Accepting request 59094 from home:leonardocf:branches:network

ok

OBS-URL: https://build.opensuse.org/request/show/59094
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=4

openssh-5.6p1-host_ident.diff

@@ -1,16 +0,0 @@
-Index: openssh-5.5p1/sshconnect.c
-===================================================================
---- openssh-5.5p1.orig/sshconnect.c
-+++ openssh-5.5p1/sshconnect.c
-@@ -916,6 +916,11 @@ check_host_key(char *hostname, struct so
- 		error("Add correct host key in %.100s to get rid of this message.",
- 		    user_hostfile);
- 		error("Offending key in %s:%d", host_file, host_line);
-+		error("You can use following command to remove all keys for this IP:");
-+		if (ip_file)
-+			error("ssh-keygen -R %s -f %s", hostname, ip_file);
-+		else
-+			error("ssh-keygen -R %s", hostname);
- 
- 		/*
- 		 * If strict host key checking is in use, the user will have

openssh-5.6p1-tmpdir.diff

@@ -1,24 +0,0 @@
-Index: ssh-agent.c
-===================================================================
---- ssh-agent.c.orig
-+++ ssh-agent.c
-@@ -1177,8 +1177,18 @@ main(int ac, char **av)
- 	parent_pid = getpid();
- 
- 	if (agentsocket == NULL) {
-+		char *tmp1, *tmp;
-+		char *tmp2 = "ssh-XXXXXXXXXX";
-+		size_t len;
-+
-+		if ((tmp1 = getenv("TMPDIR")) == NULL)
-+			tmp1 = "/tmp";
-+		len = strlen(tmp1) + strlen(tmp2) + 1;
-+		tmp = malloc(len);
-+		snprintf(tmp, len, "%s%s%s", tmp1, tmp1 && strlen(tmp1) > 0 ? "/" : "", tmp2);
- 		/* Create private directory for agent socket */
--		strlcpy(socket_dir, "/tmp/ssh-XXXXXXXXXX", sizeof socket_dir);
-+		strlcpy(socket_dir, tmp, sizeof socket_dir);
-+		free(tmp);
- 		if (mkdtemp(socket_dir) == NULL) {
- 			perror("mkdtemp: private socket dir");
- 			exit(1);

openssh-5.6p1.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7ee242e0236597108ed3156420e6a7d517fffe21d89755c37f09cceb5d796e4c
-size 896204

openssh-5.7p1-askpass-fix.diff

@@ -1,6 +1,8 @@
---- x11-ssh-askpass.c
+Index: x11-ssh-askpass.c
+===================================================================
+--- x11-ssh-askpass.c.orig
 +++ x11-ssh-askpass.c
-@@ -1301,7 +1301,7 @@
+@@ -1301,7 +1301,7 @@ void handleKeyPress(AppInfo *app, XEvent
     }
  }
  
@@ -9,7 +11,7 @@
  {
     /* 'gcc -Wall' complains about 'app' being an unused parameter. 
      * Tough.  We might want to use it later, and then we don't have
-@@ -1343,11 +1343,11 @@
+@@ -1343,11 +1343,11 @@ void handleButtonPress(AppInfo *app, XEv
        return;
     }
     if (ButtonPress == event->type) {
@@ -23,7 +25,7 @@
  	 d->pressedButton = CANCEL_BUTTON;
  	 d->cancelButton.pressed = True;
  	 paintButton(app, d->dialogWindow, d->cancelButton);
-@@ -1356,7 +1356,7 @@
+@@ -1356,7 +1356,7 @@ void handleButtonPress(AppInfo *app, XEv
        }
     } else if (ButtonRelease == event->type) {
        if (OK_BUTTON == d->pressedButton) {
@@ -32,7 +34,7 @@
  	    acceptAction(app);
  	 } else {
  	    if (d->okButton.pressed) {
-@@ -1365,7 +1365,7 @@
+@@ -1365,7 +1365,7 @@ void handleButtonPress(AppInfo *app, XEv
  	    }
  	 }
        } else if (CANCEL_BUTTON == d->pressedButton) {
@@ -41,7 +43,7 @@
  	    cancelAction(app);
  	 } else {
  	    if (d->cancelButton.pressed) {
-@@ -1385,7 +1385,7 @@
+@@ -1385,7 +1385,7 @@ void handlePointerMotion(AppInfo *app, X
     if (NO_BUTTON == d->pressedButton) {
        return;
     } else if (OK_BUTTON == d->pressedButton) {
@@ -50,7 +52,7 @@
  	 if (!(d->okButton.pressed)) {
  	    d->okButton.pressed = True;
  	    paintButton(app, d->dialogWindow, d->okButton);
-@@ -1397,7 +1397,7 @@
+@@ -1397,7 +1397,7 @@ void handlePointerMotion(AppInfo *app, X
  	 }
        }
     } else if (CANCEL_BUTTON == d->pressedButton) {
@@ -59,9 +61,11 @@
  	 if (!(d->cancelButton.pressed)) {
  	    d->cancelButton.pressed = True;
  	    paintButton(app, d->dialogWindow, d->cancelButton);
---- x11-ssh-askpass.h
+Index: x11-ssh-askpass.h
+===================================================================
+--- x11-ssh-askpass.h.orig
 +++ x11-ssh-askpass.h
-@@ -258,7 +258,7 @@
+@@ -258,7 +258,7 @@ void erasePassphrase(AppInfo *app);
  void addToPassphrase(AppInfo *app, char c);
  
  void handleKeyPress(AppInfo *app, XEvent *event);

openssh-5.7p1-audit.patch

@@ -1,9 +1,9 @@
 # add support for Linux audit (FATE #120269)
 ================================================================================
-Index: openssh-5.6p1/Makefile.in
+Index: openssh-5.7p1/Makefile.in
 ===================================================================
---- openssh-5.6p1.orig/Makefile.in
-+++ openssh-5.6p1/Makefile.in
+--- openssh-5.7p1.orig/Makefile.in
++++ openssh-5.7p1/Makefile.in
 @@ -46,6 +46,7 @@ LD=@LD@
  CFLAGS=@CFLAGS@
  CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
@@ -12,7 +12,7 @@ Index: openssh-5.6p1/Makefile.in
  SSHDLIBS=@SSHDLIBS@
  LIBEDIT=@LIBEDIT@
  AR=@AR@
-@@ -142,7 +143,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
+@@ -145,7 +146,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
  	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
  
  sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
@@ -21,10 +21,10 @@ Index: openssh-5.6p1/Makefile.in
  
  scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
  	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-Index: openssh-5.6p1/auth.c
+Index: openssh-5.7p1/auth.c
 ===================================================================
---- openssh-5.6p1.orig/auth.c
-+++ openssh-5.6p1/auth.c
+--- openssh-5.7p1.orig/auth.c
++++ openssh-5.7p1/auth.c
 @@ -293,6 +293,12 @@ auth_log(Authctxt *authctxt, int authent
  		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
  # endif
@@ -38,7 +38,7 @@ Index: openssh-5.6p1/auth.c
  #ifdef SSH_AUDIT_EVENTS
  	if (authenticated == 0 && !authctxt->postponed)
  		audit_event(audit_classify_auth(method));
-@@ -586,6 +592,10 @@ getpwnamallow(const char *user)
+@@ -592,6 +598,10 @@ getpwnamallow(const char *user)
  		record_failed_login(user,
  		    get_canonical_hostname(options.use_dns), "ssh");
  #endif
@@ -49,11 +49,11 @@ Index: openssh-5.6p1/auth.c
  #ifdef SSH_AUDIT_EVENTS
  		audit_event(SSH_INVALID_USER);
  #endif /* SSH_AUDIT_EVENTS */
-Index: openssh-5.6p1/config.h.in
+Index: openssh-5.7p1/config.h.in
 ===================================================================
---- openssh-5.6p1.orig/config.h.in
-+++ openssh-5.6p1/config.h.in
-@@ -1424,6 +1424,9 @@
+--- openssh-5.7p1.orig/config.h.in
++++ openssh-5.7p1/config.h.in
+@@ -1460,6 +1460,9 @@
  /* Define if you want SELinux support. */
  #undef WITH_SELINUX
  
