Accepting request 432093 from home:pcerny:factory

next round of patches
- allow X forwarding over IPv4 when IPv6 sockets is not available
  [openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
- do not write PID file when not daemonizing
  [openssh-7.2p2-no_fork-no_pid_file.patch]
- use correct options when invoking login
  [openssh-7.2p2-login_options.patch]
- helper application for retrieving users' public keys from
  an LDAP server
  [openssh-7.2p2-ldap.patch]
- allow forcing permissions over sftp
  [openssh-7.2p2-sftp_force_permissions.patch]
- do not perform run-time checks for OpenSSL API/ABI change
  [openssh-7.2p2-disable-openssl-abi-check.patch]
- suggest commands for cleaning known hosts file
  [openssh-7.2p2-host_ident.patch]
- sftp home chroot patch
  [openssh-7.2p2-sftp_homechroot.patch]
- ssh sessions auditing
  [openssh-7.2p2-audit.patch]
- enable seccomp sandbox on additional architectures
  [openssh-7.2p2-additional_seccomp_archs.patch]

OBS-URL: https://build.opensuse.org/request/show/432093
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=112

README.FIPS

@@ -0,0 +1,64 @@
+Notes on FIPS mode and OpenSSH
+
+---
+
+SUSE OpenSSH comes with FIPS 140-2 support, and certain versions have been
+certified as FIPS compliant by NIST. Apart from other things, this standard
+puts restrictions on cryptographic algorithms that may be used.
+
+Important notice: FIPS is not only a matter of functionality. If you want to
+claim having a FIPS certified service, you *must* use the certified binaries.
+Even binaries built from the same sources in the same environment and running
+on a certified system, yet from a package lacking the certification, are
+formally not considered to be fulfilling the requirements.
+
+The certified binaries (ssh, sshd, sftp-server) perform mandatory selfcheck at
+startup and proceed only when the checks succeed (non-certified binaries may
+skip the check). These checks require the cryptographic hashes contained in the
+openssh-fips subpackage.
+
+The FIPS mode for OpenSSH is enabled in two ways - either:
+
+1) /proc/sys/crypto/fips_enabled contains a single character '1' - this is a
+system-wide setting controlled bu the fips kernel parameter; or
+
+2) the environment variable SSH_FORCE_FIPS - if set (to any value), the
+binaries behave as if they were running on a system in FIPS mode.
+
+Since FIPS 140-2 only allows use of certain cryptographic algorithms, both the
+client and server will fail if they are requested to use non-approved
+algorithms while in FIPS mode. This means that working configurations for FIPS
+mode form a proper subset of all working (generic) configurations. Some
+configurations may even prevent the binaries from starting at all.
+
+This however should be viewed in the context of FIPS being a security policy
+tool - it is not of much use to run the same system both in FIPS mode and
+outside of it, since that would defeat the main purpose of FIPS having
+guaranteeing standardised minimum restrictions on cryptographic algorithms
+(and thus on the overall security of the system).
+
+Unless you specify what cryptographic algorithms you wish to use, both the
+client and server should work out of the box in FIPS mode.
+
+For sshd, you can use the `-t` option to check whether the configuration file
+is working. Setting the above mentioned environment variable allows testing of
+behaviour in FIPS mode (checksum files for both OpenSSH and OpenSSL must be
+installed).
+
+In addition to cryptographic algorithms restrictions, sshd performs periodic
+PRNG re-seeding. The seed is read from entropy source either /dev/urandom or
+/dev/random. By default, the former is used, unless the environment variable
+SSH_USE_STRONG_RNG is set to a non-zero value or the binary is running in FIPS
+mode. This has two important implications:
+
+1) the selected entropy source must be available, i.e. when running in a
+changeroot the device files need to be present there.
+
+2) /dev/random is a blocking interface - unless enough randomness is available,
+the process stops until the entropy pool is replenished. Thus on systems where
+a long running processes are expected, one should make sure there is always
+enough entropy for sshd. Sporadically this may also cause sshd to aborted,
+since some versions of OpenSSL (the underlying cryptographic engine) don't
+handle gracefully being interrupted while trying to read entropy from the
+system source.
+

openssh-7.2p2-X11_trusted_forwarding.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  48bbbfeff186061b7fd4795bff15f15f571e2c8f
+# Parent  d11948586a6da11e968278f55b48318b2263802b
 # enable trusted X11 forwarding by default in both sshd and sshsystem-wide
 # configuration
 # bnc#50836 (was suse #35836)

openssh-7.2p2-X_forward_with_disabled_ipv6.patch

@@ -0,0 +1,34 @@
+# HG changeset patch
+# Parent  3d4efb38a918055f977a08aa7d1486a04bee6e11
+Do not throw away already open sockets for X11 forwarding if another socket
+family is not available for bind()
+
+diff --git a/openssh-7.2p2/channels.c b/openssh-7.2p2/channels.c
+--- a/openssh-7.2p2/channels.c
++++ b/openssh-7.2p2/channels.c
+@@ -3937,22 +3937,24 @@ x11_create_display_inet(int x11_display_
+ 			}
+ 			if (ai->ai_family == AF_INET6)
+ 				sock_set_v6only(sock);
+ 			if (x11_use_localhost)
+ 				channel_set_reuseaddr(sock);
+ 			if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+ 				debug2("bind port %d: %.100s", port, strerror(errno));
+ 				close(sock);
+-
++				continue;
++				/* do not remove successfully opened sockets
+ 				for (n = 0; n < num_socks; n++) {
+ 					close(socks[n]);
+ 				}
+ 				num_socks = 0;
+ 				break;
++				*/
+ 			}
+ 			socks[num_socks++] = sock;
+ 			if (num_socks == NUM_SOCKS)
+ 				break;
+ 		}
+ 		freeaddrinfo(aitop);
+ 		if (num_socks > 0)
+ 			break;

