Accepting request 1322252 from network

Remove erroneous %config() directive (forwarded request 1322250 from hpjansson)

OBS-URL: https://build.opensuse.org/request/show/1322252
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=198

0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch

@@ -49,7 +49,7 @@ index b49d415e7c7..86137a1acdb 100644
 +		return KbdintResultFailure;
  	}
  	if ((buffer = sshbuf_new()) == NULL)
- 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 @@ -1015,10 +1015,10 @@ sshpam_respond(void *ctx, u_int num, char **resp)
  	}
  	if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, buffer) == -1) {
@@ -106,309 +106,3 @@ index 021df829173..047d4e83c33 100644
  		if (send_userauth_info_request(ssh) == 1)
  			authctxt->postponed = 1;
 
-From 91ef15e8ed01a7e16d96ba6cb9ed51965dca9641 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
-Date: Mon, 16 Oct 2023 21:15:45 +0200
-Subject: [PATCH 2/6] auth-pam: Add an enum to define the PAM done status
-
-Makes things more readable and easier to extend
----
- auth-pam.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/auth-pam.c b/auth-pam.c
-index 86137a1acdb..21291631011 100644
---- a/auth-pam.c
-+++ b/auth-pam.c
-@@ -136,11 +136,16 @@ typedef pid_t sp_pthread_t;
- #define pthread_join	fake_pthread_join
- #endif
- 
-+typedef int SshPamDone;
-+#define SshPamError -1
-+#define SshPamNone 0
-+#define SshPamAuthenticated 1
-+
- struct pam_ctxt {
- 	sp_pthread_t	 pam_thread;
- 	int		 pam_psock;
- 	int		 pam_csock;
--	int		 pam_done;
-+	SshPamDone	 pam_done;
- };
- 
- static void sshpam_free_ctx(void *);
-@@ -904,7 +909,7 @@ sshpam_query(void *ctx, char **name, char **info,
- 				**prompts = NULL;
- 				*num = 0;
- 				**echo_on = 0;
--				ctxt->pam_done = -1;
-+				ctxt->pam_done = SshPamError;
- 				free(msg);
- 				sshbuf_free(buffer);
- 				return 0;
-@@ -931,7 +936,7 @@ sshpam_query(void *ctx, char **name, char **info,
- 				import_environments(buffer);
- 				*num = 0;
- 				**echo_on = 0;
--				ctxt->pam_done = 1;
-+				ctxt->pam_done = SshPamAuthenticated;
- 				free(msg);
- 				sshbuf_free(buffer);
- 				return (0);
-@@ -944,7 +949,7 @@ sshpam_query(void *ctx, char **name, char **info,
- 			*num = 0;
- 			**echo_on = 0;
- 			free(msg);
--			ctxt->pam_done = -1;
-+			ctxt->pam_done = SshPamError;
- 			sshbuf_free(buffer);
- 			return (-1);
- 		}
-@@ -988,10 +993,10 @@ sshpam_respond(void *ctx, u_int num, char **resp)
- 
- 	debug2("PAM: %s entering, %u responses", __func__, num);
- 	switch (ctxt->pam_done) {
--	case 1:
-+	case SshPamAuthenticated:
- 		sshpam_authenticated = 1;
- 		return KbdintResultSuccess;
--	case 0:
-+	case SshPamNone:
- 		break;
- 	default:
- 		return KbdintResultFailure;
-
-From 6fa8934d31cb9925c856f1b992fc5e04dd26da21 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
-Date: Tue, 17 Oct 2023 04:35:17 +0200
-Subject: [PATCH 3/6] auth-pam: Add debugging information when we receive PAM
- messages
-
----
- auth-pam.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/auth-pam.c b/auth-pam.c
-index 21291631011..7a72e724adc 100644
---- a/auth-pam.c
-+++ b/auth-pam.c
-@@ -450,6 +450,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
- 			break;
- 		case PAM_ERROR_MSG:
- 		case PAM_TEXT_INFO:
-+			debug3("PAM: Got message of type %d: %s",
-+			       PAM_MSG_MEMBER(msg, i, msg_style),
-+			       PAM_MSG_MEMBER(msg, i, msg));
- 			if ((r = sshbuf_put_cstring(buffer,
- 			    PAM_MSG_MEMBER(msg, i, msg))) != 0)
- 				fatal("%s: buffer error: %s",
-
-From 598ee34312b541fa7b3988b4896641bf81996e27 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
-Date: Tue, 17 Oct 2023 04:27:32 +0200
-Subject: [PATCH 4/6] auth-pam: Immediately report interactive instructions to
- clients
-
-SSH keyboard-interactive authentication method supports instructions but
-sshd didn't show them until an user prompt was requested.
-
-This is quite inconvenient for various PAM modules that need to notify
-an user without requiring for their explicit input.
-
-So, properly implement RFC4256 making instructions to be shown to users
-when they are requested from PAM.
-
-Closes: https://bugzilla.mindrot.org/show_bug.cgi?id=2876
----
- auth-pam.c | 21 ++++++++++++---------
- 1 file changed, 12 insertions(+), 9 deletions(-)
-
-diff --git a/auth-pam.c b/auth-pam.c
-index 7a72e724adc..b756f0e5221 100644
---- a/auth-pam.c
-+++ b/auth-pam.c
-@@ -140,6 +140,7 @@ typedef int SshPamDone;
- #define SshPamError -1
- #define SshPamNone 0
- #define SshPamAuthenticated 1
-+#define SshPamAgain 2
- 
- struct pam_ctxt {
- 	sp_pthread_t	 pam_thread;
-@@ -868,6 +869,8 @@ sshpam_query(void *ctx, char **name, char **info,
- 	**prompts = NULL;
- 	plen = 0;
- 	*echo_on = xmalloc(sizeof(u_int));
-+	ctxt->pam_done = SshPamNone;
-+
- 	while (ssh_msg_recv(ctxt->pam_psock, buffer) == 0) {
- 		if (++nmesg > PAM_MAX_NUM_MSG)
- 			fatal_f("too many query messages");
-@@ -888,15 +891,13 @@ sshpam_query(void *ctx, char **name, char **info,
- 			return (0);
- 		case PAM_ERROR_MSG:
- 		case PAM_TEXT_INFO:
--			/* accumulate messages */
--			len = plen + mlen + 2;
--			**prompts = xreallocarray(**prompts, 1, len);
--			strlcpy(**prompts + plen, msg, len - plen);
--			plen += mlen;
--			strlcat(**prompts + plen, "\n", len - plen);
--			plen++;
--			free(msg);
--			break;
-+			*num = 0;
-+			free(*info);
-+			*info = msg; /* Steal the message */
-+			msg = NULL;
-+			ctxt->pam_done = SshPamAgain;
-+			sshbuf_free(buffer);
-+			return (0);
- 		case PAM_ACCT_EXPIRED:
- 		case PAM_MAXTRIES:
- 			if (type == PAM_ACCT_EXPIRED)
-@@ -1001,6 +1002,8 @@ sshpam_respond(void *ctx, u_int num, char **resp)
- 		return KbdintResultSuccess;
- 	case SshPamNone:
- 		break;
-+	case SshPamAgain:
-+		return KbdintResultAgain;
- 	default:
- 		return KbdintResultFailure;
- 	}
-
-From cc14301ce0542cdbb825eff8041ce98a1da9ef08 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
-Date: Tue, 17 Oct 2023 06:12:03 +0200
-Subject: [PATCH 5/6] sshconnect2: Write kbd-interactive service, info and
- instructions as utf-8
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-As per the previous server change now the keyboard-interactive service
-and instruction values could be reported as soon as they are available
-and so they're not prompts anymore and not parsed like them.
-
-While this was already supported by the SSH client, these messages were
-not properly written as the escaped sequences they contained were not
-correctly reported.
-
-So for example a message containing "\" was represented as "\\" and
-similarly for all the other C escape sequences.
-
-This was leading to more problems when it come to utf-8 chars, as they
-were only represented by their octal representation.
-
-This was easily testable by adding a line like the one below to the
-sshd PAM service:
-  auth    requisite pam_echo.so Hello SSHD! Want some 🍕?
-
-Which was causing this to be written instead:
-  Hello SSHD! Want some \360\237\215\225?
-
-To handle this, instead of simply using fmprintf, we're using the notifier
-in a way can be exposed to users in the proper format and UI.
----
- sshconnect2.c | 33 ++++++++++++++++++++++++---------
- 1 file changed, 24 insertions(+), 9 deletions(-)
-
-diff --git a/sshconnect2.c b/sshconnect2.c
-index 5831a00c6d1..543431218c1 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -1091,6 +1091,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
- 	char *info = NULL, *lang = NULL, *password = NULL, *retype = NULL;
- 	char prompt[256];
- 	const char *host;
-+	size_t info_len;
- 	int r;
- 
- 	debug2("input_userauth_passwd_changereq");
-@@ -1100,11 +1101,15 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
- 		    "no authentication context");
- 	host = options.host_key_alias ? options.host_key_alias : authctxt->host;
- 
--	if ((r = sshpkt_get_cstring(ssh, &info, NULL)) != 0 ||
-+	if ((r = sshpkt_get_cstring(ssh, &info, &info_len)) != 0 ||
- 	    (r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
- 		goto out;
--	if (strlen(info) > 0)
--		logit("%s", info);
-+	if (info_len > 0) {
-+		struct notifier_ctx *notifier = NULL;
-+		debug_f("input_userauth_passwd_changereq info: %s", info);
-+		notifier = notify_start(0, "%s", info);
-+		notify_complete(notifier, NULL);
-+	}
- 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
- 	    (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
- 	    (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
-@@ -1938,8 +1943,10 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
- 	Authctxt *authctxt = ssh->authctxt;
- 	char *name = NULL, *inst = NULL, *lang = NULL, *prompt = NULL;
- 	char *display_prompt = NULL, *response = NULL;
-+	struct notifier_ctx *notifier = NULL;
- 	u_char echo = 0;
- 	u_int num_prompts, i;
-+	size_t name_len, inst_len;
- 	int r;
- 
- 	debug2_f("entering");
-@@ -1949,14 +1956,22 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
- 
- 	authctxt->info_req_seen = 1;
- 
--	if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0 ||
--	    (r = sshpkt_get_cstring(ssh, &inst, NULL)) != 0 ||
-+	if ((r = sshpkt_get_cstring(ssh, &name, &name_len)) != 0 ||
-+	    (r = sshpkt_get_cstring(ssh, &inst, &inst_len)) != 0 ||
- 	    (r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
- 		goto out;
--	if (strlen(name) > 0)
--		logit("%s", name);
--	if (strlen(inst) > 0)
--		logit("%s", inst);
-+	if (name_len > 0) {
-+		debug_f("kbd int name: %s", name);
-+		notifier = notify_start(0, "%s", name);
-+		notify_complete(notifier, NULL);
-+		notifier = NULL;
-+	}
-+	if (inst_len > 0) {
-+		debug_f("kbd int inst: %s", inst);
-+		notifier = notify_start(0, "%s", inst);
-+		notify_complete(notifier, NULL);
-+		notifier = NULL;
-+	}
- 
- 	if ((r = sshpkt_get_u32(ssh, &num_prompts)) != 0)
- 		goto out;
-
-From 99656caabc5cff24122e5b9a140e5a38ab418a5d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
-Date: Tue, 17 Oct 2023 06:05:59 +0200
-Subject: [PATCH 6/6] auth2-chall: Fix selection of the keyboard-interactive
- device
-
-We were only checking if the prefix of a device name was matching what
-we had in the devices list, so if the device list contained "pam", then
-also the device "pam-foo" was matching.
----
- auth2-chall.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/auth2-chall.c b/auth2-chall.c
-index 047d4e83c33..db658c9b4a7 100644
---- a/auth2-chall.c
-+++ b/auth2-chall.c
-@@ -170,7 +170,7 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
- 			    "keyboard-interactive", devices[i]->name))
- 				continue;
- 			if (strncmp(kbdintctxt->devices, devices[i]->name,
--			    len) == 0) {
-+			    len) == 0 && strlen(devices[i]->name) == len) {
- 				kbdintctxt->device = devices[i];
- 				kbdintctxt->devices_done |= 1 << i;
- 			}

