Accepting request 46105 from Base:System

Copy from Base:System/openssh based on submit request 46105 from user anicka

OBS-URL: https://build.opensuse.org/request/show/46105
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=48

openssh-5.5p1-forwards.diff

@@ -1,14 +0,0 @@
-Index: channels.c
-===================================================================
---- channels.c.orig
-+++ channels.c
-@@ -2625,6 +2625,9 @@ channel_setup_fwd_listener(int type, con
- 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
- 	in_port_t *lport_p;
- 
-+	if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
-+		fatal("channel_setup_fwd_listener: too many forwards");
-+
- 	host = (type == SSH_CHANNEL_RPORT_LISTENER) ?
- 	    listen_addr : host_to_connect;
- 	is_client = (type == SSH_CHANNEL_PORT_LISTENER);

openssh-5.5p1-sftp-leak.diff

@@ -1,12 +0,0 @@
-Index: openssh-5.4p1/sftp-client.c
-===================================================================
---- openssh-5.4p1.orig/sftp-client.c
-+++ openssh-5.4p1/sftp-client.c
-@@ -713,6 +713,7 @@ do_realpath(struct sftp_conn *conn, char
- 		u_int status = buffer_get_int(&msg);
- 
- 		error("Couldn't canonicalise: %s", fx2txt(status));
-+		buffer_free(&msg);
- 		return(NULL);
- 	} else if (type != SSH2_FXP_NAME)
- 		fatal("Expected SSH2_FXP_NAME(%u) packet, got %u",

openssh-5.5p1.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:125862cb2709afc830c90911c106d1ef24b5b657deceedb872982cb6544cc137
-size 876219

openssh-5.6p1-audit.patch

@@ -1,9 +1,9 @@
 # add support for Linux audit (FATE #120269)
 ================================================================================
-Index: openssh-5.4p1/Makefile.in
+Index: openssh-5.6p1/Makefile.in
 ===================================================================
---- openssh-5.4p1.orig/Makefile.in
-+++ openssh-5.4p1/Makefile.in
+--- openssh-5.6p1.orig/Makefile.in
++++ openssh-5.6p1/Makefile.in
 @@ -46,6 +46,7 @@ LD=@LD@
  CFLAGS=@CFLAGS@
  CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
@@ -21,10 +21,10 @@ Index: openssh-5.4p1/Makefile.in
  
  scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
  	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-Index: openssh-5.4p1/auth.c
+Index: openssh-5.6p1/auth.c
 ===================================================================
---- openssh-5.4p1.orig/auth.c
-+++ openssh-5.4p1/auth.c
+--- openssh-5.6p1.orig/auth.c
++++ openssh-5.6p1/auth.c
 @@ -293,6 +293,12 @@ auth_log(Authctxt *authctxt, int authent
  		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
  # endif
@@ -38,7 +38,7 @@ Index: openssh-5.4p1/auth.c
  #ifdef SSH_AUDIT_EVENTS
  	if (authenticated == 0 && !authctxt->postponed)
  		audit_event(audit_classify_auth(method));
-@@ -564,6 +570,10 @@ getpwnamallow(const char *user)
+@@ -586,6 +592,10 @@ getpwnamallow(const char *user)
  		record_failed_login(user,
  		    get_canonical_hostname(options.use_dns), "ssh");
  #endif
@@ -49,11 +49,11 @@ Index: openssh-5.4p1/auth.c
  #ifdef SSH_AUDIT_EVENTS
  		audit_event(SSH_INVALID_USER);
  #endif /* SSH_AUDIT_EVENTS */
-Index: openssh-5.4p1/config.h.in
+Index: openssh-5.6p1/config.h.in
 ===================================================================
---- openssh-5.4p1.orig/config.h.in
-+++ openssh-5.4p1/config.h.in
-@@ -1415,6 +1415,9 @@
+--- openssh-5.6p1.orig/config.h.in
++++ openssh-5.6p1/config.h.in
+@@ -1424,6 +1424,9 @@
  /* Define if you want SELinux support. */
  #undef WITH_SELINUX
  
