[gsi-openssh/f17: 2/2] Based on openssh-5.9p1-26.fc17

Mattias Ellert ellert at fedoraproject.org
Mon Aug 13 17:24:52 UTC 2012


commit 325c7f335901899763f583079ae80f5d69615a58
Author: Mattias Ellert <mattias.ellert at fysast.uu.se>
Date:   Mon Aug 13 18:29:46 2012 +0200

    Based on openssh-5.9p1-26.fc17

 gsi-openssh.spec                             |   10 +-
 openssh-5.9p1-audit4.patch                   |   76 ++++++------
 openssh-5.9p1-fips.patch                     |  177 ++++++++++++++------------
 openssh-5.9p1-null-xcrypt.patch              |   17 +++
 openssh-5.9p1-privsep-selinux.patch          |   59 ++++-----
 openssh-5.9p1-required-authentications.patch |  121 +++++++++---------
 6 files changed, 245 insertions(+), 215 deletions(-)
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index 1b2f4ec..b80cdcd 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -32,12 +32,12 @@
 %global nologin 1
 
 %global openssh_ver 5.9p1
-%global openssh_rel 6
+%global openssh_rel 7
 
 Summary: An implementation of the SSH protocol with GSI authentication
 Name: gsi-openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}.1
+Release: %{openssh_rel}%{?dist}
 Provides: gsissh = %{version}-%{release}
 Obsoletes: gsissh < 5.8p2-2
 URL: http://www.openssh.com/portable.html
@@ -146,6 +146,8 @@ Patch711: openssh-5.9p1-log-usepam-no.patch
 Patch712: openssh-5.9p1-ctr-evp-fast.patch
 # add cavs test binary for the aes-ctr
 Patch713: openssh-5.9p1-ctr-cavstest.patch
+#https://bugzilla.redhat.com/show_bug.cgi?id=815993
+Patch714: openssh-5.9p1-null-xcrypt.patch
 
 #http://www.sxw.org.uk/computing/patches/openssh.html
 Patch800: openssh-5.9p1-gsskex.patch
@@ -319,6 +321,7 @@ This version of OpenSSH has been modified to support GSI authentication.
 %patch711 -p1 -b .log-usepam-no
 %patch712 -p1 -b .evp-ctr
 %patch713 -p1 -b .ctr-cavs
+%patch714 -p0 -b .null-xcrypt
 
 %patch800 -p1 -b .gsskex
 %patch801 -p1 -b .force_krb
@@ -548,6 +551,9 @@ fi
 %attr(0644,root,root) %{_unitdir}/gsisshd.service
 
 %changelog
+* Mon Aug 13 2012 Mattias Ellert <mattias.ellert at fysast.uu.se> - 5.9p1-7
+- Based on openssh-5.9p1-26.fc17
+
 * Thu Jul 19 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 5.9p1-6.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
 
diff --git a/openssh-5.9p1-audit4.patch b/openssh-5.9p1-audit4.patch
index 88dd403..1ae1e71 100644
--- a/openssh-5.9p1-audit4.patch
+++ b/openssh-5.9p1-audit4.patch
@@ -1,6 +1,6 @@
 diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
---- openssh-5.9p1/audit-bsm.c.audit4	2012-02-06 17:15:01.574908126 +0100
-+++ openssh-5.9p1/audit-bsm.c	2012-02-06 17:15:21.656095559 +0100
+--- openssh-5.9p1/audit-bsm.c.audit4	2012-07-27 14:27:56.149474798 +0200
++++ openssh-5.9p1/audit-bsm.c	2012-07-27 14:27:56.164474882 +0200
 @@ -408,4 +408,10 @@ audit_kex_body(int ctos, char *enc, char
  {
  	/* not implemented */
@@ -13,8 +13,8 @@ diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
 +}
  #endif /* BSM */
 diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
---- openssh-5.9p1/audit.c.audit4	2012-02-06 17:15:01.576787216 +0100
-+++ openssh-5.9p1/audit.c	2012-02-06 17:15:21.690032906 +0100
+--- openssh-5.9p1/audit.c.audit4	2012-07-27 14:27:56.150474804 +0200
++++ openssh-5.9p1/audit.c	2012-07-27 14:27:56.165474888 +0200
 @@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
  	PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
  }
@@ -45,8 +45,8 @@ diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
  # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
---- openssh-5.9p1/audit.h.audit4	2012-02-06 17:15:01.576787216 +0100
-+++ openssh-5.9p1/audit.h	2012-02-06 17:15:21.690876254 +0100
+--- openssh-5.9p1/audit.h.audit4	2012-07-27 14:27:56.151474810 +0200
++++ openssh-5.9p1/audit.h	2012-07-27 14:27:56.165474888 +0200
 @@ -62,5 +62,7 @@ void	audit_unsupported(int);
  void	audit_kex(int, char *, char *, char *);
  void	audit_unsupported_body(int);
@@ -56,8 +56,8 @@ diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
  
