologin(struct passwd *pw)
+@@ -1418,6 +1425,63 @@ do_nologin(struct passwd *pw)
  }
  
  /*
@@ -120,7 +124,7 @@
   * Chroot into a directory after checking it for safety: all path components
   * must be root-owned directories with strict permissions.
   */
-@@ -1408,6 +1472,7 @@ safely_chroot(const char *path, uid_t ui
+@@ -1427,6 +1491,7 @@ safely_chroot(const char *path, uid_t ui
  	const char *cp;
  	char component[MAXPATHLEN];
  	struct stat st;
@@ -128,7 +132,7 @@
  
  	if (*path != '/')
  		fatal("chroot path does not begin at root");
-@@ -1419,7 +1484,7 @@ safely_chroot(const char *path, uid_t ui
+@@ -1438,7 +1503,7 @@ safely_chroot(const char *path, uid_t ui
  	 * root-owned directory with strict permissions.
  	 */
  	for (cp = path; cp != NULL;) {
@@ -137,7 +141,7 @@
  			strlcpy(component, path, sizeof(component));
  		else {
  			cp++;
-@@ -1432,14 +1497,20 @@ safely_chroot(const char *path, uid_t ui
+@@ -1451,14 +1516,20 @@ safely_chroot(const char *path, uid_t ui
  		if (stat(component, &st) != 0)
  			fatal("%s: stat(\"%s\"): %s", __func__,
  			    component, strerror(errno));
@@ -159,7 +163,7 @@
  	}
  
  	if (chdir(path) == -1)
-@@ -1451,6 +1522,10 @@ safely_chroot(const char *path, uid_t ui
+@@ -1469,6 +1540,10 @@ safely_chroot(const char *path, uid_t ui
  	if (chdir("/") == -1)
  		fatal("%s: chdir(/) after chroot: %s",
  		    __func__, strerror(errno));
@@ -170,9 +174,11 @@
  	verbose("Changed root directory to \"%s\"", path);
  }
  
---- sftp.c
+Index: sftp.c
+===================================================================
+--- sftp.c.orig
 +++ sftp.c
-@@ -94,6 +94,8 @@ int remote_glob(struct sftp_conn *, cons
+@@ -106,6 +106,8 @@ int remote_glob(struct sftp_conn *, cons
  
  extern char *__progname;
  
@@ -181,9 +187,11 @@
  /* Separators for interactive commands */
  #define WHITESPACE " \t\r\n"
  
---- sftp-common.c
+Index: sftp-common.c
+===================================================================
+--- sftp-common.c.orig
 +++ sftp-common.c
-@@ -40,6 +40,7 @@
+@@ -43,6 +43,7 @@
  #include "xmalloc.h"
  #include "buffer.h"
  #include "log.h"
@@ -191,23 +199,25 @@
  
  #include "sftp.h"
  #include "sftp-common.h"
-@@ -194,13 +195,13 @@ ls_file(const char *name, const struct s
+@@ -196,13 +197,13 @@ ls_file(const char *name, const struct s
- 	char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
+ 	char sbuf[FMT_SCALED_STRSIZE];
  
  	strmode(st->st_mode, mode);
--	if (!remote && (pw = getpwuid(st->st_uid)) != NULL) {
+-	if (!remote) {
-+	if (!remote && !chroot_no_tree && (pw = getpwuid(st->st_uid)) != NULL) {
++	if (!remote && !chroot_no_tree) {
- 		user = pw->pw_name;
+ 		user = user_from_uid(st->st_uid, 0);
  	} else {
  		snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
  		user = ubuf;
  	}
--	if (!remote && (gr = getgrgid(st->st_gid)) != NULL) {
+-	if (!remote) {
-+	if (!remote && !chroot_no_tree && (gr = getgrgid(st->st_gid)) != NULL) {
++	if (!remote && !chroot_no_tree) {
- 		group = gr->gr_name;
+ 		group = group_from_gid(st->st_gid, 0);
  	} else {
  		snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
---- sftp-server-main.c
+Index: sftp-server-main.c
+===================================================================
+--- sftp-server-main.c.orig
 +++ sftp-server-main.c
 @@ -22,11 +22,14 @@
  #include <stdarg.h>
@@ -224,11 +234,13 @@
  void
  cleanup_exit(int i)
  {
---- sshd_config.0
+Index: sshd_config.0
+===================================================================
+--- sshd_config.0.orig
 +++ sshd_config.0
-@@ -112,6 +112,14 @@ DESCRIPTION
+@@ -115,6 +115,14 @@ DESCRIPTION
-              essary if the in-process sftp server is used (see Subsystem for
+              which use logging do require /dev/log inside the chroot directory
-              details).
+              (see sftp-server(8) for details).
  