0002-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch

@@ -0,0 +1,73 @@
+From 91ef15e8ed01a7e16d96ba6cb9ed51965dca9641 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
+Date: Mon, 16 Oct 2023 21:15:45 +0200
+Subject: [PATCH 2/6] auth-pam: Add an enum to define the PAM done status
+
+Makes things more readable and easier to extend
+---
+ auth-pam.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/auth-pam.c b/auth-pam.c
+index 86137a1acdb..21291631011 100644
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -136,11 +136,16 @@ typedef pid_t sp_pthread_t;
+ #define pthread_join	fake_pthread_join
+ #endif
+ 
++typedef int SshPamDone;
++#define SshPamError -1
++#define SshPamNone 0
++#define SshPamAuthenticated 1
++
+ struct pam_ctxt {
+ 	sp_pthread_t	 pam_thread;
+ 	int		 pam_psock;
+ 	int		 pam_csock;
+-	int		 pam_done;
++	SshPamDone	 pam_done;
+ };
+ 
+ static void sshpam_free_ctx(void *);
+@@ -904,7 +909,7 @@ sshpam_query(void *ctx, char **name, char **info,
+ 				**prompts = NULL;
+ 				*num = 0;
+ 				**echo_on = 0;
+-				ctxt->pam_done = -1;
++				ctxt->pam_done = SshPamError;
+ 				free(msg);
+ 				sshbuf_free(buffer);
+ 				return 0;
+@@ -931,7 +936,7 @@ sshpam_query(void *ctx, char **name, char **info,
+ 				import_environments(buffer);
+ 				*num = 0;
+ 				**echo_on = 0;
+-				ctxt->pam_done = 1;
++				ctxt->pam_done = SshPamAuthenticated;
+ 				free(msg);
+ 				sshbuf_free(buffer);
+ 				return (0);
+@@ -944,7 +949,7 @@ sshpam_query(void *ctx, char **name, char **info,
+ 			*num = 0;
+ 			**echo_on = 0;
+ 			free(msg);
+-			ctxt->pam_done = -1;
++			ctxt->pam_done = SshPamError;
+ 			sshbuf_free(buffer);
+ 			return (-1);
+ 		}
+@@ -988,10 +993,10 @@ sshpam_respond(void *ctx, u_int num, char **resp)
+ 
+ 	debug2_f("PAM: entering, %u responses", num);
+ 	switch (ctxt->pam_done) {
+-	case 1:
++	case SshPamAuthenticated:
+ 		sshpam_authenticated = 1;
+ 		return KbdintResultSuccess;
+-	case 0:
++	case SshPamNone:
+ 		break;
+ 	default:
+ 		return KbdintResultFailure;
+

0003-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch

@@ -0,0 +1,24 @@
+From 6fa8934d31cb9925c856f1b992fc5e04dd26da21 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
+Date: Tue, 17 Oct 2023 04:35:17 +0200
+Subject: [PATCH 3/6] auth-pam: Add debugging information when we receive PAM
+ messages
+
+---
+ auth-pam.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/auth-pam.c b/auth-pam.c
+index 21291631011..7a72e724adc 100644
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -450,6 +450,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
+ 			break;
+ 		case PAM_ERROR_MSG:
+ 		case PAM_TEXT_INFO:
++			debug3("PAM: Got message of type %d: %s",
++			       PAM_MSG_MEMBER(msg, i, msg_style),
++			       PAM_MSG_MEMBER(msg, i, msg));
+ 			if ((r = sshbuf_put_cstring(buffer,
+ 			    PAM_MSG_MEMBER(msg, i, msg))) != 0)
+ 				fatal("%s: buffer error: %s",

0004-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch

@@ -0,0 +1,208 @@
+From 598ee34312b541fa7b3988b4896641bf81996e27 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
+Date: Tue, 17 Oct 2023 04:27:32 +0200
+Subject: [PATCH 4/6] auth-pam: Immediately report interactive instructions to
+ clients
+
+SSH keyboard-interactive authentication method supports instructions but
+sshd didn't show them until an user prompt was requested.
+
+This is quite inconvenient for various PAM modules that need to notify
+an user without requiring for their explicit input.
+
+So, properly implement RFC4256 making instructions to be shown to users
+when they are requested from PAM.
+
+Closes: https://bugzilla.mindrot.org/show_bug.cgi?id=2876
+---
+ auth-pam.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/auth-pam.c b/auth-pam.c
+index 7a72e724adc..b756f0e5221 100644
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -140,6 +140,7 @@ typedef int SshPamDone;
+ #define SshPamError -1
+ #define SshPamNone 0
+ #define SshPamAuthenticated 1
++#define SshPamAgain 2
+ 
+ struct pam_ctxt {
+ 	sp_pthread_t	 pam_thread;
+@@ -868,6 +869,8 @@ sshpam_query(void *ctx, char **name, char **info,
+ 	**prompts = NULL;
+ 	plen = 0;
+ 	*echo_on = xmalloc(sizeof(u_int));
++	ctxt->pam_done = SshPamNone;
++
+ 	while (ssh_msg_recv(ctxt->pam_psock, buffer) == 0) {
+ 		if (++nmesg > PAM_MAX_NUM_MSG)
+ 			fatal_f("too many query messages");
+@@ -888,15 +891,13 @@ sshpam_query(void *ctx, char **name, char **info,
+ 			return (0);
+ 		case PAM_ERROR_MSG:
+ 		case PAM_TEXT_INFO:
+-			/* accumulate messages */
+-			len = plen + mlen + 2;
+-			**prompts = xreallocarray(**prompts, 1, len);
+-			strlcpy(**prompts + plen, msg, len - plen);
+-			plen += mlen;
+-			strlcat(**prompts + plen, "\n", len - plen);
+-			plen++;
+-			free(msg);
+-			break;
++			*num = 0;
++			free(*info);
++			*info = msg; /* Steal the message */
++			msg = NULL;
++			ctxt->pam_done = SshPamAgain;
++			sshbuf_free(buffer);
++			return (0);
+ 		case PAM_ACCT_EXPIRED:
+ 		case PAM_MAXTRIES:
+ 			if (type == PAM_ACCT_EXPIRED)
+@@ -1001,6 +1002,8 @@ sshpam_respond(void *ctx, u_int num, char **resp)
+ 		return KbdintResultSuccess;
+ 	case SshPamNone:
+ 		break;
++	case SshPamAgain:
++		return KbdintResultAgain;
+ 	default:
+ 		return KbdintResultFailure;
+ 	}
+
+From cc14301ce0542cdbb825eff8041ce98a1da9ef08 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
+Date: Tue, 17 Oct 2023 06:12:03 +0200
+Subject: [PATCH 5/6] sshconnect2: Write kbd-interactive service, info and
+ instructions as utf-8
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+As per the previous server change now the keyboard-interactive service
+and instruction values could be reported as soon as they are available
+and so they're not prompts anymore and not parsed like them.
+
+While this was already supported by the SSH client, these messages were
+not properly written as the escaped sequences they contained were not
+correctly reported.
+
+So for example a message containing "\" was represented as "\\" and
+similarly for all the other C escape sequences.
+
+This was leading to more problems when it come to utf-8 chars, as they
+were only represented by their octal representation.
+
+This was easily testable by adding a line like the one below to the
+sshd PAM service:
+  auth    requisite pam_echo.so Hello SSHD! Want some 🍕?
+
+Which was causing this to be written instead:
+  Hello SSHD! Want some \360\237\215\225?
+
+To handle this, instead of simply using fmprintf, we're using the notifier
+in a way can be exposed to users in the proper format and UI.
+---
+ sshconnect2.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 5831a00c6d1..543431218c1 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -1091,6 +1091,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
+ 	char *info = NULL, *lang = NULL, *password = NULL, *retype = NULL;
+ 	char prompt[256];
+ 	const char *host;
++	size_t info_len;
+ 	int r;
+ 
+ 	debug2("input_userauth_passwd_changereq");
+@@ -1100,11 +1101,15 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh)
+ 		    "no authentication context");
+ 	host = options.host_key_alias ? options.host_key_alias : authctxt->host;
+ 
+-	if ((r = sshpkt_get_cstring(ssh, &info, NULL)) != 0 ||
++	if ((r = sshpkt_get_cstring(ssh, &info, &info_len)) != 0 ||
+ 	    (r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
+ 		goto out;
+-	if (strlen(info) > 0)
+-		logit("%s", info);
++	if (info_len > 0) {
++		struct notifier_ctx *notifier = NULL;
++		debug_f("input_userauth_passwd_changereq info: %s", info);
++		notifier = notify_start(0, "%s", info);
++		notify_complete(notifier, NULL);
++	}
+ 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
+ 	    (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 ||
+ 	    (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 ||
+@@ -1938,8 +1943,10 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
+ 	Authctxt *authctxt = ssh->authctxt;
+ 	char *name = NULL, *inst = NULL, *lang = NULL, *prompt = NULL;
+ 	char *display_prompt = NULL, *response = NULL;
++	struct notifier_ctx *notifier = NULL;
+ 	u_char echo = 0;
+ 	u_int num_prompts, i;
++	size_t name_len, inst_len;
+ 	int r;
+ 
+ 	debug2_f("entering");
+@@ -1949,14 +1956,22 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
+ 
+ 	authctxt->info_req_seen = 1;
+ 
+-	if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0 ||
+-	    (r = sshpkt_get_cstring(ssh, &inst, NULL)) != 0 ||
++	if ((r = sshpkt_get_cstring(ssh, &name, &name_len)) != 0 ||
++	    (r = sshpkt_get_cstring(ssh, &inst, &inst_len)) != 0 ||
+ 	    (r = sshpkt_get_cstring(ssh, &lang, NULL)) != 0)
+ 		goto out;
+-	if (strlen(name) > 0)
+-		logit("%s", name);
+-	if (strlen(inst) > 0)
+-		logit("%s", inst);
++	if (name_len > 0) {
++		debug_f("kbd int name: %s", name);
++		notifier = notify_start(0, "%s", name);
++		notify_complete(notifier, NULL);
++		notifier = NULL;
++	}
++	if (inst_len > 0) {
++		debug_f("kbd int inst: %s", inst);
++		notifier = notify_start(0, "%s", inst);
++		notify_complete(notifier, NULL);
++		notifier = NULL;
++	}
+ 
+ 	if ((r = sshpkt_get_u32(ssh, &num_prompts)) != 0)
+ 		goto out;
+
+#From 99656caabc5cff24122e5b9a140e5a38ab418a5d Mon Sep 17 00:00:00 2001
+#From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?= <mail@3v1n0.net>
+#Date: Tue, 17 Oct 2023 06:05:59 +0200
+#Subject: [PATCH 6/6] auth2-chall: Fix selection of the keyboard-interactive
+# device
+#
+#We were only checking if the prefix of a device name was matching what
+#we had in the devices list, so if the device list contained "pam", then
+#also the device "pam-foo" was matching.
+#---
+# auth2-chall.c | 2 +-
+# 1 file changed, 1 insertion(+), 1 deletion(-)
+#
+#diff --git a/auth2-chall.c b/auth2-chall.c
+#index 047d4e83c33..db658c9b4a7 100644
+#--- a/auth2-chall.c
+#+++ b/auth2-chall.c
+#@@ -170,7 +170,7 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
+# 			    "keyboard-interactive", devices[i]->name))
+# 				continue;
+# 			if (strncmp(kbdintctxt->devices, devices[i]->name,
+#-			    len) == 0) {
+#+			    len) == 0 && strlen(devices[i]->name) == len) {
+# 				kbdintctxt->device = devices[i];
+# 				kbdintctxt->devices_done |= 1 << i;
+# 			}

