Accepting request 35778 from Base:System

Copy from Base:System/openssh based on submit request 35778 from user anicka OBS-URL: https://build.opensuse.org/request/show/35778 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=39
2010-03-26 15:29:14 +00:00 · 2010-03-26 15:29:14 +00:00 · c1af9ee4bd
commit c1af9ee4bd
parent 07d1c9f99b
26 changed files with 346 additions and 246 deletions
--- a/openssh-5.2p1-gcc-fix.patch
+++ b/openssh-5.2p1-gcc-fix.patch
@ -1,10 +0,0 @@
--- scard-opensc.c
-+++ scard-opensc.c
-@@ -31,6 +31,7 @@
- #include <openssl/evp.h>
- #include <openssl/x509.h>
- 
-+#include <string.h>
- #include <stdarg.h>
- #include <string.h>
- 
--- a/openssh-5.2p1-pam-fix4.diff
+++ b/openssh-5.2p1-pam-fix4.diff
@ -1,26 +0,0 @@
-Index: openssh-5.1p1/auth-pam.c
-================================================================================
--- openssh-5.2p1/auth-pam.c
-+++ openssh-5.2p1/auth-pam.c
-@@ -602,16 +602,16 @@
- 		return;
- 	debug("PAM: cleanup");
- 	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
-	if (sshpam_cred_established) {
-		debug("PAM: deleting credentials");
-		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
-		sshpam_cred_established = 0;
-	}
- 	if (sshpam_session_open) {
- 		debug("PAM: closing session");
- 		pam_close_session(sshpam_handle, PAM_SILENT);
- 		sshpam_session_open = 0;
- 	}
-+	if (sshpam_cred_established) {
-+		debug("PAM: deleting credentials");
-+		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
-+		sshpam_cred_established = 0;
-+	}
- 	sshpam_authenticated = 0;
- 	pam_end(sshpam_handle, sshpam_err);
- 	sshpam_handle = NULL;
--- a/openssh-5.2p1.tar.bz2
+++ b/openssh-5.2p1.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5de561b64b659e21d66b4f1c04690e94f922f3f5fb3f070e81fbd8f9f4403de8
-size 816819
--- a/openssh-5.4p1-askpass-fix.diff
+++ b/openssh-5.4p1-askpass-fix.diff
--- a/openssh-5.4p1-audit.patch
+++ b/openssh-5.4p1-audit.patch
@ -1,8 +1,10 @@
 # add support for Linux audit (FATE #120269)
 ================================================================================
--- openssh-5.2p1/Makefile.in
-+++ openssh-5.2p1/Makefile.in
-@@ -44,6 +44,7 @@
+Index: openssh-5.4p1/Makefile.in
+===================================================================
+--- openssh-5.4p1.orig/Makefile.in
+++ openssh-5.4p1/Makefile.in
+@@ -46,6 +46,7 @@ LD=@LD@
 CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
@ -10,7 +12,7 @@
 SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
 AR=@AR@
-@@ -137,7 +138,7 @@
+@@ -142,7 +143,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
@ -19,9 +21,11 @@
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
--- openssh-5.2p1/auth.c
-+++ openssh-5.2p1/auth.c
-@@ -287,6 +287,12 @@
+Index: openssh-5.4p1/auth.c
+===================================================================
+--- openssh-5.4p1.orig/auth.c
+++ openssh-5.4p1/auth.c
+@@ -293,6 +293,12 @@ auth_log(Authctxt *authctxt, int authent
 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
 # endif
 #endif
@ -34,7 +38,7 @@
 #ifdef SSH_AUDIT_EVENTS
 	if (authenticated == 0 && !authctxt->postponed)
 		audit_event(audit_classify_auth(method));
-@@ -533,6 +539,10 @@
+@@ -564,6 +570,10 @@ getpwnamallow(const char *user)
 		record_failed_login(user,
 		    get_canonical_hostname(options.use_dns), "ssh");
 #endif
@ -45,9 +49,11 @@
 #ifdef SSH_AUDIT_EVENTS
 		audit_event(SSH_INVALID_USER);
 #endif /* SSH_AUDIT_EVENTS */
--- openssh-5.2p1/config.h.in
-+++ openssh-5.2p1/config.h.in
-@@ -1397,6 +1397,9 @@
+Index: openssh-5.4p1/config.h.in
+===================================================================
+--- openssh-5.4p1.orig/config.h.in
+++ openssh-5.4p1/config.h.in
+@@ -1415,6 +1415,9 @@
 /* Define if you want SELinux support. */
 #undef WITH_SELINUX
 
@ -57,9 +63,11 @@
 /* Define to 1 if your processor stores words with the most significant byte
    first (like Motorola and SPARC, unlike Intel and VAX). */
 #undef WORDS_BIGENDIAN
--- openssh-5.2p1/configure.ac
-+++ openssh-5.2p1/configure.ac
-@@ -3340,6 +3340,20 @@
+Index: openssh-5.4p1/configure.ac
+===================================================================
+--- openssh-5.4p1.orig/configure.ac
+++ openssh-5.4p1/configure.ac
+@@ -3363,6 +3363,20 @@ AC_ARG_WITH(selinux,
 	fi ]
 )
 