@@ -63,11 +63,11 @@ Index: openssh-5.6p1/config.h.in
  /* Define to 1 if your processor stores words with the most significant byte
     first (like Motorola and SPARC, unlike Intel and VAX). */
  #undef WORDS_BIGENDIAN
-Index: openssh-5.6p1/configure.ac
+Index: openssh-5.7p1/configure.ac
 ===================================================================
---- openssh-5.6p1.orig/configure.ac
-+++ openssh-5.6p1/configure.ac
-@@ -3393,6 +3393,20 @@ AC_ARG_WITH(selinux,
+--- openssh-5.7p1.orig/configure.ac
++++ openssh-5.7p1/configure.ac
+@@ -3521,6 +3521,20 @@ AC_ARG_WITH(selinux,
  	fi ]
  )
  
@@ -88,7 +88,7 @@ Index: openssh-5.6p1/configure.ac
  # Check whether user wants Kerberos 5 support
  KRB5_MSG="no"
  AC_ARG_WITH(kerberos5,
-@@ -4185,6 +4199,7 @@ echo "                       PAM support
+@@ -4315,6 +4329,7 @@ echo "                       PAM support
  echo "                   OSF SIA support: $SIA_MSG"
  echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
@@ -96,10 +96,10 @@ Index: openssh-5.6p1/configure.ac
  echo "                 Smartcard support: $SCARD_MSG"
  echo "                     S/KEY support: $SKEY_MSG"
  echo "              TCP Wrappers support: $TCPW_MSG"
-Index: openssh-5.6p1/loginrec.c
+Index: openssh-5.7p1/loginrec.c
 ===================================================================
---- openssh-5.6p1.orig/loginrec.c
-+++ openssh-5.6p1/loginrec.c
+--- openssh-5.7p1.orig/loginrec.c
++++ openssh-5.7p1/loginrec.c
 @@ -176,6 +176,10 @@
  #include "auth.h"
  #include "buffer.h"
@@ -121,7 +121,7 @@ Index: openssh-5.6p1/loginrec.c
  int lastlog_write_entry(struct logininfo *li);
  int syslogin_write_entry(struct logininfo *li);
  
-@@ -441,6 +448,10 @@ login_write(struct logininfo *li)
+@@ -442,6 +449,10 @@ login_write(struct logininfo *li)
  
  	/* set the timestamp */
  	login_set_current_time(li);
@@ -132,7 +132,7 @@ Index: openssh-5.6p1/loginrec.c
  #ifdef USE_LOGIN
  	syslogin_write_entry(li);
  #endif
-@@ -1399,6 +1410,87 @@ wtmpx_get_entry(struct logininfo *li)
+@@ -1406,6 +1417,87 @@ wtmpx_get_entry(struct logininfo *li)
  }
  #endif /* USE_WTMPX */
  
@@ -220,10 +220,10 @@ Index: openssh-5.6p1/loginrec.c
  /**
   ** Low-level libutil login() functions
   **/
-Index: openssh-5.6p1/loginrec.h
+Index: openssh-5.7p1/loginrec.h
 ===================================================================
---- openssh-5.6p1.orig/loginrec.h
-+++ openssh-5.6p1/loginrec.h
+--- openssh-5.7p1.orig/loginrec.h
++++ openssh-5.7p1/loginrec.h
 @@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
  char *line_abbrevname(char *dst, const char *src, int dstsize);
  

openssh-5.7p1-blocksigalrm.diff

@@ -1,4 +1,6 @@
---- log.c
+Index: log.c
+===================================================================
+--- log.c.orig
 +++ log.c
 @@ -51,6 +51,7 @@
  
@@ -8,7 +10,7 @@
  
  static LogLevel log_level = SYSLOG_LEVEL_INFO;
  static int log_on_stderr = 1;
-@@ -336,6 +337,7 @@
+@@ -336,6 +337,7 @@ do_log(LogLevel level, const char *fmt,
  	char fmtbuf[MSGBUFSIZ];
  	char *txt = NULL;
  	int pri = LOG_INFO;
@@ -16,22 +18,22 @@
  	int saved_errno = errno;
  
  	if (level > log_level)
-@@ -387,6 +389,14 @@
+@@ -387,6 +389,14 @@ do_log(LogLevel level, const char *fmt,
  		snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
  		write(STDERR_FILENO, msgbuf, strlen(msgbuf));
  	} else {
 +		/* Prevent a race between the grace_alarm
 +		* which writes a log message and terminates
-+		* and main sshd code that leads to deadlock 
++		* and main sshd code that leads to deadlock
 +		* as syslog is not async safe.
-+		*/ 
++		*/
 +		sigemptyset(&nset);
 +		sigaddset(&nset, SIGALRM);
 +		sigprocmask(SIG_BLOCK, &nset, &oset);
  #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
  		openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
  		syslog_r(pri, &sdata, "%.500s", fmtbuf);
-@@ -396,6 +406,7 @@
+@@ -396,6 +406,7 @@ do_log(LogLevel level, const char *fmt,
  		syslog(pri, "%.500s", fmtbuf);
  		closelog();
  #endif

openssh-5.7p1-eal3.diff

@@ -1,26 +1,26 @@
-Index: openssh-5.6p1/sshd.8
+Index: openssh-5.7p1/sshd.8
 ===================================================================
---- openssh-5.6p1.orig/sshd.8
-+++ openssh-5.6p1/sshd.8
-@@ -850,7 +850,7 @@ Contains Diffie-Hellman groups used for
+--- openssh-5.7p1.orig/sshd.8
++++ openssh-5.7p1/sshd.8
+@@ -855,7 +855,7 @@ Contains Diffie-Hellman groups used for
  The file format is described in
  .Xr moduli 5 .
  .Pp
--.It /etc/motd
-+.It /etc/lib/motd
+-.It Pa /etc/motd
++.It Pa /etc/lib/motd
  See
  .Xr motd 5 .
  .Pp
-@@ -863,7 +863,7 @@ are displayed to anyone trying to log in
+@@ -868,7 +868,7 @@ are displayed to anyone trying to log in
  refused.
  The file should be world-readable.
  .Pp
--.It /etc/shosts.equiv
-+.It /etc/ssh/shosts.equiv
+-.It Pa /etc/shosts.equiv
++.It Pa /etc/ssh/shosts.equiv
  This file is used in exactly the same way as
  .Pa hosts.equiv ,
  but allows host-based authentication without permitting login with
-@@ -940,8 +940,7 @@ The content of this file is not sensitiv
+@@ -947,8 +947,7 @@ The content of this file is not sensitiv
  .Xr ssh-keyscan 1 ,
  .Xr chroot 2 ,
  .Xr hosts_access 5 ,
@@ -30,11 +30,11 @@ Index: openssh-5.6p1/sshd.8
  .Xr sshd_config 5 ,
  .Xr inetd 8 ,
  .Xr sftp-server 8
-Index: openssh-5.6p1/sshd_config.5
+Index: openssh-5.7p1/sshd_config.5
 ===================================================================
---- openssh-5.6p1.orig/sshd_config.5
-+++ openssh-5.6p1/sshd_config.5
-@@ -496,7 +496,7 @@ or
+--- openssh-5.7p1.orig/sshd_config.5
++++ openssh-5.7p1/sshd_config.5
+@@ -497,7 +497,7 @@ or
  .Pp
  .Pa /etc/hosts.equiv
  and