logind_set_tty.patch

@@ -1,8 +1,8 @@
-diff --git a/Makefile.in b/Makefile.in
-index f0ea07e7b..35dcf45f1 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -56,6 +56,7 @@ SSHDLIBS=@SSHDLIBS@
+Index: openssh-10.0p1/Makefile.in
+===================================================================
+--- openssh-10.0p1.orig/Makefile.in
++++ openssh-10.0p1/Makefile.in
+@@ -64,6 +64,7 @@ SSHDLIBS=@SSHDLIBS@
  LIBEDIT=@LIBEDIT@
  LIBFIDO2=@LIBFIDO2@
  LIBWTMPDB=@LIBWTMPDB@
@@ -10,7 +10,7 @@ index f0ea07e7b..35dcf45f1 100644
  AR=@AR@
  AWK=@AWK@
  RANLIB=@RANLIB@
-@@ -208,7 +209,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
+@@ -244,7 +245,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
  	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS)
  
  sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
@@ -19,11 +19,11 @@ index f0ea07e7b..35dcf45f1 100644
  
  sshd-session$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHD_SESSION_OBJS)
  	$(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
-diff --git a/configure.ac b/configure.ac
-index a12c6f7ad..860df3379 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1789,6 +1789,47 @@ AC_ARG_WITH([wtmpdb],
+Index: openssh-10.0p1/configure.ac
+===================================================================
+--- openssh-10.0p1.orig/configure.ac
++++ openssh-10.0p1/configure.ac
+@@ -1872,6 +1872,47 @@ AC_ARG_WITH([wtmpdb],
  )
  
  
@@ -71,11 +71,11 @@ index a12c6f7ad..860df3379 100644
  AUDIT_MODULE=none
  AC_ARG_WITH([audit],
  	[  --with-audit=module     Enable audit support (modules=debug,bsm,linux)],
-diff --git a/loginrec.c b/loginrec.c
-index 86caf83b2..8b413190b 100644
---- a/loginrec.c
-+++ b/loginrec.c
-@@ -191,6 +191,10 @@
+Index: openssh-10.0p1/loginrec.c
+===================================================================
+--- openssh-10.0p1.orig/loginrec.c
++++ openssh-10.0p1/loginrec.c
+@@ -170,6 +170,10 @@
  # include <wtmpdb.h>
  #endif
  
@@ -86,7 +86,7 @@ index 86caf83b2..8b413190b 100644
  /**
   ** prototypes for helper functions in this file
   **/
-@@ -214,6 +218,9 @@ int syslogin_write_entry(struct logininfo *li);
+@@ -193,6 +197,9 @@ int syslogin_write_entry(struct logininf
  #ifdef USE_WTMPDB
  int wtmpdb_write_entry(struct logininfo *li);
  #endif
@@ -96,7 +96,7 @@ index 86caf83b2..8b413190b 100644
  
  int getlast_entry(struct logininfo *li);
  int lastlog_get_entry(struct logininfo *li);
-@@ -477,6 +484,9 @@ login_write(struct logininfo *li)
+@@ -456,6 +463,9 @@ login_write(struct logininfo *li)
  #ifdef USE_WTMPDB
  	wtmpdb_write_entry(li);
  #endif
@@ -106,10 +106,14 @@ index 86caf83b2..8b413190b 100644
  #ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
  	if (li->type == LTYPE_LOGIN &&
  	    !sys_auth_record_login(li->username,li->hostname,li->line,
-@@ -1476,6 +1486,91 @@ wtmpdb_write_entry(struct logininfo *li)
- }
- #endif
- 
+@@ -1459,6 +1469,100 @@ wtmpdb_write_entry(struct logininfo *li)
+ 	default:
+ 		logit_f("invalid type field");
+ 		return (0);
++	}
++}
++#endif
++
 +#ifdef USE_LOGIND
 +#define DBUS_DESTINATION "org.freedesktop.login1"
 +#define DBUS_PATH_ID "/org/freedesktop/login1/session/auto"
@@ -139,6 +143,7 @@ index 86caf83b2..8b413190b 100644
 +				 "Id", &error, &session_id) < 0)
 +    {
 +      logit("logind: cannot get session ID");
++      sd_bus_unref(bus);
 +      return (0);
 +    }
 +
@@ -150,13 +155,17 @@ index 86caf83b2..8b413190b 100644
 +  fd = open(tty, O_RDWR|O_CLOEXEC|O_NOCTTY);
 +
 +  if (asprintf (&dbus_path, DBUS_PATH, session_id) < 0)
++  {
++    sd_bus_unref(bus);
 +    return (0);
++  }
 +
 +  if (sd_bus_call_method(bus, DBUS_DESTINATION, dbus_path,
 +			 DBUS_INTERFACE, "TakeControl", &error, NULL,
 +			 "b", 1) < 0) {
 +    logit("logind: cannot take control");
 +    free(dbus_path);
++    sd_bus_unref(bus);
 +    return (0);
 +  }
 +
@@ -165,13 +174,17 @@ index 86caf83b2..8b413190b 100644
 +			      "h", fd)) < 0) {
 +    if (r != -EBADR) /* logind does not support "SetTTY" */
 +      logit("logind: cannot set TTY(%s, %s): %s", session_id, tty, strerror(-r));
++    else
++      logit("logind: logind does not support SetTTY (%s, %s): %s", session_id, tty, strerror(-r));
 +    free(dbus_path);
++    sd_bus_unref(bus);
 +    return (0);
 +  }
 +
 +  free(dbus_path);
 +
-+  if (sd_bus_flush(bus) < 0) {
++  if (r = sd_bus_flush(bus) < 0) {
++    logit("logind: bus flush failed: %s", strerror(-r));
 +    sd_bus_unref(bus);
 +    return (0);
 +  }
@@ -191,10 +204,6 @@ index 86caf83b2..8b413190b 100644
 +	default:
 +		logit("%s: invalid type field", __func__);
 +		return (0);
-+	}
-+}
-+#endif
-+
- /**
-  ** Low-level libutil login() functions
-  **/
+ 	}
+ }
+ #endif

openssh-10.0p1.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmf2G9sACgkQKj9BTnNg
-YLotnA//ffB/6FpNdutTHMItUiZC693bQyyOAFGfnSMp6IwTkMdXa0rMdzch0wQ7
-Uu3qQIeOqah8gd6tTqX4s26OqXflnMJtL2vf1d8zhD1deMJeIKnrJW39hiSLFTsU
-vgcYXR/02yGpBXkAzm4A7kieW3PkBV9WT/Y2HV1qbHc78vZt76iWuD5AZb4D3WG8
-5aD/XfLE3a5ZVBrgwPPCaHKjtJY7WMnDMHlX5pdEUAj4wjC9KjRKdbpsg/Tad8DO
-bhVvT7CqrcJx6Q/qr0/PoTBOIRksB4rKH2XVRu4ZrEI/LN7ghu/rFEYJyiNgtjFK
-NMaXFc5Ie4uPzEJJ5O0dGHcO5B2LWZbOJE0Cr7d2lJBJfeci3sm34FdKZnK6SDsG
-j4WETUSKiwogHzhT1oA/Pr8vKWnWy7rbCDHnjRrWWjszR7W3YZ4BT2Rc4hCuh3rC
-wrt1kGzwgLfCRGWP4QarybGOsNNIFTEZovwLD3Az3p0cnG3XPQsQQ9ZofvhjZgU7
-g8N/8wndQ72U8Gsmb/KPUeOpO0uMGOUHK3Bl0/apPdF1o54jzHeOy1D76IPZxbjn
-ystFba6IKA3iLU7P8qe+6oa4Uvi0mHCawKtds4QHlIjy8cXwjXfeF+jRUEimqKeG
-jw1oF5OLwvF6ZgDkPz2Pcfie6Bee4BBUrLOT9Un+29qDYYCpnR8=
-=XwX3
------END PGP SIGNATURE-----

openssh-10.2p1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ccc42c0419937959263fa1dbd16dafc18c56b984c03562d2937ce56a60f798b2
+size 1974519