@ -80,7 +88,7 @@
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
-@@ -4160,6 +4174,7 @@
+@@ -4182,6 +4196,7 @@ echo "                       PAM support
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
@ -88,8 +96,10 @@
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
--- openssh-5.2p1/loginrec.c
-+++ openssh-5.2p1/loginrec.c
+Index: openssh-5.4p1/loginrec.c
+===================================================================
+--- openssh-5.4p1.orig/loginrec.c
+++ openssh-5.4p1/loginrec.c
@@ -176,6 +176,10 @@
 #include "auth.h"
 #include "buffer.h"
@ -210,9 +220,11 @@
 /**
  ** Low-level libutil login() functions
  **/
--- openssh-5.2p1/loginrec.h
-+++ openssh-5.2p1/loginrec.h
-@@ -127,5 +127,9 @@
+Index: openssh-5.4p1/loginrec.h
+===================================================================
+--- openssh-5.4p1.orig/loginrec.h
+++ openssh-5.4p1/loginrec.h
+@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
 char *line_abbrevname(char *dst, const char *src, int dstsize);
 
 void record_failed_login(const char *, const char *, const char *);
--- a/openssh-5.4p1-blocksigalrm.diff
+++ b/openssh-5.4p1-blocksigalrm.diff
--- a/openssh-5.4p1-default-protocol.diff
+++ b/openssh-5.4p1-default-protocol.diff
@ -1,6 +1,8 @@
--- ssh_config
+Index: ssh_config
+===================================================================
+--- ssh_config.orig
 +++ ssh_config
-@@ -46,7 +46,7 @@
+@@ -46,7 +46,7 @@ ForwardX11Trusted yes
 #   IdentityFile ~/.ssh/id_rsa
 #   IdentityFile ~/.ssh/id_dsa
 #   Port 22
--- a/openssh-5.4p1-eal3.diff
+++ b/openssh-5.4p1-eal3.diff
@ -1,6 +1,8 @@
--- openssh-5.2p1/sshd.8
-+++ openssh-5.2p1/sshd.8
-@@ -783,7 +783,7 @@
+Index: openssh-5.4p1/sshd.8
+===================================================================
+--- openssh-5.4p1.orig/sshd.8
+++ openssh-5.4p1/sshd.8
+@@ -840,7 +840,7 @@ Contains Diffie-Hellman groups used for
 The file format is described in
 .Xr moduli 5 .
 .Pp
@ -9,7 +11,7 @@
 See
 .Xr motd 5 .
 .Pp
-@@ -796,7 +796,7 @@
+@@ -853,7 +853,7 @@ are displayed to anyone trying to log in
 refused.
 The file should be world-readable.
 .Pp
@ -18,7 +20,7 @@
 This file is used in exactly the same way as
 .Pa hosts.equiv ,
 but allows host-based authentication without permitting login with
-@@ -873,8 +873,7 @@
+@@ -930,8 +930,7 @@ The content of this file is not sensitiv
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
 .Xr hosts_access 5 ,
@ -28,19 +30,11 @@
 .Xr sshd_config 5 ,
 .Xr inetd 8 ,
 .Xr sftp-server 8
--- openssh-5.2p1/sshd_config.5
-+++ openssh-5.2p1/sshd_config.5
-@@ -177,9 +177,6 @@
- By default, no banner is displayed.
- .It Cm ChallengeResponseAuthentication
- Specifies whether challenge-response authentication is allowed.
-All authentication styles from
-.Xr login.conf 5
-are supported.
- The default is
- .Dq yes .
- .It Cm ChrootDirectory
-@@ -438,7 +435,7 @@
+Index: openssh-5.4p1/sshd_config.5
+===================================================================
+--- openssh-5.4p1.orig/sshd_config.5
+++ openssh-5.4p1/sshd_config.5
+@@ -451,7 +451,7 @@ or
 .Pp
 .Pa /etc/hosts.equiv
 and
--- a/openssh-5.4p1-engines.diff
+++ b/openssh-5.4p1-engines.diff
@ -1,5 +1,7 @@
--- openssh-5.2p1/ssh-add.c
-+++ openssh-5.2p1/ssh-add.c
+Index: openssh-5.4p1/ssh-add.c
+===================================================================
+--- openssh-5.4p1.orig/ssh-add.c
+++ openssh-5.4p1/ssh-add.c
@@ -43,6 +43,7 @@
 
 #include <openssl/evp.h>
@ -8,7 +10,7 @@
 
 #include <fcntl.h>
 #include <pwd.h>
-@@ -344,6 +345,10 @@
+@@ -366,6 +367,10 @@ main(int argc, char **argv)
 
 	SSLeay_add_all_algorithms();
 
@ -19,8 +21,10 @@
 	/* At first, get a connection to the authentication agent. */
 	ac = ssh_get_authentication_connection();
 	if (ac == NULL) {
--- openssh-5.2p1/ssh-agent.c
-+++ openssh-5.2p1/ssh-agent.c
+Index: openssh-5.4p1/ssh-agent.c
+===================================================================
+--- openssh-5.4p1.orig/ssh-agent.c
+++ openssh-5.4p1/ssh-agent.c
@@ -52,6 +52,7 @@
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@ -29,7 +33,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
-@@ -1076,6 +1077,10 @@
+@@ -1091,6 +1092,10 @@ main(int ac, char **av)
 
 	SSLeay_add_all_algorithms();
 
@ -40,8 +44,10 @@
 	__progname = ssh_get_progname(av[0]);
 	init_rng();
 	seed_rng();
--- openssh-5.2p1/ssh-keygen.c
-+++ openssh-5.2p1/ssh-keygen.c
+Index: openssh-5.4p1/ssh-keygen.c
+===================================================================
+--- openssh-5.4p1.orig/ssh-keygen.c
+++ openssh-5.4p1/ssh-keygen.c
@@ -22,6 +22,7 @@
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@ -50,7 +56,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
-@@ -1099,6 +1100,11 @@
+@@ -1523,6 +1524,11 @@ main(int argc, char **argv)
 	__progname = ssh_get_progname(argv[0]);
 
 	SSLeay_add_all_algorithms();
@ -62,8 +68,10 @@
 	log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
 
 	init_rng();
--- openssh-5.2p1/ssh-keysign.c
-+++ openssh-5.2p1/ssh-keysign.c
+Index: openssh-5.4p1/ssh-keysign.c
+===================================================================
+--- openssh-5.4p1.orig/ssh-keysign.c
+++ openssh-5.4p1/ssh-keysign.c
@@ -38,6 +38,7 @@
 #include <openssl/evp.h>
 #include <openssl/rand.h>
@ -72,7 +80,7 @@
 
