Accepting request 59094 from home:leonardocf:branches:network

ok OBS-URL: https://build.opensuse.org/request/show/59094 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=4
2011-01-31 12:24:57 +00:00 · 2011-01-31 12:24:57 +00:00 · 2e210d7ee3
commit 2e210d7ee3
parent c87fe92d21
29 changed files with 398 additions and 296 deletions
--- a/openssh-5.6p1-host_ident.diff
+++ b/openssh-5.6p1-host_ident.diff
@ -1,16 +0,0 @@
 Index: openssh-5.5p1/sshconnect.c
 ===================================================================
 --- openssh-5.5p1.orig/sshconnect.c
 +++ openssh-5.5p1/sshconnect.c
@@ -916,6 +916,11 @@ check_host_key(char *hostname, struct so
 		error("Add correct host key in %.100s to get rid of this message.",
 		    user_hostfile);
 		error("Offending key in %s:%d", host_file, host_line);
 +		error("You can use following command to remove all keys for this IP:");
 +		if (ip_file)
 +			error("ssh-keygen -R %s -f %s", hostname, ip_file);
 +		else
 +			error("ssh-keygen -R %s", hostname);
 		/*
 		 * If strict host key checking is in use, the user will have
--- a/openssh-5.6p1-tmpdir.diff
+++ b/openssh-5.6p1-tmpdir.diff
@ -1,24 +0,0 @@
 Index: ssh-agent.c
 ===================================================================
 --- ssh-agent.c.orig
 +++ ssh-agent.c
@@ -1177,8 +1177,18 @@ main(int ac, char **av)
 	parent_pid = getpid();
 	if (agentsocket == NULL) {
 +		char *tmp1, *tmp;
 +		char *tmp2 = "ssh-XXXXXXXXXX";
 +		size_t len;
 +
 +		if ((tmp1 = getenv("TMPDIR")) == NULL)
 +			tmp1 = "/tmp";
 +		len = strlen(tmp1) + strlen(tmp2) + 1;
 +		tmp = malloc(len);
 +		snprintf(tmp, len, "%s%s%s", tmp1, tmp1 && strlen(tmp1) > 0 ? "/" : "", tmp2);
 		/* Create private directory for agent socket */
 -		strlcpy(socket_dir, "/tmp/ssh-XXXXXXXXXX", sizeof socket_dir);
 +		strlcpy(socket_dir, tmp, sizeof socket_dir);
 +		free(tmp);
 		if (mkdtemp(socket_dir) == NULL) {
 			perror("mkdtemp: private socket dir");
 			exit(1);
--- a/openssh-5.6p1.tar.bz2
+++ b/openssh-5.6p1.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:7ee242e0236597108ed3156420e6a7d517fffe21d89755c37f09cceb5d796e4c
 size 896204
--- a/openssh-5.7p1-askpass-fix.diff
+++ b/openssh-5.7p1-askpass-fix.diff
@ -1,6 +1,8 @@
--- x11-ssh-askpass.c
+Index: x11-ssh-askpass.c
 ===================================================================
 --- x11-ssh-askpass.c.orig
 +++ x11-ssh-askpass.c
-@@ -1301,7 +1301,7 @@
+@@ -1301,7 +1301,7 @@ void handleKeyPress(AppInfo *app, XEvent
    }
 }
@ -9,7 +11,7 @@
 {
    /* 'gcc -Wall' complains about 'app' being an unused parameter. 
     * Tough.  We might want to use it later, and then we don't have
-@@ -1343,11 +1343,11 @@
+@@ -1343,11 +1343,11 @@ void handleButtonPress(AppInfo *app, XEv
       return;
    }
    if (ButtonPress == event->type) {
@ -23,7 +25,7 @@
 	 d->pressedButton = CANCEL_BUTTON;
 	 d->cancelButton.pressed = True;
 	 paintButton(app, d->dialogWindow, d->cancelButton);
-@@ -1356,7 +1356,7 @@
+@@ -1356,7 +1356,7 @@ void handleButtonPress(AppInfo *app, XEv
       }
    } else if (ButtonRelease == event->type) {
       if (OK_BUTTON == d->pressedButton) {
@ -32,7 +34,7 @@
 	    acceptAction(app);
 	 } else {
 	    if (d->okButton.pressed) {
-@@ -1365,7 +1365,7 @@
+@@ -1365,7 +1365,7 @@ void handleButtonPress(AppInfo *app, XEv
 	    }
 	 }
       } else if (CANCEL_BUTTON == d->pressedButton) {
@ -41,7 +43,7 @@
 	    cancelAction(app);
 	 } else {
 	    if (d->cancelButton.pressed) {
-@@ -1385,7 +1385,7 @@
+@@ -1385,7 +1385,7 @@ void handlePointerMotion(AppInfo *app, X
    if (NO_BUTTON == d->pressedButton) {
       return;
    } else if (OK_BUTTON == d->pressedButton) {
@ -50,7 +52,7 @@
 	 if (!(d->okButton.pressed)) {
 	    d->okButton.pressed = True;
 	    paintButton(app, d->dialogWindow, d->okButton);
-@@ -1397,7 +1397,7 @@
+@@ -1397,7 +1397,7 @@ void handlePointerMotion(AppInfo *app, X
 	 }
       }
    } else if (CANCEL_BUTTON == d->pressedButton) {
@ -59,9 +61,11 @@
 	 if (!(d->cancelButton.pressed)) {
 	    d->cancelButton.pressed = True;
 	    paintButton(app, d->dialogWindow, d->cancelButton);
--- x11-ssh-askpass.h
+Index: x11-ssh-askpass.h
 ===================================================================
 --- x11-ssh-askpass.h.orig
 +++ x11-ssh-askpass.h
-@@ -258,7 +258,7 @@
+@@ -258,7 +258,7 @@ void erasePassphrase(AppInfo *app);
 void addToPassphrase(AppInfo *app, char c);
 void handleKeyPress(AppInfo *app, XEvent *event);
--- a/openssh-5.7p1-audit.patch
+++ b/openssh-5.7p1-audit.patch
@ -1,9 +1,9 @@
 # add support for Linux audit (FATE #120269)
 ================================================================================
-Index: openssh-5.6p1/Makefile.in
+Index: openssh-5.7p1/Makefile.in
 ===================================================================
--- openssh-5.6p1.orig/Makefile.in
+--- openssh-5.7p1.orig/Makefile.in
-+++ openssh-5.6p1/Makefile.in
+++ openssh-5.7p1/Makefile.in
@@ -46,6 +46,7 @@ LD=@LD@
 CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
@ -12,7 +12,7 @@ Index: openssh-5.6p1/Makefile.in
 SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
 AR=@AR@
-@@ -142,7 +143,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
+@@ -145,7 +146,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
@ -21,10 +21,10 @@ Index: openssh-5.6p1/Makefile.in
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-Index: openssh-5.6p1/auth.c
+Index: openssh-5.7p1/auth.c
 ===================================================================
--- openssh-5.6p1.orig/auth.c
+--- openssh-5.7p1.orig/auth.c
-+++ openssh-5.6p1/auth.c
+++ openssh-5.7p1/auth.c