openssh-7.2p2-additional_seccomp_archs.patch

@@ -0,0 +1,56 @@
+# HG changeset patch
+# Parent  27b9bd4a1a53a28b5e9eda0a9c013d98f821149b
+Enable the seccomp-bpf sandbox on more architectures
+
+upstream commit: b9c50614eba9d90939b2b119b6e1b7e03b462278 (7.3p1)
+Author: Damien Miller <djm@mindrot.org>
+Date:   Fri Jul 8 13:59:13 2016 +1000
+
+    whitelist more architectures for seccomp-bpf
+    
+    bz#2590 - testing and patch from Jakub Jelen
+
+diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
+--- a/openssh-7.2p2/configure.ac
++++ b/openssh-7.2p2/configure.ac
+@@ -818,16 +818,40 @@ main() { if (NSVersionOfRunTimeLibrary("
+ 		seccomp_audit_arch=AUDIT_ARCH_I386
+ 		;;
+ 	arm*-*)
+ 		seccomp_audit_arch=AUDIT_ARCH_ARM
+ 		;;
+ 	aarch64*-*)
+ 		seccomp_audit_arch=AUDIT_ARCH_AARCH64
+ 		;;
++	s390x-*)
++		seccomp_audit_arch=AUDIT_ARCH_S390X
++		;;
++	s390-*)
++		seccomp_audit_arch=AUDIT_ARCH_S390
++		;;
++	powerpc64-*)
++		seccomp_audit_arch=AUDIT_ARCH_PPC64
++		;;
++	powerpc64le-*)
++		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
++		;;
++	mips-*)
++		seccomp_audit_arch=AUDIT_ARCH_MIPS
++		;;
++	mipsel-*)
++		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
++		;;
++	mips64-*)
++		seccomp_audit_arch=AUDIT_ARCH_MIPS64
++		;;
++	mips64el-*)
++		seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
++		;;
+ 	esac
+ 	if test "x$seccomp_audit_arch" != "x" ; then
+ 		AC_MSG_RESULT(["$seccomp_audit_arch"])
+ 		AC_DEFINE_UNQUOTED([SECCOMP_AUDIT_ARCH], [$seccomp_audit_arch],
+ 		    [Specify the system call convention in use])
+ 	else
+ 		AC_MSG_RESULT([architecture not supported])
+ 	fi

openssh-7.2p2-allow_DSS_by_default.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  2730f36bee0d6e141d8391b414a702e1add5a853
+# Parent  ec31f6a59145c0db748855bd5bc178161591dae9
 Enable DSS authentication by default to maintain compatibility with older
 versions.
 

openssh-7.2p2-allow_root_password_login.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  8cf6984812ab2211ce60c0a9156892b3a7ee3aaf
+# Parent  aab6d99cb51e48a9046c3d7be8443b83b8ee5127
 Allow root login with password by default. While less secure than upstream
 default of forbidding access to the root account with a password, we are
 temporarily introducing this change to keep the default used in older OpenSSH

openssh-7.2p2-blocksigalrm.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  5469eb754184144e42c341ccc038309e2880cadc
+# Parent  0c50460ce313d041c2484d21ab810c8ee487cded
 block SIGALRM while logging through syslog to prevent deadlocks
 (through grace_alarm_handler())
 

openssh-7.2p2-disable-openssl-abi-check.patch

@@ -0,0 +1,64 @@
+# HG changeset patch
+# Parent  2d4a91c3c6c5b161f21511712889c2906fa158a4
+disable run-time check for OpenSSL ABI by version number as that is not a
+reliable indicator of ABI changes and doesn't make much sense in a
+distribution package
+
+diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
+--- a/openssh-7.2p2/configure.ac
++++ b/openssh-7.2p2/configure.ac
+@@ -4639,16 +4639,29 @@ AC_ARG_WITH([bsd-auth],
+ 		if test "x$withval" != "xno" ; then
+ 			AC_DEFINE([BSD_AUTH], [1],
+ 				[Define if you have BSD auth support])
+ 			BSD_AUTH_MSG=yes
+ 		fi
+ 	]
+ )
+ 
++# Whether we are using distribution (Open)SSL, so no runtime checks are necessary
++DISTRO_SSL=no
++AC_ARG_WITH([distro-ssl],
++	[  --with-distro-ssl       Disable runtime OpenSSL version checks (good for distributions)],
++	[
++		if test "x$withval" != "xno" ; then
++			AC_DEFINE([DISTRO_SSL], [1],
++                      [Define if you are using distribution SSL library and don;t expect its API/ABI to change])
++			DISTRO_SSL=yes
++		fi
++	]
++)
++
+ # Where to place sshd.pid
+ piddir=/var/run
+ # make sure the directory exists
+ if test ! -d $piddir ; then
+ 	piddir=`eval echo ${sysconfdir}`
+ 	case $piddir in
+ 		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
+ 	esac
+diff --git a/openssh-7.2p2/entropy.c b/openssh-7.2p2/entropy.c
+--- a/openssh-7.2p2/entropy.c
++++ b/openssh-7.2p2/entropy.c
+@@ -209,19 +209,21 @@ rexec_recv_rng_seed(Buffer *m)
+ #endif /* OPENSSL_PRNG_ONLY */
+ 
+ void
+ seed_rng(void)
+ {
+ #ifndef OPENSSL_PRNG_ONLY
+ 	unsigned char buf[RANDOM_SEED_SIZE];
+ #endif
++#ifndef DISTRO_SSL
+ 	if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
+ 		fatal("OpenSSL version mismatch. Built against %lx, you "
+ 		    "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
++#endif
+ 
+ #ifndef OPENSSL_PRNG_ONLY
+ 	if (RAND_status() == 1) {
+ 		debug3("RNG is ready, skipping seeding");
+ 		return;
+ 	}
+ 
+ 	if (seed_from_prngd(buf, sizeof(buf)) == -1)

openssh-7.2p2-disable_short_DH_parameters.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  c40dce555117c740f3df867e9fc2b07b64b3ad96
+# Parent  69bdfde8282f9ab67c29e431a74916c045301ff5
 