  #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
---- openssh-5.9p1/audit-linux.c.audit4	2012-02-06 17:15:01.575908525 +0100
-+++ openssh-5.9p1/audit-linux.c	2012-02-06 17:15:21.682001323 +0100
+--- openssh-5.9p1/audit-linux.c.audit4	2012-07-27 14:27:56.149474798 +0200
++++ openssh-5.9p1/audit-linux.c	2012-07-27 14:27:56.166474894 +0200
 @@ -294,6 +294,8 @@ audit_unsupported_body(int what)
  #endif
  }
@@ -109,8 +109,8 @@ diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
 +
  #endif /* USE_LINUX_AUDIT */
 diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
---- openssh-5.9p1/auditstub.c.audit4	2012-02-06 17:15:01.576787216 +0100
-+++ openssh-5.9p1/auditstub.c	2012-02-06 17:15:21.690876254 +0100
+--- openssh-5.9p1/auditstub.c.audit4	2012-07-27 14:27:56.151474810 +0200
++++ openssh-5.9p1/auditstub.c	2012-07-27 14:27:56.166474894 +0200
 @@ -27,6 +27,8 @@
   * Red Hat author: Jan F. Chadima <jchadima at redhat.com>
   */
@@ -134,8 +134,8 @@ diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
 +{
 +}
 diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
---- openssh-5.9p1/kex.c.audit4	2012-02-06 17:15:01.578907640 +0100
-+++ openssh-5.9p1/kex.c	2012-02-06 17:15:21.691785656 +0100
+--- openssh-5.9p1/kex.c.audit4	2012-07-27 14:27:56.153474822 +0200
++++ openssh-5.9p1/kex.c	2012-07-27 14:27:56.167474900 +0200
 @@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
  	fprintf(stderr, "\n");
  }
@@ -173,7 +173,7 @@ diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
 +
 diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
 --- openssh-5.9p1/kex.h.audit4	2010-09-24 14:11:14.000000000 +0200
-+++ openssh-5.9p1/kex.h	2012-02-06 17:15:21.691785656 +0100
++++ openssh-5.9p1/kex.h	2012-07-27 14:27:56.168474905 +0200
 @@ -156,6 +156,8 @@ void	 kexgex_server(Kex *);
  void	 kexecdh_client(Kex *);
  void	 kexecdh_server(Kex *);
@@ -185,7 +185,7 @@ diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
      BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
 diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
 --- openssh-5.9p1/mac.c.audit4	2011-08-17 02:29:03.000000000 +0200
-+++ openssh-5.9p1/mac.c	2012-02-06 17:15:21.692918961 +0100
++++ openssh-5.9p1/mac.c	2012-07-27 14:27:56.168474905 +0200
 @@ -168,6 +168,20 @@ mac_clear(Mac *mac)
  	mac->umac_ctx = NULL;
  }
@@ -209,16 +209,16 @@ diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
  int
 diff -up openssh-5.9p1/mac.h.audit4 openssh-5.9p1/mac.h
 --- openssh-5.9p1/mac.h.audit4	2007-06-11 06:01:42.000000000 +0200
-+++ openssh-5.9p1/mac.h	2012-02-06 17:15:21.692918961 +0100
++++ openssh-5.9p1/mac.h	2012-07-27 14:27:56.169474910 +0200
 @@ -28,3 +28,4 @@ int	 mac_setup(Mac *, char *);
  int	 mac_init(Mac *);
  u_char	*mac_compute(Mac *, u_int32_t, u_char *, int);
  void	 mac_clear(Mac *);
 +void	 mac_destroy(Mac *);
 diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
---- openssh-5.9p1/monitor.c.audit4	2012-02-06 17:15:01.579896475 +0100
-+++ openssh-5.9p1/monitor.c	2012-02-06 17:16:32.405783810 +0100
-@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer 
+--- openssh-5.9p1/monitor.c.audit4	2012-07-27 14:27:56.154474827 +0200
++++ openssh-5.9p1/monitor.c	2012-07-27 14:31:20.311655098 +0200
+@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer
  int mm_answer_audit_end_command(int, Buffer *);
  int mm_answer_audit_unsupported_body(int, Buffer *);
  int mm_answer_audit_kex_body(int, Buffer *);
@@ -226,7 +226,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
  #endif
  