 #include "xmalloc.h"
 #include "log.h"
-@@ -195,6 +196,11 @@
+@@ -195,6 +196,11 @@ main(int argc, char **argv)
 		fatal("could not open any host key");
 
 	SSLeay_add_all_algorithms();
@ -84,9 +92,11 @@
 	for (i = 0; i < 256; i++)
 		rnd[i] = arc4random();
 	RAND_seed(rnd, sizeof(rnd));
--- openssh-5.2p1/ssh.c
-+++ openssh-5.2p1/ssh.c
-@@ -73,6 +73,7 @@
+Index: openssh-5.4p1/ssh.c
+===================================================================
+--- openssh-5.4p1.orig/ssh.c
+++ openssh-5.4p1/ssh.c
+@@ -74,6 +74,7 @@
 #include <openssl/err.h>
 #include "openbsd-compat/openssl-compat.h"
 #include "openbsd-compat/sys-queue.h"
@ -94,7 +104,7 @@
 
 #include "xmalloc.h"
 #include "ssh.h"
-@@ -550,6 +551,10 @@
+@@ -584,6 +585,10 @@ main(int ac, char **av)
 	SSLeay_add_all_algorithms();
 	ERR_load_crypto_strings();
 
@ -105,8 +115,10 @@
 	/* Initialize the command to execute on remote host. */
 	buffer_init(&command);
 
--- openssh-5.2p1/sshd.c
-+++ openssh-5.2p1/sshd.c
+Index: openssh-5.4p1/sshd.c
+===================================================================
+--- openssh-5.4p1.orig/sshd.c
+++ openssh-5.4p1/sshd.c
@@ -77,6 +77,7 @@
 #include <openssl/md5.h>
 #include <openssl/rand.h>
@ -115,7 +127,7 @@
 
 #ifdef HAVE_SECUREWARE
 #include <sys/security.h>
-@@ -1415,6 +1416,10 @@
+@@ -1462,6 +1463,10 @@ main(int ac, char **av)
 
 	SSLeay_add_all_algorithms();
 
--- a/openssh-5.4p1-forwards.diff
+++ b/openssh-5.4p1-forwards.diff
@ -1,6 +1,8 @@
--- channels.c
+Index: channels.c
+===================================================================
+--- channels.c.orig
 +++ channels.c
-@@ -2471,6 +2471,9 @@
+@@ -2625,6 +2625,9 @@ channel_setup_fwd_listener(int type, con
 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
 	in_port_t *lport_p;
 
--- a/openssh-5.4p1-gssapimitm.patch
+++ b/openssh-5.4p1-gssapimitm.patch
@ -14,10 +14,10 @@ recommended to use the 'gssapi-with-mic' mechanism. Existing installations
 are encouraged to upgrade as soon as possible.

 Index: auth2-gss.c
-================================================================================
--- auth2-gss.c
+===================================================================
+--- auth2-gss.c.orig
 +++ auth2-gss.c
-@@ -177,6 +177,15 @@
+@@ -177,6 +177,15 @@ input_gssapi_token(int type, u_int32_t p
 				dispatch_set(
 				    SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
 				    &input_gssapi_exchange_complete);
@ -33,7 +33,7 @@ Index: auth2-gss.c
 		}
 	}
 
-@@ -298,4 +307,10 @@
+@@ -298,4 +307,10 @@ Authmethod method_gssapi = {
 	&options.gss_authentication
 };
 
@ -44,9 +44,11 @@ Index: auth2-gss.c
 +};
 +
 #endif /* GSSAPI */
--- auth2.c
+Index: auth2.c
+===================================================================
+--- auth2.c.orig
 +++ auth2.c
-@@ -70,6 +70,7 @@
+@@ -70,6 +70,7 @@ extern Authmethod method_kbdint;
 extern Authmethod method_hostbased;
 #ifdef GSSAPI
 extern Authmethod method_gssapi;
@ -54,7 +56,7 @@ Index: auth2-gss.c
 #endif
 #ifdef JPAKE
 extern Authmethod method_jpake;
-@@ -80,6 +81,7 @@
+@@ -80,6 +81,7 @@ Authmethod *authmethods[] = {
 	&method_pubkey,
 #ifdef GSSAPI
 	&method_gssapi,
@ -62,10 +64,12 @@ Index: auth2-gss.c
 #endif
 #ifdef JPAKE
 	&method_jpake,
--- readconf.c
+Index: readconf.c
+===================================================================
+--- readconf.c.orig
 +++ readconf.c
-@@ -126,7 +126,7 @@
- 	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
+@@ -126,7 +126,7 @@ typedef enum {
+ 	oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 -	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@ -73,7 +77,7 @@ Index: auth2-gss.c
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-@@ -165,9 +165,11 @@
+@@ -165,9 +165,11 @@ static struct {
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
 	{ "gssapidelegatecredentials", oGssDelegateCreds },
@ -85,7 +89,7 @@ Index: auth2-gss.c
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
-@@ -456,6 +458,10 @@
+@@ -459,6 +461,10 @@ parse_flag:
 	case oGssDelegateCreds:
 		intptr = &options->gss_deleg_creds;
 		goto parse_flag;
@ -96,7 +100,7 @@ Index: auth2-gss.c
 