@@ -63,11 +63,11 @@ Index: openssh-5.4p1/config.h.in
  /* Define to 1 if your processor stores words with the most significant byte
     first (like Motorola and SPARC, unlike Intel and VAX). */
  #undef WORDS_BIGENDIAN
-Index: openssh-5.4p1/configure.ac
+Index: openssh-5.6p1/configure.ac
 ===================================================================
---- openssh-5.4p1.orig/configure.ac
-+++ openssh-5.4p1/configure.ac
-@@ -3363,6 +3363,20 @@ AC_ARG_WITH(selinux,
+--- openssh-5.6p1.orig/configure.ac
++++ openssh-5.6p1/configure.ac
+@@ -3393,6 +3393,20 @@ AC_ARG_WITH(selinux,
  	fi ]
  )
  
@@ -88,7 +88,7 @@ Index: openssh-5.4p1/configure.ac
  # Check whether user wants Kerberos 5 support
  KRB5_MSG="no"
  AC_ARG_WITH(kerberos5,
-@@ -4182,6 +4196,7 @@ echo "                       PAM support
+@@ -4185,6 +4199,7 @@ echo "                       PAM support
  echo "                   OSF SIA support: $SIA_MSG"
  echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
@@ -96,10 +96,10 @@ Index: openssh-5.4p1/configure.ac
  echo "                 Smartcard support: $SCARD_MSG"
  echo "                     S/KEY support: $SKEY_MSG"
  echo "              TCP Wrappers support: $TCPW_MSG"
-Index: openssh-5.4p1/loginrec.c
+Index: openssh-5.6p1/loginrec.c
 ===================================================================
---- openssh-5.4p1.orig/loginrec.c
-+++ openssh-5.4p1/loginrec.c
+--- openssh-5.6p1.orig/loginrec.c
++++ openssh-5.6p1/loginrec.c
 @@ -176,6 +176,10 @@
  #include "auth.h"
  #include "buffer.h"
@@ -121,7 +121,7 @@ Index: openssh-5.4p1/loginrec.c
  int lastlog_write_entry(struct logininfo *li);
  int syslogin_write_entry(struct logininfo *li);
  
-@@ -440,6 +447,10 @@ login_write(struct logininfo *li)
+@@ -441,6 +448,10 @@ login_write(struct logininfo *li)
  
  	/* set the timestamp */
  	login_set_current_time(li);
@@ -132,7 +132,7 @@ Index: openssh-5.4p1/loginrec.c
  #ifdef USE_LOGIN
  	syslogin_write_entry(li);
  #endif
-@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
+@@ -1399,6 +1410,87 @@ wtmpx_get_entry(struct logininfo *li)
  }
  #endif /* USE_WTMPX */
  
@@ -220,10 +220,10 @@ Index: openssh-5.4p1/loginrec.c
  /**
   ** Low-level libutil login() functions
   **/
-Index: openssh-5.4p1/loginrec.h
+Index: openssh-5.6p1/loginrec.h
 ===================================================================
---- openssh-5.4p1.orig/loginrec.h
-+++ openssh-5.4p1/loginrec.h
+--- openssh-5.6p1.orig/loginrec.h
++++ openssh-5.6p1/loginrec.h
 @@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
  char *line_abbrevname(char *dst, const char *src, int dstsize);
  