  static int monitor_read_log(struct monitor *);
-@@ -242,6 +243,7 @@ struct mon_table mon_dispatch_proto20[] 
+@@ -242,6 +243,7 @@ struct mon_table mon_dispatch_proto20[]
      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
      {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
      {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@@ -242,7 +242,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
  #endif
      {0, 0, NULL}
  };
-@@ -314,6 +317,7 @@ struct mon_table mon_dispatch_proto15[] 
+@@ -314,6 +317,7 @@ struct mon_table mon_dispatch_proto15[]
      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
      {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
      {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@@ -258,8 +258,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
  #endif
      {0, 0, NULL}
  };
-@@ -451,10 +456,6 @@ monitor_child_preauth(Authctxt *_authctx
- #endif
+@@ -449,10 +454,6 @@ monitor_child_preauth(Authctxt *_authctx
+ 			authenticated = 0;
  	}
  
 -	/* Drain any buffered messages from the child */
@@ -269,7 +269,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
  	if (!authctxt->valid)
  		fatal("%s: authenticated invalid user", __func__);
  	if (strcmp(auth_method, "unknown") == 0)
-@@ -1954,11 +1955,13 @@ mm_get_keystate(struct monitor *pmonitor
+@@ -1952,11 +1953,13 @@ mm_get_keystate(struct monitor *pmonitor
  
  	blob = buffer_get_string(&m, &bloblen);
  	current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
@@ -283,7 +283,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
  	xfree(blob);
  
  	/* Now get sequence numbers for the packets */
-@@ -2004,6 +2007,21 @@ mm_get_keystate(struct monitor *pmonitor
+@@ -2002,6 +2005,21 @@ mm_get_keystate(struct monitor *pmonitor
  	}
  
  	buffer_free(&m);
@@ -305,7 +305,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
  }
  
  
-@@ -2450,4 +2468,22 @@ mm_answer_audit_kex_body(int sock, Buffe
+@@ -2448,4 +2466,22 @@ mm_answer_audit_kex_body(int sock, Buffe
  	return 0;
  }
  
@@ -329,8 +329,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 +}
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
---- openssh-5.9p1/monitor.h.audit4	2012-02-06 17:15:01.580908188 +0100
-+++ openssh-5.9p1/monitor.h	2012-02-06 17:15:21.695033617 +0100
+--- openssh-5.9p1/monitor.h.audit4	2012-07-27 14:27:56.155474832 +0200
++++ openssh-5.9p1/monitor.h	2012-07-27 14:27:56.171474920 +0200
 @@ -63,6 +63,7 @@ enum monitor_reqtype {
  	MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
  	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
@@ -340,8 +340,8 @@ diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
  	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
  	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
 diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
---- openssh-5.9p1/monitor_wrap.c.audit4	2012-02-06 17:15:01.581802928 +0100
-+++ openssh-5.9p1/monitor_wrap.c	2012-02-06 17:15:21.696033353 +0100
+--- openssh-5.9p1/monitor_wrap.c.audit4	2012-07-27 14:27:56.156474837 +0200
++++ openssh-5.9p1/monitor_wrap.c	2012-07-27 14:27:56.172474926 +0200
 @@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor
  		fatal("%s: conversion of newkeys failed", __func__);
  