 	case oBatchMode:
 		intptr = &options->batch_mode;
-@@ -1009,6 +1015,7 @@
+@@ -1016,6 +1022,7 @@ initialize_options(Options * options)
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
 	options->gss_deleg_creds = -1;
@ -104,7 +108,7 @@ Index: auth2-gss.c
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
-@@ -1101,6 +1108,8 @@
+@@ -1109,6 +1116,8 @@ fill_default_options(Options * options)
 		options->gss_authentication = 0;
 	if (options->gss_deleg_creds == -1)
 		options->gss_deleg_creds = 0;
@ -113,9 +117,11 @@ Index: auth2-gss.c
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
--- readconf.h
+Index: readconf.h
+===================================================================
+--- readconf.h.orig
 +++ readconf.h
-@@ -45,6 +45,7 @@
+@@ -45,6 +45,7 @@ typedef struct {
 					/* Try S/Key or TIS, authentication. */
 	int     gss_authentication;	/* Try GSS authentication */
 	int     gss_deleg_creds;	/* Delegate GSS credentials */
@ -123,9 +129,11 @@ Index: auth2-gss.c
 	int     password_authentication;	/* Try password
 						 * authentication. */
 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
--- servconf.c
+Index: servconf.c
+===================================================================
+--- servconf.c.orig
 +++ servconf.c
-@@ -93,6 +93,7 @@
+@@ -94,6 +94,7 @@ initialize_server_options(ServerOptions
 	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
 	options->gss_cleanup_creds = -1;
@ -133,7 +141,7 @@ Index: auth2-gss.c
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
-@@ -212,6 +213,8 @@
+@@ -216,6 +217,8 @@ fill_default_server_options(ServerOption
 		options->gss_authentication = 0;
 	if (options->gss_cleanup_creds == -1)
 		options->gss_cleanup_creds = 1;
@ -142,7 +150,7 @@ Index: auth2-gss.c
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-@@ -302,7 +305,7 @@
+@@ -306,7 +309,7 @@ typedef enum {
 	sBanner, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@ -150,8 +158,8 @@ Index: auth2-gss.c
 +	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
- 	sZeroKnowledgePasswordAuthentication,
-@@ -364,9 +367,11 @@
+ 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
+@@ -369,9 +372,11 @@ static struct {
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -163,7 +171,7 @@ Index: auth2-gss.c
 #endif
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -894,6 +899,10 @@
+@@ -928,6 +933,10 @@ process_server_config_line(ServerOptions
 	case sGssCleanupCreds:
 		intptr = &options->gss_cleanup_creds;
 		goto parse_flag;
@ -174,9 +182,11 @@ Index: auth2-gss.c
 
 	case sPasswordAuthentication:
 		intptr = &options->password_authentication;
--- servconf.h
+Index: servconf.h
+===================================================================
+--- servconf.h.orig
 +++ servconf.h
-@@ -92,6 +92,7 @@
+@@ -95,6 +95,7 @@ typedef struct {
 						 * authenticated with Kerberos. */
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
@ -184,9 +194,11 @@ Index: auth2-gss.c
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */
--- ssh_config
+Index: ssh_config
+===================================================================
+--- ssh_config.orig
 +++ ssh_config
-@@ -54,4 +54,14 @@
+@@ -54,5 +54,15 @@ ForwardX11Trusted yes
 #   Tunnel no
 #   TunnelDevice any:any
 #   PermitLocalCommand no
@ -201,9 +213,12 @@ Index: auth2-gss.c
 +
 +>>>>>>>
 #   VisualHostKey no
--- sshconnect2.c
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+Index: sshconnect2.c
+===================================================================
+--- sshconnect2.c.orig
 +++ sshconnect2.c
-@@ -255,6 +255,10 @@
+@@ -263,6 +263,10 @@ Authmethod authmethods[] = {
 		NULL,
 		&options.gss_authentication,
 		NULL},
@ -214,7 +229,7 @@ Index: auth2-gss.c
 #endif
 	{"hostbased",
 		userauth_hostbased,
-@@ -617,7 +621,9 @@
+@@ -640,7 +644,9 @@ process_gssapi_token(void *ctxt, gss_buf
 
 	if (status == GSS_S_COMPLETE) {
 		/* send either complete or MIC, depending on mechanism */
@ -225,9 +240,11 @@ Index: auth2-gss.c
 			packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
 			packet_send();
 		} else {
--- sshd_config
+Index: sshd_config
+===================================================================
+--- sshd_config.orig
 +++ sshd_config
-@@ -74,6 +74,13 @@
+@@ -72,6 +72,13 @@ PasswordAuthentication no
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 
--- a/openssh-5.4p1-homechroot.patch
+++ b/openssh-5.4p1-homechroot.patch
@ -1,4 +1,6 @@
--- chrootenv.h 
+Index: chrootenv.h
+===================================================================
+--- /dev/null
 +++ chrootenv.h
@@ -0,0 +1,32 @@
 +/* $OpenBSD: session.h,v 1.30 2008/05/08 12:21:16 djm Exp $ */
@ -33,7 +35,9 @@
 +
 +#endif
 +
--- session.c
+Index: session.c
+===================================================================
+--- session.c.orig
 +++ session.c
@@ -119,6 +119,8 @@ void	do_child(Session *, const char *);
 void	do_motd(void);
@ -44,7 +48,7 @@
 static void do_authenticated1(Authctxt *);
 static void do_authenticated2(Authctxt *);
 
-@@ -802,6 +804,11 @@ do_exec(Session *s, const char *command)
+@@ -805,6 +807,11 @@ do_exec(Session *s, const char *command)
 		debug("Forced command (key option) '%.900s'", command);
 	}
 
@ -56,7 +60,7 @@
 #ifdef SSH_AUDIT_EVENTS
 	if (command != NULL)
 		PRIVSEP(audit_run_command(command));
-@@ -1399,6 +1406,63 @@ do_nologin(struct passwd *pw)
+@@ -1418,6 +1425,63 @@ do_nologin(struct passwd *pw)
 }
 