 +             In the special case when only sftp is used, not ssh nor scp, it
 +             is possible to use ChrootDirectory %h or ChrootDirectory
@@ -241,10 +253,12 @@
               The default is not to chroot(2).
  
       Ciphers
---- sshd_config.5
+Index: sshd_config.5
+===================================================================
+--- sshd_config.5.orig
 +++ sshd_config.5
-@@ -219,6 +219,17 @@ in-process sftp server is used (see
+@@ -224,6 +224,17 @@ inside the chroot directory (see
- .Cm Subsystem
+ .Xr sftp-server 8
  for details).
  .Pp
 +In the special case when only sftp is used, not ssh nor scp,

openssh-5.4p1-pam-fix2.diff

@@ -1,6 +1,8 @@
---- sshd_config
+Index: sshd_config
+===================================================================
+--- sshd_config.orig
 +++ sshd_config
-@@ -58,7 +58,7 @@
+@@ -56,7 +56,7 @@
  #IgnoreRhosts yes
  
  # To disable tunneled clear text passwords, change to no here!
@@ -9,7 +11,7 @@
  #PermitEmptyPasswords no
  
  # Change to no to disable s/key passwords
-@@ -83,7 +83,7 @@
+@@ -81,7 +81,7 @@
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.

openssh-5.4p1-saveargv-fix.diff

@@ -1,6 +1,8 @@
---- sshd.c
+Index: sshd.c
+===================================================================
+--- sshd.c.orig
 +++ sshd.c
-@@ -304,6 +304,7 @@
+@@ -306,6 +306,7 @@ sighup_handler(int sig)
  static void
  sighup_restart(void)
  {
@@ -8,7 +10,7 @@
  	logit("Received SIGHUP; restarting.");
  	close_listen_socks();
  	close_startup_pipes();
-@@ -1269,7 +1270,11 @@
+@@ -1307,7 +1308,11 @@ main(int ac, char **av)
  #ifndef HAVE_SETPROCTITLE
  	/* Prepare for later setproctitle emulation */
  	compat_init_setproctitle(ac, av);

openssh-5.4p1-send_locale.diff

@@ -1,6 +1,8 @@
---- ssh_config
+Index: ssh_config
+===================================================================
+--- ssh_config.orig
 +++ ssh_config
-@@ -63,5 +63,8 @@
+@@ -63,6 +63,9 @@ ForwardX11Trusted yes
  # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
  #   GSSAPIEnableMITMAttack no
  
@@ -10,9 +12,12 @@
 +SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
 +SendEnv LC_IDENTIFICATION LC_ALL
  #   VisualHostKey no
---- sshd_config
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+Index: sshd_config
+===================================================================
+--- sshd_config.orig
 +++ sshd_config
-@@ -119,6 +119,11 @@
+@@ -117,6 +117,11 @@ X11Forwarding yes
  # override default of no subsystems
  Subsystem	sftp	/usr/libexec/sftp-server
  

openssh-5.4p1-tmpdir.diff

@@ -1,6 +1,8 @@
---- ssh-agent.c
+Index: ssh-agent.c
+===================================================================
+--- ssh-agent.c.orig
 +++ ssh-agent.c
-@@ -1159,8 +1159,18 @@
+@@ -1174,8 +1174,18 @@ main(int ac, char **av)
  	parent_pid = getpid();
  
  	if (agentsocket == NULL) {

openssh-5.4p1-xauth.diff

@@ -1,6 +1,8 @@
---- session.c
+Index: session.c
+===================================================================
+--- session.c.orig
 +++ session.c
-@@ -2493,8 +2493,41 @@
+@@ -2521,8 +2521,41 @@ void
  session_close(Session *s)
  {
  	u_int i;

openssh-5.4p1-xauthlocalhostname.diff

@@ -1,6 +1,8 @@
---- session.c
+Index: session.c
+===================================================================
+--- session.c.orig
 +++ session.c
-@@ -1110,7 +1110,7 @@
+@@ -1113,7 +1113,7 @@ copy_environment(char **source, char ***
  }
  
  static char **
@@ -9,7 +11,7 @@
  {
  	char buf[256];
  	u_int i, envsize;
-@@ -1297,6 +1297,8 @@
+@@ -1300,6 +1300,8 @@ do_setup_env(Session *s, const char *she
  		for (i = 0; env[i]; i++)
  			fprintf(stderr, "  %.200s\n", env[i]);
  	}
@@ -18,7 +20,7 @@
  	return env;
  }
  