@@ -378,8 +378,8 @@ diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
 +}
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
---- openssh-5.9p1/monitor_wrap.h.audit4	2012-02-06 17:15:01.582908343 +0100
-+++ openssh-5.9p1/monitor_wrap.h	2012-02-06 17:15:21.696033353 +0100
+--- openssh-5.9p1/monitor_wrap.h.audit4	2012-07-27 14:27:56.157474843 +0200
++++ openssh-5.9p1/monitor_wrap.h	2012-07-27 14:27:56.173474932 +0200
 @@ -79,6 +79,7 @@ int mm_audit_run_command(const char *);
  void mm_audit_end_command(int, const char *);
  void mm_audit_unsupported_body(int);
@@ -389,8 +389,8 @@ diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
  
  struct Session;
 diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
---- openssh-5.9p1/packet.c.audit4	2012-02-06 17:15:01.545908387 +0100
-+++ openssh-5.9p1/packet.c	2012-02-06 17:15:21.696886524 +0100
+--- openssh-5.9p1/packet.c.audit4	2012-07-27 14:27:56.099474520 +0200
++++ openssh-5.9p1/packet.c	2012-07-27 14:27:56.174474938 +0200
 @@ -60,6 +60,7 @@
  #include <signal.h>
  
@@ -584,7 +584,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
 +
 diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
 --- openssh-5.9p1/packet.h.audit4	2011-05-15 00:43:13.000000000 +0200
-+++ openssh-5.9p1/packet.h	2012-02-06 17:15:21.697874825 +0100
++++ openssh-5.9p1/packet.h	2012-07-27 14:27:56.175474944 +0200
 @@ -124,4 +124,5 @@ void	 packet_restore_state(void);
  void	*packet_get_input(void);
  void	*packet_get_output(void);
@@ -592,8 +592,8 @@ diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
 +void	 packet_destroy_all(int, int);
  #endif				/* PACKET_H */
 diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
---- openssh-5.9p1/session.c.audit4	2012-02-06 17:15:01.562908533 +0100
-+++ openssh-5.9p1/session.c	2012-02-06 17:15:21.697874825 +0100
+--- openssh-5.9p1/session.c.audit4	2012-07-27 14:27:56.130474693 +0200
++++ openssh-5.9p1/session.c	2012-07-27 14:27:56.176474950 +0200
 @@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command
  