 /*
@ -120,7 +124,7 @@
  * Chroot into a directory after checking it for safety: all path components
  * must be root-owned directories with strict permissions.
  */
-@@ -1408,6 +1472,7 @@ safely_chroot(const char *path, uid_t ui
+@@ -1427,6 +1491,7 @@ safely_chroot(const char *path, uid_t ui
 	const char *cp;
 	char component[MAXPATHLEN];
 	struct stat st;
@ -128,7 +132,7 @@
 
 	if (*path != '/')
 		fatal("chroot path does not begin at root");
-@@ -1419,7 +1484,7 @@ safely_chroot(const char *path, uid_t ui
+@@ -1438,7 +1503,7 @@ safely_chroot(const char *path, uid_t ui
 	 * root-owned directory with strict permissions.
 	 */
 	for (cp = path; cp != NULL;) {
@ -137,7 +141,7 @@
 			strlcpy(component, path, sizeof(component));
 		else {
 			cp++;
-@@ -1432,14 +1497,20 @@ safely_chroot(const char *path, uid_t ui
+@@ -1451,14 +1516,20 @@ safely_chroot(const char *path, uid_t ui
 		if (stat(component, &st) != 0)
 			fatal("%s: stat(\"%s\"): %s", __func__,
 			    component, strerror(errno));
@ -159,7 +163,7 @@
 	}
 
 	if (chdir(path) == -1)
-@@ -1451,6 +1522,10 @@ safely_chroot(const char *path, uid_t ui
+@@ -1469,6 +1540,10 @@ safely_chroot(const char *path, uid_t ui
 	if (chdir("/") == -1)
 		fatal("%s: chdir(/) after chroot: %s",
 		    __func__, strerror(errno));
@ -170,9 +174,11 @@
 	verbose("Changed root directory to \"%s\"", path);
 }
 
--- sftp.c
+Index: sftp.c
+===================================================================
+--- sftp.c.orig
 +++ sftp.c
-@@ -94,6 +94,8 @@ int remote_glob(struct sftp_conn *, cons
+@@ -106,6 +106,8 @@ int remote_glob(struct sftp_conn *, cons
 
 extern char *__progname;
 
@ -181,9 +187,11 @@
 /* Separators for interactive commands */
 #define WHITESPACE " \t\r\n"
 
--- sftp-common.c
+Index: sftp-common.c
+===================================================================
+--- sftp-common.c.orig
 +++ sftp-common.c
-@@ -40,6 +40,7 @@
+@@ -43,6 +43,7 @@
 #include "xmalloc.h"
 #include "buffer.h"
 #include "log.h"
@ -191,23 +199,25 @@
 
 #include "sftp.h"
 #include "sftp-common.h"
-@@ -194,13 +195,13 @@ ls_file(const char *name, const struct s
- 	char buf[1024], mode[11+1], tbuf[12+1], ubuf[11+1], gbuf[11+1];
+@@ -196,13 +197,13 @@ ls_file(const char *name, const struct s
+ 	char sbuf[FMT_SCALED_STRSIZE];
 
 	strmode(st->st_mode, mode);
-	if (!remote && (pw = getpwuid(st->st_uid)) != NULL) {
-+	if (!remote && !chroot_no_tree && (pw = getpwuid(st->st_uid)) != NULL) {
- 		user = pw->pw_name;
+-	if (!remote) {
+	if (!remote && !chroot_no_tree) {
+ 		user = user_from_uid(st->st_uid, 0);
 	} else {
 		snprintf(ubuf, sizeof ubuf, "%u", (u_int)st->st_uid);
 		user = ubuf;
 	}
-	if (!remote && (gr = getgrgid(st->st_gid)) != NULL) {
-+	if (!remote && !chroot_no_tree && (gr = getgrgid(st->st_gid)) != NULL) {
- 		group = gr->gr_name;
+-	if (!remote) {
+	if (!remote && !chroot_no_tree) {
+ 		group = group_from_gid(st->st_gid, 0);
 	} else {
 		snprintf(gbuf, sizeof gbuf, "%u", (u_int)st->st_gid);
--- sftp-server-main.c
+Index: sftp-server-main.c
+===================================================================
+--- sftp-server-main.c.orig
 +++ sftp-server-main.c
@@ -22,11 +22,14 @@
 #include <stdarg.h>
@ -224,11 +234,13 @@
 void
 cleanup_exit(int i)
 {
--- sshd_config.0
+Index: sshd_config.0
+===================================================================
+--- sshd_config.0.orig
 +++ sshd_config.0
-@@ -112,6 +112,14 @@ DESCRIPTION
-              essary if the in-process sftp server is used (see Subsystem for
-              details).
+@@ -115,6 +115,14 @@ DESCRIPTION
+              which use logging do require /dev/log inside the chroot directory
+              (see sftp-server(8) for details).
 
 +             In the special case when only sftp is used, not ssh nor scp, it
 +             is possible to use ChrootDirectory %h or ChrootDirectory
@ -241,10 +253,12 @@
              The default is not to chroot(2).
 