 Raise minimal size of DH group parameters to 2048 bits like upstream did in
 7.2. 1024b values are believed to be in breaking range for state adversaries

openssh-7.2p2-dont_use_pthreads_in_PAM.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  2aa634b7522f34ddbd380c96df4e750df0608604
+# Parent  93f67586b27e7f018c5b34e33f8156df772e980d
 # posix threads are generally not supported nor safe
 # (see upstream log from 2005-05-24)
 # --used to be called '-pam-fix3'

openssh-7.2p2-eal3.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  bbb49b3f344cf24e9bbd7eb7a7c40fea21be77eb
+# Parent  8e5876ee9478740b83887db9fc6e3b1605848534
 fix paths and references in sshd man pages
 
 diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8

openssh-7.2p2-enable_PAM_by_default.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  477d43e9a3889d36b58ff19cf3cb9583e1abf9ce
+# Parent  a51f9cba48652fc5df45b9ac8bd238268c70673c
 # force PAM in defaullt install (this was removed from upstream in 3.8p1)
 # bnc#46749
 # --used to be called '-pam-fix2'

openssh-7.2p2-fips.patch

@@ -1,12 +1,12 @@
 # HG changeset patch
-# Parent  0dee2a3f80c2db73903388815fb4e311c8588a15
+# Parent  0c3e1f1c3b2ab533f9cb1c82fb75ff247a9c71b1
 FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
 algorithms.
 
 diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
 --- a/openssh-7.2p2/Makefile.in
 +++ b/openssh-7.2p2/Makefile.in
-@@ -87,17 +87,17 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+@@ -87,17 +87,18 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
  	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
  	ssh-pkcs11.o smult_curve25519_ref.o \
  	poly1305.o chacha.o cipher-chachapoly.o \
@@ -16,7 +16,8 @@ diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
  	kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
  	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
 -	platform-pledge.o
-+	platform-pledge.o fips.o
++	platform-pledge.o \
++	fips.o
  
  SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
  	sshconnect.o sshconnect1.o sshconnect2.o mux.o

openssh-7.2p2-gssapi_key_exchange.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  c2049622cf75dbab61a8f49b53a13dc1de6695fd
+# Parent  9240088fbf80624f62dc79bcf5f3113a1b6dddd8
 GSSAPI Key Exchange implementation
 
 diff --git a/openssh-7.2p2/ChangeLog.gssapi b/openssh-7.2p2/ChangeLog.gssapi
@@ -136,14 +136,14 @@ diff --git a/openssh-7.2p2/Makefile.in b/openssh-7.2p2/Makefile.in
 -	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
 +	kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o kexgssc.o \
 +	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o kexgsss.o \
- 	platform-pledge.o fips.o
+ 	platform-pledge.o \
+ 	fips.o
  
  SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
  	sshconnect.o sshconnect1.o sshconnect2.o mux.o
  
  SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
  	audit.o audit-bsm.o audit-linux.o platform.o \
- 	sshpty.o sshlogin.o servconf.o serverloop.o \
 diff --git a/openssh-7.2p2/auth-krb5.c b/openssh-7.2p2/auth-krb5.c
 --- a/openssh-7.2p2/auth-krb5.c
 +++ b/openssh-7.2p2/auth-krb5.c

openssh-7.2p2-host_ident.patch

@@ -0,0 +1,29 @@
+# HG changeset patch
+# Parent  fe2618b7337c0d97483dc98a6b53636c89f3d371
+Suggest command line for removal of offending keys from known_hosts file
+
+diff --git a/openssh-7.2p2/sshconnect.c b/openssh-7.2p2/sshconnect.c
+--- a/openssh-7.2p2/sshconnect.c
++++ b/openssh-7.2p2/sshconnect.c
+@@ -1086,16 +1086,21 @@ check_host_key(char *hostname, struct so
+ 				    ip_found->file, ip_found->line);
+ 		}
+ 		/* The host key has changed. */
+ 		warn_changed_key(host_key);
+ 		error("Add correct host key in %.100s to get rid of this message.",
+ 		    user_hostfiles[0]);
+ 		error("Offending %s key in %s:%lu", key_type(host_found->key),
+ 		    host_found->file, host_found->line);
++		error("You can use following command to remove all keys for this IP:");
++		if (host_found->file)
++			error("ssh-keygen -R %s -f %s", hostname, host_found->file);
++		else
++			error("ssh-keygen -R %s", hostname);
+ 
+ 		/*
+ 		 * If strict host key checking is in use, the user will have
+ 		 * to edit the key manually and we can only abort.
+ 		 */
+ 		if (options.strict_host_key_checking) {
+ 			error("%s host key for %.200s has changed and you have "
+ 			    "requested strict checking.", type, host);

openssh-7.2p2-hostname_changes_when_forwarding_X.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  b5245fb016a3b83611d4b4ae0c1fe3423cadd6fe
+# Parent  7e84e692f90c19e76a4180d54c7fdda2752c6c41
 # -- uset do be called '-xauthlocalhostname'
 handle hostname changes when forwarding X
 

openssh-7.2p2-lastlog.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  2ee086fa64dd40d0d50b13fa3a784717bfdd7e4b
+# Parent  3007da75cc9c93ead70a4971b9057d230178511c
 # set uid for functions that use it to seek in lastlog and wtmp files
 # bnc#18024 (was suse #3024)
 