openssh-5.6p1-eal3.diff

@@ -1,8 +1,8 @@
-Index: openssh-5.4p1/sshd.8
+Index: openssh-5.6p1/sshd.8
 ===================================================================
---- openssh-5.4p1.orig/sshd.8
-+++ openssh-5.4p1/sshd.8
-@@ -840,7 +840,7 @@ Contains Diffie-Hellman groups used for
+--- openssh-5.6p1.orig/sshd.8
++++ openssh-5.6p1/sshd.8
+@@ -850,7 +850,7 @@ Contains Diffie-Hellman groups used for
  The file format is described in
  .Xr moduli 5 .
  .Pp
@@ -11,7 +11,7 @@ Index: openssh-5.4p1/sshd.8
  See
  .Xr motd 5 .
  .Pp
-@@ -853,7 +853,7 @@ are displayed to anyone trying to log in
+@@ -863,7 +863,7 @@ are displayed to anyone trying to log in
  refused.
  The file should be world-readable.
  .Pp
@@ -20,7 +20,7 @@ Index: openssh-5.4p1/sshd.8
  This file is used in exactly the same way as
  .Pa hosts.equiv ,
  but allows host-based authentication without permitting login with
-@@ -930,8 +930,7 @@ The content of this file is not sensitiv
+@@ -940,8 +940,7 @@ The content of this file is not sensitiv
  .Xr ssh-keyscan 1 ,
  .Xr chroot 2 ,
  .Xr hosts_access 5 ,
@@ -30,11 +30,11 @@ Index: openssh-5.4p1/sshd.8
  .Xr sshd_config 5 ,
  .Xr inetd 8 ,
  .Xr sftp-server 8
-Index: openssh-5.4p1/sshd_config.5
+Index: openssh-5.6p1/sshd_config.5
 ===================================================================
---- openssh-5.4p1.orig/sshd_config.5
-+++ openssh-5.4p1/sshd_config.5
-@@ -451,7 +451,7 @@ or
+--- openssh-5.6p1.orig/sshd_config.5
++++ openssh-5.6p1/sshd_config.5
+@@ -496,7 +496,7 @@ or
  .Pp
  .Pa /etc/hosts.equiv
  and

openssh-5.6p1-engines.diff

@@ -1,7 +1,7 @@
-Index: openssh-5.4p1/ssh-add.c
+Index: openssh-5.6p1/ssh-add.c
 ===================================================================
---- openssh-5.4p1.orig/ssh-add.c
-+++ openssh-5.4p1/ssh-add.c
+--- openssh-5.6p1.orig/ssh-add.c
++++ openssh-5.6p1/ssh-add.c
 @@ -43,6 +43,7 @@
  
  #include <openssl/evp.h>
@@ -10,7 +10,7 @@ Index: openssh-5.4p1/ssh-add.c
  
  #include <fcntl.h>
  #include <pwd.h>
-@@ -366,6 +367,10 @@ main(int argc, char **argv)
+@@ -374,6 +375,10 @@ main(int argc, char **argv)
  
  	SSLeay_add_all_algorithms();
  
@@ -21,10 +21,10 @@ Index: openssh-5.4p1/ssh-add.c
  	/* At first, get a connection to the authentication agent. */
  	ac = ssh_get_authentication_connection();
  	if (ac == NULL) {
-Index: openssh-5.4p1/ssh-agent.c
+Index: openssh-5.6p1/ssh-agent.c
 ===================================================================
---- openssh-5.4p1.orig/ssh-agent.c
-+++ openssh-5.4p1/ssh-agent.c
+--- openssh-5.6p1.orig/ssh-agent.c
++++ openssh-5.6p1/ssh-agent.c
 @@ -52,6 +52,7 @@
  #include <openssl/evp.h>
  #include <openssl/md5.h>
@@ -33,7 +33,7 @@ Index: openssh-5.4p1/ssh-agent.c
  
  #include <errno.h>
  #include <fcntl.h>
-@@ -1091,6 +1092,10 @@ main(int ac, char **av)
+@@ -1094,6 +1095,10 @@ main(int ac, char **av)
  
  	SSLeay_add_all_algorithms();
  
@@ -44,10 +44,10 @@ Index: openssh-5.4p1/ssh-agent.c
  	__progname = ssh_get_progname(av[0]);
  	init_rng();
  	seed_rng();
-Index: openssh-5.4p1/ssh-keygen.c
+Index: openssh-5.6p1/ssh-keygen.c
 ===================================================================
---- openssh-5.4p1.orig/ssh-keygen.c
-+++ openssh-5.4p1/ssh-keygen.c
+--- openssh-5.6p1.orig/ssh-keygen.c
++++ openssh-5.6p1/ssh-keygen.c
 @@ -22,6 +22,7 @@
  #include <openssl/evp.h>
  #include <openssl/pem.h>
@@ -56,7 +56,7 @@ Index: openssh-5.4p1/ssh-keygen.c
  
  #include <errno.h>
  #include <fcntl.h>
-@@ -1523,6 +1524,11 @@ main(int argc, char **argv)
+@@ -1782,6 +1783,11 @@ main(int argc, char **argv)
  	__progname = ssh_get_progname(argv[0]);
  