openssh-5.7p1-engines.diff

@@ -1,7 +1,7 @@
-Index: openssh-5.6p1/ssh-add.c
+Index: openssh-5.7p1/ssh-add.c
 ===================================================================
---- openssh-5.6p1.orig/ssh-add.c
-+++ openssh-5.6p1/ssh-add.c
+--- openssh-5.7p1.orig/ssh-add.c
++++ openssh-5.7p1/ssh-add.c
 @@ -43,6 +43,7 @@
  
  #include <openssl/evp.h>
@@ -10,9 +10,9 @@ Index: openssh-5.6p1/ssh-add.c
  
  #include <fcntl.h>
  #include <pwd.h>
-@@ -374,6 +375,10 @@ main(int argc, char **argv)
+@@ -377,6 +378,10 @@ main(int argc, char **argv)
  
- 	SSLeay_add_all_algorithms();
+ 	OpenSSL_add_all_algorithms();
  
 +	/* Init available hardware crypto engines. */
 +	ENGINE_load_builtin_engines();
@@ -21,10 +21,10 @@ Index: openssh-5.6p1/ssh-add.c
  	/* At first, get a connection to the authentication agent. */
  	ac = ssh_get_authentication_connection();
  	if (ac == NULL) {
-Index: openssh-5.6p1/ssh-agent.c
+Index: openssh-5.7p1/ssh-agent.c
 ===================================================================
---- openssh-5.6p1.orig/ssh-agent.c
-+++ openssh-5.6p1/ssh-agent.c
+--- openssh-5.7p1.orig/ssh-agent.c
++++ openssh-5.7p1/ssh-agent.c
 @@ -52,6 +52,7 @@
  #include <openssl/evp.h>
  #include <openssl/md5.h>
@@ -33,9 +33,9 @@ Index: openssh-5.6p1/ssh-agent.c
  
  #include <errno.h>
  #include <fcntl.h>
-@@ -1094,6 +1095,10 @@ main(int ac, char **av)
+@@ -1153,6 +1154,10 @@ main(int ac, char **av)
  
- 	SSLeay_add_all_algorithms();
+ 	OpenSSL_add_all_algorithms();
  
 +	/* Init available hardware crypto engines. */
 +	ENGINE_load_builtin_engines();
@@ -44,10 +44,10 @@ Index: openssh-5.6p1/ssh-agent.c
  	__progname = ssh_get_progname(av[0]);
  	init_rng();
  	seed_rng();
-Index: openssh-5.6p1/ssh-keygen.c
+Index: openssh-5.7p1/ssh-keygen.c
 ===================================================================
---- openssh-5.6p1.orig/ssh-keygen.c
-+++ openssh-5.6p1/ssh-keygen.c
+--- openssh-5.7p1.orig/ssh-keygen.c
++++ openssh-5.7p1/ssh-keygen.c
 @@ -22,6 +22,7 @@
  #include <openssl/evp.h>
  #include <openssl/pem.h>
@@ -56,10 +56,10 @@ Index: openssh-5.6p1/ssh-keygen.c
  
  #include <errno.h>
  #include <fcntl.h>
-@@ -1782,6 +1783,11 @@ main(int argc, char **argv)
+@@ -1815,6 +1816,11 @@ main(int argc, char **argv)
  	__progname = ssh_get_progname(argv[0]);
  
- 	SSLeay_add_all_algorithms();
+ 	OpenSSL_add_all_algorithms();
 +
 +	/* Init available hardware crypto engines. */
 +	ENGINE_load_builtin_engines();
@@ -68,10 +68,10 @@ Index: openssh-5.6p1/ssh-keygen.c
  	log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
  
  	init_rng();
-Index: openssh-5.6p1/ssh-keysign.c
+Index: openssh-5.7p1/ssh-keysign.c
 ===================================================================
---- openssh-5.6p1.orig/ssh-keysign.c
-+++ openssh-5.6p1/ssh-keysign.c
+--- openssh-5.7p1.orig/ssh-keysign.c
++++ openssh-5.7p1/ssh-keysign.c
 @@ -38,6 +38,7 @@
  #include <openssl/evp.h>
  #include <openssl/rand.h>
@@ -83,7 +83,7 @@ Index: openssh-5.6p1/ssh-keysign.c
 @@ -195,6 +196,11 @@ main(int argc, char **argv)
  		fatal("could not open any host key");
  
- 	SSLeay_add_all_algorithms();
+ 	OpenSSL_add_all_algorithms();
 +
 +	/* Init available hardware crypto engines. */
 +	ENGINE_load_builtin_engines();
@@ -92,11 +92,11 @@ Index: openssh-5.6p1/ssh-keysign.c
  	for (i = 0; i < 256; i++)
  		rnd[i] = arc4random();
  	RAND_seed(rnd, sizeof(rnd));
-Index: openssh-5.6p1/ssh.c
+Index: openssh-5.7p1/ssh.c
 ===================================================================
---- openssh-5.6p1.orig/ssh.c
-+++ openssh-5.6p1/ssh.c
-@@ -74,6 +74,7 @@
+--- openssh-5.7p1.orig/ssh.c
++++ openssh-5.7p1/ssh.c
+@@ -75,6 +75,7 @@
  #include <openssl/err.h>
  #include "openbsd-compat/openssl-compat.h"
  #include "openbsd-compat/sys-queue.h"
@@ -104,8 +104,8 @@ Index: openssh-5.6p1/ssh.c
  
  #include "xmalloc.h"
  #include "ssh.h"
-@@ -602,6 +603,10 @@ main(int ac, char **av)
- 	SSLeay_add_all_algorithms();
+@@ -601,6 +602,10 @@ main(int ac, char **av)
+ 	OpenSSL_add_all_algorithms();
  	ERR_load_crypto_strings();
  
 +	/* Init available hardware crypto engines. */
@@ -115,10 +115,10 @@ Index: openssh-5.6p1/ssh.c
  	/* Initialize the command to execute on remote host. */
  	buffer_init(&command);
  
-Index: openssh-5.6p1/sshd.c
+Index: openssh-5.7p1/sshd.c
 ===================================================================
---- openssh-5.6p1.orig/sshd.c
-+++ openssh-5.6p1/sshd.c
+--- openssh-5.7p1.orig/sshd.c
++++ openssh-5.7p1/sshd.c
 @@ -77,6 +77,7 @@
  #include <openssl/md5.h>
  #include <openssl/rand.h>
@@ -127,9 +127,9 @@ Index: openssh-5.6p1/sshd.c
  