openssh-7.2p2-login_options.patch

@@ -0,0 +1,32 @@
+# HG changeset patch
+# Parent  a2ec408c99eefdd4c23f01eafddb0ce786514f50
+# HG changeset patch
+# Parent  b262fd34c8ecd55e93d457b3ca5593abce716856
+# login-pam cannot handle the option terminator "--" as login from util-linux
+# (this is correct behaviour considering its man-page), hence use option which
+# selects the compile-time branch in the code which doesn't use the terminator
+#
+# bnc#833605
+
+diff --git a/openssh-7.2p2/configure.ac b/openssh-7.2p2/configure.ac
+--- a/openssh-7.2p2/configure.ac
++++ b/openssh-7.2p2/configure.ac
+@@ -770,16 +770,18 @@ main() { if (NSVersionOfRunTimeLibrary("
+ 	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
+ 	AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
+ 	;;
+ *-*-linux*)
+ 	no_dev_ptmx=1
+ 	use_pie=auto
+ 	check_for_libcrypt_later=1
+ 	check_for_openpty_ctty_bug=1
++	AC_DEFINE([LOGIN_NO_ENDOPT], [1],
++		[Define if your login program cannot handle end of options ("--")])
+ 	AC_DEFINE([PAM_TTY_KLUDGE], [1],
+ 		[Work around problematic Linux PAM modules handling of PAM_TTY])
+ 	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
+ 		[String used in /etc/passwd to denote locked account])
+ 	AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV])
+ 	AC_DEFINE([LINK_OPNOTSUPP_ERRNO], [EPERM],
+ 		[Define to whatever link() returns for "not supported"
+ 		if it doesn't return EOPNOTSUPP.])

openssh-7.2p2-no_fork-no_pid_file.patch

@@ -0,0 +1,26 @@
+# HG changeset patch
+# Parent  09a93433f5bb8baff0dce629c75f96357e3b1055
+Do not write a PID file when not daemonizing (e.g. when running from systemd)
+
+diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
+--- a/openssh-7.2p2/sshd.c
++++ b/openssh-7.2p2/sshd.c
+@@ -2104,17 +2104,17 @@ main(int ac, char **av)
+ 		signal(SIGCHLD, main_sigchld_handler);
+ 		signal(SIGTERM, sigterm_handler);
+ 		signal(SIGQUIT, sigterm_handler);
+ 
+ 		/*
+ 		 * Write out the pid file after the sigterm handler
+ 		 * is setup and the listen sockets are bound
+ 		 */
+-		if (options.pid_file != NULL && !debug_flag) {
++		if (!no_daemon_flag && options.pid_file != NULL && !debug_flag) {
+ 			FILE *f = fopen(options.pid_file, "w");
+ 
+ 			if (f == NULL) {
+ 				error("Couldn't create pid file \"%s\": %s",
+ 				    options.pid_file, strerror(errno));
+ 			} else {
+ 				fprintf(f, "%ld\n", (long) getpid());
+ 				fclose(f);

openssh-7.2p2-pam_check_locks.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  5b217a9abc32fa963a125ae29c766c015db53bde
+# Parent  2b2855c68e979299aee899a7cb6e4aa57a828668
 new option UsePAMCheckLocks to enforce checking for locked accounts while
 UsePAM is used
 

openssh-7.2p2-pts_names_formatting.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  870f97b01b9ed00bac9ff0b8014a998434a6161b
+# Parent  c08afc8b92580b589ea02d84cf3d29be257ec103
 # use same lines naming as utempter (prevents problems with using different
 # formats in ?tmp? files)
 # --used to be called '-pts'

openssh-7.2p2-remove_xauth_cookies_on_exit.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  07998e381c9867b8b6f7b9205261811934bef40f
+# Parent  ff8f0a192e120430204441cdcd18ff130f85a61e
 # --used to be called '-xauth'
 try to remove xauth cookies on logout
 

openssh-7.2p2-seccomp_getuid.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  3582dd949a01d8eca2816986ca4bc0c87c96bed3
+# Parent  80f5b9b81269880fbc12bcbc5830fe2044baf894
 add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread
 from being killed by the seccomp filter
 

openssh-7.2p2-seccomp_stat.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  d3afe6b01f8769713bde6c175e29a50412799e27
+# Parent  f8357691112e6b15424f506f7ab6c417f5aa6f9e
 Allow the stat() syscall for OpenSSL re-seed patch
 (which causes OpenSSL use stat() on some file)
 

openssh-7.2p2-seed-prng.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  36ab4b78afea8cea4e3bed1291a49ba05cbb9115
+# Parent  ea1ef0bb63e77f14c91b2b417f1b8c3383b2835f
 # extended support for (re-)seeding the OpenSSL PRNG from /dev/random
 # bnc#703221, FATE#312172
 

openssh-7.2p2-send_locale.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  505927e61d1a7848f0003adb3619cc726b8e5d15
+# Parent  5bcf5f230ccaec7b9c9398cc6b4193574559861d
 send locales in default configuration
 bnc#65747
 