  	SSLeay_add_all_algorithms();
@@ -68,10 +68,10 @@ Index: openssh-5.4p1/ssh-keygen.c
  	log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
  
  	init_rng();
-Index: openssh-5.4p1/ssh-keysign.c
+Index: openssh-5.6p1/ssh-keysign.c
 ===================================================================
---- openssh-5.4p1.orig/ssh-keysign.c
-+++ openssh-5.4p1/ssh-keysign.c
+--- openssh-5.6p1.orig/ssh-keysign.c
++++ openssh-5.6p1/ssh-keysign.c
 @@ -38,6 +38,7 @@
  #include <openssl/evp.h>
  #include <openssl/rand.h>
@@ -92,10 +92,10 @@ Index: openssh-5.4p1/ssh-keysign.c
  	for (i = 0; i < 256; i++)
  		rnd[i] = arc4random();
  	RAND_seed(rnd, sizeof(rnd));
-Index: openssh-5.4p1/ssh.c
+Index: openssh-5.6p1/ssh.c
 ===================================================================
---- openssh-5.4p1.orig/ssh.c
-+++ openssh-5.4p1/ssh.c
+--- openssh-5.6p1.orig/ssh.c
++++ openssh-5.6p1/ssh.c
 @@ -74,6 +74,7 @@
  #include <openssl/err.h>
  #include "openbsd-compat/openssl-compat.h"
@@ -104,7 +104,7 @@ Index: openssh-5.4p1/ssh.c
  
  #include "xmalloc.h"
  #include "ssh.h"
-@@ -584,6 +585,10 @@ main(int ac, char **av)
+@@ -602,6 +603,10 @@ main(int ac, char **av)
  	SSLeay_add_all_algorithms();
  	ERR_load_crypto_strings();
  
@@ -115,10 +115,10 @@ Index: openssh-5.4p1/ssh.c
  	/* Initialize the command to execute on remote host. */
  	buffer_init(&command);
  
-Index: openssh-5.4p1/sshd.c
+Index: openssh-5.6p1/sshd.c
 ===================================================================
---- openssh-5.4p1.orig/sshd.c
-+++ openssh-5.4p1/sshd.c
+--- openssh-5.6p1.orig/sshd.c
++++ openssh-5.6p1/sshd.c
 @@ -77,6 +77,7 @@
  #include <openssl/md5.h>
  #include <openssl/rand.h>
@@ -127,7 +127,7 @@ Index: openssh-5.4p1/sshd.c
  
  #ifdef HAVE_SECUREWARE
  #include <sys/security.h>
-@@ -1462,6 +1463,10 @@ main(int ac, char **av)
+@@ -1471,6 +1472,10 @@ main(int ac, char **av)
  
  	SSLeay_add_all_algorithms();
  

openssh-5.6p1-gssapimitm.patch

@@ -75,9 +75,9 @@ Index: readconf.c
 -	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
 +	oAddressFamily, oGssAuthentication, oGssDelegateCreds, oGssEnableMITM,
  	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- 	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
- 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-@@ -165,9 +165,11 @@ static struct {
+ 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
+ 	oHashKnownHosts,
+@@ -167,9 +167,11 @@ static struct {
  #if defined(GSSAPI)
  	{ "gssapiauthentication", oGssAuthentication },
  	{ "gssapidelegatecredentials", oGssDelegateCreds },
@@ -89,7 +89,7 @@ Index: readconf.c
  #endif
  	{ "fallbacktorsh", oDeprecated },
  	{ "usersh", oDeprecated },
-@@ -459,6 +461,10 @@ parse_flag:
+@@ -477,6 +479,10 @@ parse_flag:
  	case oGssDelegateCreds:
  		intptr = &options->gss_deleg_creds;
  		goto parse_flag;
@@ -100,7 +100,7 @@ Index: readconf.c
  