  #ifdef HAVE_SECUREWARE
  #include <sys/security.h>
-@@ -1471,6 +1472,10 @@ main(int ac, char **av)
+@@ -1474,6 +1475,10 @@ main(int ac, char **av)
  
- 	SSLeay_add_all_algorithms();
+ 	OpenSSL_add_all_algorithms();
  
 +	/* Init available hardware crypto engines. */
 +	ENGINE_load_builtin_engines();

openssh-5.7p1-gssapimitm.patch

@@ -22,9 +22,9 @@ Index: auth2-gss.c
  				    SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
  				    &input_gssapi_exchange_complete);
 +
-+			/* 
-+			 * Old style 'gssapi' didn't have the GSSAPI_MIC 
-+			 * and went straight to sending exchange_complete 
++			/*
++			 * Old style 'gssapi' didn't have the GSSAPI_MIC
++			 * and went straight to sending exchange_complete
 +			 */
 +			if (options.gss_enable_mitm)
 +				dispatch_set(
@@ -68,7 +68,7 @@ Index: readconf.c
 ===================================================================
 --- readconf.c.orig
 +++ readconf.c
-@@ -126,7 +126,7 @@ typedef enum {
+@@ -128,7 +128,7 @@ typedef enum {
  	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
  	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
  	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -77,7 +77,7 @@ Index: readconf.c
  	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
  	oSendEnv, oControlPath, oControlMaster, oControlPersist,
  	oHashKnownHosts,
-@@ -167,9 +167,11 @@ static struct {
+@@ -170,9 +170,11 @@ static struct {
  #if defined(GSSAPI)
  	{ "gssapiauthentication", oGssAuthentication },
  	{ "gssapidelegatecredentials", oGssDelegateCreds },
@@ -89,18 +89,18 @@ Index: readconf.c
  #endif
  	{ "fallbacktorsh", oDeprecated },
  	{ "usersh", oDeprecated },
-@@ -477,6 +479,10 @@ parse_flag:
- 	case oGssDelegateCreds:
+@@ -483,6 +485,10 @@ parse_flag:
  		intptr = &options->gss_deleg_creds;
  		goto parse_flag;
-+		
+ 
 +	case oGssEnableMITM:
 +		intptr = &options->gss_enable_mitm;
 +		goto parse_flag;
- 
++
  	case oBatchMode:
  		intptr = &options->batch_mode;
-@@ -1059,6 +1065,7 @@ initialize_options(Options * options)
+ 		goto parse_flag;
+@@ -1093,6 +1099,7 @@ initialize_options(Options * options)
  	options->challenge_response_authentication = -1;
  	options->gss_authentication = -1;
  	options->gss_deleg_creds = -1;
@@ -108,7 +108,7 @@ Index: readconf.c
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
  	options->kbd_interactive_devices = NULL;
-@@ -1158,6 +1165,8 @@ fill_default_options(Options * options)
+@@ -1195,6 +1202,8 @@ fill_default_options(Options * options)
  		options->gss_authentication = 0;
  	if (options->gss_deleg_creds == -1)
  		options->gss_deleg_creds = 0;
@@ -133,7 +133,7 @@ Index: servconf.c
 ===================================================================
 --- servconf.c.orig
 +++ servconf.c
-@@ -94,6 +94,7 @@ initialize_server_options(ServerOptions
+@@ -98,6 +98,7 @@ initialize_server_options(ServerOptions
  	options->kerberos_get_afs_token = -1;
  	options->gss_authentication=-1;
  	options->gss_cleanup_creds = -1;
@@ -141,7 +141,7 @@ Index: servconf.c
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
  	options->challenge_response_authentication = -1;
-@@ -217,6 +218,8 @@ fill_default_server_options(ServerOption
+@@ -228,6 +229,8 @@ fill_default_server_options(ServerOption
  		options->gss_authentication = 0;
  	if (options->gss_cleanup_creds == -1)
  		options->gss_cleanup_creds = 1;
@@ -150,7 +150,7 @@ Index: servconf.c
  	if (options->password_authentication == -1)
  		options->password_authentication = 1;
  	if (options->kbd_interactive_authentication == -1)
-@@ -307,7 +310,7 @@ typedef enum {
+@@ -322,7 +325,7 @@ typedef enum {
  	sBanner, sUseDNS, sHostbasedAuthentication,
  	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
  	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -159,7 +159,7 @@ Index: servconf.c
  	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
  	sUsePrivilegeSeparation, sAllowAgentForwarding,
  	sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -370,9 +373,11 @@ static struct {
+@@ -386,9 +389,11 @@ static struct {
  #ifdef GSSAPI
  	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
  	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -171,22 +171,22 @@ Index: servconf.c
  #endif
  	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
  	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -929,6 +934,10 @@ process_server_config_line(ServerOptions
- 	case sGssCleanupCreds:
+@@ -948,6 +953,10 @@ process_server_config_line(ServerOptions
  		intptr = &options->gss_cleanup_creds;
  		goto parse_flag;
-+		
+ 
 +	case sGssEnableMITM:
 +		intptr = &options->gss_enable_mitm;
 +		goto parse_flag;
- 
++
  	case sPasswordAuthentication:
  		intptr = &options->password_authentication;
+ 		goto parse_flag;
 Index: servconf.h
 ===================================================================
 --- servconf.h.orig
 +++ servconf.h
-@@ -95,6 +95,7 @@ typedef struct {
+@@ -98,6 +98,7 @@ typedef struct {
  						 * authenticated with Kerberos. */
  	int     gss_authentication;	/* If true, permit GSSAPI authentication */
  	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
@@ -203,11 +203,11 @@ Index: ssh_config
  #   TunnelDevice any:any
  #   PermitLocalCommand no
 +#   GSSAPIAuthentication no
-+#   GSSAPIDelegateCredentials no 
++#   GSSAPIDelegateCredentials no
 +
 +# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
 +# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
-+# in this release. The use of 'gssapi' is deprecated due to the presence of 
++# in this release. The use of 'gssapi' is deprecated due to the presence of
 +# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
 +#   GSSAPIEnableMITMAttack no
 +
@@ -218,7 +218,7 @@ Index: sshconnect2.c
 ===================================================================
 --- sshconnect2.c.orig
 +++ sshconnect2.c
-@@ -263,6 +263,10 @@ Authmethod authmethods[] = {
+@@ -324,6 +324,10 @@ Authmethod authmethods[] = {
  		NULL,
  		&options.gss_authentication,
  		NULL},
@@ -229,12 +229,12 @@ Index: sshconnect2.c
  #endif
  	{"hostbased",
  		userauth_hostbased,
-@@ -640,7 +644,9 @@ process_gssapi_token(void *ctxt, gss_buf
+@@ -701,7 +705,9 @@ process_gssapi_token(void *ctxt, gss_buf
  
  	if (status == GSS_S_COMPLETE) {
  		/* send either complete or MIC, depending on mechanism */
 -		if (!(flags & GSS_C_INTEG_FLAG)) {
-+		
++
 +		if (strcmp(authctxt->method->name,"gssapi")==0 ||
 +		    (!(flags & GSS_C_INTEG_FLAG))) {
  			packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
@@ -244,16 +244,15 @@ Index: sshd_config
 ===================================================================
 --- sshd_config.orig
 +++ sshd_config
-@@ -72,6 +72,13 @@ PasswordAuthentication no
+@@ -73,6 +73,12 @@ PasswordAuthentication no
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes
  