openssh-10.2p1.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmjoctkACgkQKj9BTnNg
+YLp6ahAAskRpSTUBl97U3bHvjExr+68l5zA83YEeujZalFXG+6EzcB+2eZcyPQ7k
+9qjfWH9nWxQWqf/hq8GLjp2d935op6ljG0cNioQN3EhCxh68g/d8zR7KcRmjVQ/g
+WMCAYbKTmiIRZJLn0Q7fKzrIZZGWVmct4tdvvGlpsnkYe8q29KfWSZDc1N0jWnYQ
+50Wefs+QG02YuqBsJa7AWS+9KYgeu/moZ9ctJUeyzZ2lCcdPbXVkkNo1A9GIEWsD
+JTjSWdD9o7kmOV/Dw//3sCElsJL2GRZ6ePhSVwdHdY8TP3tuOQq8SCCNVpuLa8MI
+GMbZ8TFpAD3nCAXvGQIaZqH2BvXTE5o8UoV9gUe1EoRbsTbChhfaKEgdgCV3hM4t
+CQ03f/O/RAypQOL+2HMPKAlogutyfv/JEHmK0RcMVwiUN3lyC+AYutQzuyM9XeKL
+5TfgRsZdrYfFVZq08VoJ1qlOTLMkNaLkvCV/6mMLJ9eWwZ8DoMBeAJ5TzsmUSooJ
+VSN0ar/kR6PxXpJuih/yPz45S9Ai3sjgzeV9Dyq0BcVOJ5LhKDH2a18lY6IBNPvz
+kg/nT4lrS6Ga2GCmCHeCadF44LMpwnp1hraXsA0RH98N2BKlQKrk/Y77kycohcnh
+B5YIfhdIJ3Ys2o1TNIQnxQoqsCvo9WU6tF7ntame1ZCcJfzQScU=
+=h62J
+-----END PGP SIGNATURE-----

openssh-7.7p1-cavstest-ctr.patch

@@ -20,16 +20,16 @@ Index: openssh-8.8p1/Makefile.in
  
 +TARGETS += cavstest-ctr$(EXEEXT)
 +
- XMSS_OBJS=\
- 	ssh-xmss.o \
- 	sshkey-xmss.o \
+ LIBOPENSSH_OBJS=\
+ 	ssh_api.o \
+ 	ssherr.o \
 @@ -245,6 +248,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
  sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
  	$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
  
 +# FIPS tests
-+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
-+	$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
++cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o $(P11OBJS)
++	$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(P11OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
 +
  # test driver for the loginrec code - not built by default
  logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o

openssh-7.7p1-cavstest-kdf.patch

@@ -21,14 +21,14 @@ Index: openssh-8.8p1/Makefile.in
 -TARGETS += cavstest-ctr$(EXEEXT)
 +TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
  
- XMSS_OBJS=\
- 	ssh-xmss.o \
+ LIBOPENSSH_OBJS=\
+ 	ssh_api.o \
 @@ -252,6 +253,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S
- cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
- 	$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
+ cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o $(P11OBJS)
+ 	$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(P11OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
  
-+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
-+	$(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
++cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o $(P11OBJS)
++	$(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(P11OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
 +
  # test driver for the loginrec code - not built by default
  logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o

openssh-7.7p1-eal3.patch

@@ -15,4 +15,4 @@ Index: openssh-8.8p1/Makefile.in
 +	-e 's|/etc/shosts.equiv|$(sysconfdir)/ssh/shosts.equiv|g' \
  	-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
  	-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
- 	-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
+ 	-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \

openssh-7.7p1-fips.patch

@@ -14,7 +14,7 @@ Index: openssh-9.6p1/Makefile.in
 +LIBSSH_OBJS += fips.o
 +
  SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
- 	sshconnect.o sshconnect2.o mux.o $(SKOBJS)
+ 	sshconnect.o sshconnect2.o mux.o $(P11OBJS) $(SKOBJS)
  
 Index: openssh-9.6p1/cipher.c
 ===================================================================
@@ -91,8 +91,8 @@ Index: openssh-9.6p1/cipher.c
  char *
  cipher_alg_list(char sep, int auth_only)
 @@ -120,7 +167,7 @@ cipher_alg_list(char sep, int auth_only)
- 	size_t nlen, rlen = 0;
  	const struct sshcipher *c;
+ 	char sep_str[2] = {sep, '\0'};
  
 -	for (c = ciphers; c->name != NULL; c++) {
 +	for (c = fips_select_ciphers(); c->name != NULL; c++) {
@@ -401,40 +401,40 @@ Index: openssh-9.6p1/kex.c
  	char *name;
  	u_int type;
 @@ -87,7 +89,7 @@ struct kexalg {
- 	int ec_nid;
  	int hash_alg;
+ 	int pq_alg;
  };
 -static const struct kexalg kexalgs[] = {
 +static const struct kexalg kexalgs_all[] = {
  #ifdef WITH_OPENSSL
- 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
- 	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+ 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1, KEX_NOT_PQ },
+ 	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1, KEX_NOT_PQ },
 @@ -120,6 +122,47 @@ static const struct kexalg kexalgs[] = {
- 	{ NULL, 0, -1, -1},
+ 	{ NULL, 0, -1, -1, 0 },
  };
  
 +static const struct kexalg kexalgs_fips140_2[] = {
 +#ifdef WITH_OPENSSL
-+	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
-+	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
-+	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
-+	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
-+	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
++	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1, KEX_NOT_PQ },
++	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256, KEX_NOT_PQ },
++	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512, KEX_NOT_PQ },
++	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512, KEX_NOT_PQ },
++	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1, KEX_NOT_PQ },
 +#ifdef HAVE_EVP_SHA256
-+	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
++	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256, KEX_NOT_PQ },
 +#endif /* HAVE_EVP_SHA256 */
 +#ifdef OPENSSL_HAS_ECC
 +	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
-+	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
++	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256, KEX_NOT_PQ },
 +	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
-+	    SSH_DIGEST_SHA384 },
++	    SSH_DIGEST_SHA384, KEX_NOT_PQ },
 +# ifdef OPENSSL_HAS_NISTP521
 +	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
-+	    SSH_DIGEST_SHA512 },
++	    SSH_DIGEST_SHA512, KEX_NOT_PQ },
 +# endif /* OPENSSL_HAS_NISTP521 */
 +#endif /* OPENSSL_HAS_ECC */
 +#endif /* WITH_OPENSSL */
-+	{ NULL, -1, -1, -1},
++	{ NULL, -1, -1, -1, 0},
 +};
 +
 +/* Returns array of macs available depending on selected FIPS mode */
@@ -458,14 +458,14 @@ Index: openssh-9.6p1/kex.c
  kex_alg_list(char sep)
  {
 @@ -127,7 +170,7 @@ kex_alg_list(char sep)
- 	size_t nlen, rlen = 0;
  	const struct kexalg *k;
+ 	char sep_str[2] = {sep, '\0'};
  
--	for (k = kexalgs; k->name != NULL; k++) {
-+	for (k = fips_select_kexalgs(); k->name != NULL; k++) {
- 		if (ret != NULL)
- 			ret[rlen++] = sep;
- 		nlen = strlen(k->name);
+-	for (k = kexalgs; k->name != NULL; k++)
++	for (k = fips_select_kexalgs(); k->name != NULL; k++)
+ 		xextendf(&ret, sep_str, "%s", k->name);
+ 
+ 	return ret;
 @@ -147,7 +190,7 @@ kex_alg_by_name(const char *name)
  {
  	const struct kexalg *k;
@@ -552,14 +552,14 @@ Index: openssh-9.6p1/mac.c
  char *
  mac_alg_list(char sep)
 @@ -87,7 +125,7 @@ mac_alg_list(char sep)
- 	size_t nlen, rlen = 0;
  	const struct macalg *m;
+ 	char sep_str[2] = {sep, '\0'};
  
--	for (m = macs; m->name != NULL; m++) {
-+	for (m = fips_select_macs(); m->name != NULL; m++) {
- 		if (ret != NULL)
- 			ret[rlen++] = sep;
- 		nlen = strlen(m->name);
+-	for (m = macs; m->name != NULL; m++)
++	for (m = fips_select_macs(); m->name != NULL; m++)
+ 		xextendf(&ret, sep_str, "%s", m->name);
+ 
+ 	return ret;
 @@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name
  {
  	const struct macalg *m;
@@ -702,8 +702,8 @@ Index: openssh-9.6p1/ssh-keygen.c
 +#include "fips.h"
 +
  #ifdef WITH_OPENSSL
- #include <openssl/evp.h>
- #include <openssl/pem.h>
+ #include "openbsd-compat/openssl-compat.h"
+ #include <openssl/bn.h>
 @@ -1040,11 +1042,13 @@ do_fingerprint(struct passwd *pw)
  static void
  do_gen_all_hostkeys(struct passwd *pw)
@@ -751,7 +751,7 @@ Index: openssh-9.6p1/ssh-keygen.c
  	for (i = 0; key_types[i].key_type; i++) {
  		public = private = NULL;
  		prv_tmp = pub_tmp = prv_file = pub_file = NULL;
-@@ -3794,6 +3815,15 @@ main(int argc, char **argv)
+@@ -3794,6 +3815,14 @@ main(int argc, char **argv)
  		key_type_name = DEFAULT_KEY_TYPE_NAME;
  
  	type = sshkey_type_from_shortname(key_type_name);
@@ -760,8 +760,7 @@ Index: openssh-9.6p1/ssh-keygen.c
 +	 * it has to be 1024 bit due to RFC 4253 using SHA-1 which implies 1024 bit
 +	 * keys due to FIPS-186 specification for DSS */
 +	if (fips_mode() &&
-+	    (type == KEY_DSA || type == KEY_ED25519 ||
-+	     type == KEY_DSA_CERT || type == KEY_ED25519_CERT))
++	    (type == KEY_ED25519 || type == KEY_ED25519_CERT))
 +		fatal("Key type %s not alowed in FIPS mode", key_type_name);
 +
  	type_bits_valid(type, key_type_name, &bits);
@@ -785,8 +784,8 @@ Index: openssh-9.6p1/sshd.c
 --- openssh-9.6p1.orig/sshd.c
 +++ openssh-9.6p1/sshd.c
 @@ -128,6 +128,8 @@
- #include "srclimit.h"
- #include "atomicio.h"
+ #endif
+ #include "monitor_wrap.h"
  
 +#include "fips.h"
 +

openssh-7.7p1-ldap.patch

@@ -143,9 +143,9 @@ Index: openssh-8.9p1/Makefile.in
 +INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
 +TARGETS += ssh-ldap-helper$(EXEEXT)
 +
- XMSS_OBJS=\
- 	ssh-xmss.o \
- 	sshkey-xmss.o \
+ LIBOPENSSH_OBJS=\
+ 	ssh_api.o \
+ 	ssherr.o \
 @@ -162,8 +167,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve
  