  	case oBatchMode:
  		intptr = &options->batch_mode;
-@@ -1016,6 +1022,7 @@ initialize_options(Options * options)
+@@ -1059,6 +1065,7 @@ initialize_options(Options * options)
  	options->challenge_response_authentication = -1;
  	options->gss_authentication = -1;
  	options->gss_deleg_creds = -1;
@@ -108,7 +108,7 @@ Index: readconf.c
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
  	options->kbd_interactive_devices = NULL;
-@@ -1109,6 +1116,8 @@ fill_default_options(Options * options)
+@@ -1158,6 +1165,8 @@ fill_default_options(Options * options)
  		options->gss_authentication = 0;
  	if (options->gss_deleg_creds == -1)
  		options->gss_deleg_creds = 0;
@@ -121,7 +121,7 @@ Index: readconf.h
 ===================================================================
 --- readconf.h.orig
 +++ readconf.h
-@@ -45,6 +45,7 @@ typedef struct {
+@@ -47,6 +47,7 @@ typedef struct {
  					/* Try S/Key or TIS, authentication. */
  	int     gss_authentication;	/* Try GSS authentication */
  	int     gss_deleg_creds;	/* Delegate GSS credentials */
@@ -141,7 +141,7 @@ Index: servconf.c
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
  	options->challenge_response_authentication = -1;
-@@ -216,6 +217,8 @@ fill_default_server_options(ServerOption
+@@ -217,6 +218,8 @@ fill_default_server_options(ServerOption
  		options->gss_authentication = 0;
  	if (options->gss_cleanup_creds == -1)
  		options->gss_cleanup_creds = 1;
@@ -150,7 +150,7 @@ Index: servconf.c
  	if (options->password_authentication == -1)
  		options->password_authentication = 1;
  	if (options->kbd_interactive_authentication == -1)
-@@ -306,7 +309,7 @@ typedef enum {
+@@ -307,7 +310,7 @@ typedef enum {
  	sBanner, sUseDNS, sHostbasedAuthentication,
  	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
  	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@@ -159,7 +159,7 @@ Index: servconf.c
  	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
  	sUsePrivilegeSeparation, sAllowAgentForwarding,
  	sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -369,9 +372,11 @@ static struct {
+@@ -370,9 +373,11 @@ static struct {
  #ifdef GSSAPI
  	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
  	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -171,7 +171,7 @@ Index: servconf.c
  #endif
  	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
  	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -928,6 +933,10 @@ process_server_config_line(ServerOptions
+@@ -929,6 +934,10 @@ process_server_config_line(ServerOptions
  	case sGssCleanupCreds:
  		intptr = &options->gss_cleanup_creds;
  		goto parse_flag;

openssh-5.6p1-homechroot.patch

@@ -39,7 +39,7 @@ Index: session.c
 ===================================================================
 --- session.c.orig
 +++ session.c
-@@ -119,6 +119,8 @@ void	do_child(Session *, const char *);
+@@ -120,6 +120,8 @@ void	do_child(Session *, const char *);
  void	do_motd(void);
  int	check_quietlogin(Session *, const char *);
  
@@ -48,7 +48,7 @@ Index: session.c
  static void do_authenticated1(Authctxt *);
  static void do_authenticated2(Authctxt *);
  
-@@ -805,6 +807,11 @@ do_exec(Session *s, const char *command)
+@@ -806,6 +808,11 @@ do_exec(Session *s, const char *command)
  		debug("Forced command (key option) '%.900s'", command);
  	}
  
@@ -60,7 +60,7 @@ Index: session.c
  #ifdef SSH_AUDIT_EVENTS
  	if (command != NULL)
  		PRIVSEP(audit_run_command(command));
-@@ -1418,6 +1425,63 @@ do_nologin(struct passwd *pw)
+@@ -1419,6 +1426,63 @@ do_nologin(struct passwd *pw)
  }
  
  /*
@@ -124,7 +124,7 @@ Index: session.c
   * Chroot into a directory after checking it for safety: all path components
   * must be root-owned directories with strict permissions.
   */
-@@ -1427,6 +1491,7 @@ safely_chroot(const char *path, uid_t ui
+@@ -1428,6 +1492,7 @@ safely_chroot(const char *path, uid_t ui
  	const char *cp;
  	char component[MAXPATHLEN];
  	struct stat st;
@@ -132,7 +132,7 @@ Index: session.c
  