      Ciphers
--- sshd_config.5
+Index: sshd_config.5
+===================================================================
+--- sshd_config.5.orig
 +++ sshd_config.5
-@@ -219,6 +219,17 @@ in-process sftp server is used (see
- .Cm Subsystem
+@@ -224,6 +224,17 @@ inside the chroot directory (see
+ .Xr sftp-server 8
 for details).
 .Pp
 +In the special case when only sftp is used, not ssh nor scp,
--- a/openssh-5.4p1-pam-fix2.diff
+++ b/openssh-5.4p1-pam-fix2.diff
@ -1,6 +1,8 @@
--- sshd_config
+Index: sshd_config
+===================================================================
+--- sshd_config.orig
 +++ sshd_config
-@@ -58,7 +58,7 @@
+@@ -56,7 +56,7 @@
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
@ -9,7 +11,7 @@
 #PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
-@@ -83,7 +83,7 @@
+@@ -81,7 +81,7 @@
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
--- a/openssh-5.4p1-pam-fix3.diff
+++ b/openssh-5.4p1-pam-fix3.diff
--- a/openssh-5.4p1-pts.diff
+++ b/openssh-5.4p1-pts.diff
--- a/openssh-5.4p1-saveargv-fix.diff
+++ b/openssh-5.4p1-saveargv-fix.diff
@ -1,6 +1,8 @@
--- sshd.c
+Index: sshd.c
+===================================================================
+--- sshd.c.orig
 +++ sshd.c
-@@ -304,6 +304,7 @@
+@@ -306,6 +306,7 @@ sighup_handler(int sig)
 static void
 sighup_restart(void)
 {
@ -8,7 +10,7 @@
 	logit("Received SIGHUP; restarting.");
 	close_listen_socks();
 	close_startup_pipes();
-@@ -1269,7 +1270,11 @@
+@@ -1307,7 +1308,11 @@ main(int ac, char **av)
 #ifndef HAVE_SETPROCTITLE
 	/* Prepare for later setproctitle emulation */
 	compat_init_setproctitle(ac, av);
--- a/openssh-5.4p1-send_locale.diff
+++ b/openssh-5.4p1-send_locale.diff
@ -1,6 +1,8 @@
--- ssh_config
+Index: ssh_config
+===================================================================
+--- ssh_config.orig
 +++ ssh_config
-@@ -63,5 +63,8 @@
+@@ -63,6 +63,9 @@ ForwardX11Trusted yes
 # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
 #   GSSAPIEnableMITMAttack no
 
@ -10,9 +12,12 @@
 +SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
 +SendEnv LC_IDENTIFICATION LC_ALL
 #   VisualHostKey no
--- sshd_config
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+Index: sshd_config
+===================================================================
+--- sshd_config.orig
 +++ sshd_config
-@@ -119,6 +119,11 @@
+@@ -117,6 +117,11 @@ X11Forwarding yes
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server
 
--- a/openssh-5.4p1-tmpdir.diff
+++ b/openssh-5.4p1-tmpdir.diff
@ -1,6 +1,8 @@
--- ssh-agent.c
+Index: ssh-agent.c
+===================================================================
+--- ssh-agent.c.orig
 +++ ssh-agent.c
-@@ -1159,8 +1159,18 @@
+@@ -1174,8 +1174,18 @@ main(int ac, char **av)
 	parent_pid = getpid();
 
 	if (agentsocket == NULL) {
--- a/openssh-5.4p1-xauth.diff
+++ b/openssh-5.4p1-xauth.diff
@ -1,6 +1,8 @@
--- session.c
+Index: session.c
+===================================================================
+--- session.c.orig
 +++ session.c
-@@ -2493,8 +2493,41 @@
+@@ -2521,8 +2521,41 @@ void
 session_close(Session *s)
 {
 	u_int i;
--- a/openssh-5.4p1-xauthlocalhostname.diff
+++ b/openssh-5.4p1-xauthlocalhostname.diff
@ -1,6 +1,8 @@
--- session.c
+Index: session.c
+===================================================================
+--- session.c.orig
 +++ session.c
-@@ -1110,7 +1110,7 @@
+@@ -1113,7 +1113,7 @@ copy_environment(char **source, char ***
 }
 
 static char **
@ -9,7 +11,7 @@
 {
 	char buf[256];
 	u_int i, envsize;
-@@ -1297,6 +1297,8 @@
+@@ -1300,6 +1300,8 @@ do_setup_env(Session *s, const char *she
 		for (i = 0; env[i]; i++)
 			fprintf(stderr, "  %.200s\n", env[i]);
 	}
@ -18,7 +20,7 @@
 	return env;
 }
 
-@@ -1305,7 +1307,7 @@
+@@ -1308,7 +1310,7 @@ do_setup_env(Session *s, const char *she
  * first in this order).
  */
 static void
@ -27,7 +29,7 @@
 {
 	FILE *f = NULL;
 	char cmd[1024];
-@@ -1359,12 +1361,20 @@
+@@ -1362,12 +1364,20 @@ do_rc_files(Session *s, const char *shel
 		    options.xauth_location);
 		f = popen(cmd, "w");
 		if (f) {
@ -48,7 +50,7 @@
 		} else {
 			fprintf(stderr, "Could not run %s\n",
 			    cmd);
-@@ -1650,6 +1660,7 @@
+@@ -1669,6 +1679,7 @@ do_child(Session *s, const char *command
 {
 	extern char **environ;
 	char **env;
@ -56,7 +58,7 @@
 	char *argv[ARGV_MAX];
 	const char *shell, *shell0, *hostname = NULL;
 	struct passwd *pw = s->pw;
-@@ -1716,7 +1727,7 @@
+@@ -1735,7 +1746,7 @@ do_child(Session *s, const char *command
 	 * Make sure $SHELL points to the shell from the password file,
 	 * even if shell is overridden from login.conf
 	 */
@ -65,7 +67,7 @@
 