openssh-7.2p2-sftp_force_permissions.patch

@@ -0,0 +1,157 @@
+# HG changeset patch
+# Parent  7951ad8c720728b382cfaa32e3d7a549126a1496
+additional option for sftp-server to force file mode for new files
+FATE#312774
+http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
+http://marc.info/?l=openssh-unix-dev&m=128896838930893
+
+diff --git a/openssh-7.2p2/sftp-server.8 b/openssh-7.2p2/sftp-server.8
+--- a/openssh-7.2p2/sftp-server.8
++++ b/openssh-7.2p2/sftp-server.8
+@@ -33,16 +33,17 @@
+ .Bk -words
+ .Op Fl ehR
+ .Op Fl d Ar start_directory
+ .Op Fl f Ar log_facility
+ .Op Fl l Ar log_level
+ .Op Fl P Ar blacklisted_requests
+ .Op Fl p Ar whitelisted_requests
+ .Op Fl u Ar umask
++.Op Fl m Ar force_file_permissions
+ .Ek
+ .Nm
+ .Fl Q Ar protocol_feature
+ .Sh DESCRIPTION
+ .Nm
+ is a program that speaks the server side of SFTP protocol
+ to stdout and expects client requests from stdin.
+ .Nm
+@@ -133,16 +134,20 @@ Places this instance of
+ into a read-only mode.
+ Attempts to open files for writing, as well as other operations that change
+ the state of the filesystem, will be denied.
+ .It Fl u Ar umask
+ Sets an explicit
+ .Xr umask 2
+ to be applied to newly-created files and directories, instead of the
+ user's default mask.
++.It Fl m Ar force_file_permissions
++Sets explicit file permissions to be applied to newly-created files instead
++of the default or client requested mode.  Numeric values include:
++777, 755, 750, 666, 644, 640, etc.  Option -u is ineffective if -m is set.
+ .El
+ .Pp
+ On some systems,
+ .Nm
+ must be able to access
+ .Pa /dev/log
+ for logging to work, and use of
+ .Nm
+diff --git a/openssh-7.2p2/sftp-server.c b/openssh-7.2p2/sftp-server.c
+--- a/openssh-7.2p2/sftp-server.c
++++ b/openssh-7.2p2/sftp-server.c
+@@ -73,16 +73,20 @@ static u_int version;
+ static int init_done;
+ 
+ /* Disable writes */
+ static int readonly;
+ 
+ /* Requests that are allowed/denied */
+ static char *request_whitelist, *request_blacklist;
+ 
++/* Force file permissions */
++int permforce = 0;
++long permforcemode;
++
+ /* portable attributes, etc. */
+ typedef struct Stat Stat;
+ 
+ struct Stat {
+ 	char *name;
+ 	char *long_name;
+ 	Attrib attrib;
+ };
+@@ -687,16 +691,20 @@ process_open(u_int32_t id)
+ 	if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
+ 	    (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
+ 	    (r = decode_attrib(iqueue, &a)) != 0)
+ 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 
+ 	debug3("request %u: open flags %d", id, pflags);
+ 	flags = flags_from_portable(pflags);
+ 	mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
++	if (permforce == 1) {
++		mode = permforcemode;
++		(void)umask(0); /* so umask does not interfere */
++	}
+ 	logit("open \"%s\" flags %s mode 0%o",
+ 	    name, string_from_portable(pflags), mode);
+ 	if (readonly &&
+ 	    ((flags & O_ACCMODE) == O_WRONLY ||
+ 	    (flags & O_ACCMODE) == O_RDWR)) {
+ 		verbose("Refusing open request in read-only mode");
+ 		status = SSH2_FX_PERMISSION_DENIED;
+ 	} else {
+@@ -1489,17 +1497,18 @@ sftp_server_cleanup_exit(int i)
+ static void
+ sftp_server_usage(void)
+ {
+ 	extern char *__progname;
+ 
+ 	fprintf(stderr,
+ 	    "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
+ 	    "[-l log_level]\n\t[-P blacklisted_requests] "
+-	    "[-p whitelisted_requests] [-u umask]\n"
++	    "[-p whitelisted_requests] [-u umask]\n\t"
++	    "[-m force_file_permissions]\n"
+ 	    "       %s -Q protocol_feature\n",
+ 	    __progname, __progname);
+ 	exit(1);
+ }
+ 
+ int
+ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+ {
+@@ -1515,17 +1524,17 @@ sftp_server_main(int argc, char **argv, 
+ 
+ 	ssh_malloc_init();	/* must be called before any mallocs */
+ 	__progname = ssh_get_progname(argv[0]);
+ 	log_init(__progname, log_level, log_facility, log_stderr);
+ 
+ 	pw = pwcopy(user_pw);
+ 
+ 	while (!skipargs && (ch = getopt(argc, argv,
+-	    "d:f:l:P:p:Q:u:cehR")) != -1) {
++	    "d:f:l:P:p:Q:u:m:cehR")) != -1) {
+ 		switch (ch) {
+ 		case 'Q':
+ 			if (strcasecmp(optarg, "requests") != 0) {
+ 				fprintf(stderr, "Invalid query type\n");
+ 				exit(1);
+ 			}
+ 			for (i = 0; handlers[i].handler != NULL; i++)
+ 				printf("%s\n", handlers[i].name);
+@@ -1575,16 +1584,23 @@ sftp_server_main(int argc, char **argv, 
+ 		case 'u':
+ 			errno = 0;
+ 			mask = strtol(optarg, &cp, 8);
+ 			if (mask < 0 || mask > 0777 || *cp != '\0' ||
+ 			    cp == optarg || (mask == 0 && errno != 0))
+ 				fatal("Invalid umask \"%s\"", optarg);
+ 			(void)umask((mode_t)mask);
+ 			break;
++		case 'm':
++			permforce = 1;
++			permforcemode = strtol(optarg, &cp, 8);
++			if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' ||
++				cp == optarg || (permforcemode == 0 && errno != 0))
++				fatal("Invalid umask \"%s\"", optarg);
++			break;
+ 		case 'h':
+ 		default:
+ 			sftp_server_usage();
+ 		}
+ 	}
+ 
+ 	log_init(__progname, log_level, log_facility, log_stderr);
+ 