@@ -293,6 +293,12 @@ auth_log(Authctxt *authctxt, int authent
 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
 # endif
@ -38,7 +38,7 @@ Index: openssh-5.6p1/auth.c
 #ifdef SSH_AUDIT_EVENTS
 	if (authenticated == 0 && !authctxt->postponed)
 		audit_event(audit_classify_auth(method));
-@@ -586,6 +592,10 @@ getpwnamallow(const char *user)
+@@ -592,6 +598,10 @@ getpwnamallow(const char *user)
 		record_failed_login(user,
 		    get_canonical_hostname(options.use_dns), "ssh");
 #endif
@ -49,11 +49,11 @@ Index: openssh-5.6p1/auth.c
 #ifdef SSH_AUDIT_EVENTS
 		audit_event(SSH_INVALID_USER);
 #endif /* SSH_AUDIT_EVENTS */
-Index: openssh-5.6p1/config.h.in
+Index: openssh-5.7p1/config.h.in
 ===================================================================
--- openssh-5.6p1.orig/config.h.in
+--- openssh-5.7p1.orig/config.h.in
-+++ openssh-5.6p1/config.h.in
+++ openssh-5.7p1/config.h.in
-@@ -1424,6 +1424,9 @@
+@@ -1460,6 +1460,9 @@
 /* Define if you want SELinux support. */
 #undef WITH_SELINUX
@ -63,11 +63,11 @@ Index: openssh-5.6p1/config.h.in
 /* Define to 1 if your processor stores words with the most significant byte
    first (like Motorola and SPARC, unlike Intel and VAX). */
 #undef WORDS_BIGENDIAN
-Index: openssh-5.6p1/configure.ac
+Index: openssh-5.7p1/configure.ac
 ===================================================================
--- openssh-5.6p1.orig/configure.ac
+--- openssh-5.7p1.orig/configure.ac
-+++ openssh-5.6p1/configure.ac
+++ openssh-5.7p1/configure.ac
-@@ -3393,6 +3393,20 @@ AC_ARG_WITH(selinux,
+@@ -3521,6 +3521,20 @@ AC_ARG_WITH(selinux,
 	fi ]
 )
@ -88,7 +88,7 @@ Index: openssh-5.6p1/configure.ac
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
-@@ -4185,6 +4199,7 @@ echo "                       PAM support
+@@ -4315,6 +4329,7 @@ echo "                       PAM support
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
@ -96,10 +96,10 @@ Index: openssh-5.6p1/configure.ac
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
-Index: openssh-5.6p1/loginrec.c
+Index: openssh-5.7p1/loginrec.c
 ===================================================================
--- openssh-5.6p1.orig/loginrec.c
+--- openssh-5.7p1.orig/loginrec.c
-+++ openssh-5.6p1/loginrec.c
+++ openssh-5.7p1/loginrec.c
@@ -176,6 +176,10 @@
 #include "auth.h"
 #include "buffer.h"
@ -121,7 +121,7 @@ Index: openssh-5.6p1/loginrec.c
 int lastlog_write_entry(struct logininfo *li);
 int syslogin_write_entry(struct logininfo *li);
-@@ -441,6 +448,10 @@ login_write(struct logininfo *li)
+@@ -442,6 +449,10 @@ login_write(struct logininfo *li)
 	/* set the timestamp */
 	login_set_current_time(li);
@ -132,7 +132,7 @@ Index: openssh-5.6p1/loginrec.c
 #ifdef USE_LOGIN
 	syslogin_write_entry(li);
 #endif
-@@ -1399,6 +1410,87 @@ wtmpx_get_entry(struct logininfo *li)
+@@ -1406,6 +1417,87 @@ wtmpx_get_entry(struct logininfo *li)
 }
 #endif /* USE_WTMPX */
@ -220,10 +220,10 @@ Index: openssh-5.6p1/loginrec.c
 /**
  ** Low-level libutil login() functions
  **/
-Index: openssh-5.6p1/loginrec.h
+Index: openssh-5.7p1/loginrec.h
 ===================================================================
--- openssh-5.6p1.orig/loginrec.h
+--- openssh-5.7p1.orig/loginrec.h
-+++ openssh-5.6p1/loginrec.h
+++ openssh-5.7p1/loginrec.h
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
 char *line_abbrevname(char *dst, const char *src, int dstsize);
--- a/openssh-5.7p1-blocksigalrm.diff
+++ b/openssh-5.7p1-blocksigalrm.diff
@ -1,4 +1,6 @@
--- log.c
+Index: log.c
 ===================================================================
 --- log.c.orig
 +++ log.c
@@ -51,6 +51,7 @@
@ -8,7 +10,7 @@
 static LogLevel log_level = SYSLOG_LEVEL_INFO;
 static int log_on_stderr = 1;
-@@ -336,6 +337,7 @@
+@@ -336,6 +337,7 @@ do_log(LogLevel level, const char *fmt,
 	char fmtbuf[MSGBUFSIZ];
 	char *txt = NULL;
 	int pri = LOG_INFO;
@ -16,22 +18,22 @@
 	int saved_errno = errno;
 	if (level > log_level)
-@@ -387,6 +389,14 @@
+@@ -387,6 +389,14 @@ do_log(LogLevel level, const char *fmt,
 		snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf);
 		write(STDERR_FILENO, msgbuf, strlen(msgbuf));
 	} else {
 +		/* Prevent a race between the grace_alarm
 +		* which writes a log message and terminates
-+		* and main sshd code that leads to deadlock 
+		* and main sshd code that leads to deadlock
 +		* as syslog is not async safe.
-+		*/ 
+		*/
 +		sigemptyset(&nset);
 +		sigaddset(&nset, SIGALRM);
 +		sigprocmask(SIG_BLOCK, &nset, &oset);
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
 		openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata);
 		syslog_r(pri, &sdata, "%.500s", fmtbuf);
-@@ -396,6 +406,7 @@
+@@ -396,6 +406,7 @@ do_log(LogLevel level, const char *fmt,
 		syslog(pri, "%.500s", fmtbuf);
 		closelog();
 #endif
--- a/openssh-5.7p1-default-protocol.diff
+++ b/openssh-5.7p1-default-protocol.diff
--- a/openssh-5.7p1-eal3.diff
+++ b/openssh-5.7p1-eal3.diff
@ -1,26 +1,26 @@
-Index: openssh-5.6p1/sshd.8
+Index: openssh-5.7p1/sshd.8
 ===================================================================
--- openssh-5.6p1.orig/sshd.8
+--- openssh-5.7p1.orig/sshd.8
-+++ openssh-5.6p1/sshd.8
+++ openssh-5.7p1/sshd.8
-@@ -850,7 +850,7 @@ Contains Diffie-Hellman groups used for
+@@ -855,7 +855,7 @@ Contains Diffie-Hellman groups used for
 The file format is described in
 .Xr moduli 5 .
 .Pp
-.It /etc/motd
+-.It Pa /etc/motd
-+.It /etc/lib/motd
+.It Pa /etc/lib/motd
 See
 .Xr motd 5 .
 .Pp
-@@ -863,7 +863,7 @@ are displayed to anyone trying to log in
+@@ -868,7 +868,7 @@ are displayed to anyone trying to log in
 refused.