 +# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
 +# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
-+# in this release. The use of 'gssapi' is deprecated due to the presence of 
++# in this release. The use of 'gssapi' is deprecated due to the presence of
 +# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
 +#GSSAPIEnableMITMAttack no
-+ 
 +
  # Set this to 'yes' to enable PAM authentication, account processing, 
  # and session processing. If this is enabled, PAM authentication will 

openssh-5.7p1-homechroot.patch

@@ -48,7 +48,7 @@ Index: session.c
  static void do_authenticated1(Authctxt *);
  static void do_authenticated2(Authctxt *);
  
-@@ -806,6 +808,11 @@ do_exec(Session *s, const char *command)
+@@ -808,6 +810,11 @@ do_exec(Session *s, const char *command)
  		debug("Forced command (key option) '%.900s'", command);
  	}
  
@@ -60,7 +60,7 @@ Index: session.c
  #ifdef SSH_AUDIT_EVENTS
  	if (command != NULL)
  		PRIVSEP(audit_run_command(command));
-@@ -1419,6 +1426,63 @@ do_nologin(struct passwd *pw)
+@@ -1421,6 +1428,63 @@ do_nologin(struct passwd *pw)
  }
  
  /*
@@ -117,14 +117,14 @@ Index: session.c
 +			}
 +		}
 +		fatal ("chroot into directory without nodev or nosuid");
-+	}	
++	}
 +}
 +
 +/*
   * Chroot into a directory after checking it for safety: all path components
   * must be root-owned directories with strict permissions.
   */
-@@ -1428,6 +1492,7 @@ safely_chroot(const char *path, uid_t ui
+@@ -1430,6 +1494,7 @@ safely_chroot(const char *path, uid_t ui
  	const char *cp;
  	char component[MAXPATHLEN];
  	struct stat st;
@@ -132,7 +132,7 @@ Index: session.c
  
  	if (*path != '/')
  		fatal("chroot path does not begin at root");
-@@ -1439,7 +1504,7 @@ safely_chroot(const char *path, uid_t ui
+@@ -1441,7 +1506,7 @@ safely_chroot(const char *path, uid_t ui
  	 * root-owned directory with strict permissions.
  	 */
  	for (cp = path; cp != NULL;) {
@@ -141,7 +141,7 @@ Index: session.c
  			strlcpy(component, path, sizeof(component));
  		else {
  			cp++;
-@@ -1452,14 +1517,20 @@ safely_chroot(const char *path, uid_t ui
+@@ -1454,14 +1519,20 @@ safely_chroot(const char *path, uid_t ui
  		if (stat(component, &st) != 0)
  			fatal("%s: stat(\"%s\"): %s", __func__,
  			    component, strerror(errno));
@@ -163,7 +163,7 @@ Index: session.c
  	}
  
  	if (chdir(path) == -1)
-@@ -1470,6 +1541,10 @@ safely_chroot(const char *path, uid_t ui
+@@ -1472,6 +1543,10 @@ safely_chroot(const char *path, uid_t ui
  	if (chdir("/") == -1)
  		fatal("%s: chdir(/) after chroot: %s",
  		    __func__, strerror(errno));
@@ -257,7 +257,7 @@ Index: sshd_config.5
 ===================================================================
 --- sshd_config.5.orig
 +++ sshd_config.5
-@@ -269,6 +269,17 @@ inside the chroot directory (see
+@@ -268,6 +268,17 @@ inside the chroot directory (see
  .Xr sftp-server 8
  for details).
  .Pp
@@ -267,7 +267,7 @@ Index: sshd_config.5
 +%h or
 +.Cm ChrootDirectory
 +/some/path/%u. The file system containing this directory must be
-+mounted with options nodev and either nosuid or noexec. The owner of the 
++mounted with options nodev and either nosuid or noexec. The owner of the
 +directory should be the user. The ownership of the other components of the path
 +must fulfill the usual conditions. No aditional files are required to be present
 +in the directory.

openssh-5.7p1-host_ident.diff

@@ -0,0 +1,16 @@
+Index: openssh-5.7p1/sshconnect.c
+===================================================================
+--- openssh-5.7p1.orig/sshconnect.c
++++ openssh-5.7p1/sshconnect.c
+@@ -958,6 +958,11 @@ check_host_key(char *hostname, struct so
+ 		    user_hostfile);
+ 		error("Offending %s key in %s:%lu", key_type(host_found->key),
+ 		    host_found->file, host_found->line);
++		error("You can use following command to remove all keys for this IP:");
++		if (host_found->file)
++			error("ssh-keygen -R %s -f %s", hostname, host_found->file);
++		else
++			error("ssh-keygen -R %s", hostname);
+ 
+ 		/*
+ 		 * If strict host key checking is in use, the user will have

openssh-5.7p1-pam-fix2.diff

@@ -2,7 +2,7 @@ Index: sshd_config
 ===================================================================
 --- sshd_config.orig
 +++ sshd_config
-@@ -56,7 +56,7 @@
+@@ -57,7 +57,7 @@
  #IgnoreRhosts yes
  
  # To disable tunneled clear text passwords, change to no here!
@@ -11,7 +11,7 @@ Index: sshd_config
  #PermitEmptyPasswords no
  
  # Change to no to disable s/key passwords
-@@ -81,7 +81,7 @@
+@@ -82,7 +82,7 @@
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.

openssh-5.7p1-pam-fix3.diff

@@ -1,6 +1,8 @@
---- auth-pam.c
+Index: auth-pam.c
+===================================================================
+--- auth-pam.c.orig
 +++ auth-pam.c
-@@ -786,7 +786,9 @@
+@@ -786,7 +786,9 @@ sshpam_query(void *ctx, char **name, cha
  					fatal("Internal error: PAM auth "
  					    "succeeded when it should have "
  					    "failed");

openssh-5.7p1-pts.diff

@@ -2,7 +2,7 @@ Index: loginrec.c
 ===================================================================
 --- loginrec.c.orig
 +++ loginrec.c
-@@ -554,7 +554,7 @@ getlast_entry(struct logininfo *li)
+@@ -555,7 +555,7 @@ getlast_entry(struct logininfo *li)
   * 1. The full filename (including '/dev')
   * 2. The stripped name (excluding '/dev')
   * 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
@@ -11,7 +11,7 @@ Index: loginrec.c
   *
   * Form 3 is used on some systems to identify a .tmp.? entry when
   * attempting to remove it. Typically both addition and removal is
-@@ -615,6 +615,10 @@ line_abbrevname(char *dst, const char *s
+@@ -616,6 +616,10 @@ line_abbrevname(char *dst, const char *s
  	if (strncmp(src, "tty", 3) == 0)
  		src += 3;
  #endif

openssh-5.7p1-saveargv-fix.diff

@@ -10,7 +10,7 @@ Index: sshd.c
  	logit("Received SIGHUP; restarting.");
  	close_listen_socks();
  	close_startup_pipes();
-@@ -1316,7 +1317,11 @@ main(int ac, char **av)
+@@ -1319,7 +1320,11 @@ main(int ac, char **av)
  #ifndef HAVE_SETPROCTITLE
  	/* Prepare for later setproctitle emulation */
  	compat_init_setproctitle(ac, av);