  	if (*path != '/')
  		fatal("chroot path does not begin at root");
-@@ -1438,7 +1503,7 @@ safely_chroot(const char *path, uid_t ui
+@@ -1439,7 +1504,7 @@ safely_chroot(const char *path, uid_t ui
  	 * root-owned directory with strict permissions.
  	 */
  	for (cp = path; cp != NULL;) {
@@ -141,7 +141,7 @@ Index: session.c
  			strlcpy(component, path, sizeof(component));
  		else {
  			cp++;
-@@ -1451,14 +1516,20 @@ safely_chroot(const char *path, uid_t ui
+@@ -1452,14 +1517,20 @@ safely_chroot(const char *path, uid_t ui
  		if (stat(component, &st) != 0)
  			fatal("%s: stat(\"%s\"): %s", __func__,
  			    component, strerror(errno));
@@ -163,7 +163,7 @@ Index: session.c
  	}
  
  	if (chdir(path) == -1)
-@@ -1469,6 +1540,10 @@ safely_chroot(const char *path, uid_t ui
+@@ -1470,6 +1541,10 @@ safely_chroot(const char *path, uid_t ui
  	if (chdir("/") == -1)
  		fatal("%s: chdir(/) after chroot: %s",
  		    __func__, strerror(errno));
@@ -238,9 +238,9 @@ Index: sshd_config.0
 ===================================================================
 --- sshd_config.0.orig
 +++ sshd_config.0
-@@ -115,6 +115,14 @@ DESCRIPTION
-              which use logging do require /dev/log inside the chroot directory
-              (see sftp-server(8) for details).
+@@ -143,6 +143,14 @@ DESCRIPTION
+              though sessions which use logging do require /dev/log inside the
+              chroot directory (see sftp-server(8) for details).
  
 +             In the special case when only sftp is used, not ssh nor scp, it
 +             is possible to use ChrootDirectory %h or ChrootDirectory
@@ -257,7 +257,7 @@ Index: sshd_config.5
 ===================================================================
 --- sshd_config.5.orig
 +++ sshd_config.5
-@@ -224,6 +224,17 @@ inside the chroot directory (see
+@@ -269,6 +269,17 @@ inside the chroot directory (see
  .Xr sftp-server 8
  for details).
  .Pp

openssh-5.6p1-host_ident.diff

@@ -0,0 +1,16 @@
+Index: openssh-5.5p1/sshconnect.c
+===================================================================
+--- openssh-5.5p1.orig/sshconnect.c
++++ openssh-5.5p1/sshconnect.c
+@@ -916,6 +916,11 @@ check_host_key(char *hostname, struct so
+ 		error("Add correct host key in %.100s to get rid of this message.",
+ 		    user_hostfile);
+ 		error("Offending key in %s:%d", host_file, host_line);
++		error("You can use following command to remove all keys for this IP:");
++		if (ip_file)
++			error("ssh-keygen -R %s -f %s", hostname, ip_file);
++		else
++			error("ssh-keygen -R %s", hostname);
+ 
+ 		/*
+ 		 * If strict host key checking is in use, the user will have

openssh-5.6p1-pts.diff

@@ -1,6 +1,8 @@
---- loginrec.c
+Index: loginrec.c
+===================================================================
+--- loginrec.c.orig
 +++ loginrec.c
-@@ -549,7 +549,7 @@
+@@ -554,7 +554,7 @@ getlast_entry(struct logininfo *li)
   * 1. The full filename (including '/dev')
   * 2. The stripped name (excluding '/dev')
   * 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00
@@ -9,7 +11,7 @@
   *
   * Form 3 is used on some systems to identify a .tmp.? entry when
   * attempting to remove it. Typically both addition and removal is
-@@ -610,6 +610,10 @@
+@@ -615,6 +615,10 @@ line_abbrevname(char *dst, const char *s
  	if (strncmp(src, "tty", 3) == 0)
  		src += 3;
  #endif

openssh-5.6p1-saveargv-fix.diff

@@ -10,7 +10,7 @@ Index: sshd.c
  	logit("Received SIGHUP; restarting.");
  	close_listen_socks();
  	close_startup_pipes();
-@@ -1307,7 +1308,11 @@ main(int ac, char **av)
+@@ -1316,7 +1317,11 @@ main(int ac, char **av)
  #ifndef HAVE_SETPROCTITLE
  	/* Prepare for later setproctitle emulation */
  	compat_init_setproctitle(ac, av);