-@@ -1305,7 +1307,7 @@
+@@ -1308,7 +1310,7 @@ do_setup_env(Session *s, const char *she
   * first in this order).
   */
  static void
@@ -27,7 +29,7 @@
  {
  	FILE *f = NULL;
  	char cmd[1024];
-@@ -1359,12 +1361,20 @@
+@@ -1362,12 +1364,20 @@ do_rc_files(Session *s, const char *shel
  		    options.xauth_location);
  		f = popen(cmd, "w");
  		if (f) {
@@ -48,7 +50,7 @@
  		} else {
  			fprintf(stderr, "Could not run %s\n",
  			    cmd);
-@@ -1650,6 +1660,7 @@
+@@ -1669,6 +1679,7 @@ do_child(Session *s, const char *command
  {
  	extern char **environ;
  	char **env;
@@ -56,7 +58,7 @@
  	char *argv[ARGV_MAX];
  	const char *shell, *shell0, *hostname = NULL;
  	struct passwd *pw = s->pw;
-@@ -1716,7 +1727,7 @@
+@@ -1735,7 +1746,7 @@ do_child(Session *s, const char *command
  	 * Make sure $SHELL points to the shell from the password file,
  	 * even if shell is overridden from login.conf
  	 */
@@ -65,7 +67,7 @@
  
  #ifdef HAVE_LOGIN_CAP
  	shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
-@@ -1784,7 +1795,7 @@
+@@ -1803,7 +1814,7 @@ do_child(Session *s, const char *command
  	closefrom(STDERR_FILENO + 1);
  
  	if (!options.use_login)

openssh-5.4p1.dif

@@ -1,4 +1,6 @@
---- ssh_config
+Index: ssh_config
+===================================================================
+--- ssh_config.orig
 +++ ssh_config
 @@ -17,9 +17,20 @@
  # list of available options, their meanings and defaults, please see the
@@ -22,9 +24,11 @@
  #   RhostsRSAAuthentication no
  #   RSAAuthentication yes
  #   PasswordAuthentication yes
---- sshd_config
+Index: sshd_config
+===================================================================
+--- sshd_config.orig
 +++ sshd_config
-@@ -88,7 +88,7 @@
+@@ -86,7 +86,7 @@
  #AllowAgentForwarding yes
  #AllowTcpForwarding yes
  #GatewayPorts no
@@ -33,9 +37,11 @@
  #X11DisplayOffset 10
  #X11UseLocalhost yes
  #PrintMotd yes
---- sshlogin.c
+Index: sshlogin.c
+===================================================================
+--- sshlogin.c.orig
 +++ sshlogin.c
-@@ -125,6 +125,7 @@
+@@ -133,6 +133,7 @@ record_login(pid_t pid, const char *tty,
  
  	li = login_alloc_entry(pid, user, host, tty);
  	login_set_addr(li, addr, addrlen);

openssh-5.4p1.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:21b9ddf3f42f777951a039a6c816d895d80a734046de9dbd411c042cbdb5f0f8
+size 872892

openssh-askpass-gnome.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Mar 26 11:04:59 CET 2010 - anicka@suse.cz
+
+- update to 5.4p1
+- remove -pam-fix4.diff (in upstream now) 
+
 -------------------------------------------------------------------
 Mon Feb 23 17:27:22 CET 2009 - anicka@suse.cz
 

openssh-askpass-gnome.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package openssh-askpass-gnome (Version 5.2p1)
+# spec file for package openssh-askpass-gnome (Version 5.4p1)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -22,8 +22,8 @@ Name:           openssh-askpass-gnome
 BuildRequires:  gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
 License:        BSD3c(or similar)
 Group:          Productivity/Networking/SSH
-Version:        5.2p1
+Version:        5.4p1
-Release:        12
+Release:        1
 Requires:       openssh = %{version} openssh-askpass = %{version}
 AutoReqProv:    on
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
@@ -31,14 +31,13 @@ Url:            http://www.openssh.com/
 %define _name openssh
 Source:         %{_name}-%{version}.tar.bz2
 Patch:          %{_name}-%{version}.dif
-Patch15:        %{_name}-%{version}-pam-fix2.diff
+Patch1:         %{_name}-%{version}-pam-fix2.diff
-Patch18:        %{_name}-%{version}-saveargv-fix.diff
+Patch2:         %{_name}-%{version}-saveargv-fix.diff
-Patch19:        %{_name}-%{version}-pam-fix3.diff
+Patch3:         %{_name}-%{version}-pam-fix3.diff
-Patch21:        %{_name}-%{version}-gssapimitm.patch
+Patch4:         %{_name}-%{version}-gssapimitm.patch
-Patch26:        %{_name}-%{version}-eal3.diff
+Patch5:         %{_name}-%{version}-eal3.diff
-Patch27:        %{_name}-%{version}-engines.diff
+Patch6:         %{_name}-%{version}-engines.diff
-Patch28:        %{_name}-%{version}-blocksigalrm.diff
+Patch7:         %{_name}-%{version}-blocksigalrm.diff
-Patch29:        %{_name}-%{version}-pam-fix4.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -74,14 +73,13 @@ Authors:
 %prep
 %setup -q -n %{_name}-%{version}
 %patch 
-%patch15
+%patch1
-%patch18
+%patch2
-%patch19
+%patch3
-%patch21
+%patch4
-%patch26 -p1
+%patch5 -p1
-%patch27 -p1
+%patch6 -p1
-%patch28
+%patch7
-%patch29 -p1
 