openssh-5.7p1-selinux.diff

@@ -0,0 +1,173 @@
+Index: openssh-5.7p1/ChangeLog
+===================================================================
+--- openssh-5.7p1.orig/ChangeLog
++++ openssh-5.7p1/ChangeLog
+@@ -1,3 +1,10 @@
++20110125
++ - (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c
++   openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to
++   port-linux.c to avoid compilation errors. Add -lselinux to ssh when
++   building with SELinux support to avoid linking failure; report from
++   amk AT spamfence.net; ok dtucker
++
+ 20110122
+  - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add
+    RSA_get_default_method() for the benefit of openssl versions that don't
+Index: openssh-5.7p1/configure.ac
+===================================================================
+--- openssh-5.7p1.orig/configure.ac
++++ openssh-5.7p1/configure.ac
+@@ -1,4 +1,4 @@
+-# $Id: configure.ac,v 1.469 2011/01/21 22:37:05 dtucker Exp $
++# $Id: configure.ac,v 1.470 2011/01/25 01:16:17 djm Exp $
+ #
+ # Copyright (c) 1999-2004 Damien Miller
+ #
+@@ -15,7 +15,7 @@
+ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ 
+ AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
+-AC_REVISION($Revision: 1.469 $)
++AC_REVISION($Revision: 1.470 $)
+ AC_CONFIG_SRCDIR([ssh.c])
+ 
+ # local macros
+@@ -737,7 +737,6 @@ mips-sony-bsd|mips-sony-newsos4)
+ 			[ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1,
+ 				[Define if you have Solaris process contracts])
+ 			  SSHDLIBS="$SSHDLIBS -lcontract"
+-			  AC_SUBST(SSHDLIBS)
+ 			  SPC_MSG="yes" ], )
+ 		],
+ 	)
+@@ -748,7 +747,6 @@ mips-sony-bsd|mips-sony-newsos4)
+ 			[ AC_DEFINE(USE_SOLARIS_PROJECTS, 1,
+ 				[Define if you have Solaris projects])
+ 			SSHDLIBS="$SSHDLIBS -lproject"
+-			AC_SUBST(SSHDLIBS)
+ 			SP_MSG="yes" ], )
+ 		],
+ 	)
+@@ -3515,11 +3513,14 @@ AC_ARG_WITH(selinux,
+ 			  LIBS="$LIBS -lselinux"
+ 			],
+ 			AC_MSG_ERROR(SELinux support requires libselinux library))
++		SSHLIBS="$SSHLIBS $LIBSELINUX"
+ 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
+ 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
+ 		LIBS="$save_LIBS"
+ 	fi ]
+ )
++AC_SUBST(SSHLIBS)
++AC_SUBST(SSHDLIBS)
+ 
+ # Check whether user wants Linux audit support
+ LINUX_AUDIT_MSG="no"
+@@ -4356,6 +4357,9 @@ echo "         Libraries: ${LIBS}"
+ if test ! -z "${SSHDLIBS}"; then
+ echo "         +for sshd: ${SSHDLIBS}"
+ fi
++if test ! -z "${SSHLIBS}"; then
++echo "          +for ssh: ${SSHLIBS}"
++fi
+ 
+ echo ""
+ 
+Index: openssh-5.7p1/Makefile.in
+===================================================================
+--- openssh-5.7p1.orig/Makefile.in
++++ openssh-5.7p1/Makefile.in
+@@ -1,4 +1,4 @@
+-# $Id: Makefile.in,v 1.320 2011/01/17 10:15:29 dtucker Exp $
++# $Id: Makefile.in,v 1.321 2011/01/25 01:16:16 djm Exp $
+ 
+ # uncomment if you run a non bourne compatable shell. Ie. csh
+ #SHELL = @SH@
+@@ -47,6 +47,7 @@ CFLAGS=@CFLAGS@
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ LIBAUDIT=@LIBAUDIT@
++SSHLIBS=@SSHLIBS@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ AR=@AR@
+@@ -143,7 +144,7 @@ libssh.a: $(LIBSSH_OBJS)
+ 	$(RANLIB) $@
+ 
+ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
+-	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS)
+ 
+ sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
+ 	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(LIBAUDIT)
+Index: openssh-5.7p1/openbsd-compat/port-linux.c
+===================================================================
+--- openssh-5.7p1.orig/openbsd-compat/port-linux.c
++++ openssh-5.7p1/openbsd-compat/port-linux.c
+@@ -1,4 +1,4 @@
+-/* $Id: port-linux.c,v 1.11 2011/01/17 07:50:24 dtucker Exp $ */
++/* $Id: port-linux.c,v 1.12 2011/01/25 01:16:18 djm Exp $ */
+ 
+ /*
+  * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+@@ -205,6 +205,20 @@ ssh_selinux_change_context(const char *n
+ 	xfree(oldctx);
+ 	xfree(newctx);
+ }
++
++void
++ssh_selinux_setfscreatecon(const char *path)
++{
++		security_context_t context;
++
++		if (path == NULL) {
++			setfscreatecon(NULL);
++			return;
++		}
++		matchpathcon(path, 0700, &context);
++		setfscreatecon(context);
++}
++
+ #endif /* WITH_SELINUX */
+ 
+ #ifdef LINUX_OOM_ADJUST
+Index: openssh-5.7p1/openbsd-compat/port-linux.h
+===================================================================
+--- openssh-5.7p1.orig/openbsd-compat/port-linux.h
++++ openssh-5.7p1/openbsd-compat/port-linux.h
+@@ -1,4 +1,4 @@
+-/* $Id: port-linux.h,v 1.4 2009/12/08 02:39:48 dtucker Exp $ */
++/* $Id: port-linux.h,v 1.5 2011/01/25 01:16:18 djm Exp $ */
+ 
+ /*
+  * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
+ void ssh_selinux_setup_pty(char *, const char *);
+ void ssh_selinux_setup_exec_context(char *);
+ void ssh_selinux_change_context(const char *);
++void ssh_selinux_setfscreatecon(const char *);
+ #endif
+ 
+ #ifdef LINUX_OOM_ADJUST
+Index: openssh-5.7p1/ssh.c
+===================================================================
+--- openssh-5.7p1.orig/ssh.c
++++ openssh-5.7p1/ssh.c
+@@ -857,15 +857,12 @@ main(int ac, char **av)
+ 	    strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
+ 	if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) {
+ #ifdef WITH_SELINUX
+-		char *scon;
+-
+-		matchpathcon(buf, 0700, &scon);
+-		setfscreatecon(scon);
++		ssh_selinux_setfscreatecon(buf);
+ #endif
+ 		if (mkdir(buf, 0700) < 0)
+ 			error("Could not create directory '%.200s'.", buf);
+ #ifdef WITH_SELINUX
+-		setfscreatecon(NULL);
++		ssh_selinux_setfscreatecon(NULL);
+ #endif
+ 	}
+ 	/* load options.identity_files */

openssh-5.7p1-send_locale.diff

@@ -8,8 +8,8 @@ Index: ssh_config
  
 ->>>>>>>
 +# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
-+SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
-+SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
++SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
++SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 +SendEnv LC_IDENTIFICATION LC_ALL
  #   VisualHostKey no
  #   ProxyCommand ssh -q -W %h:%p gateway.example.com
@@ -22,8 +22,8 @@ Index: sshd_config
  Subsystem	sftp	/usr/libexec/sftp-server
  