  SFTP_OBJS=	sftp.o sftp-usergroup.o progressmeter.o $(SFTP_CLIENT_OBJS)

openssh-7.9p1-revert-new-qos-defaults.patch

@@ -14,10 +14,10 @@ Index: openssh-8.8p1/readconf.c
  	if (options->visual_host_key == -1)
  		options->visual_host_key = 0;
  	if (options->ip_qos_interactive == -1)
--		options->ip_qos_interactive = IPTOS_DSCP_AF21;
+-		options->ip_qos_interactive = IPTOS_DSCP_EF;
 +		options->ip_qos_interactive = IPTOS_LOWDELAY;
  	if (options->ip_qos_bulk == -1)
--		options->ip_qos_bulk = IPTOS_DSCP_CS1;
+-		options->ip_qos_bulk = IPTOS_DSCP_CS0;
 +		options->ip_qos_bulk = IPTOS_THROUGHPUT;
  	if (options->request_tty == -1)
  		options->request_tty = REQUEST_TTY_AUTO;
@@ -30,10 +30,10 @@ Index: openssh-8.8p1/servconf.c
  	if (options->permit_tun == -1)
  		options->permit_tun = SSH_TUNMODE_NO;
  	if (options->ip_qos_interactive == -1)
--		options->ip_qos_interactive = IPTOS_DSCP_AF21;
+-		options->ip_qos_interactive = IPTOS_DSCP_EF;
 +		options->ip_qos_interactive = IPTOS_LOWDELAY;
  	if (options->ip_qos_bulk == -1)
--		options->ip_qos_bulk = IPTOS_DSCP_CS1;
+-		options->ip_qos_bulk = IPTOS_DSCP_CS0;
 +		options->ip_qos_bulk = IPTOS_THROUGHPUT;
  	if (options->version_addendum == NULL)
  		options->version_addendum = xstrdup("");
@@ -46,12 +46,12 @@ Index: openssh-8.8p1/ssh_config.5
  If two values are specified, the first is automatically selected for
  interactive sessions and the second for non-interactive sessions.
  The default is
--.Cm af21
--(Low-Latency Data)
+-.Cm ef
+-(Expedited Forwarding)
 +.Cm lowdelay
  for interactive sessions and
--.Cm cs1
--(Lower Effort)
+-.Cm none
+-(the operating system default)
 +.Cm throughput
  for non-interactive sessions.
  .It Cm KbdInteractiveAuthentication
@@ -64,12 +64,12 @@ Index: openssh-8.8p1/sshd_config.5
  If two values are specified, the first is automatically selected for
  interactive sessions and the second for non-interactive sessions.
  The default is
--.Cm af21
--(Low-Latency Data)
+-.Cm ef
+-(Expedited Forwarding)
 +.Cm lowdelay
  for interactive sessions and
--.Cm cs1
--(Lower Effort)
+-.Cm none
+-(the operating system default)
 +.Cm throughput
  for non-interactive sessions.
  .It Cm KbdInteractiveAuthentication

openssh-8.0p1-gssapi-keyex.patch

@@ -8,7 +8,7 @@ index e7549470..b68c1710 100644
  	kexsntrup761x25519.o kexmlkem768x25519.o sntrup761.o kexgen.o \
 +	kexgssc.o \
  	sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
- 	sshbuf-io.o
+ 	sshbuf-io.o misc-agent.o
  
 @@ -125,7 +126,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
  	auth2-chall.o groupaccess.o \
@@ -32,8 +32,8 @@ index e7549470..b68c1710 100644
  	    ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
  
  REGRESSLIBS=libssh.a $(LIBCOMPAT)
--TESTLIBS=$(LIBS) $(CHANNELLIBS)
-+TESTLIBS=$(LIBS) $(CHANNELLIBS) $(GSSLIBS)
+-TESTLIBS=$(LIBS) $(CHANNELLIBS) @TESTLIBS@
++TESTLIBS=$(LIBS) $(CHANNELLIBS) @TESTLIBS@ $(GSSLIBS)
  
  regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c $(REGRESSLIBS)
  	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/modpipe.c \
@@ -855,7 +855,7 @@ index ab3a15f0..6ce56e92 100644
 --- a/gss-serv.c
 +++ b/gss-serv.c
 @@ -1,7 +1,7 @@
- /* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */
+ /* $OpenBSD: gss-serv.c,v 1.33 2025/09/29 21:30:15 dtucker Exp $ */
  
  /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1176,31 +1176,31 @@ index ce85f043..574c7609 100644
  	u_int type;
 @@ -110,6 +113,30 @@ static const struct kexalg kexalgs[] = {
  #endif /* WITH_OPENSSL */
- 	{ NULL, -1, -1, -1},
+ 	{ NULL, -1, -1, -1, 0},
  };
 +static const struct kexalg gss_kexalgs_all[] = {
 +#ifdef GSSAPI
-+	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
-+	{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
-+	{ KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
-+	{ KEX_GSS_GRP14_SHA256_ID, KEX_GSS_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
-+	{ KEX_GSS_GRP16_SHA512_ID, KEX_GSS_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
++	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1, KEX_NOT_PQ },
++	{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1, KEX_NOT_PQ },
++	{ KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1, KEX_NOT_PQ },
++	{ KEX_GSS_GRP14_SHA256_ID, KEX_GSS_GRP14_SHA256, 0, SSH_DIGEST_SHA256, KEX_NOT_PQ },
++	{ KEX_GSS_GRP16_SHA512_ID, KEX_GSS_GRP16_SHA512, 0, SSH_DIGEST_SHA512, KEX_NOT_PQ },
 +	{ KEX_GSS_NISTP256_SHA256_ID, KEX_GSS_NISTP256_SHA256,
-+	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
-+	{ KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
++	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256, KEX_NOT_PQ },
++	{ KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256, KEX_NOT_PQ },
 +#endif
-+	{ NULL, 0, -1, -1},
++	{ NULL, 0, -1, -1, 0},
 +};
 +
 +static const struct kexalg gss_kexalgs_fips140_2[] = {
 +#ifdef GSSAPI
-+	{ KEX_GSS_GRP14_SHA256_ID, KEX_GSS_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
-+	{ KEX_GSS_GRP16_SHA512_ID, KEX_GSS_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
++	{ KEX_GSS_GRP14_SHA256_ID, KEX_GSS_GRP14_SHA256, 0, SSH_DIGEST_SHA256, KEX_NOT_PQ },
++	{ KEX_GSS_GRP16_SHA512_ID, KEX_GSS_GRP16_SHA512, 0, SSH_DIGEST_SHA512, KEX_NOT_PQ },
 +	{ KEX_GSS_NISTP256_SHA256_ID, KEX_GSS_NISTP256_SHA256,
-+	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
-+	{ KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
++	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256, KEX_NOT_PQ },
++	{ KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256, KEX_NOT_PQ },
 +#endif
-+	{ NULL, 0, -1, -1},
++	{ NULL, 0, -1, -1, 0},
 +};
  
  /* Returns array of macs available depending on selected FIPS mode */
@@ -1231,15 +1231,15 @@ index ce85f043..574c7609 100644
 +static char *
 +kex_alg_list_internal(char sep, const struct kexalg *algs)
  {
- 	char *ret = NULL, *tmp;
- 	size_t nlen, rlen = 0;
+ 	char *ret = NULL;
  	const struct kexalg *k;
+ 	char sep_str[2] = {sep, '\0'};
  
--	for (k = fips_select_kexalgs(); k->name != NULL; k++) {
-+	for (k = algs; k->name != NULL; k++) {
- 		if (ret != NULL)
- 			ret[rlen++] = sep;
- 		nlen = strlen(k->name);
+-	for (k = fips_select_kexalgs(); k->name != NULL; k++)
++	for (k = algs; k->name != NULL; k++)
+ 		xextendf(&ret, sep_str, "%s", k->name);
+ 
+ 	return ret;
 @@ -138,6 +156,18 @@ kex_alg_list(char sep)
  	return ret;
  }
@@ -1331,7 +1331,7 @@ index a5ae6ac0..fe714141 100644
  	int	(*verify_host_key)(struct sshkey *, struct ssh *);
  	struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
 @@ -174,8 +189,10 @@ struct kex {
- int	 kex_nid_from_name(const char *);
+ int	 kex_is_pq_from_name(const char *);
  int	 kex_names_valid(const char *);
  char	*kex_alg_list(char);
 +char	*kex_gss_alg_list(char);
@@ -3132,12 +3132,11 @@ diff -up a/servconf.c.gsskex b/servconf.c
  	case sPasswordAuthentication:
  		intptr = &options->password_authentication;
  		goto parse_flag;
-@@ -2892,6 +2935,10 @@ dump_config(ServerOptions *o)
- #ifdef GSSAPI
+@@ -2892,6 +2935,9 @@ dump_config(ServerOptions *o)
  	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
  	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
+ 	dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
 +	dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
-+	dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
 +	dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
 +	dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
  #endif
@@ -3840,9 +3839,9 @@ index 57995ee6..fd5b7724 100644
 --- a/sshkey.c
 +++ b/sshkey.c
 @@ -127,6 +127,75 @@ static const struct keytype keytypes[] = {
- extern const struct sshkey_impl sshkey_xmss_impl;
- extern const struct sshkey_impl sshkey_xmss_cert_impl;
- #endif
+ extern const struct sshkey_impl sshkey_rsa_sha512_impl;
+ extern const struct sshkey_impl sshkey_rsa_sha512_cert_impl;
+ #endif /* WITH_OPENSSL */
 +
 +static int ssh_gss_equal(const struct sshkey *, const struct sshkey *)
 +{
@@ -3916,9 +3915,9 @@ index 57995ee6..fd5b7724 100644
  const struct sshkey_impl * const keyimpls[] = {
  	&sshkey_ed25519_impl,
 @@ -154,6 +154,7 @@ static const struct keytype keytypes[] = {
- 	&sshkey_xmss_impl,
- 	&sshkey_xmss_cert_impl,
- #endif
+ 	&sshkey_rsa_sha512_impl,
+ 	&sshkey_rsa_sha512_cert_impl,
+ #endif /* WITH_OPENSSL */
 +	&sshkey_gss_kex_impl,
  	NULL
  };

openssh-8.1p1-audit.patch

@@ -6,10 +6,10 @@ Index: openssh-8.9p1/Makefile.in
  	kexsntrup761x25519.o kexmlkem768x25519.o sntrup761.o kexgen.o \
  	kexgssc.o \
  	sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
--	sshbuf-io.o
-+	sshbuf-io.o auditstub.o
+-	sshbuf-io.o misc-agent.o
++	sshbuf-io.o misc-agent.o auditstub.o
  
- SKOBJS=	ssh-sk-client.o
+ P11OBJS= ssh-pkcs11-client.o
  
 Index: openssh-8.9p1/audit-bsm.c
 ===================================================================
@@ -57,7 +57,7 @@ Index: openssh-8.9p1/audit-bsm.c
  audit_event(struct ssh *ssh, ssh_audit_event_t event)
  {
 @@ -452,4 +471,28 @@ audit_event(struct ssh *ssh, ssh_audit_e
- 		debug("%s: unhandled event %d", __func__, event);
+ 		debug_f("unhandled event %d", event);
  	}
  }
 +
@@ -89,7 +89,7 @@ Index: openssh-8.9p1/audit-linux.c
 ===================================================================
 --- openssh-8.9p1.orig/audit-linux.c
 +++ openssh-8.9p1/audit-linux.c
-@@ -33,27 +33,40 @@
+@@ -33,29 +33,42 @@
  