openssh-7.2p2-sftp_homechroot.patch

@@ -0,0 +1,366 @@
+# HG changeset patch
+# Parent  2f269fe1cd176bc5ff833819e1b04f1d96f13144
+run sftp sessions inside a chroot
+
+diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c
+--- a/openssh-7.2p2/session.c
++++ b/openssh-7.2p2/session.c
+@@ -123,16 +123,18 @@ int	do_exec(Session *, const char *);
+ void	do_login(Session *, const char *);
+ #ifdef LOGIN_NEEDS_UTMPX
+ static void	do_pre_login(Session *s);
+ #endif
+ void	do_child(Session *, const char *);
+ void	do_motd(void);
+ int	check_quietlogin(Session *, const char *);
+ 
++int	chroot_no_tree = 0;
++
+ static void do_authenticated1(Authctxt *);
+ static void do_authenticated2(Authctxt *);
+ 
+ static int session_pty_req(Session *);
+ 
+ /* import */
+ extern ServerOptions options;
+ extern char *__progname;
+@@ -838,16 +840,21 @@ do_exec(Session *s, const char *command)
+ 		    "subsystem '%.900s'", s->subsys);
+ 	} else if (command == NULL) {
+ 		snprintf(session_type, sizeof(session_type), "shell");
+ 	} else {
+ 		/* NB. we don't log unforced commands to preserve privacy */
+ 		snprintf(session_type, sizeof(session_type), "command");
+ 	}
+ 
++	if ((s->is_subsystem != SUBSYSTEM_INT_SFTP) && chroot_no_tree) {
++		logit("You aren't welcomed, go away!");
++		exit (1);
++	}
++
+ 	if (s->ttyfd != -1) {
+ 		tty = s->tty;
+ 		if (strncmp(tty, "/dev/", 5) == 0)
+ 			tty += 5;
+ 	}
+ 
+ 	verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
+ 	    session_type,
+@@ -1492,58 +1499,123 @@ do_nologin(struct passwd *pw)
+  		while (fgets(buf, sizeof(buf), f))
+  			fputs(buf, stderr);
+  		fclose(f);
+  	}
+ 	exit(254);
+ }
+ 
+ /*
++ * Test if filesystem is mounted nosuid and nodev
++ */
++
++static void
++test_nosuid (char * path, dev_t fs)
++{
++	FILE *f;
++	struct stat st;
++	char buf[4096], *s, *on, *mountpoint, *opt;
++	int nodev, nosuid;
++
++	if (!(f = popen ("/bin/mount", "r")))
++		fatal ("%s: popen(\"/bin/mount\", \"r\"): %s",
++		    __func__, strerror (errno));
++	for (;;) {
++		s = fgets (buf, sizeof (buf), f);
++		if (ferror (f))
++			fatal ("%s: read from popen: %s", __func__,
++			    strerror (errno));
++		if (!s) {
++			pclose (f);
++			fatal ("cannot find filesystem with the chroot directory");
++		}
++		(void) strtok (buf, " ");
++		on = strtok (NULL, " ");
++		if (strcmp (on, "on")) {
++			pclose (f);
++			fatal ("bad format of mount output");
++		}
++		mountpoint = strtok (NULL, " ");
++		if (memcmp (path, mountpoint, strlen (mountpoint)))
++			continue;
++		if (stat(mountpoint, &st) != 0) {
++			pclose (f);
++			fatal("%s: stat(\"%s\"): %s", __func__,
++			    mountpoint, strerror(errno));
++		}
++		if (fs != st.st_dev)
++			continue;
++		nodev = nosuid = 0;
++		for (opt = strtok (NULL, "("); opt; opt = strtok (NULL, " ,)")) {
++			if (!strcmp (opt, "nodev"))
++				nodev = 1;
++			else if (!strcmp (opt, "nosuid"))
++				nosuid = 1;
++			else if (!strcmp (opt, "noexec"))
++				nosuid = 1;
++			if (nodev && nosuid) {
++				pclose (f);
++				return;
++			}
++		}
++		fatal ("chroot into directory without nodev and either noexec or nosuid");
++	}
++}
++
++/*
+  * Chroot into a directory after checking it for safety: all path components
+  * must be root-owned directories with strict permissions.
+  */
+ static void
+ safely_chroot(const char *path, uid_t uid)
+ {
+ 	const char *cp;
+ 	char component[PATH_MAX];
+ 	struct stat st;
++	int last;
+ 
+ 	if (*path != '/')
+ 		fatal("chroot path does not begin at root");
+ 	if (strlen(path) >= sizeof(component))
+ 		fatal("chroot path too long");
+ 
+ 	/*
+ 	 * Descend the path, checking that each component is a
+ 	 * root-owned directory with strict permissions.
+ 	 */
+ 	for (cp = path; cp != NULL;) {
+-		if ((cp = strchr(cp, '/')) == NULL)
++		if (last = ((cp = strchr(cp, '/')) == NULL))
+ 			strlcpy(component, path, sizeof(component));
+ 		else {
+ 			cp++;
+ 			memcpy(component, path, cp - path);
+ 			component[cp - path] = '\0';
+ 		}
+ 	
+ 		debug3("%s: checking '%s'", __func__, component);
+ 
+ 		if (stat(component, &st) != 0)
+ 			fatal("%s: stat(\"%s\"): %s", __func__,
+ 			    component, strerror(errno));
+-		if (st.st_uid != 0 || (st.st_mode & 022) != 0)
++		if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid))
+ 			fatal("bad ownership or modes for chroot "
+ 			    "directory %s\"%s\"", 
+ 			    cp == NULL ? "" : "component ", component);
+ 		if (!S_ISDIR(st.st_mode))
+ 			fatal("chroot path %s\"%s\" is not a directory",
+ 			    cp == NULL ? "" : "component ", component);
+ 
+ 	}
++	setenv ("TZ", "/etc/localtime", 0);
++	tzset();
++
++	if (st.st_uid) {
++		test_nosuid(path, st.st_dev);
++		++chroot_no_tree;
++	}
+ 
+ 	if (chdir(path) == -1)
+ 		fatal("Unable to chdir to chroot path \"%s\": "
+ 		    "%s", path, strerror(errno));
+ 	if (chroot(path) == -1)
+ 		fatal("chroot(\"%s\"): %s", path, strerror(errno));
+ 	if (chdir("/") == -1)
+ 		fatal("%s: chdir(/) after chroot: %s",
+diff --git a/openssh-7.2p2/sftp-chrootenv.h b/openssh-7.2p2/sftp-chrootenv.h
+new file mode 100644
+--- /dev/null
++++ b/openssh-7.2p2/sftp-chrootenv.h
+@@ -0,0 +1,30 @@
++/*
++ * Copyright (c) 2009 Jan F Chadima.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++#ifndef CHROOTENV_H