 The file should be world-readable.
 .Pp
-.It /etc/shosts.equiv
+-.It Pa /etc/shosts.equiv
-+.It /etc/ssh/shosts.equiv
+.It Pa /etc/ssh/shosts.equiv
 This file is used in exactly the same way as
 .Pa hosts.equiv ,
 but allows host-based authentication without permitting login with
-@@ -940,8 +940,7 @@ The content of this file is not sensitiv
+@@ -947,8 +947,7 @@ The content of this file is not sensitiv
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
 .Xr hosts_access 5 ,
@ -30,11 +30,11 @@ Index: openssh-5.6p1/sshd.8
 .Xr sshd_config 5 ,
 .Xr inetd 8 ,
 .Xr sftp-server 8
-Index: openssh-5.6p1/sshd_config.5
+Index: openssh-5.7p1/sshd_config.5
 ===================================================================
--- openssh-5.6p1.orig/sshd_config.5
+--- openssh-5.7p1.orig/sshd_config.5
-+++ openssh-5.6p1/sshd_config.5
+++ openssh-5.7p1/sshd_config.5
-@@ -496,7 +496,7 @@ or
+@@ -497,7 +497,7 @@ or
 .Pp
 .Pa /etc/hosts.equiv
 and
--- a/openssh-5.7p1-engines.diff
+++ b/openssh-5.7p1-engines.diff
@ -1,7 +1,7 @@
-Index: openssh-5.6p1/ssh-add.c
+Index: openssh-5.7p1/ssh-add.c
 ===================================================================
--- openssh-5.6p1.orig/ssh-add.c
+--- openssh-5.7p1.orig/ssh-add.c
-+++ openssh-5.6p1/ssh-add.c
+++ openssh-5.7p1/ssh-add.c
@@ -43,6 +43,7 @@
 #include <openssl/evp.h>
@ -10,9 +10,9 @@ Index: openssh-5.6p1/ssh-add.c
 #include <fcntl.h>
 #include <pwd.h>
-@@ -374,6 +375,10 @@ main(int argc, char **argv)
+@@ -377,6 +378,10 @@ main(int argc, char **argv)
- 	SSLeay_add_all_algorithms();
+ 	OpenSSL_add_all_algorithms();
 +	/* Init available hardware crypto engines. */
 +	ENGINE_load_builtin_engines();
@ -21,10 +21,10 @@ Index: openssh-5.6p1/ssh-add.c
 	/* At first, get a connection to the authentication agent. */
 	ac = ssh_get_authentication_connection();
 	if (ac == NULL) {
-Index: openssh-5.6p1/ssh-agent.c
+Index: openssh-5.7p1/ssh-agent.c
 ===================================================================
--- openssh-5.6p1.orig/ssh-agent.c
+--- openssh-5.7p1.orig/ssh-agent.c
-+++ openssh-5.6p1/ssh-agent.c
+++ openssh-5.7p1/ssh-agent.c
@@ -52,6 +52,7 @@
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@ -33,9 +33,9 @@ Index: openssh-5.6p1/ssh-agent.c
 #include <errno.h>
 #include <fcntl.h>
-@@ -1094,6 +1095,10 @@ main(int ac, char **av)
+@@ -1153,6 +1154,10 @@ main(int ac, char **av)
- 	SSLeay_add_all_algorithms();
+ 	OpenSSL_add_all_algorithms();
 +	/* Init available hardware crypto engines. */
 +	ENGINE_load_builtin_engines();
@ -44,10 +44,10 @@ Index: openssh-5.6p1/ssh-agent.c
 	__progname = ssh_get_progname(av[0]);
 	init_rng();
 	seed_rng();
-Index: openssh-5.6p1/ssh-keygen.c
+Index: openssh-5.7p1/ssh-keygen.c
 ===================================================================
--- openssh-5.6p1.orig/ssh-keygen.c
+--- openssh-5.7p1.orig/ssh-keygen.c
-+++ openssh-5.6p1/ssh-keygen.c
+++ openssh-5.7p1/ssh-keygen.c
@@ -22,6 +22,7 @@
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@ -56,10 +56,10 @@ Index: openssh-5.6p1/ssh-keygen.c
 #include <errno.h>
 #include <fcntl.h>
-@@ -1782,6 +1783,11 @@ main(int argc, char **argv)
+@@ -1815,6 +1816,11 @@ main(int argc, char **argv)
 	__progname = ssh_get_progname(argv[0]);
- 	SSLeay_add_all_algorithms();
+ 	OpenSSL_add_all_algorithms();
 +
 +	/* Init available hardware crypto engines. */
 +	ENGINE_load_builtin_engines();
@ -68,10 +68,10 @@ Index: openssh-5.6p1/ssh-keygen.c
 	log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
 	init_rng();
-Index: openssh-5.6p1/ssh-keysign.c
+Index: openssh-5.7p1/ssh-keysign.c
 ===================================================================
--- openssh-5.6p1.orig/ssh-keysign.c
+--- openssh-5.7p1.orig/ssh-keysign.c
-+++ openssh-5.6p1/ssh-keysign.c
+++ openssh-5.7p1/ssh-keysign.c
@@ -38,6 +38,7 @@
 #include <openssl/evp.h>
 #include <openssl/rand.h>
@ -83,7 +83,7 @@ Index: openssh-5.6p1/ssh-keysign.c
@@ -195,6 +196,11 @@ main(int argc, char **argv)
 		fatal("could not open any host key");
- 	SSLeay_add_all_algorithms();
+ 	OpenSSL_add_all_algorithms();
 +
 +	/* Init available hardware crypto engines. */
 +	ENGINE_load_builtin_engines();
@ -92,11 +92,11 @@ Index: openssh-5.6p1/ssh-keysign.c
 	for (i = 0; i < 256; i++)
 		rnd[i] = arc4random();
 	RAND_seed(rnd, sizeof(rnd));
-Index: openssh-5.6p1/ssh.c
+Index: openssh-5.7p1/ssh.c
 ===================================================================
--- openssh-5.6p1.orig/ssh.c
+--- openssh-5.7p1.orig/ssh.c
-+++ openssh-5.6p1/ssh.c
+++ openssh-5.7p1/ssh.c
-@@ -74,6 +74,7 @@
+@@ -75,6 +75,7 @@
 #include <openssl/err.h>
 #include "openbsd-compat/openssl-compat.h"
 #include "openbsd-compat/sys-queue.h"
@ -104,8 +104,8 @@ Index: openssh-5.6p1/ssh.c
 #include "xmalloc.h"
 #include "ssh.h"
-@@ -602,6 +603,10 @@ main(int ac, char **av)
+@@ -601,6 +602,10 @@ main(int ac, char **av)
- 	SSLeay_add_all_algorithms();
+ 	OpenSSL_add_all_algorithms();
 	ERR_load_crypto_strings();
 +	/* Init available hardware crypto engines. */
@ -115,10 +115,10 @@ Index: openssh-5.6p1/ssh.c
 	/* Initialize the command to execute on remote host. */
 	buffer_init(&command);
-Index: openssh-5.6p1/sshd.c
+Index: openssh-5.7p1/sshd.c
 ===================================================================
--- openssh-5.6p1.orig/sshd.c
+--- openssh-5.7p1.orig/sshd.c
-+++ openssh-5.6p1/sshd.c
+++ openssh-5.7p1/sshd.c
@@ -77,6 +77,7 @@
 #include <openssl/md5.h>
 #include <openssl/rand.h>
@ -127,9 +127,9 @@ Index: openssh-5.6p1/sshd.c
 #ifdef HAVE_SECUREWARE
 #include <sys/security.h>
-@@ -1471,6 +1472,10 @@ main(int ac, char **av)
+@@ -1474,6 +1475,10 @@ main(int ac, char **av)
- 	SSLeay_add_all_algorithms();
+ 	OpenSSL_add_all_algorithms();
 +	/* Init available hardware crypto engines. */
 +	ENGINE_load_builtin_engines();
--- a/openssh-5.7p1-gssapimitm.patch
+++ b/openssh-5.7p1-gssapimitm.patch
@ -22,9 +22,9 @@ Index: auth2-gss.c
 				    SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
 				    &input_gssapi_exchange_complete);
 +
-+			/* 
+			/*
-+			 * Old style 'gssapi' didn't have the GSSAPI_MIC 
+			 * Old style 'gssapi' didn't have the GSSAPI_MIC
-+			 * and went straight to sending exchange_complete 
+			 * and went straight to sending exchange_complete
 +			 */
 +			if (options.gss_enable_mitm)
 +				dispatch_set(