 %build
 %{?suse_update_config:%{suse_update_config}}

openssh.changes

@@ -1,3 +1,64 @@
+-------------------------------------------------------------------
+Tue Mar 23 18:57:07 CET 2010 - anicka@suse.cz
+
+- update to 5.4p1
+ * After a transition period of about 10 years, this release disables
+   SSH protocol 1 by default. Clients and servers that need to use the
+   legacy protocol must explicitly enable it in ssh_config / sshd_config
+   or on the command-line.
+ * Remove the libsectok/OpenSC-based smartcard code and add support for
+   PKCS#11 tokens. This support is automatically enabled on all
+   platforms that support dlopen(3) and was inspired by patches written
+   by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1) manpages.
+ * Add support for certificate authentication of users and hosts using a
+   new, minimal OpenSSH certificate format (not X.509). Certificates
+   contain a public key, identity information and some validity
+   constraints and are signed with a standard SSH public key using
+   ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
+   or via a TrustedUserCAKeys option in sshd_config(5) (for user
+   authentication), or in known_hosts (for host authentication).
+   Documentation for certificate support may be found in ssh-keygen(1),
+   sshd(8) and ssh(1) and a description of the protocol extensions in
+   PROTOCOL.certkeys.
+ * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
+   stdio on the client to a single port forward on the server. This
+   allows, for example, using ssh as a ProxyCommand to route connections
+   via intermediate servers. bz#1618
+ * Add the ability to revoke keys in sshd(8) and ssh(1). User keys may
+   be revoked using a new sshd_config(5) option "RevokedKeys". Host keys
+   are revoked through known_hosts (details in the sshd(8) man page).
+   Revoked keys cannot be used for user or host authentication and will
+   trigger a warning if used.
+ * Rewrite the ssh(1) multiplexing support to support non-blocking
+   operation of the mux master, improve the resilience of the master to
+   malformed messages sent to it by the slave and add support for
+   requesting port- forwardings via the multiplex protocol. The new
+   stdio-to-local forward mode ("ssh -W host:port ...") is also
+   supported. The revised multiplexing protocol is documented in the
+   file PROTOCOL.mux in the source distribution.
+ * Add a 'read-only' mode to sftp-server(8) that disables open in write
+   mode and all other fs-modifying protocol methods. bz#430
+ * Allow setting an explicit umask on the sftp-server(8) commandline to
+   override whatever default the user has. bz#1229
+ * Many improvements to the sftp(1) client, many of which were
+   implemented by Carlos Silva through the Google Summer of Code
+   program:
+   - Support the "-h" (human-readable units) flag for ls
+   - Implement tab-completion of commands, local and remote filenames
+   - Support most of scp(1)'s commandline arguments in sftp(1), as a
+     first step towards making sftp(1) a drop-in replacement for scp(1).
+     Note that the rarely-used "-P sftp_server_path" option has been
+     moved to "-D sftp_server_path" to make way for "-P port" to match
+     scp(1).
+   - Add recursive transfer support for get/put and on the commandline
+ * New RSA keys will be generated with a public exponent of RSA_F4 ==
+   (2**16)+1 == 65537 instead of the previous value 35.
+ * Passphrase-protected SSH protocol 2 private keys are now protected
+   with AES-128 instead of 3DES. This applied to newly-generated keys
+   as well as keys that are reencrypted (e.g. by changing their
+   passphrase).
+- cleanup in patches 
+
 -------------------------------------------------------------------
 Tue Mar  2 09:09:18 UTC 2010 - coolo@novell.com
 