  #include "log.h"
  #include "audit.h"
@@ -130,6 +130,10 @@ Index: openssh-8.9p1/audit-linux.c
 -			return 0; /* Must prevent login */
 +			goto fatal_report; /* Must prevent login */
  	}
+-        if (hostname != NULL && strcmp(hostname, "UNKNOWN") == 0)
+-                hostname = NULL;
++        if (ip != NULL && strcmp(ip, "UNKNOWN") == 0)
++                ip = NULL;
 -	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
 +	rc = audit_log_acct_message(audit_fd, event,
  	    NULL, "login", username ? username : "(unknown)",
@@ -345,7 +349,7 @@ Index: openssh-8.9p1/audit-linux.c
 +			ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
  		break;
  	default:
- 		debug("%s: unhandled event %d", __func__, event);
+ 		debug_f("unhandled event %d", event);
  		break;
  	}
  }
@@ -1269,9 +1273,9 @@ Index: openssh-8.9p1/monitor.c
  	int r;
 +	Session *s;
  
- 	debug3("%s entering", __func__);
+ 	debug3_f("entering");
  	if ((r = sshbuf_get_cstring(m, &cmd, NULL)) != 0)
- 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 		fatal_fr(r, "buffer error");
 +
  	/* sanity check command, if so how? */
 -	audit_run_command(cmd);
@@ -1518,10 +1522,10 @@ Index: openssh-8.9p1/monitor_wrap.c
  	int r;
 +	int handle;
  
- 	debug3("%s entering command %s", __func__, command);
+ 	debug3_f("entering command %s", command);
  
 @@ -914,6 +930,30 @@ mm_audit_run_command(const char *command
- 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 		fatal_fr(r, "buffer error");
  
  	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, m);
 +	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, m);
@@ -1691,9 +1695,9 @@ Index: openssh-8.9p1/packet.c
   * Returns the IP-address of the remote host as a string.  The returned
   * string must not be freed.
 @@ -579,22 +587,19 @@ ssh_packet_rdomain_in(struct ssh *ssh)
- {
  	struct session_state *state = ssh->state;
  	u_int mode;
+ 	struct packet *p;
 +	u_int had_keys = packet_state_has_keys(state);
  
  	if (!state->initialized)
@@ -1715,9 +1719,9 @@ Index: openssh-8.9p1/packet.c
 +	state->outgoing_packet = NULL;
  	sshbuf_free(state->incoming_packet);
 +	state->incoming_packet = NULL;
- 	for (mode = 0; mode < MODE_MAX; mode++) {
- 		kex_free_newkeys(state->newkeys[mode]);	/* current keys */
- 		state->newkeys[mode] = NULL;
+ 	while ((p = TAILQ_FIRST(&state->outgoing))) {
+ 		sshbuf_free(p->payload);
+ 		TAILQ_REMOVE(&state->outgoing, p, next);
 @@ -634,8 +639,18 @@ ssh_packet_close_internal(struct ssh *ss
  #endif	/* WITH_ZLIB */
  	cipher_free(state->send_context);
@@ -1832,15 +1836,15 @@ Index: openssh-8.9p1/session.c
 ===================================================================
 --- openssh-8.9p1.orig/session.c
 +++ openssh-8.9p1/session.c
-@@ -135,7 +135,7 @@ extern char *__progname;
- extern int debug_flag;
- extern u_int utmp_len;
- extern int startup_pipe;
--extern void destroy_sensitive_data(void);
-+extern void destroy_sensitive_data(struct ssh *);
- extern struct sshbuf *loginmsg;
- extern struct sshauthopt *auth_opts;
- extern char *tun_fwd_ifnames; /* serverloop.c */
+#@@ -135,7 +135,7 @@ extern char *__progname;
+# extern ServerOptions options;
+# extern char *__progname;
+# extern int debug_flag;
+#-extern void destroy_sensitive_data(void);
+#+extern void destroy_sensitive_data(struct ssh *);
+# extern struct sshbuf *loginmsg;
+# extern struct sshauthopt *auth_opts;
+# extern char *tun_fwd_ifnames; /* serverloop.c */
 @@ -644,6 +644,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
  	/* Parent.  Close the slave side of the pseudo tty. */
  	close(ttyfd);
@@ -1855,7 +1859,7 @@ Index: openssh-8.9p1/session.c
 +
  	/* Enter interactive session. */
  	s->ptymaster = ptymaster;
- 	ssh_packet_set_interactive(ssh, 1,
+ 	session_set_fds(ssh, s, ptyfd, fdout, -1, 1, 1);
 @@ -736,15 +744,19 @@ do_exec(struct ssh *ssh, Session *s, con
  	    s->self);
  
@@ -2266,7 +2270,7 @@ Index: openssh-8.9p1/sshkey.c
  #endif
  
  #include "crypto_api.h"
-@@ -400,6 +403,53 @@ sshkey_type_is_valid_ca(int type)
+@@ -400,6 +403,47 @@ sshkey_type_is_valid_ca(int type)
  }
  
  int
@@ -2300,12 +2304,6 @@ Index: openssh-8.9p1/sshkey.c
 +          }
 +#  endif /* OPENSSL_HAS_ECC */
 +# endif /* OPENSSL < 3.0.0 */
-+      case KEY_DSA_CERT:
-+      case KEY_DSA: {
-+              const BIGNUM *priv_key = NULL;
-+              DSA_get0_key(k->dsa, NULL, &priv_key);
-+              return priv_key != NULL;
-+          }
 +#endif /* WITH_OPENSSL */
 +      case KEY_ED25519_CERT:
 +      case KEY_ED25519:

openssh-8.4p1-vendordir.patch

@@ -35,17 +35,15 @@ Index: openssh-8.9p1/pathnames.h
  #ifndef _PATH_SSH_PIDDIR
  #define _PATH_SSH_PIDDIR		"/var/run"
  #endif
-@@ -35,13 +37,17 @@
+@@ -35,11 +37,15 @@
   * should be world-readable.
   */
  #define _PATH_SERVER_CONFIG_FILE	SSHDIR "/sshd_config"
 +#define _PATH_SERVER_VENDOR_CONFIG_FILE	VENDORDIR "/sshd_config"
  #define _PATH_HOST_CONFIG_FILE		SSHDIR "/ssh_config"
 +#define _PATH_HOST_VENDOR_CONFIG_FILE   VENDORDIR "/ssh_config"
- #define _PATH_HOST_DSA_KEY_FILE		SSHDIR "/ssh_host_dsa_key"
  #define _PATH_HOST_ECDSA_KEY_FILE	SSHDIR "/ssh_host_ecdsa_key"
  #define _PATH_HOST_ED25519_KEY_FILE	SSHDIR "/ssh_host_ed25519_key"
- #define _PATH_HOST_XMSS_KEY_FILE	SSHDIR "/ssh_host_xmss_key"
  #define _PATH_HOST_RSA_KEY_FILE		SSHDIR "/ssh_host_rsa_key"
  #define _PATH_DH_MODULI			SSHDIR "/moduli"
 +#define	_PATH_VENDOR_DH_MODULI		VENDORDIR "/moduli"

openssh-askpass-gnome.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Oct 14 07:15:46 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
+
+- "Update" to openssh 10.2p1:
+  * No changes for askpass, see main package changelog for
+    details.
+- Build with gcr-4 in Factory and SLE-16/Leap 16 instead of gtk-3
+
 -------------------------------------------------------------------
 Thu Apr 10 08:16:09 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
 

openssh-askpass-gnome.spec

@@ -18,8 +18,8 @@
 
 %define _name openssh
 Name:           openssh-askpass-gnome
-Version:        10.0p2
-%define wrongly_named_version 10.0p1
+Version:        10.2p1
+%define wrongly_named_version 10.2p1
 Release:        0
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
 License:        BSD-2-Clause
@@ -28,9 +28,9 @@ URL:            https://www.openssh.com/
 Source0:        https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{wrongly_named_version}.tar.gz
 Source1:        https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{wrongly_named_version}.tar.gz.asc
 Requires:       %{_name}-clients = %{version}
-Supplements:    packageand(openssh-clients:libgtk-3-0)
+Supplements:    packageand(openssh-clients:gcr)
 %if 0%{?suse_version} >= 1550
-BuildRequires:  gtk3-devel
+BuildRequires:  pkgconfig(gcr-4)
 %else
 BuildRequires:  gtk2-devel
 %endif
@@ -47,7 +47,7 @@ GNOME-based passphrase dialog for OpenSSH.
 cd contrib
 export CFLAGS="%{optflags}"
 %if 0%{?suse_version} >= 1550
-%make_build gnome-ssh-askpass3
+%make_build gnome-ssh-askpass4
 %else
 %make_build gnome-ssh-askpass2
 %endif
@@ -55,7 +55,7 @@ export CFLAGS="%{optflags}"
 %install
 install -d -m 755 %{buildroot}%{_libexecdir}/ssh/
 %if 0%{?suse_version} >= 1550
-install contrib/gnome-ssh-askpass3 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
+install contrib/gnome-ssh-askpass4 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
 %else
 install contrib/gnome-ssh-askpass2 %{buildroot}%{_libexecdir}/ssh/gnome-ssh-askpass
 %endif

openssh-link-with-sk.patch

@@ -8,8 +8,8 @@ Index: openssh-8.8p1/Makefile.in
  
 -sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
 -	$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-+sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
-+	$(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
++sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(P11OBJS) $(SFTPSERVER_OBJS)
++	$(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(P11OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
  
  sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
  	$(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)

openssh-mitigate-lingering-secrets.patch

@@ -134,22 +134,22 @@ Index: openssh-9.3p2/packet.c
  	}
   out:
 @@ -2375,9 +2393,12 @@ ssh_packet_get_state(struct ssh *ssh, st
- 	    (r = sshbuf_put_u32(m, state->p_read.packets)) != 0 ||
- 	    (r = sshbuf_put_u64(m, state->p_read.bytes)) != 0 ||
- 	    (r = sshbuf_put_stringb(m, state->input)) != 0 ||
--	    (r = sshbuf_put_stringb(m, state->output)) != 0)
-+	    (r = sshbuf_put_stringb(m, state->output)) != 0) {
+ 	    (r = sshbuf_put_stringb(m, state->output)) != 0 ||
+ 	    (r = sshbuf_put_u32(m, ENCODE_INT(state->interactive_mode))) != 0 ||
+ 	    (r = sshbuf_put_u32(m, ENCODE_INT(state->qos_interactive))) != 0 ||
+-	    (r = sshbuf_put_u32(m, ENCODE_INT(state->qos_other))) != 0)
++	    (r = sshbuf_put_u32(m, ENCODE_INT(state->qos_other))) != 0) {
 +		sshbuf_obfuscate(m);
  		return r;
 +	}
- 
+ #undef ENCODE_INT
 +	sshbuf_obfuscate(m);
  	return 0;
  }
  