@ -68,7 +68,7 @@ Index: readconf.c
 ===================================================================
 --- readconf.c.orig
 +++ readconf.c
-@@ -126,7 +126,7 @@ typedef enum {
+@@ -128,7 +128,7 @@ typedef enum {
 	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@ -77,7 +77,7 @@ Index: readconf.c
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
-@@ -167,9 +167,11 @@ static struct {
+@@ -170,9 +170,11 @@ static struct {
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
@ -89,18 +89,18 @@ Index: readconf.c
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
-@@ -477,6 +479,10 @@ parse_flag:
+@@ -483,6 +485,10 @@ parse_flag:
 	case oGssDelegateCreds:
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
-+		
+ 
 +	case oGssEnableMITM:
 +		intptr = &options->gss_enable_mitm;
 +		goto parse_flag;
- 
+
 	case oBatchMode:
 		intptr = &options->batch_mode;
-@@ -1059,6 +1065,7 @@ initialize_options(Options * options)
+ 		goto parse_flag;
@@ -1093,6 +1099,7 @@ initialize_options(Options * options)
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
 	options->gss_deleg_creds = -1;
@ -108,7 +108,7 @@ Index: readconf.c
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
-@@ -1158,6 +1165,8 @@ fill_default_options(Options * options)
+@@ -1195,6 +1202,8 @@ fill_default_options(Options * options)
 		options->gss_authentication = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
@ -133,7 +133,7 @@ Index: servconf.c
 ===================================================================
 --- servconf.c.orig
 +++ servconf.c
-@@ -94,6 +94,7 @@ initialize_server_options(ServerOptions
+@@ -98,6 +98,7 @@ initialize_server_options(ServerOptions
 	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
 	options->gss_cleanup_creds = -1;
@ -141,7 +141,7 @@ Index: servconf.c
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
-@@ -217,6 +218,8 @@ fill_default_server_options(ServerOption
+@@ -228,6 +229,8 @@ fill_default_server_options(ServerOption
 		options->gss_authentication = 0;
 	if (options->gss_cleanup_creds == -1)
 		options->gss_cleanup_creds = 1;
@ -150,7 +150,7 @@ Index: servconf.c
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-@@ -307,7 +310,7 @@ typedef enum {
+@@ -322,7 +325,7 @@ typedef enum {
 	sBanner, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@ -159,7 +159,7 @@ Index: servconf.c
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -370,9 +373,11 @@ static struct {
+@@ -386,9 +389,11 @@ static struct {
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -171,22 +171,22 @@ Index: servconf.c
 #endif
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -929,6 +934,10 @@ process_server_config_line(ServerOptions
+@@ -948,6 +953,10 @@ process_server_config_line(ServerOptions
 	case sGssCleanupCreds:
 		intptr = &options->gss_cleanup_creds;
 		goto parse_flag;
-+		
+ 
 +	case sGssEnableMITM:
 +		intptr = &options->gss_enable_mitm;
 +		goto parse_flag;
- 
+
 	case sPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;
 Index: servconf.h
 ===================================================================
 --- servconf.h.orig
 +++ servconf.h
-@@ -95,6 +95,7 @@ typedef struct {
+@@ -98,6 +98,7 @@ typedef struct {
 						 * authenticated with Kerberos. */
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
@ -203,11 +203,11 @@ Index: ssh_config
 #   TunnelDevice any:any
 #   PermitLocalCommand no
 +#   GSSAPIAuthentication no
-+#   GSSAPIDelegateCredentials no 
+#   GSSAPIDelegateCredentials no
 +
 +# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
 +# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
-+# in this release. The use of 'gssapi' is deprecated due to the presence of 
+# in this release. The use of 'gssapi' is deprecated due to the presence of
 +# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
 +#   GSSAPIEnableMITMAttack no
 +
@ -218,7 +218,7 @@ Index: sshconnect2.c
 ===================================================================
 --- sshconnect2.c.orig
 +++ sshconnect2.c
-@@ -263,6 +263,10 @@ Authmethod authmethods[] = {
+@@ -324,6 +324,10 @@ Authmethod authmethods[] = {
 		NULL,
 		&options.gss_authentication,
 		NULL},
@ -229,12 +229,12 @@ Index: sshconnect2.c
 #endif
 	{"hostbased",
 		userauth_hostbased,
-@@ -640,7 +644,9 @@ process_gssapi_token(void *ctxt, gss_buf
+@@ -701,7 +705,9 @@ process_gssapi_token(void *ctxt, gss_buf
 	if (status == GSS_S_COMPLETE) {
 		/* send either complete or MIC, depending on mechanism */
 -		if (!(flags & GSS_C_INTEG_FLAG)) {
-+		
+
 +		if (strcmp(authctxt->method->name,"gssapi")==0 ||
 +		    (!(flags & GSS_C_INTEG_FLAG))) {
 			packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
@ -244,16 +244,15 @@ Index: sshd_config
 ===================================================================
 --- sshd_config.orig
 +++ sshd_config
-@@ -72,6 +72,13 @@ PasswordAuthentication no
+@@ -73,6 +73,12 @@ PasswordAuthentication no
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 +# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
 +# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
-+# in this release. The use of 'gssapi' is deprecated due to the presence of 
+# in this release. The use of 'gssapi' is deprecated due to the presence of
 +# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
 +#GSSAPIEnableMITMAttack no
 + 
 +
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
--- a/openssh-5.7p1-homechroot.patch
+++ b/openssh-5.7p1-homechroot.patch
@ -48,7 +48,7 @@ Index: session.c
 static void do_authenticated1(Authctxt *);
 static void do_authenticated2(Authctxt *);
-@@ -806,6 +808,11 @@ do_exec(Session *s, const char *command)
+@@ -808,6 +810,11 @@ do_exec(Session *s, const char *command)
 		debug("Forced command (key option) '%.900s'", command);
 	}
@ -60,7 +60,7 @@ Index: session.c
 #ifdef SSH_AUDIT_EVENTS
 	if (command != NULL)
 		PRIVSEP(audit_run_command(command));
-@@ -1419,6 +1426,63 @@ do_nologin(struct passwd *pw)
+@@ -1421,6 +1428,63 @@ do_nologin(struct passwd *pw)
 }
 /*
@ -117,14 +117,14 @@ Index: session.c
 +			}
 +		}
 +		fatal ("chroot into directory without nodev or nosuid");
-+	}	
+	}
 +}
 +
 +/*
  * Chroot into a directory after checking it for safety: all path components
  * must be root-owned directories with strict permissions.