++#define CHROOTENV_H
++
++extern int	chroot_no_tree;
++
++#endif
++
+diff --git a/openssh-7.2p2/sftp-common.c b/openssh-7.2p2/sftp-common.c
+--- a/openssh-7.2p2/sftp-common.c
++++ b/openssh-7.2p2/sftp-common.c
+@@ -43,16 +43,17 @@
+ 
+ #include "xmalloc.h"
+ #include "ssherr.h"
+ #include "sshbuf.h"
+ #include "log.h"
+ 
+ #include "sftp.h"
+ #include "sftp-common.h"
++#include "sftp-chrootenv.h"
+ 
+ /* Clear contents of attributes structure */
+ void
+ attrib_clear(Attrib *a)
+ {
+ 	a->flags = 0;
+ 	a->size = 0;
+ 	a->uid = 0;
+@@ -216,23 +217,23 @@ ls_file(const char *name, const struct s
+ 	int ulen, glen, sz = 0;
+ 	struct tm *ltime = localtime(&st->st_mtime);
+ 	char *user, *group;
+ 	char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
+ 	char sbuf[FMT_SCALED_STRSIZE];
+ 	time_t now;
+ 
+ 	strmode(st->st_mode, mode);
+-	if (!remote) {
++	if (!remote && !chroot_no_tree) {
+ 		user = user_from_uid(st->st_uid, 0);
+ 	} else {
+ 		snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
+ 		user = ubuf;
+ 	}
+-	if (!remote) {
++	if (!remote && !chroot_no_tree) {
+ 		group = group_from_gid(st->st_gid, 0);
+ 	} else {
+ 		snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
+ 		group = gbuf;
+ 	}
+ 	if (ltime != NULL) {
+ 		now = time(NULL);
+ 		if (now - (365*24*60*60)/2 < st->st_mtime &&
+diff --git a/openssh-7.2p2/sftp-server-main.c b/openssh-7.2p2/sftp-server-main.c
+--- a/openssh-7.2p2/sftp-server-main.c
++++ b/openssh-7.2p2/sftp-server-main.c
+@@ -17,22 +17,25 @@
+ 
+ #include "includes.h"
+ 
+ #include <sys/types.h>
+ #include <pwd.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+ #include <unistd.h>
++//#include <time.h>
+ 
+ #include "log.h"
+ #include "sftp.h"
+ #include "misc.h"
+ #include "xmalloc.h"
+ 
++int chroot_no_tree = 0;
++
+ void
+ cleanup_exit(int i)
+ {
+ 	sftp_server_cleanup_exit(i);
+ }
+ 
+ int
+ main(int argc, char **argv)
+diff --git a/openssh-7.2p2/sftp.c b/openssh-7.2p2/sftp.c
+--- a/openssh-7.2p2/sftp.c
++++ b/openssh-7.2p2/sftp.c
+@@ -112,16 +112,18 @@ struct complete_ctx {
+ 	char **remote_pathp;
+ };
+ 
+ int remote_glob(struct sftp_conn *, const char *, int,
+     int (*)(const char *, int), glob_t *); /* proto for sftp-glob.c */
+ 
+ extern char *__progname;
+ 
++int chroot_no_tree = 0;
++
+ /* Separators for interactive commands */
+ #define WHITESPACE " \t\r\n"
+ 
+ /* ls flags */
+ #define LS_LONG_VIEW	0x0001	/* Full view ala ls -l */
+ #define LS_SHORT_VIEW	0x0002	/* Single row view ala ls -1 */
+ #define LS_NUMERIC_VIEW	0x0004	/* Long view with numeric uid/gid */
+ #define LS_NAME_SORT	0x0008	/* Sort by name (default) */
+diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
+--- a/openssh-7.2p2/sshd_config.0
++++ b/openssh-7.2p2/sshd_config.0
+@@ -251,16 +251,24 @@ DESCRIPTION
+              directory on some operating systems (see sftp-server(8) for
+              details).
+ 
+              For safety, it is very important that the directory hierarchy be
+              prevented from modification by other processes on the system
+              (especially those outside the jail).  Misconfiguration can lead
+              to unsafe environments which sshd(8) cannot detect.
+ 
++             In the special case when only sftp is used, not ssh nor scp, it
++             is possible to use ChrootDirectory %h or ChrootDirectory
++             /some/path/%u. The file system containing this directory must be
++             mounted with options nodev and either nosuid or noexec. The owner
++             of the directory should be the user. The ownership of the other
++             components of the path must fulfill the usual conditions. No adi-
++             tional files are required to be present in the directory.
++
+              The default is M-bM-^@M-^\noneM-bM-^@M-^], indicating not to chroot(2).
+ 
+      Ciphers
+              Specifies the ciphers allowed.  Multiple ciphers must be comma-
+              separated.  If the specified value begins with a M-bM-^@M-^X+M-bM-^@M-^Y character,
+              then the specified ciphers will be appended to the default set
+              instead of replacing them.
+ 
+diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
+--- a/openssh-7.2p2/sshd_config.5
++++ b/openssh-7.2p2/sshd_config.5
+@@ -424,16 +424,27 @@ for details).
+ .Pp
+ For safety, it is very important that the directory hierarchy be
+ prevented from modification by other processes on the system (especially
+ those outside the jail).
+ Misconfiguration can lead to unsafe environments which
+ .Xr sshd 8
+ cannot detect.
+ .Pp
++In the special case when only sftp is used, not ssh nor scp,
++it is possible to use
++.Cm ChrootDirectory
++%h or
++.Cm ChrootDirectory
++/some/path/%u. The file system containing this directory must be
++mounted with options nodev and either nosuid or noexec. The owner of the
++directory should be the user. The ownership of the other components of the path
++must fulfill the usual conditions. No aditional files are required to be present
++in the directory.
++.Pp
+ The default is
+ .Dq none ,
+ indicating not to
+ .Xr chroot 2 .
+ .It Cm Ciphers
+ Specifies the ciphers allowed.
+ Multiple ciphers must be comma-separated.
+ If the specified value begins with a