openssh-5.6p1-tmpdir.diff

@@ -2,7 +2,7 @@ Index: ssh-agent.c
 ===================================================================
 --- ssh-agent.c.orig
 +++ ssh-agent.c
-@@ -1174,8 +1174,18 @@ main(int ac, char **av)
+@@ -1177,8 +1177,18 @@ main(int ac, char **av)
  	parent_pid = getpid();
  
  	if (agentsocket == NULL) {

openssh-5.6p1-xauth.diff

@@ -2,7 +2,7 @@ Index: session.c
 ===================================================================
 --- session.c.orig
 +++ session.c
-@@ -2521,8 +2521,41 @@ void
+@@ -2525,8 +2525,41 @@ void
  session_close(Session *s)
  {
  	u_int i;

openssh-5.6p1-xauthlocalhostname.diff

@@ -2,7 +2,7 @@ Index: session.c
 ===================================================================
 --- session.c.orig
 +++ session.c
-@@ -1113,7 +1113,7 @@ copy_environment(char **source, char ***
+@@ -1114,7 +1114,7 @@ copy_environment(char **source, char ***
  }
  
  static char **
@@ -11,7 +11,7 @@ Index: session.c
  {
  	char buf[256];
  	u_int i, envsize;
-@@ -1300,6 +1300,8 @@ do_setup_env(Session *s, const char *she
+@@ -1301,6 +1301,8 @@ do_setup_env(Session *s, const char *she
  		for (i = 0; env[i]; i++)
  			fprintf(stderr, "  %.200s\n", env[i]);
  	}
@@ -20,7 +20,7 @@ Index: session.c
  	return env;
  }
  
-@@ -1308,7 +1310,7 @@ do_setup_env(Session *s, const char *she
+@@ -1309,7 +1311,7 @@ do_setup_env(Session *s, const char *she
   * first in this order).
   */
  static void
@@ -29,7 +29,7 @@ Index: session.c
  {
  	FILE *f = NULL;
  	char cmd[1024];
-@@ -1362,12 +1364,20 @@ do_rc_files(Session *s, const char *shel
+@@ -1363,12 +1365,20 @@ do_rc_files(Session *s, const char *shel
  		    options.xauth_location);
  		f = popen(cmd, "w");
  		if (f) {
@@ -50,7 +50,7 @@ Index: session.c
  		} else {
  			fprintf(stderr, "Could not run %s\n",
  			    cmd);
-@@ -1669,6 +1679,7 @@ do_child(Session *s, const char *command
+@@ -1670,6 +1680,7 @@ do_child(Session *s, const char *command
  {
  	extern char **environ;
  	char **env;
@@ -58,7 +58,7 @@ Index: session.c
  	char *argv[ARGV_MAX];
  	const char *shell, *shell0, *hostname = NULL;
  	struct passwd *pw = s->pw;
-@@ -1735,7 +1746,7 @@ do_child(Session *s, const char *command
+@@ -1736,7 +1747,7 @@ do_child(Session *s, const char *command
  	 * Make sure $SHELL points to the shell from the password file,
  	 * even if shell is overridden from login.conf
  	 */
@@ -67,7 +67,7 @@ Index: session.c
  
  #ifdef HAVE_LOGIN_CAP
  	shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
-@@ -1803,7 +1814,7 @@ do_child(Session *s, const char *command
+@@ -1805,7 +1816,7 @@ do_child(Session *s, const char *command
  	closefrom(STDERR_FILENO + 1);
  
  	if (!options.use_login)

openssh-5.6p1.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7ee242e0236597108ed3156420e6a7d517fffe21d89755c37f09cceb5d796e4c
+size 896204

openssh-askpass-gnome.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Aug 24 15:50:17 CEST 2010 - anicka@suse.cz
+
+- update to 5.6p1 
+
 -------------------------------------------------------------------
 Fri Mar 26 11:04:59 CET 2010 - anicka@suse.cz
 