  */
-@@ -1428,6 +1492,7 @@ safely_chroot(const char *path, uid_t ui
+@@ -1430,6 +1494,7 @@ safely_chroot(const char *path, uid_t ui
 	const char *cp;
 	char component[MAXPATHLEN];
 	struct stat st;
@ -132,7 +132,7 @@ Index: session.c
 	if (*path != '/')
 		fatal("chroot path does not begin at root");
-@@ -1439,7 +1504,7 @@ safely_chroot(const char *path, uid_t ui
+@@ -1441,7 +1506,7 @@ safely_chroot(const char *path, uid_t ui
 	 * root-owned directory with strict permissions.
 	 */
 	for (cp = path; cp != NULL;) {
@ -141,7 +141,7 @@ Index: session.c
 			strlcpy(component, path, sizeof(component));
 		else {
 			cp++;
-@@ -1452,14 +1517,20 @@ safely_chroot(const char *path, uid_t ui
+@@ -1454,14 +1519,20 @@ safely_chroot(const char *path, uid_t ui
 		if (stat(component, &st) != 0)
 			fatal("%s: stat(\"%s\"): %s", __func__,
 			    component, strerror(errno));
@ -163,7 +163,7 @@ Index: session.c
 	}
 	if (chdir(path) == -1)
-@@ -1470,6 +1541,10 @@ safely_chroot(const char *path, uid_t ui
+@@ -1472,6 +1543,10 @@ safely_chroot(const char *path, uid_t ui
 	if (chdir("/") == -1)
 		fatal("%s: chdir(/) after chroot: %s",
 		    __func__, strerror(errno));
@ -257,7 +257,7 @@ Index: sshd_config.5
 ===================================================================
 --- sshd_config.5.orig
 +++ sshd_config.5
-@@ -269,6 +269,17 @@ inside the chroot directory (see
+@@ -268,6 +268,17 @@ inside the chroot directory (see
 .Xr sftp-server 8
 for details).
 .Pp
@ -267,7 +267,7 @@ Index: sshd_config.5
 +%h or
 +.Cm ChrootDirectory
 +/some/path/%u. The file system containing this directory must be
-+mounted with options nodev and either nosuid or noexec. The owner of the 
+mounted with options nodev and either nosuid or noexec. The owner of the
 +directory should be the user. The ownership of the other components of the path
 +must fulfill the usual conditions. No aditional files are required to be present
 +in the directory.
--- a/openssh-5.7p1-host_ident.diff
+++ b/openssh-5.7p1-host_ident.diff
@ -0,0 +1,16 @@
 Index: openssh-5.7p1/sshconnect.c
 ===================================================================
 --- openssh-5.7p1.orig/sshconnect.c
 +++ openssh-5.7p1/sshconnect.c
@@ -958,6 +958,11 @@ check_host_key(char *hostname, struct so
 		    user_hostfile);
 		error("Offending %s key in %s:%lu", key_type(host_found->key),
 		    host_found->file, host_found->line);
 +		error("You can use following command to remove all keys for this IP:");
 +		if (host_found->file)
 +			error("ssh-keygen -R %s -f %s", hostname, host_found->file);
 +		else
 +			error("ssh-keygen -R %s", hostname);
 		/*
 		 * If strict host key checking is in use, the user will have
--- a/openssh-5.7p1-pam-fix2.diff
+++ b/openssh-5.7p1-pam-fix2.diff
@ -2,7 +2,7 @@ Index: sshd_config
 ===================================================================
 --- sshd_config.orig
 +++ sshd_config
-@@ -56,7 +56,7 @@
+@@ -57,7 +57,7 @@
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
@ -11,7 +11,7 @@ Index: sshd_config
 #PermitEmptyPasswords no
 # Change to no to disable s/key passwords
-@@ -81,7 +81,7 @@
+@@ -82,7 +82,7 @@
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
--- a/openssh-5.7p1-pam-fix3.diff
+++ b/openssh-5.7p1-pam-fix3.diff
@ -1,6 +1,8 @@
--- auth-pam.c
+Index: auth-pam.c
 ===================================================================
 --- auth-pam.c.orig
 +++ auth-pam.c
-@@ -786,7 +786,9 @@
+@@ -786,7 +786,9 @@ sshpam_query(void *ctx, char **name, cha
 					fatal("Internal error: PAM auth "
 					    "succeeded when it should have "
 					    "failed");
--- a/openssh-5.7p1-pts.diff
+++ b/openssh-5.7p1-pts.diff
@ -2,7 +2,7 @@ Index: loginrec.c
 ===================================================================
 --- loginrec.c.orig
 +++ loginrec.c
-@@ -554,7 +554,7 @@ getlast_entry(struct logininfo *li)
+@@ -555,7 +555,7 @@ getlast_entry(struct logininfo *li)
  * 1. The full filename (including '/dev')
  * 2. The stripped name (excluding '/dev')
  * 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
@ -11,7 +11,7 @@ Index: loginrec.c
  *
  * Form 3 is used on some systems to identify a .tmp.? entry when
  * attempting to remove it. Typically both addition and removal is
-@@ -615,6 +615,10 @@ line_abbrevname(char *dst, const char *s
+@@ -616,6 +616,10 @@ line_abbrevname(char *dst, const char *s
 	if (strncmp(src, "tty", 3) == 0)
 		src += 3;
 #endif
--- a/openssh-5.7p1-saveargv-fix.diff
+++ b/openssh-5.7p1-saveargv-fix.diff
@ -10,7 +10,7 @@ Index: sshd.c
 	logit("Received SIGHUP; restarting.");
 	close_listen_socks();
 	close_startup_pipes();
-@@ -1316,7 +1317,11 @@ main(int ac, char **av)
+@@ -1319,7 +1320,11 @@ main(int ac, char **av)
 #ifndef HAVE_SETPROCTITLE
 	/* Prepare for later setproctitle emulation */
 	compat_init_setproctitle(ac, av);
--- a/openssh-5.7p1-selinux.diff
+++ b/openssh-5.7p1-selinux.diff
@ -0,0 +1,173 @@
 Index: openssh-5.7p1/ChangeLog
 ===================================================================
 --- openssh-5.7p1.orig/ChangeLog
 +++ openssh-5.7p1/ChangeLog
@@ -1,3 +1,10 @@
 +20110125
 + - (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c
 +   openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to
 +   port-linux.c to avoid compilation errors. Add -lselinux to ssh when
 +   building with SELinux support to avoid linking failure; report from
 +   amk AT spamfence.net; ok dtucker
 +
 20110122
  - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] Add
    RSA_get_default_method() for the benefit of openssl versions that don't
 Index: openssh-5.7p1/configure.ac
 ===================================================================
 --- openssh-5.7p1.orig/configure.ac
 +++ openssh-5.7p1/configure.ac
@@ -1,4 +1,4 @@
 -# $Id: configure.ac,v 1.469 2011/01/21 22:37:05 dtucker Exp $
 +# $Id: configure.ac,v 1.470 2011/01/25 01:16:17 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
 -AC_REVISION($Revision: 1.469 $)
 +AC_REVISION($Revision: 1.470 $)
 AC_CONFIG_SRCDIR([ssh.c])
 # local macros
@@ -737,7 +737,6 @@ mips-sony-bsd|mips-sony-newsos4)
 			[ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1,
 				[Define if you have Solaris process contracts])
 			  SSHDLIBS="$SSHDLIBS -lcontract"
 -			  AC_SUBST(SSHDLIBS)
 			  SPC_MSG="yes" ], )
 		],