 @@ -2496,6 +2517,8 @@ ssh_packet_set_state(struct ssh *ssh, st
- 	size_t ilen, olen;
  	int r;
+ 	u_int interactive, qos_interactive, qos_other;
  
 +	sshbuf_unobfuscate(m);
 +
@@ -178,13 +178,24 @@ Index: openssh-9.3p2/packet.c
  
  	sshbuf_reset(state->input);
  	sshbuf_reset(state->output);
-@@ -2529,12 +2552,19 @@ ssh_packet_set_state(struct ssh *ssh, st
+@@ -2529,22 +2552,29 @@ ssh_packet_set_state(struct ssh *ssh, st
  	    (r = sshbuf_get_string_direct(m, &output, &olen)) != 0 ||
  	    (r = sshbuf_put(state->input, input, ilen)) != 0 ||
  	    (r = sshbuf_put(state->output, output, olen)) != 0)
 -		return r;
 +		goto out;
  
+ 	if ((r = sshbuf_get_u32(m, &interactive)) != 0 ||
+ 	    (r = sshbuf_get_u32(m, &qos_interactive)) != 0 ||
+ 	    (r = sshbuf_get_u32(m, &qos_other)) != 0)
+-		return r;
++		goto out;
+ #define DECODE_INT(v) ((v) > INT_MAX ? -1 : (int)(v))
+ 	state->interactive_mode = DECODE_INT(interactive);
+ 	state->qos_interactive = DECODE_INT(qos_interactive);
+ 	state->qos_other = DECODE_INT(qos_other);
+ #undef DECODE_INT
+ 
 -	if (sshbuf_len(m))
 -		return SSH_ERR_INVALID_FORMAT;
 +	if (sshbuf_len(m)) {
@@ -368,8 +379,8 @@ Index: openssh-9.9p2/sshd-auth.c
  privsep_child_demote(void)
  {
 @@ -796,6 +796,7 @@ main(int ac, char **av)
- 	 */
  	mm_send_keystate(ssh, pmonitor);
+ 	sshauthopt_free(auth_opts);
  	ssh_packet_clear_keys(ssh);
 +	clobber_stack();
  	exit(0);

openssh.changes

@@ -1,3 +1,311 @@
+-------------------------------------------------------------------
+Thu Dec 11 15:29:12 UTC 2025 - Hans Petter Jansson <hpj@suse.com>
+
+- Install 50-suse.conf in distconfdir instead of sysconfdir if
+  possible (bsc#1254374).
+
+-------------------------------------------------------------------
+Tue Oct 14 07:15:46 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
+
+- Update to openssh 10.2p1:
+  = Future deprecation warning
+  * A future release of OpenSSH will deprecate support for SHA1
+    SSHFP records due to weaknesses in the SHA1 hash function.
+    SHA1 SSHFP DNS records will be ignored and ssh-keygen -r
+    will generate only SHA256 SSHFP records.
+    The SHA256 hash algorithm, which has no known weaknesses, has
+    been supported for SSHFP records since OpenSSH 6.1, released
+    in 2012.
+
+  = Bugfixes
+  * ssh(1): fix mishandling of terminal connections when
+    ControlPersist was active that rendered the session unusable.
+    bz3872
+  * ssh-keygen(1): fix download of keys from PKCS#11 tokens.
+  * ssh-keygen(1): fix CA signing operations when the CA key is
+    held in a ssh-agent(1). bz3877
+
+  = Portability
+  * All: support platforms without mmap(2), e.g. WASM builds such
+    as https://hterm.org
+  * All: fix builds on FreeBSD for missing fnctl.h include.
+  * All: fix builds on MacOS <10.12 Sierra, which lacks
+    clock_gettime(3)
+  * sshd(8): don't PAM_RHOST if the remote host is the "UNKNOWN"
+    placeholder name. Avoids potential hangs in some PAM modules
+    as they try to resolve it. Note, sshd(8) only uses the
+    "UNKNOWN" name when the connection is not on an IPv4 or
+    IPv6 socket.
+
+- Update to openssh 10.1p1:
+  = Potentially-incompatible changes
+  * ssh(1): add a warning when the connection negotiates a non-post
+    quantum key agreement algorithm.
+    This warning has been added due to the risk of "store now,
+    decrypt later" attacks. More details at
+    https://openssh.com/pq.html
+    This warning may be controlled via a new WarnWeakCrypto
+    ssh_config option, defaulting to on. This option is likely to
+    control additional weak crypto warnings in the future.
+  * ssh(1), sshd(8): major changes to handling of
+    DSCP marking/IPQoS. In both client and server the default DSCP
+    (a.k.a IPQoS) values were revised and the way these values are
+    used during runtime has changed.
+    Interactive traffic is now assigned to the EF (Expedited
+    Forwarding) class by default. This provides more appropriate
+    packet prioritisation information for the intermediate network,
+    such as wireless media (cf. RFC 8325). Non-interactive traffic
+    will now use the operating system default DSCP marking. Both
+    the interactive and non-interactive DSCP values may be
+    overridden via the IPQoS keyword, described in ssh_config(5)
+    and sshd_config(5).
+    The appropriate DSCP marking is now automatically selected and
+    updated as needed over the course of a connection's lifetime.
+    ssh(1) and sshd(8) will switch between the interactive and
+    non-interactive IPQoS values depending on the type of SSH
+    channels open at the time. For example, if an sftp session is
+    using the connection alongside a shell session, then the non-
+    interactive value will be used for the duration of the sftp. A
+    connection which contains only interactive sessions is marked
+    EF.
+  * ssh(1), sshd(8): deprecate support for IPv4 type-of-service
+    (ToS) keywords in the IPQoS configuration directive.
+    Type of Service (ToS) was deprecated in the late nineties and
+    replaced with the Differentiated Services architecture, which
+    has significant advantages for operators because it offers more
+    granularity.
+    OpenSSH switched its default IPQoS from ToS to DSCP values in
+    2018 (openssh-7.7).
+    IPQoS configurations with 'lowdelay', 'reliability', or
+    'throughput' will be ignored and will instead use the system
+    default QoS settings. Additionally, a debug message will be
+    logged about the deprecation with a suggestion to use DSCP QoS
+    instead.
+  * ssh-add(1): when adding certificates to an agent, set the
+    expiry to the certificate expiry time plus a short (5 min)
+    grace period.
+    This will cause the agent to automatically remove certificates
+    shortly after they expire. A new ssh-add -N option disables
+    this behaviour.
+  * All: remove experimental support for XMSS keys. This was never
+    enabled by default. We expect to implement a new post-quantum
+    signature scheme in the near future.
+  * ssh-agent(1), sshd(8): move agent listener sockets from /tmp to
+    under ~/.ssh/agent for both ssh-agent(1) and forwarded sockets
+    in sshd(8).
+    This ensures processes that have restricted filesystem access
+    that includes /tmp do not ambiently have the ability to use
+    keys in an agent.
+    Moving the default directory has the consequence that the OS
+    will no longer clean up stale agent sockets, so ssh-agent now
+    gains this ability.
+    To support $HOME on NFS, the socket path includes a truncated
+    hash of the hostname. ssh-agent will, by default, only clean up
+    sockets from the same hostname.
+    ssh-agent(1) gains some new flags: -U suppresses the automatic
+    cleanup of stale sockets when it starts. -u forces a cleanup
+    without keeping a running agent, -uu forces a cleanup that
+    ignores the hostname. -T makes ssh-agent put the socket back
+    in /tmp.
+
+  = Security
+  * ssh(1): disallow control characters in usernames passed via the
+   commandline or expanded using %-sequences from the configuration
+   file, and disallow \0 characters in ssh:// URIs.
+   If an ssh(1) commandline was constructed using usernames or URIs
+   obtained from an untrusted source, and if a ProxyCommand that
+   uses the %r expansion was configured, then it may be possible
+   for an attacker to inject shell expressions that may be executed
+   when the proxy command is started.
+   We strongly recommend against using untrusted inputs to
+   construct ssh(1) commandlines.
+   This change also relaxes the validity checks in one small way:
+   usernames supplied via the configuration file as literals (i.e.
+   that have no % expansion characters) are not subject to these
+   validity checks. This allows usernames that contain arbitrary
+   characters to be used, but only via configuration files. This is
+   done on the basis that ssh's configuration is trusted.
+
+  = New features
+  * ssh(1), sshd(8): add SIGINFO handlers to log active channel and
+    session information.
+  * sshd(8): when refusing a certificate for user authentication,
+    log enough information to identify the certificate in addition
+    to the  reason why it was being denied. Makes debugging
+    certificate authorisation problems a bit easier.
+  * ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11
+    tokens.
+  * ssh(1): add an ssh_config(5) RefuseConnection option that, when
+    encountered while processing an active section in a
+    configuration, terminates ssh(1) with an error message that
+    contains the argument to the option.
+    This may be useful for expressing reminders or warnings in
+    config files, for example:
+    Match host foo
+          RefuseConnection "foo is deprecated, use splork instead"
+  * sshd(8): make the X11 display number check relative to
+    X11DisplayOffset. This will allow people to use
+    X11DisplayOffset to configure much higher port ranges if they
+    really want, while not changing the default behaviour.
+  * unit tests: the unit test framework now includes some basic
+    benchmarking capabilities. Run with
+    "make UNITTEST_BENCHMARK=yes" on OpenBSD or "make unit-bench"
+    on Portable OpenSSH.
+
+  = Bugfixes
+  * sshd(8): fix mistracking of MaxStartups process exits in some
+    situations. At worst, this could cause all MaxStartups slots to
+    fill and sshd to refuse new connections.
+  * ssh(1): fix delay on X client startup when
+    ObscureKeystrokeTiming is enabled. bz#3820
+  * sshd(8): increase the maximum size of the supported
+    configuration from 256KB to 4MB, which ought to be enough for
+    anybody. Fail early and visibly when this limit is breached.
+    bz3808
+  * sftp(1): during sftp uploads, avoid a condition where a failed
+    write could be ignored if a subsequent write succeeded. This is
+    unlikely but technically possible because sftp servers are
+    allowed to reorder requests.
+  * sshd(8): avoid a race condition when the sshd-auth process
+    exits that could cause a spurious error message to be logged.
+  * sshd(8): log at level INFO when PerSourcePenalties actually
+    blocks access to a source address range. Previously this was
+    logged at level VERBOSE, which hid enforcement actions under
+    default config settings.
+  * sshd(8): GssStrictAcceptor was missing from sshd -T output; fix
+  * sshd(8): Make the MaxStartups and PerSourceNetBlockSize options
+    first-match-wins as advertised. bz3859
+  * ssh(1): fix an incorrect return value check in the local
+    forward cancellation path that would cause failed cancellations
+    not to be logged.
+  * sshd(8): make "Match !final" not trigger a second parsing pass
+    of ssh_config (unless hostname canonicalisation or a separate
+    "Match final" does). bz3843
+  * ssh(1): better debug diagnostics when loading keys. Will now
+    list key fingerprint and algorithm (not just algorithm number)
+    as well as making it explicit which keys didn't load.
+  * All: fix a number of memory leaks found by LeakSanitizer,
+    Coverity and manual inspection.
+  * sshd(8): Output the current name for PermitRootLogin's
+    "prohibit-password" in sshd -T instead of its deprecated alias
+    "without-password".  bz#3788
+  * ssh(1): make writing known_hosts lines more atomic by writing
+    the entire line in one operation and using unbuffered stdio.
+    Usually writes to this file are serialised on the "Are you sure
+    you want to continue connecting?" prompt, but if host key
+    checking is disabled and connections were being made with high
+    concurrency then interleaved writes might have been possible.
+
+  = Portability
+  * sshd(8): check the username didn't change during the PAM
+    transactions.
+    PAM modules can change the user during their execution, but
+    this is not supported by sshd(8). If such a case was
+    incorrectly configured by the system administrator, then
+    sshd(8) could end up using a different username to the one
+    authorised by PAM.
+  * sshd(8): don't log audit messages with UNKNOWN hostname to
+    avoid slow DNS lookups in the audit subsystem.
+  * All: when making a copy of struct passwd, ensure struct fields
+    are non-NULL. Android libc can return NULL pw_gecos, for
+    example.
+  * All: Remove status bits from OpenSSL >=3 version check.
+  * sshd(8), ssh(1): Use SSH_TUN_COMPAT_AF on FreeBSD. Otherwise
+    tun forwarding from other OSes fails as soon as the first IPv6
+    message is sent by the other side (which is usually a Router
+    Solicitation ICMPv6 message which is sent as soon as the
+    interface is up).
+  * ssh(1), ssh-agent(8): check for nlist function presence before
+    attempting to use it instead of relying on the presence of the
+    nlist.h header.  Mac OS X, for example, has the header but not
+    the function in the 64bit libraries.
+  * All: fill in missing system header files.
+    Create replacement header files inside openbsd-compat for
+    common headers that are missing on a given platform. Usually
+    these are just empty, but in some cases they'll include the
+    equivalent file. This avoids having to wrap those includes in
+    '#ifdef HAVE_FOO_H' and reduces the diff between Portable
+    OpenSSH and OpenBSD.
+  * sshd(8): handle futex_time64 properly in seccomp sandbox
+    Previously we only allowed __NR_futex, but some 32-bit systems
+    apparently support __NR_futex_time64. We had support for this
+    in the sandbox, but because of a macro error only __NR_futex
+    was allowlisted.
+  * Add contrib/gnome-ssh-askpass4 for GNOME 40+ using the GCR API.
+  * sshd(8): let ga_init() fail gracefully if getgrouplist does.
+    Apparently getgrouplist() can fail on OSX when passed a
+    non-existent group name. Other platforms seem to return a group
+    list consisting of the numeric gid passed to the function.
+    bz3848
+  * ssh-agent(1): exit 0 from SIGTERM under systemd
+    socket-activation, preventing a graceful shutdown of an agent
+    via systemd from incorrectly marking the service as "failed".
+  * build: wrap some autoconf macros in AC_CACHE_CHECK.
+    This allows skipping/overriding the OSSH_CHECK_CFLAG_COMPILE
+    and OSSH_CHECK_CFLAG_LINK macros used to discover supported
+    compiler or linker flags. E.g.
+      $ ./configure ossh_cv_cflag__fzero_call_used_regs_used=no
+      [...]
+      checking if cc supports compile flag -fzero-call-used-regs=used
+      and linking succeeds... (cached) no
+
+- Rebased patches:
+  * logind_set_tty.patch
+  * openssh-7.7p1-cavstest-ctr.patch
+  * openssh-7.7p1-cavstest-kdf.patch
+  * openssh-7.7p1-eal3.patch
+  * openssh-7.7p1-fips.patch
+  * openssh-7.7p1-ldap.patch
+  * openssh-7.9p1-revert-new-qos-defaults.patch
+  * openssh-8.0p1-gssapi-keyex.patch
+  * openssh-8.1p1-audit.patch
+  * openssh-8.4p1-vendordir.patch
+  * openssh-link-with-sk.patch
+  * openssh-mitigate-lingering-secrets.patch
+
+- Split patch 
+  * 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
+  composed of different patches to separate files to ease
+  maintenance and rebase them:
+  * 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
+  * 0002-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
+  * 0003-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
+  * 0004-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
+  * 0005-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
+
+- Drop patches already included by upstream:
+  * openssh-9.6p1-pam-rhost.patch
+  * openssh-10.0p2-relax-openssl-version-check.patch
+
+-------------------------------------------------------------------
+Mon Sep 22 08:44:33 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add patch to relax the openssl 3.x version check so that we
+  don't identify a mismatch between released and pre-release
+  versions as incompatible when we already identify the whole
+  3.x versions as compatible (boo#1250115):
+  * openssh-10.0p2-relax-openssl-version-check.patch
+- Run some of the tests to check there are no regressions.
+
+-------------------------------------------------------------------
+Tue Sep  9 07:26:02 UTC 2025 - Luna D Dragon <luna.dragon@suse.com>
+
+- Update sshd@.service to match upstream more closely, to enable
+  support for ephemeral sshd keys.
+- Add openssh-9.6p1-pam-rhost.patch which fixes a performance issue
+  where pam can do a reverse dns query of "UNKNOWN" which times out
+  multiple times, causing a substantial slowdown when logging in
+  (bsc#1249352).
+
+-------------------------------------------------------------------
+Tue May 13 09:32:44 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
+
+- Enable --with-logind to call the SetTTY dbus method in systemd
+  in SLE15 too. This allows "wall" to print messages in ssh ttys
+  (bsc#1239671)
+- Small fixes to unref the dbus session when any error occurs:
+  * logind_set_tty.patch
+
 -------------------------------------------------------------------
 Tue Apr 22 16:45:33 UTC 2025 - Hans Petter Jansson <hpj@suse.com>
 