openssh.changes

@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Thu Sep 29 23:27:49 UTC 2016 - pcerny@suse.com
+
+- allow X forwarding over IPv4 when IPv6 sockets is not available
+  [openssh-7.2p2-X_forward_with_disabled_ipv6.patch]
+- do not write PID file when not daemonizing
+  [openssh-7.2p2-no_fork-no_pid_file.patch]
+- use correct options when invoking login
+  [openssh-7.2p2-login_options.patch]
+- helper application for retrieving users' public keys from
+  an LDAP server
+  [openssh-7.2p2-ldap.patch]
+- allow forcing permissions over sftp
+  [openssh-7.2p2-sftp_force_permissions.patch]
+- do not perform run-time checks for OpenSSL API/ABI change
+  [openssh-7.2p2-disable-openssl-abi-check.patch]
+- suggest commands for cleaning known hosts file
+  [openssh-7.2p2-host_ident.patch]
+- sftp home chroot patch
+  [openssh-7.2p2-sftp_homechroot.patch]
+- ssh sessions auditing
+  [openssh-7.2p2-audit.patch]
+- enable seccomp sandbox on additional architectures
+  [openssh-7.2p2-additional_seccomp_archs.patch]
+
 -------------------------------------------------------------------
 Fri Sep 16 12:45:11 UTC 2016 - pcerny@suse.com
 

openssh.spec

@@ -88,7 +88,10 @@ BuildRequires:  pkgconfig(systemd)
 %{?systemd_requires}
 %endif
 BuildRequires:  tcpd-devel
-PreReq:         pwdutils %{insserv_prereq} %{fillup_prereq} coreutils
+PreReq:         pwdutils %{fillup_prereq} coreutils
+%if ! %{uses_systemd}
+PreReq:         %{insserv_prereq}
+%endif
 Version:        7.2p2
 Release:        0
 Summary:        Secure Shell Client and Server (Remote Login Program)
@@ -128,6 +131,16 @@ Patch15:        openssh-7.2p2-seccomp_stat.patch
 Patch16:        openssh-7.2p2-fips.patch
 Patch17:        openssh-7.2p2-seed-prng.patch
 Patch18:        openssh-7.2p2-gssapi_key_exchange.patch
+Patch19:        openssh-7.2p2-audit.patch
+Patch20:        openssh-7.2p2-login_options.patch
+Patch21:        openssh-7.2p2-disable-openssl-abi-check.patch
+Patch22:        openssh-7.2p2-no_fork-no_pid_file.patch
+Patch23:        openssh-7.2p2-host_ident.patch
+Patch24:        openssh-7.2p2-sftp_homechroot.patch
+Patch25:        openssh-7.2p2-sftp_force_permissions.patch
+Patch26:        openssh-7.2p2-X_forward_with_disabled_ipv6.patch
+Patch27:        openssh-7.2p2-ldap.patch
+Patch28:        openssh-7.2p2-additional_seccomp_archs.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Conflicts:      nonfreessh
 Recommends:     audit
@@ -198,14 +211,24 @@ FIPS140 CAVS tests related parts of the OpenSSH package
 %patch16 -p2
 %patch17 -p2
 %patch18 -p2
+%patch19 -p2
+%patch20 -p2
+%patch21 -p2
+%patch22 -p2
+%patch23 -p2
+%patch24 -p2
+%patch25 -p2
+%patch26 -p2
+%patch27 -p2
+%patch28 -p2
 cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
 
 %build
-#### set libexec dir in the LDAP patch
-###sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
-###    $( grep -Rl @LIBEXECDIR@ \
-###        $( grep "^+++" %{PATCH40} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
-###    )
+# set libexec dir in the LDAP patch
+sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \
+    $( grep -Rl @LIBEXECDIR@ \
+        $( grep "^+++" %{PATCH27} | sed -r 's@^.+/([^/\t ]+).*$@\1@' )
+    )
 
 autoreconf -fiv
 %ifarch s390 s390x %sparc
@@ -271,7 +294,7 @@ install -d -m 755 %{buildroot}%{_initddir}
 %if %{uses_systemd}
 install -m 0755 %{SOURCE1} .
 install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
-ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcsshd
+ln -s /sbin/service %{buildroot}%{_sbindir}/rcsshd
 %else
 install -D -m 0755 %{SOURCE1} %{buildroot}%{_initddir}/sshd
 install -m 0644 %{SOURCE10} .
@@ -376,7 +399,7 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
 %attr(0755,root,root) %{_bindir}/*
 %attr(0755,root,root) %{_sbindir}/*
 %attr(0755,root,root) %dir %{_libexecdir}/ssh
-###%exclude %{_libexecdir}/ssh/ssh-ldap*
+%exclude %{_libexecdir}/ssh/ssh-ldap*
 %attr(0755,root,root) %{_libexecdir}/ssh/*
 %attr(0444,root,root) %doc %{_mandir}/man1/*
 %attr(0444,root,root) %doc %{_mandir}/man5/*
@@ -395,10 +418,10 @@ rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes
 %files helpers
 %defattr(-,root,root)
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
-###%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
+%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf
 %attr(0755,root,root) %dir %{_libexecdir}/ssh
-###%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
-###%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
+%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap*
+%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema
 
 %files fips
 %defattr(-,root,root)