 	)
@@ -748,7 +747,6 @@ mips-sony-bsd|mips-sony-newsos4)
 			[ AC_DEFINE(USE_SOLARIS_PROJECTS, 1,
 				[Define if you have Solaris projects])
 			SSHDLIBS="$SSHDLIBS -lproject"
 -			AC_SUBST(SSHDLIBS)
 			SP_MSG="yes" ], )
 		],
 	)
@@ -3515,11 +3513,14 @@ AC_ARG_WITH(selinux,
 			  LIBS="$LIBS -lselinux"
 			],
 			AC_MSG_ERROR(SELinux support requires libselinux library))
 +		SSHLIBS="$SSHLIBS $LIBSELINUX"
 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
 		LIBS="$save_LIBS"
 	fi ]
 )
 +AC_SUBST(SSHLIBS)
 +AC_SUBST(SSHDLIBS)
 # Check whether user wants Linux audit support
 LINUX_AUDIT_MSG="no"
@@ -4356,6 +4357,9 @@ echo "         Libraries: ${LIBS}"
 if test ! -z "${SSHDLIBS}"; then
 echo "         +for sshd: ${SSHDLIBS}"
 fi
 +if test ! -z "${SSHLIBS}"; then
 +echo "          +for ssh: ${SSHLIBS}"
 +fi
 echo ""
 Index: openssh-5.7p1/Makefile.in
 ===================================================================
 --- openssh-5.7p1.orig/Makefile.in
 +++ openssh-5.7p1/Makefile.in
@@ -1,4 +1,4 @@
 -# $Id: Makefile.in,v 1.320 2011/01/17 10:15:29 dtucker Exp $
 +# $Id: Makefile.in,v 1.321 2011/01/25 01:16:16 djm Exp $
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -47,6 +47,7 @@ CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
 LIBAUDIT=@LIBAUDIT@
 +SSHLIBS=@SSHLIBS@
 SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
 AR=@AR@
@@ -143,7 +144,7 @@ libssh.a: $(LIBSSH_OBJS)
 	$(RANLIB) $@
 ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
 -	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS)
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
 	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(LIBAUDIT)
 Index: openssh-5.7p1/openbsd-compat/port-linux.c
 ===================================================================
 --- openssh-5.7p1.orig/openbsd-compat/port-linux.c
 +++ openssh-5.7p1/openbsd-compat/port-linux.c
@@ -1,4 +1,4 @@
 -/* $Id: port-linux.c,v 1.11 2011/01/17 07:50:24 dtucker Exp $ */
 +/* $Id: port-linux.c,v 1.12 2011/01/25 01:16:18 djm Exp $ */
 /*
  * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@@ -205,6 +205,20 @@ ssh_selinux_change_context(const char *n
 	xfree(oldctx);
 	xfree(newctx);
 }
 +
 +void
 +ssh_selinux_setfscreatecon(const char *path)
 +{
 +		security_context_t context;
 +
 +		if (path == NULL) {
 +			setfscreatecon(NULL);
 +			return;
 +		}
 +		matchpathcon(path, 0700, &context);
 +		setfscreatecon(context);
 +}
 +
 #endif /* WITH_SELINUX */
 #ifdef LINUX_OOM_ADJUST
 Index: openssh-5.7p1/openbsd-compat/port-linux.h
 ===================================================================
 --- openssh-5.7p1.orig/openbsd-compat/port-linux.h
 +++ openssh-5.7p1/openbsd-compat/port-linux.h
@@ -1,4 +1,4 @@
 -/* $Id: port-linux.h,v 1.4 2009/12/08 02:39:48 dtucker Exp $ */
 +/* $Id: port-linux.h,v 1.5 2011/01/25 01:16:18 djm Exp $ */
 /*
  * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);
 void ssh_selinux_setup_exec_context(char *);
 void ssh_selinux_change_context(const char *);
 +void ssh_selinux_setfscreatecon(const char *);
 #endif
 #ifdef LINUX_OOM_ADJUST
 Index: openssh-5.7p1/ssh.c
 ===================================================================
 --- openssh-5.7p1.orig/ssh.c
 +++ openssh-5.7p1/ssh.c
@@ -857,15 +857,12 @@ main(int ac, char **av)
 	    strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
 	if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) {
 #ifdef WITH_SELINUX
 -		char *scon;
 -
 -		matchpathcon(buf, 0700, &scon);
 -		setfscreatecon(scon);
 +		ssh_selinux_setfscreatecon(buf);
 #endif
 		if (mkdir(buf, 0700) < 0)
 			error("Could not create directory '%.200s'.", buf);
 #ifdef WITH_SELINUX
 -		setfscreatecon(NULL);
 +		ssh_selinux_setfscreatecon(NULL);
 #endif
 	}
 	/* load options.identity_files */
--- a/openssh-5.7p1-send_locale.diff
+++ b/openssh-5.7p1-send_locale.diff
@ -8,8 +8,8 @@ Index: ssh_config
 ->>>>>>>
 +# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
-+SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
+SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-+SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
+SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 +SendEnv LC_IDENTIFICATION LC_ALL
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
@ -22,8 +22,8 @@ Index: sshd_config
 Subsystem	sftp	/usr/libexec/sftp-server
 +# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
-+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 +AcceptEnv LC_IDENTIFICATION LC_ALL
 +
 # Example of overriding settings on a per-user basis
--- a/openssh-5.7p1-sshconfig-knownhostschanges.diff
+++ b/openssh-5.7p1-sshconfig-knownhostschanges.diff
@ -2,11 +2,12 @@ Index: ssh_config
 ===================================================================
 --- ssh_config.orig
 +++ ssh_config
-@@ -67,5 +67,12 @@ ForwardX11Trusted yes
+@@ -67,5 +67,13 @@ ForwardX11Trusted yes
- SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 SendEnv LC_IDENTIFICATION LC_ALL
 -#   VisualHostKey no
 +
 +# This will print the fingerprint of the host key in "visual" form
 +# this should make it easier to also recognize bad things
 +VisualHostKey no
--- a/openssh-5.7p1-xauth.diff
+++ b/openssh-5.7p1-xauth.diff
@ -2,7 +2,7 @@ Index: session.c
 ===================================================================
 --- session.c.orig
 +++ session.c
-@@ -2525,8 +2525,41 @@ void
+@@ -2463,8 +2463,41 @@ void
 session_close(Session *s)
 {
 	u_int i;
--- a/openssh-5.7p1-xauthlocalhostname.diff
+++ b/openssh-5.7p1-xauthlocalhostname.diff
@ -2,7 +2,7 @@ Index: session.c
 ===================================================================
 --- session.c.orig
 +++ session.c
-@@ -1114,7 +1114,7 @@ copy_environment(char **source, char ***
+@@ -1116,7 +1116,7 @@ copy_environment(char **source, char ***
 }
 static char **
@ -11,7 +11,7 @@ Index: session.c
 {
 	char buf[256];
 	u_int i, envsize;
-@@ -1301,6 +1301,8 @@ do_setup_env(Session *s, const char *she
+@@ -1303,6 +1303,8 @@ do_setup_env(Session *s, const char *she
 		for (i = 0; env[i]; i++)
 			fprintf(stderr, "  %.200s\n", env[i]);
 	}
@ -20,7 +20,7 @@ Index: session.c
 	return env;
 }
-@@ -1309,7 +1311,7 @@ do_setup_env(Session *s, const char *she
+@@ -1311,7 +1313,7 @@ do_setup_env(Session *s, const char *she
  * first in this order).