 #ifdef HAVE_LOGIN_CAP
 	shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell);
-@@ -1784,7 +1795,7 @@
+@@ -1803,7 +1814,7 @@ do_child(Session *s, const char *command
 	closefrom(STDERR_FILENO + 1);
 
 	if (!options.use_login)
--- a/openssh-5.4p1.dif
+++ b/openssh-5.4p1.dif
@ -1,4 +1,6 @@
--- ssh_config
+Index: ssh_config
+===================================================================
+--- ssh_config.orig
 +++ ssh_config
@@ -17,9 +17,20 @@
 # list of available options, their meanings and defaults, please see the
@ -22,9 +24,11 @@
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
--- sshd_config
+Index: sshd_config
+===================================================================
+--- sshd_config.orig
 +++ sshd_config
-@@ -88,7 +88,7 @@
+@@ -86,7 +86,7 @@
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
@ -33,9 +37,11 @@
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
--- sshlogin.c
+Index: sshlogin.c
+===================================================================
+--- sshlogin.c.orig
 +++ sshlogin.c
-@@ -125,6 +125,7 @@
+@@ -133,6 +133,7 @@ record_login(pid_t pid, const char *tty,
 
 	li = login_alloc_entry(pid, user, host, tty);
 	login_set_addr(li, addr, addrlen);
--- a/openssh-5.4p1.tar.bz2
+++ b/openssh-5.4p1.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:21b9ddf3f42f777951a039a6c816d895d80a734046de9dbd411c042cbdb5f0f8
+size 872892
--- a/openssh-askpass-gnome.changes
+++ b/openssh-askpass-gnome.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Mar 26 11:04:59 CET 2010 - anicka@suse.cz
+
+- update to 5.4p1
+- remove -pam-fix4.diff (in upstream now) 
+
 -------------------------------------------------------------------
 Mon Feb 23 17:27:22 CET 2009 - anicka@suse.cz

--- a/openssh-askpass-gnome.spec
+++ b/openssh-askpass-gnome.spec
@ -1,5 +1,5 @@
 #
-# spec file for package openssh-askpass-gnome (Version 5.2p1)
+# spec file for package openssh-askpass-gnome (Version 5.4p1)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@ -22,8 +22,8 @@ Name:           openssh-askpass-gnome
 BuildRequires:  gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
 License:        BSD3c(or similar)
 Group:          Productivity/Networking/SSH
-Version:        5.2p1
-Release:        12
+Version:        5.4p1
+Release:        1
 Requires:       openssh = %{version} openssh-askpass = %{version}
 AutoReqProv:    on
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
@ -31,14 +31,13 @@ Url:            http://www.openssh.com/
 %define _name openssh
 Source:         %{_name}-%{version}.tar.bz2
 Patch:          %{_name}-%{version}.dif
-Patch15:        %{_name}-%{version}-pam-fix2.diff
-Patch18:        %{_name}-%{version}-saveargv-fix.diff
-Patch19:        %{_name}-%{version}-pam-fix3.diff
-Patch21:        %{_name}-%{version}-gssapimitm.patch
-Patch26:        %{_name}-%{version}-eal3.diff
-Patch27:        %{_name}-%{version}-engines.diff
-Patch28:        %{_name}-%{version}-blocksigalrm.diff
-Patch29:        %{_name}-%{version}-pam-fix4.diff
+Patch1:         %{_name}-%{version}-pam-fix2.diff
+Patch2:         %{_name}-%{version}-saveargv-fix.diff
+Patch3:         %{_name}-%{version}-pam-fix3.diff
+Patch4:         %{_name}-%{version}-gssapimitm.patch
+Patch5:         %{_name}-%{version}-eal3.diff
+Patch6:         %{_name}-%{version}-engines.diff
+Patch7:         %{_name}-%{version}-blocksigalrm.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -74,14 +73,13 @@ Authors:
 %prep
 %setup -q -n %{_name}-%{version}
 %patch 
-%patch15
-%patch18
-%patch19
-%patch21
-%patch26 -p1
-%patch27 -p1
-%patch28
-%patch29 -p1
+%patch1
+%patch2
+%patch3
+%patch4
+%patch5 -p1
+%patch6 -p1
+%patch7

 %build
 %{?suse_update_config:%{suse_update_config}}
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,64 @@
+-------------------------------------------------------------------
+Tue Mar 23 18:57:07 CET 2010 - anicka@suse.cz
+
+- update to 5.4p1
+ * After a transition period of about 10 years, this release disables
+   SSH protocol 1 by default. Clients and servers that need to use the
+   legacy protocol must explicitly enable it in ssh_config / sshd_config
+   or on the command-line.
+ * Remove the libsectok/OpenSC-based smartcard code and add support for
+   PKCS#11 tokens. This support is automatically enabled on all
+   platforms that support dlopen(3) and was inspired by patches written
+   by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1) manpages.
+ * Add support for certificate authentication of users and hosts using a
+   new, minimal OpenSSH certificate format (not X.509). Certificates
+   contain a public key, identity information and some validity
+   constraints and are signed with a standard SSH public key using
+   ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
+   or via a TrustedUserCAKeys option in sshd_config(5) (for user
+   authentication), or in known_hosts (for host authentication).
+   Documentation for certificate support may be found in ssh-keygen(1),
+   sshd(8) and ssh(1) and a description of the protocol extensions in
+   PROTOCOL.certkeys.
+ * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
+   stdio on the client to a single port forward on the server. This
+   allows, for example, using ssh as a ProxyCommand to route connections
+   via intermediate servers. bz#1618
+ * Add the ability to revoke keys in sshd(8) and ssh(1). User keys may
+   be revoked using a new sshd_config(5) option "RevokedKeys". Host keys
+   are revoked through known_hosts (details in the sshd(8) man page).
+   Revoked keys cannot be used for user or host authentication and will
+   trigger a warning if used.
+ * Rewrite the ssh(1) multiplexing support to support non-blocking
+   operation of the mux master, improve the resilience of the master to
+   malformed messages sent to it by the slave and add support for
+   requesting port- forwardings via the multiplex protocol. The new
+   stdio-to-local forward mode ("ssh -W host:port ...") is also
+   supported. The revised multiplexing protocol is documented in the
+   file PROTOCOL.mux in the source distribution.
+ * Add a 'read-only' mode to sftp-server(8) that disables open in write
+   mode and all other fs-modifying protocol methods. bz#430
+ * Allow setting an explicit umask on the sftp-server(8) commandline to
+   override whatever default the user has. bz#1229
+ * Many improvements to the sftp(1) client, many of which were
+   implemented by Carlos Silva through the Google Summer of Code
+   program:
+   - Support the "-h" (human-readable units) flag for ls
+   - Implement tab-completion of commands, local and remote filenames
+   - Support most of scp(1)'s commandline arguments in sftp(1), as a
+     first step towards making sftp(1) a drop-in replacement for scp(1).
+     Note that the rarely-used "-P sftp_server_path" option has been
+     moved to "-D sftp_server_path" to make way for "-P port" to match
+     scp(1).
+   - Add recursive transfer support for get/put and on the commandline
+ * New RSA keys will be generated with a public exponent of RSA_F4 ==
+   (2**16)+1 == 65537 instead of the previous value 35.
+ * Passphrase-protected SSH protocol 2 private keys are now protected
+   with AES-128 instead of 3DES. This applied to newly-generated keys
+   as well as keys that are reencrypted (e.g. by changing their
+   passphrase).
+- cleanup in patches 
+
 -------------------------------------------------------------------
 Tue Mar  2 09:09:18 UTC 2010 - coolo@novell.com