@@ -68,7 +376,8 @@ Wed Apr  9 09:33:10 UTC 2025 - Antonio Larrosa <alarrosa@suse.com>
   * sshd(8): fix the DisableForwarding directive, which was failing
     to disable X11 forwarding and agent forwarding as documented.
     X11 forwarding is disabled by default in the server and agent
-    forwarding is off by default in the client.
+    forwarding is off by default in the client (bsc#1241012,
+    CVE-2025-32728)
 
   = New features
   * ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256

openssh.spec

@@ -59,15 +59,14 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           openssh
-Version:        10.0p2
-%define wrongly_named_version 10.0p1
+Version:        10.2p1
 Release:        0
 Summary:        Secure Shell Client and Server (Remote Login Program)
 License:        BSD-2-Clause AND MIT
 Group:          Productivity/Networking/SSH
 URL:            https://www.openssh.com/
-Source0:        https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{wrongly_named_version}.tar.gz
-Source1:        https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{wrongly_named_version}.tar.gz.asc
+Source0:        https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
+Source1:        https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
 Source2:        sshd.pamd
 Source3:        README.SUSE
 Source4:        README.kerberos
@@ -149,6 +148,9 @@ Patch107:       openssh-send-extra-term-env.patch
 # 200 - 300  --  Patches submitted to upstream
 # PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/452 boo#1229010
 Patch200:       0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
+Patch201:       0002-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
+Patch202:       0003-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
+Patch203:       0004-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
 # 1000 - 2000  --  Conditional patches
 %if %{with crypto_policies}
 # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
@@ -337,7 +339,7 @@ This package contains the FIPS-140 CAVS (Cryptographic Algorithm
 Validation Program/Suite) related tests of OpenSSH.
 
 %prep
-%setup -q -n "%{name}-%{wrongly_named_version}"
+%setup -q -n "%{name}-%{version}"
 cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
 
 %autopatch -p1
@@ -392,8 +394,8 @@ export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS
 %endif
 %if 0%{?suse_version} >= 1550
     --disable-lastlog \
-    --with-logind \
 %endif
+    --with-logind \
     --with-security-key-builtin \
     --target=%{_target_cpu}-suse-linux
 
@@ -450,10 +452,11 @@ mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buil
 %endif
 
 %if %{with crypto_policies}
-install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
 %if %{defined _distconfdir}
+install -m 644 ssh_config_suse %{buildroot}%{_distconfdir}/ssh/ssh_config.d/50-suse.conf
 install -m 644 sshd_config_suse_cp %{buildroot}%{_distconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
 %else
+install -m 644 ssh_config_suse %{buildroot}%{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
 install -m 644 sshd_config_suse_cp %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
 %endif
 %endif
@@ -499,6 +502,15 @@ done
 
 }}
 
+%check
+make file-tests
+make interop-tests
+make extra-tests
+make unit
+pushd openbsd-compat/regress
+make
+popd
+
 %pre server -f sshd.pre
 %if %{defined _distconfdir}
 # Prepare for migration to /usr/etc.
@@ -660,9 +672,14 @@ test -f /etc/ssh/ssh_config.rpmsave && mv -v /etc/ssh/ssh_config.rpmsave /etc/ss
 
 %files clients
 %if %{with crypto_policies}
+%if %{defined _distconfdir}
+%dir %attr(0755,root,root) %{_distconfdir}/ssh/ssh_config.d
+%attr(0644,root,root) %{_distconfdir}/ssh/ssh_config.d/50-suse.conf
+%else
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-suse.conf
 %endif
+%endif
 %if %{defined _distconfdir}
 %attr(0644,root,root) %{_distconfdir}/ssh/ssh_config
 %else

sshd@.service

@@ -2,10 +2,11 @@
 Description=OpenSSH Per-Connection Server Daemon
 Documentation=man:systemd-ssh-generator(8) man:sshd(8)
 After=network.target
-	
+
 [Service]
 EnvironmentFile=-/etc/sysconfig/ssh
 ExecStartPre=/usr/sbin/sshd-gen-keys-start
 ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
-ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS
+ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS -o "AuthorizedKeysFile ${CREDENTIALS_DIRECTORY}/ssh.ephemeral-authorized_keys-all .ssh/authorized_keys"
 StandardInput=socket
+ImportCredential=ssh.ephemeral-authorized_keys-all