  */
 static void
@ -29,12 +29,12 @@ Index: session.c
 {
 	FILE *f = NULL;
 	char cmd[1024];
-@@ -1363,12 +1365,20 @@ do_rc_files(Session *s, const char *shel
+@@ -1365,12 +1367,20 @@ do_rc_files(Session *s, const char *shel
 		    options.xauth_location);
 		f = popen(cmd, "w");
 		if (f) {
 +			char hostname[MAXHOSTNAMELEN];
-+		    
+
 			fprintf(f, "remove %s\n",
 			    s->auth_display);
 			fprintf(f, "add %s %s %s\n",
@ -50,7 +50,7 @@ Index: session.c
 		} else {
 			fprintf(stderr, "Could not run %s\n",
 			    cmd);
-@@ -1670,6 +1680,7 @@ do_child(Session *s, const char *command
+@@ -1608,6 +1618,7 @@ do_child(Session *s, const char *command
 {
 	extern char **environ;
 	char **env;
@ -58,7 +58,7 @@ Index: session.c
 	char *argv[ARGV_MAX];
 	const char *shell, *shell0, *hostname = NULL;
 	struct passwd *pw = s->pw;
-@@ -1736,7 +1747,7 @@ do_child(Session *s, const char *command
+@@ -1674,7 +1685,7 @@ do_child(Session *s, const char *command
 	 * Make sure $SHELL points to the shell from the password file,
 	 * even if shell is overridden from login.conf
 	 */
@ -67,7 +67,7 @@ Index: session.c
 #ifdef HAVE_LOGIN_CAP
 	shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
-@@ -1805,7 +1816,7 @@ do_child(Session *s, const char *command
+@@ -1743,7 +1754,7 @@ do_child(Session *s, const char *command
 	closefrom(STDERR_FILENO + 1);
 	if (!options.use_login)
--- a/openssh-5.7p1.dif
+++ b/openssh-5.7p1.dif
@ -17,7 +17,7 @@ Index: ssh_config
 +# remote side (the "spoofed" X-server by the remote sshd) can read your
 +# keystrokes as you type, just like any other X11 client could do.
 +# Set this to "no" here for global effect or in your own ~/.ssh/config
-+# file if you want to have the remote X11 authentification data to 
+# file if you want to have the remote X11 authentification data to
 +# expire after two minutes after remote login.
 +ForwardX11Trusted yes
 +
@ -28,12 +28,12 @@ Index: sshd_config
 ===================================================================
 --- sshd_config.orig
 +++ sshd_config
-@@ -86,7 +86,7 @@
+@@ -87,7 +87,7 @@
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
 -#X11Forwarding no
-+X11Forwarding yes 
+X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
--- a/openssh-5.7p1.tar.bz2
+++ b/openssh-5.7p1.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:e8e4d63cbfdd0c97f8856693b4412e0bda78bb152ec1cb6f426193dc16d412c3
 size 894451
--- a/openssh-SuSE.tar.bz2
+++ b/openssh-SuSE.tar.bz2
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:0b46d50d58800dc184448c70485265894d97da90749019917708c22ac8845753
+oid sha256:a73f20ff86a679a64f3b94a666dc9e7e1b442fb2da09ddb56f9a01f4dbdbc241
-size 1943
+size 1975
--- a/openssh-askpass-gnome.changes
+++ b/openssh-askpass-gnome.changes
@ -1,3 +1,8 @@
 -------------------------------------------------------------------
 Mon Jan 24 11:51:10 UTC 2011 - lchiquitto@novell.com
 - Update to 5.7p1
 -------------------------------------------------------------------
 Wed Jan 12 13:37:38 CET 2011 - sbrabec@suse.cz
--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@ -1,5 +1,5 @@
 #
-# spec file for package openssh-askpass-gnome (Version 5.6p1)
+# spec file for package openssh-askpass-gnome (Version 5.7p1)
 #
 # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@ -22,8 +22,8 @@ Name:           openssh-askpass-gnome
 BuildRequires:  gtk2-devel krb5-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
 License:        BSD3c(or similar)
 Group:          Productivity/Networking/SSH
-Version:        5.6p1
+Version:        5.7p1
-Release:        8
+Release:        1
 Requires:       openssh = %{version} openssh-askpass = %{version}
 AutoReqProv:    on
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
--- a/openssh-linux-new-oomkill.patch
+++ b/openssh-linux-new-oomkill.patch
@ -1,94 +0,0 @@
 Index: openbsd-compat/port-linux.c
 ===================================================================
 RCS file: /home/dtucker/openssh/cvs/openssh/openbsd-compat/port-linux.c,v
 retrieving revision 1.9
 diff -u -p -r1.9 port-linux.c
 --- openbsd-compat/port-linux.c	10 Sep 2010 00:30:25 -0000	1.9
 +++ openbsd-compat/port-linux.c	16 Nov 2010 05:10:13 -0000
@@ -208,14 +208,21 @@ ssh_selinux_change_context(const char *n
 #endif /* WITH_SELINUX */
 #ifdef LINUX_OOM_ADJUST
 -#define OOM_ADJ_PATH	"/proc/self/oom_adj"
 /*
 - * The magic "don't kill me", as documented in eg:
 + * The magic "don't kill me" values, old and new, as documented in eg:
  * http://lxr.linux.no/#linux+v2.6.32/Documentation/filesystems/proc.txt
 + * http://lxr.linux.no/#linux+v2.6.36/Documentation/filesystems/proc.txt
  */
 -#define OOM_ADJ_NOKILL	-17
 static int oom_adj_save = INT_MIN;
 +static char *oom_adj_path = NULL;
 +struct {
 +	char *path;
 +	int value;
 +} oom_adjust[] = {
 +	{"/proc/self/oom_score_adj", -1000},	/* new values, 2.6.36 and up */
 +	{"/proc/self/oom_adj", -17},		/* old values, 2.6.35 and down */
 +};
 /*
  * Tell the kernel's out-of-memory killer to avoid sshd.