openssh-askpass-gnome.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package openssh-askpass-gnome (Version 5.5p1)
+# spec file for package openssh-askpass-gnome (Version 5.6p1)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -22,7 +22,7 @@ Name:           openssh-askpass-gnome
 BuildRequires:  gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
 License:        BSD3c(or similar)
 Group:          Productivity/Networking/SSH
-Version:        5.5p1
+Version:        5.6p1
 Release:        1
 Requires:       openssh = %{version} openssh-askpass = %{version}
 AutoReqProv:    on

openssh.changes

@@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Tue Aug 24 15:43:08 CEST 2010 - anicka@suse.cz
+
+- update to 5.6p1
+ * Added a ControlPersist option to ssh_config(5) that automatically
+   starts a background ssh(1) multiplex master when connecting.
+ * Hostbased authentication may now use certificate host keys.
+ * ssh-keygen(1) now supports signing certificate using a CA key that
+   has been stored in a PKCS#11 token.
+ * ssh(1) will now log the hostname and address that we connected to at
+   LogLevel=verbose after authentication is successful to mitigate
+   "phishing" attacks by servers with trusted keys that accept
+   authentication silently and automatically before presenting fake
+   password/passphrase prompts.
+ * Expand %h to the hostname in ssh_config Hostname options.
+ * Allow ssh-keygen(1) to import (-i) and export (-e) of PEM and PKCS#8
+   keys in addition to RFC4716 (SSH.COM) encodings via a new -m option 
+ * sshd(8) will now queue debug messages for bad ownership or
+   permissions on the user's keyfiles encountered during authentication
+   and will send them after authentication has successfully completed.
+ * ssh(1) connection multiplexing now supports remote forwarding with
+   dynamic port allocation and can report the allocated port back to
+   the user
+ * sshd(8) now supports indirection in matching of principal names
+   listed in certificates.
+ * sshd(8) now has a new AuthorizedPrincipalsFile option to specify a
+   file containing a list of names that may be accepted in place of the
+   username when authorizing a certificate trusted via the
+   sshd_config(5) TrustedCAKeys option.
+ * Additional sshd_config(5) options are now valid inside Match blocks
+ * Revised the format of certificate keys.
+ * bugfixes 
+- removed -forward patch (SSH_MAX_FORWARDS_PER_DIRECTION not hard-coded
+  any more), removed memory leak fix (fixed in upstream)
+
+-------------------------------------------------------------------
+Fri Aug 20 13:00:43 CEST 2010 - anicka@suse.cz
+
+- hint user how to remove offending keys (bnc#625552) 
+
 -------------------------------------------------------------------
 Thu Jul 22 17:58:09 CEST 2010 - anicka@suse.cz
 

openssh.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package openssh (Version 5.5p1)
+# spec file for package openssh (Version 5.6p1)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -35,7 +35,7 @@ Requires:       /bin/netstat
 PreReq:         pwdutils %insserv_prereq  %fillup_prereq coreutils permissions
 Conflicts:      nonfreessh
 AutoReqProv:    on
-Version:        5.5p1
+Version:        5.6p1
 Release:        1
 %define xversion 1.2.4.1
 Summary:        Secure Shell Client and Server (Remote Login Program)
@@ -66,10 +66,9 @@ Patch12:        %{name}-%{version}-xauth.diff
 Patch14:        %{name}-%{version}-default-protocol.diff
 Patch15:        %{name}-%{version}-audit.patch
 Patch16:        %{name}-%{version}-pts.diff
-Patch17:        %{name}-%{version}-forwards.diff
-Patch18:        %{name}-%{version}-homechroot.patch
-Patch19:        %{name}-%{version}-sshconfig-knownhostschanges.diff
-Patch20:        %{name}-%{version}-sftp-leak.diff	
+Patch17:        %{name}-%{version}-homechroot.patch
+Patch18:        %{name}-%{version}-sshconfig-knownhostschanges.diff
+Patch19:        %{name}-%{version}-host_ident.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %package      askpass
@@ -114,8 +113,7 @@ Window System passphrase dialog for OpenSSH.
 %patch16
 %patch17
 %patch18
-%patch19
-%patch20 -p1
+%patch19 -p1
 cp -v %{SOURCE4} .
 cp -v %{SOURCE6} .
 cd ../x11-ssh-askpass-%{xversion}