 +# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
-+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
-+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
++AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
++AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 +AcceptEnv LC_IDENTIFICATION LC_ALL
 +
  # Example of overriding settings on a per-user basis

openssh-5.7p1-sshconfig-knownhostschanges.diff

@@ -2,11 +2,12 @@ Index: ssh_config
 ===================================================================
 --- ssh_config.orig
 +++ ssh_config
-@@ -67,5 +67,12 @@ ForwardX11Trusted yes
- SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
- SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
+@@ -67,5 +67,13 @@ ForwardX11Trusted yes
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
  SendEnv LC_IDENTIFICATION LC_ALL
 -#   VisualHostKey no
++
 +# This will print the fingerprint of the host key in "visual" form
 +# this should make it easier to also recognize bad things
 +VisualHostKey no

openssh-5.7p1-xauth.diff

@@ -2,7 +2,7 @@ Index: session.c
 ===================================================================
 --- session.c.orig
 +++ session.c
-@@ -2525,8 +2525,41 @@ void
+@@ -2463,8 +2463,41 @@ void
  session_close(Session *s)
  {
  	u_int i;

openssh-5.7p1-xauthlocalhostname.diff

@@ -2,7 +2,7 @@ Index: session.c
 ===================================================================
 --- session.c.orig
 +++ session.c
-@@ -1114,7 +1114,7 @@ copy_environment(char **source, char ***
+@@ -1116,7 +1116,7 @@ copy_environment(char **source, char ***
  }
  
  static char **
@@ -11,7 +11,7 @@ Index: session.c
  {
  	char buf[256];
  	u_int i, envsize;
-@@ -1301,6 +1301,8 @@ do_setup_env(Session *s, const char *she
+@@ -1303,6 +1303,8 @@ do_setup_env(Session *s, const char *she
  		for (i = 0; env[i]; i++)
  			fprintf(stderr, "  %.200s\n", env[i]);
  	}
@@ -20,7 +20,7 @@ Index: session.c
  	return env;
  }
  
-@@ -1309,7 +1311,7 @@ do_setup_env(Session *s, const char *she
+@@ -1311,7 +1313,7 @@ do_setup_env(Session *s, const char *she
   * first in this order).
   */
  static void
@@ -29,12 +29,12 @@ Index: session.c
  {
  	FILE *f = NULL;
  	char cmd[1024];
-@@ -1363,12 +1365,20 @@ do_rc_files(Session *s, const char *shel
+@@ -1365,12 +1367,20 @@ do_rc_files(Session *s, const char *shel
  		    options.xauth_location);
  		f = popen(cmd, "w");
  		if (f) {
 +			char hostname[MAXHOSTNAMELEN];
-+		    
++
  			fprintf(f, "remove %s\n",
  			    s->auth_display);
  			fprintf(f, "add %s %s %s\n",
@@ -50,7 +50,7 @@ Index: session.c
  		} else {
  			fprintf(stderr, "Could not run %s\n",
  			    cmd);
-@@ -1670,6 +1680,7 @@ do_child(Session *s, const char *command
+@@ -1608,6 +1618,7 @@ do_child(Session *s, const char *command
  {
  	extern char **environ;
  	char **env;
@@ -58,7 +58,7 @@ Index: session.c
  	char *argv[ARGV_MAX];
  	const char *shell, *shell0, *hostname = NULL;
  	struct passwd *pw = s->pw;
-@@ -1736,7 +1747,7 @@ do_child(Session *s, const char *command
+@@ -1674,7 +1685,7 @@ do_child(Session *s, const char *command
  	 * Make sure $SHELL points to the shell from the password file,
  	 * even if shell is overridden from login.conf
  	 */
@@ -67,7 +67,7 @@ Index: session.c
  
  #ifdef HAVE_LOGIN_CAP
  	shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
-@@ -1805,7 +1816,7 @@ do_child(Session *s, const char *command
+@@ -1743,7 +1754,7 @@ do_child(Session *s, const char *command
  	closefrom(STDERR_FILENO + 1);
  
  	if (!options.use_login)

openssh-5.7p1.dif

@@ -17,7 +17,7 @@ Index: ssh_config
 +# remote side (the "spoofed" X-server by the remote sshd) can read your
 +# keystrokes as you type, just like any other X11 client could do.
 +# Set this to "no" here for global effect or in your own ~/.ssh/config
-+# file if you want to have the remote X11 authentification data to 
++# file if you want to have the remote X11 authentification data to
 +# expire after two minutes after remote login.
 +ForwardX11Trusted yes
 +
@@ -28,12 +28,12 @@ Index: sshd_config
 ===================================================================
 --- sshd_config.orig
 +++ sshd_config
-@@ -86,7 +86,7 @@
+@@ -87,7 +87,7 @@
  #AllowAgentForwarding yes
  #AllowTcpForwarding yes
  #GatewayPorts no
 -#X11Forwarding no
-+X11Forwarding yes 
++X11Forwarding yes
  #X11DisplayOffset 10
  #X11UseLocalhost yes
  #PrintMotd yes

openssh-5.7p1.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e8e4d63cbfdd0c97f8856693b4412e0bda78bb152ec1cb6f426193dc16d412c3
+size 894451

openssh-SuSE.tar.bz2

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:0b46d50d58800dc184448c70485265894d97da90749019917708c22ac8845753
-size 1943
+oid sha256:a73f20ff86a679a64f3b94a666dc9e7e1b442fb2da09ddb56f9a01f4dbdbc241
+size 1975

openssh-askpass-gnome.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Jan 24 11:51:10 UTC 2011 - lchiquitto@novell.com
+
+- Update to 5.7p1
+
 -------------------------------------------------------------------
 Wed Jan 12 13:37:38 CET 2011 - sbrabec@suse.cz
 

openssh-askpass-gnome.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package openssh-askpass-gnome (Version 5.6p1)
+# spec file for package openssh-askpass-gnome (Version 5.7p1)
 #
 # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -22,8 +22,8 @@ Name:           openssh-askpass-gnome
 BuildRequires:  gtk2-devel krb5-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
 License:        BSD3c(or similar)
 Group:          Productivity/Networking/SSH
-Version:        5.6p1
-Release:        8
+Version:        5.7p1
+Release:        1
 Requires:       openssh = %{version} openssh-askpass = %{version}
 AutoReqProv:    on
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH

openssh-linux-new-oomkill.patch

@@ -1,94 +0,0 @@
-Index: openbsd-compat/port-linux.c
-===================================================================
-RCS file: /home/dtucker/openssh/cvs/openssh/openbsd-compat/port-linux.c,v
-retrieving revision 1.9
-diff -u -p -r1.9 port-linux.c
---- openbsd-compat/port-linux.c	10 Sep 2010 00:30:25 -0000	1.9
-+++ openbsd-compat/port-linux.c	16 Nov 2010 05:10:13 -0000
-@@ -208,14 +208,21 @@ ssh_selinux_change_context(const char *n
- #endif /* WITH_SELINUX */
- 
- #ifdef LINUX_OOM_ADJUST
--#define OOM_ADJ_PATH	"/proc/self/oom_adj"
- /*
-- * The magic "don't kill me", as documented in eg:
-+ * The magic "don't kill me" values, old and new, as documented in eg:
-  * http://lxr.linux.no/#linux+v2.6.32/Documentation/filesystems/proc.txt
-+ * http://lxr.linux.no/#linux+v2.6.36/Documentation/filesystems/proc.txt
-  */
--#define OOM_ADJ_NOKILL	-17
- 
- static int oom_adj_save = INT_MIN;
-+static char *oom_adj_path = NULL;
-+struct {
-+	char *path;
-+	int value;
-+} oom_adjust[] = {
-+	{"/proc/self/oom_score_adj", -1000},	/* new values, 2.6.36 and up */
-+	{"/proc/self/oom_adj", -17},		/* old values, 2.6.35 and down */
-+};
- 
- /*
-  * Tell the kernel's out-of-memory killer to avoid sshd.
-@@ -224,23 +231,31 @@ static int oom_adj_save = INT_MIN;
- void
- oom_adjust_setup(void)
- {
-+	int i, value;
- 	FILE *fp;
- 
- 	debug3("%s", __func__);
--	if ((fp = fopen(OOM_ADJ_PATH, "r+")) != NULL) {
--		if (fscanf(fp, "%d", &oom_adj_save) != 1)
--			verbose("error reading %s: %s", OOM_ADJ_PATH, strerror(errno));
--		else {
--			rewind(fp);
--			if (fprintf(fp, "%d\n", OOM_ADJ_NOKILL) <= 0)
--				verbose("error writing %s: %s",
--				    OOM_ADJ_PATH, strerror(errno));
--			else
--				verbose("Set %s from %d to %d",
--				    OOM_ADJ_PATH, oom_adj_save, OOM_ADJ_NOKILL);
-+	 for (i = 0; i < 2; i++) {
-+		oom_adj_path = oom_adjust[i].path;
-+		value = oom_adjust[i].value;
-+		if ((fp = fopen(oom_adj_path, "r+")) != NULL) {
-+			if (fscanf(fp, "%d", &oom_adj_save) != 1)
-+				verbose("error reading %s: %s", oom_adj_path,
-+				    strerror(errno));
-+			else {
-+				rewind(fp);
-+				if (fprintf(fp, "%d\n", value) <= 0)
-+					verbose("error writing %s: %s",
-+					   oom_adj_path, strerror(errno));
-+				else
-+					verbose("Set %s from %d to %d",
-+					   oom_adj_path, oom_adj_save, value);
-+			}
-+			fclose(fp);
-+			return;
- 		}
--		fclose(fp);
- 	}
-+	oom_adj_path = NULL;
- }
- 
- /* Restore the saved OOM adjustment */
-@@ -250,13 +265,14 @@ oom_adjust_restore(void)
- 	FILE *fp;
- 
- 	debug3("%s", __func__);
--	if (oom_adj_save == INT_MIN || (fp = fopen(OOM_ADJ_PATH, "w")) == NULL)
-+	if (oom_adj_save == INT_MIN || oom_adj_save == NULL ||
-+	    (fp = fopen(oom_adj_path, "w")) == NULL)
- 		return;
- 
- 	if (fprintf(fp, "%d\n", oom_adj_save) <= 0)
--		verbose("error writing %s: %s", OOM_ADJ_PATH, strerror(errno));
-+		verbose("error writing %s: %s", oom_adj_path, strerror(errno));
- 	else
--		verbose("Set %s to %d", OOM_ADJ_PATH, oom_adj_save);
-+		verbose("Set %s to %d", oom_adj_path, oom_adj_save);
- 
- 	fclose(fp);
- 	return;

openssh.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Mon Jan 24 11:24:59 UTC 2011 - lchiquitto@novell.com
+
+- Update to 5.7p1
+ * Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
+   and host/user keys (ECDSA) as specified by RFC5656.
+ * sftp(1)/sftp-server(8): add a protocol extension to support a hard
+   link operation.
+ * scp(1): Add a new -3 option to scp: Copies between two remote hosts
+   are transferred through the local host.
+ * ssh(1): automatically order the hostkeys requested by the client
+   based on which hostkeys are already recorded in known_hosts.
+ * ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary
+   TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
+ * sftp(1): the sftp client is now significantly faster at performing
+   directory listings, using OpenBSD glob(3) extensions to preserve
+   the results of stat(3) operations performed in the course of its
+   execution rather than performing expensive round trips to fetch
+   them again afterwards.
+ * ssh(1): "atomically" create the listening mux socket by binding it on
+   a temporary name and then linking it into position after listen() has
+   succeeded.
+ * ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server
+   configuration to allow selection of which key exchange methods are
+   used by ssh(1) and sshd(8) and their order of preference.
+ * sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into
+   a generic bandwidth limiter that can be attached using the atomicio
+   callback mechanism and use it to add a bandwidth limit option to
+   sftp(1).
+ * Support building against openssl-1.0.0a.
+ * Bug fixes.
+- Remove patches that are now upstream:
+ * openssh-5.6p1-tmpdir.diff
+ * openssh-linux-new-oomkill.patch
+- Add upstream patch to fix build with SELinux enabled.
+
 -------------------------------------------------------------------
 Wed Jan 12 13:37:38 CET 2011 - sbrabec@suse.cz
 

openssh.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package openssh (Version 5.6p1)
+# spec file for package openssh (Version 5.7p1)
 #
 # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -29,8 +29,8 @@ Requires:       /bin/netstat
 PreReq:         pwdutils %insserv_prereq  %fillup_prereq coreutils
 Conflicts:      nonfreessh
 AutoReqProv:    on
-Version:        5.6p1
-Release:        8
+Version:        5.7p1
+Release:        1
 %define xversion 1.2.4.1
 Summary:        Secure Shell Client and Server (Remote Login Program)
 Url:            http://www.openssh.com/
@@ -55,7 +55,6 @@ Patch7:         %{name}-%{version}-engines.diff
 Patch8:         %{name}-%{version}-blocksigalrm.diff
 Patch9:         %{name}-%{version}-send_locale.diff
 Patch10:        %{name}-%{version}-xauthlocalhostname.diff
-Patch11:        %{name}-%{version}-tmpdir.diff
 Patch12:        %{name}-%{version}-xauth.diff
 Patch14:        %{name}-%{version}-default-protocol.diff
 Patch15:        %{name}-%{version}-audit.patch
@@ -63,7 +62,7 @@ Patch16:        %{name}-%{version}-pts.diff
 Patch17:        %{name}-%{version}-homechroot.patch
 Patch18:        %{name}-%{version}-sshconfig-knownhostschanges.diff
 Patch19:        %{name}-%{version}-host_ident.diff
-Patch20:        openssh-linux-new-oomkill.patch 
+Patch20:        %{name}-%{version}-selinux.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %package      askpass
@@ -101,7 +100,6 @@ Window System passphrase dialog for OpenSSH.
 %patch8
 %patch9
 %patch10
-%patch11
 %patch12
 %patch14
 %patch15 -p1
@@ -109,7 +107,7 @@ Window System passphrase dialog for OpenSSH.
 %patch17
 %patch18
 %patch19 -p1
-%patch20
+%patch20 -p1
 cp -v %{SOURCE4} .
 cp -v %{SOURCE6} .
 cd ../x11-ssh-askpass-%{xversion}