openssh.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package openssh (Version 5.2p1)
+# spec file for package openssh (Version 5.4p1)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -35,8 +35,8 @@ Requires:       /bin/netstat
 PreReq:         pwdutils %insserv_prereq  %fillup_prereq coreutils permissions
 Conflicts:      nonfreessh
 AutoReqProv:    on
-Version:        5.2p1
+Version:        5.4p1
-Release:        12
+Release:        1
 %define xversion 1.2.4.1
 Summary:        Secure Shell Client and Server (Remote Login Program)
 Url:            http://www.openssh.com/
@@ -51,25 +51,23 @@ Source7:        ssh.reg
 Source8:        ssh-askpass
 Source9:        sshd.fw
 Patch:          %{name}-%{version}.dif
-Patch12:        %{name}-%{version}-askpass-fix.diff
+Patch1:         %{name}-%{version}-askpass-fix.diff
-Patch15:        %{name}-%{version}-pam-fix2.diff
+Patch2:         %{name}-%{version}-pam-fix2.diff
-Patch18:        %{name}-%{version}-saveargv-fix.diff
+Patch3:         %{name}-%{version}-saveargv-fix.diff
-Patch19:        %{name}-%{version}-pam-fix3.diff
+Patch4:         %{name}-%{version}-pam-fix3.diff
-Patch21:        %{name}-%{version}-gssapimitm.patch
+Patch5:         %{name}-%{version}-gssapimitm.patch
-Patch26:        %{name}-%{version}-eal3.diff
+Patch6:         %{name}-%{version}-eal3.diff
-Patch27:        %{name}-%{version}-engines.diff
+Patch7:         %{name}-%{version}-engines.diff
-Patch28:        %{name}-%{version}-blocksigalrm.diff
+Patch8:         %{name}-%{version}-blocksigalrm.diff
-Patch35:        %{name}-%{version}-send_locale.diff
+Patch9:         %{name}-%{version}-send_locale.diff
-Patch36:        %{name}-%{version}-xauthlocalhostname.diff
+Patch10:        %{name}-%{version}-xauthlocalhostname.diff
-Patch37:        %{name}-%{version}-tmpdir.diff
+Patch11:        %{name}-%{version}-tmpdir.diff
-Patch40:        %{name}-%{version}-xauth.diff
+Patch12:        %{name}-%{version}-xauth.diff
-Patch41:        %{name}-%{version}-gcc-fix.patch
+Patch14:        %{name}-%{version}-default-protocol.diff
-Patch43:        %{name}-%{version}-default-protocol.diff
+Patch15:        %{name}-%{version}-audit.patch
-Patch44:        %{name}-%{version}-audit.patch
+Patch16:        %{name}-%{version}-pts.diff
-Patch45:        %{name}-%{version}-pts.diff
+Patch17:        %{name}-%{version}-forwards.diff
-Patch46:        %{name}-%{version}-pam-fix4.diff
+Patch18:        %{name}-%{version}-homechroot.patch
-Patch48:        %{name}-%{version}-forwards.diff
-Patch49:        %{name}-%{version}-homechroot.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %package      askpass
@@ -98,28 +96,26 @@ Window System passphrase dialog for OpenSSH.
 %prep
 %setup -q -b 3 -a 1 -a 5
 %patch 
-%patch15
+%patch2
+%patch3
+%patch4
+%patch5
+%patch6 -p1
+%patch7 -p1
+%patch8
+%patch9
+%patch10
+%patch11
+%patch12
+%patch14
+%patch15 -p1
+%patch16
+%patch17
 %patch18
-%patch19
-%patch21
-%patch26 -p1
-%patch27 -p1
-%patch28
-%patch35
-%patch36
-%patch37
-%patch40
-%patch41
-%patch43
-%patch44 -p1
-%patch45
-%patch46 -p1
-%patch48
-%patch49
 cp -v %{SOURCE4} .
 cp -v %{SOURCE6} .
 cd ../x11-ssh-askpass-%{xversion}
-%patch12
+%patch1
 
 %build
 # This package failed when testing with -Wl,-as-needed being default.
@@ -248,6 +244,7 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0755,root,root) %dir /usr/%_lib/ssh
 %attr(0755,root,root) /usr/%_lib/ssh/sftp-server
 %attr(0755,root,root) /usr/%_lib/ssh/ssh-keysign
+%attr(0755,root,root) /usr/%_lib/ssh/ssh-pkcs11-helper
 %dir /etc/slp.reg.d
 %config /etc/slp.reg.d/ssh.reg
 /var/adm/fillup-templates/sysconfig.ssh