@@ -224,23 +231,31 @@ static int oom_adj_save = INT_MIN;
 void
 oom_adjust_setup(void)
 {
 +	int i, value;
 	FILE *fp;
 	debug3("%s", __func__);
 -	if ((fp = fopen(OOM_ADJ_PATH, "r+")) != NULL) {
 -		if (fscanf(fp, "%d", &oom_adj_save) != 1)
 -			verbose("error reading %s: %s", OOM_ADJ_PATH, strerror(errno));
 -		else {
 -			rewind(fp);
 -			if (fprintf(fp, "%d\n", OOM_ADJ_NOKILL) <= 0)
 -				verbose("error writing %s: %s",
 -				    OOM_ADJ_PATH, strerror(errno));
 -			else
 -				verbose("Set %s from %d to %d",
 -				    OOM_ADJ_PATH, oom_adj_save, OOM_ADJ_NOKILL);
 +	 for (i = 0; i < 2; i++) {
 +		oom_adj_path = oom_adjust[i].path;
 +		value = oom_adjust[i].value;
 +		if ((fp = fopen(oom_adj_path, "r+")) != NULL) {
 +			if (fscanf(fp, "%d", &oom_adj_save) != 1)
 +				verbose("error reading %s: %s", oom_adj_path,
 +				    strerror(errno));
 +			else {
 +				rewind(fp);
 +				if (fprintf(fp, "%d\n", value) <= 0)
 +					verbose("error writing %s: %s",
 +					   oom_adj_path, strerror(errno));
 +				else
 +					verbose("Set %s from %d to %d",
 +					   oom_adj_path, oom_adj_save, value);
 +			}
 +			fclose(fp);
 +			return;
 		}
 -		fclose(fp);
 	}
 +	oom_adj_path = NULL;
 }
 /* Restore the saved OOM adjustment */
@@ -250,13 +265,14 @@ oom_adjust_restore(void)
 	FILE *fp;
 	debug3("%s", __func__);
 -	if (oom_adj_save == INT_MIN || (fp = fopen(OOM_ADJ_PATH, "w")) == NULL)
 +	if (oom_adj_save == INT_MIN || oom_adj_save == NULL ||
 +	    (fp = fopen(oom_adj_path, "w")) == NULL)
 		return;
 	if (fprintf(fp, "%d\n", oom_adj_save) <= 0)
 -		verbose("error writing %s: %s", OOM_ADJ_PATH, strerror(errno));
 +		verbose("error writing %s: %s", oom_adj_path, strerror(errno));
 	else
 -		verbose("Set %s to %d", OOM_ADJ_PATH, oom_adj_save);
 +		verbose("Set %s to %d", oom_adj_path, oom_adj_save);
 	fclose(fp);
 	return;
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,39 @@
 -------------------------------------------------------------------
 Mon Jan 24 11:24:59 UTC 2011 - lchiquitto@novell.com
 - Update to 5.7p1
 * Implement Elliptic Curve Cryptography modes for key exchange (ECDH)
   and host/user keys (ECDSA) as specified by RFC5656.
 * sftp(1)/sftp-server(8): add a protocol extension to support a hard
   link operation.
 * scp(1): Add a new -3 option to scp: Copies between two remote hosts
   are transferred through the local host.
 * ssh(1): automatically order the hostkeys requested by the client
   based on which hostkeys are already recorded in known_hosts.
 * ssh(1)/sshd(8): add a new IPQoS option to specify arbitrary
   TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput.
 * sftp(1): the sftp client is now significantly faster at performing
   directory listings, using OpenBSD glob(3) extensions to preserve
   the results of stat(3) operations performed in the course of its
   execution rather than performing expensive round trips to fetch
   them again afterwards.
 * ssh(1): "atomically" create the listening mux socket by binding it on
   a temporary name and then linking it into position after listen() has
   succeeded.
 * ssh(1)/sshd(8): add a KexAlgorithms knob to the client and server
   configuration to allow selection of which key exchange methods are
   used by ssh(1) and sshd(8) and their order of preference.
 * sftp(1)/scp(1): factor out bandwidth limiting code from scp(1) into
   a generic bandwidth limiter that can be attached using the atomicio
   callback mechanism and use it to add a bandwidth limit option to
   sftp(1).
 * Support building against openssl-1.0.0a.
 * Bug fixes.
 - Remove patches that are now upstream:
 * openssh-5.6p1-tmpdir.diff
 * openssh-linux-new-oomkill.patch
 - Add upstream patch to fix build with SELinux enabled.
 -------------------------------------------------------------------
 Wed Jan 12 13:37:38 CET 2011 - sbrabec@suse.cz
--- a/openssh.spec
+++ b/openssh.spec
@ -1,5 +1,5 @@
 #
-# spec file for package openssh (Version 5.6p1)
+# spec file for package openssh (Version 5.7p1)
 #
 # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@ -29,8 +29,8 @@ Requires:       /bin/netstat
 PreReq:         pwdutils %insserv_prereq  %fillup_prereq coreutils
 Conflicts:      nonfreessh
 AutoReqProv:    on
-Version:        5.6p1
+Version:        5.7p1
-Release:        8
+Release:        1
 %define xversion 1.2.4.1
 Summary:        Secure Shell Client and Server (Remote Login Program)
 Url:            http://www.openssh.com/
@ -55,7 +55,6 @@ Patch7:         %{name}-%{version}-engines.diff
 Patch8:         %{name}-%{version}-blocksigalrm.diff
 Patch9:         %{name}-%{version}-send_locale.diff
 Patch10:        %{name}-%{version}-xauthlocalhostname.diff
 Patch11:        %{name}-%{version}-tmpdir.diff
 Patch12:        %{name}-%{version}-xauth.diff
 Patch14:        %{name}-%{version}-default-protocol.diff
 Patch15:        %{name}-%{version}-audit.patch
@ -63,7 +62,7 @@ Patch16:        %{name}-%{version}-pts.diff
 Patch17:        %{name}-%{version}-homechroot.patch
 Patch18:        %{name}-%{version}-sshconfig-knownhostschanges.diff
 Patch19:        %{name}-%{version}-host_ident.diff
-Patch20:        openssh-linux-new-oomkill.patch 
+Patch20:        %{name}-%{version}-selinux.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %package      askpass
@ -101,7 +100,6 @@ Window System passphrase dialog for OpenSSH.
 %patch8
 %patch9
 %patch10
 %patch11
 %patch12
 %patch14
 %patch15 -p1
@ -109,7 +107,7 @@ Window System passphrase dialog for OpenSSH.
 %patch17
 %patch18
 %patch19 -p1
-%patch20
+%patch20 -p1
 cp -v %{SOURCE4} .
 cp -v %{SOURCE6} .
 cd ../x11-ssh-askpass-%{xversion}