--- a/openssh.spec
+++ b/openssh.spec
@ -1,5 +1,5 @@
 #
-# spec file for package openssh (Version 5.2p1)
+# spec file for package openssh (Version 5.4p1)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@ -35,8 +35,8 @@ Requires:       /bin/netstat
 PreReq:         pwdutils %insserv_prereq  %fillup_prereq coreutils permissions
 Conflicts:      nonfreessh
 AutoReqProv:    on
-Version:        5.2p1
-Release:        12
+Version:        5.4p1
+Release:        1
 %define xversion 1.2.4.1
 Summary:        Secure Shell Client and Server (Remote Login Program)
 Url:            http://www.openssh.com/
@ -51,25 +51,23 @@ Source7:        ssh.reg
 Source8:        ssh-askpass
 Source9:        sshd.fw
 Patch:          %{name}-%{version}.dif
-Patch12:        %{name}-%{version}-askpass-fix.diff
-Patch15:        %{name}-%{version}-pam-fix2.diff
-Patch18:        %{name}-%{version}-saveargv-fix.diff
-Patch19:        %{name}-%{version}-pam-fix3.diff
-Patch21:        %{name}-%{version}-gssapimitm.patch
-Patch26:        %{name}-%{version}-eal3.diff
-Patch27:        %{name}-%{version}-engines.diff
-Patch28:        %{name}-%{version}-blocksigalrm.diff
-Patch35:        %{name}-%{version}-send_locale.diff
-Patch36:        %{name}-%{version}-xauthlocalhostname.diff
-Patch37:        %{name}-%{version}-tmpdir.diff
-Patch40:        %{name}-%{version}-xauth.diff
-Patch41:        %{name}-%{version}-gcc-fix.patch
-Patch43:        %{name}-%{version}-default-protocol.diff
-Patch44:        %{name}-%{version}-audit.patch
-Patch45:        %{name}-%{version}-pts.diff
-Patch46:        %{name}-%{version}-pam-fix4.diff
-Patch48:        %{name}-%{version}-forwards.diff
-Patch49:        %{name}-%{version}-homechroot.patch
+Patch1:         %{name}-%{version}-askpass-fix.diff
+Patch2:         %{name}-%{version}-pam-fix2.diff
+Patch3:         %{name}-%{version}-saveargv-fix.diff
+Patch4:         %{name}-%{version}-pam-fix3.diff
+Patch5:         %{name}-%{version}-gssapimitm.patch
+Patch6:         %{name}-%{version}-eal3.diff
+Patch7:         %{name}-%{version}-engines.diff
+Patch8:         %{name}-%{version}-blocksigalrm.diff
+Patch9:         %{name}-%{version}-send_locale.diff
+Patch10:        %{name}-%{version}-xauthlocalhostname.diff
+Patch11:        %{name}-%{version}-tmpdir.diff
+Patch12:        %{name}-%{version}-xauth.diff
+Patch14:        %{name}-%{version}-default-protocol.diff
+Patch15:        %{name}-%{version}-audit.patch
+Patch16:        %{name}-%{version}-pts.diff
+Patch17:        %{name}-%{version}-forwards.diff
+Patch18:        %{name}-%{version}-homechroot.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %package      askpass
@ -98,28 +96,26 @@ Window System passphrase dialog for OpenSSH.
 %prep
 %setup -q -b 3 -a 1 -a 5
 %patch 
-%patch15
+%patch2
+%patch3
+%patch4
+%patch5
+%patch6 -p1
+%patch7 -p1
+%patch8
+%patch9
+%patch10
+%patch11
+%patch12
+%patch14
+%patch15 -p1
+%patch16
+%patch17
 %patch18
-%patch19
-%patch21
-%patch26 -p1
-%patch27 -p1
-%patch28
-%patch35
-%patch36
-%patch37
-%patch40
-%patch41
-%patch43
-%patch44 -p1
-%patch45
-%patch46 -p1
-%patch48
-%patch49
 cp -v %{SOURCE4} .
 cp -v %{SOURCE6} .
 cd ../x11-ssh-askpass-%{xversion}
-%patch12
+%patch1

 %build
 # This package failed when testing with -Wl,-as-needed being default.
@ -248,6 +244,7 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0755,root,root) %dir /usr/%_lib/ssh
 %attr(0755,root,root) /usr/%_lib/ssh/sftp-server
 %attr(0755,root,root) /usr/%_lib/ssh/ssh-keysign
+%attr(0755,root,root) /usr/%_lib/ssh/ssh-pkcs11-helper
 %dir /etc/slp.reg.d
 %config /etc/slp.reg.d/ssh.reg
 /var/adm/fillup-templates/sysconfig.ssh