  	/* remove hostkey from the child's memory */
@@ -605,8 +605,8 @@ diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
  	/* Force a password change */
  	if (s->authctxt->force_pwchange) {
 diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
---- openssh-5.9p1/sshd.c.audit4	2012-02-06 17:15:01.583866459 +0100
-+++ openssh-5.9p1/sshd.c	2012-02-06 17:15:21.699033720 +0100
+--- openssh-5.9p1/sshd.c.audit4	2012-07-27 14:27:56.159474855 +0200
++++ openssh-5.9p1/sshd.c	2012-07-27 14:27:56.178474961 +0200
 @@ -686,6 +686,8 @@ privsep_preauth(Authctxt *authctxt)
  	}
  }
diff --git a/openssh-5.9p1-fips.patch b/openssh-5.9p1-fips.patch
index c783f6a..6918b82 100644
--- a/openssh-5.9p1-fips.patch
+++ b/openssh-5.9p1-fips.patch
@@ -1,50 +1,6 @@
-diff -up openssh-5.9p1/Makefile.in.fips openssh-5.9p1/Makefile.in
---- openssh-5.9p1/Makefile.in.fips	2011-09-08 14:51:55.788515769 +0200
-+++ openssh-5.9p1/Makefile.in	2011-09-08 14:51:58.390439672 +0200
-@@ -142,25 +142,25 @@ libssh.a: $(LIBSSH_OBJS)
- 	$(RANLIB) $@
- 
- ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
--	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS)
-+	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS)
- 
- sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
--	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
-+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS)
- 
- scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
- 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
- 
- ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
--	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
- 
- ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
--	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
- 
- ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
--	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
- 
- ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
--	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
- 
- ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
- 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-@@ -172,7 +172,7 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh
- 	$(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
- 
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
--	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-+	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
- 
- sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
- 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 diff -up openssh-5.9p1/authfile.c.fips openssh-5.9p1/authfile.c
---- openssh-5.9p1/authfile.c.fips	2011-09-08 14:51:57.076455523 +0200
-+++ openssh-5.9p1/authfile.c	2011-09-08 14:51:58.485565698 +0200
+--- openssh-5.9p1/authfile.c.fips	2012-07-17 20:57:35.078155160 +0200
++++ openssh-5.9p1/authfile.c	2012-07-17 20:57:35.086155338 +0200
 @@ -148,8 +148,14 @@ key_private_rsa1_to_blob(Key *key, Buffe
  	/* Allocate space for the private part of the key in the buffer. */
  	cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@@ -78,22 +34,9 @@ diff -up openssh-5.9p1/authfile.c.fips openssh-5.9p1/authfile.c
  	cipher_crypt(&ciphercontext, cp,
  	    buffer_ptr(&copy), buffer_len(&copy));
  	cipher_cleanup(&ciphercontext);
-diff -up openssh-5.9p1/cipher-ctr.c.fips openssh-5.9p1/cipher-ctr.c
---- openssh-5.9p1/cipher-ctr.c.fips	2010-10-07 13:06:42.000000000 +0200
-+++ openssh-5.9p1/cipher-ctr.c	2011-09-08 14:51:58.593563819 +0200
-@@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
- 	aes_ctr.do_cipher = ssh_aes_ctr;
- #ifndef SSH_OLD_EVP
- 	aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
--	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
-+	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
-+	    EVP_CIPH_FLAG_FIPS;
- #endif
- 	return (&aes_ctr);
- }
 diff -up openssh-5.9p1/cipher.c.fips openssh-5.9p1/cipher.c
---- openssh-5.9p1/cipher.c.fips	2011-09-08 14:51:44.592501867 +0200
-+++ openssh-5.9p1/cipher.c	2011-09-08 14:51:58.700440064 +0200
+--- openssh-5.9p1/cipher.c.fips	2012-07-17 20:57:34.988153164 +0200
++++ openssh-5.9p1/cipher.c	2012-07-17 20:57:35.086155338 +0200
 @@ -40,6 +40,7 @@
  #include <sys/types.h>
  
@@ -178,9 +121,22 @@ diff -up openssh-5.9p1/cipher.c.fips openssh-5.9p1/cipher.c
  }
  
  /*
+diff -up openssh-5.9p1/cipher-ctr.c.fips openssh-5.9p1/cipher-ctr.c
+--- openssh-5.9p1/cipher-ctr.c.fips	2010-10-07 13:06:42.000000000 +0200
++++ openssh-5.9p1/cipher-ctr.c	2012-07-17 20:57:35.086155338 +0200
+@@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
+ 	aes_ctr.do_cipher = ssh_aes_ctr;
+ #ifndef SSH_OLD_EVP
+ 	aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
+-	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
++	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
++	    EVP_CIPH_FLAG_FIPS;
+ #endif
+ 	return (&aes_ctr);
+ }
 diff -up openssh-5.9p1/cipher.h.fips openssh-5.9p1/cipher.h
---- openssh-5.9p1/cipher.h.fips	2011-09-08 14:51:44.697501719 +0200
-+++ openssh-5.9p1/cipher.h	2011-09-08 14:51:58.800502283 +0200
+--- openssh-5.9p1/cipher.h.fips	2012-07-17 20:57:34.989153186 +0200
++++ openssh-5.9p1/cipher.h	2012-07-17 20:57:35.087155360 +0200
 @@ -87,7 +87,7 @@ void	 cipher_init(CipherContext *, Ciphe
      const u_char *, u_int, int);
  void	 cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
@@ -191,8 +147,8 @@ diff -up openssh-5.9p1/cipher.h.fips openssh-5.9p1/cipher.h
  u_int	 cipher_keylen(const Cipher *);
  u_int	 cipher_is_cbc(const Cipher *);
 diff -up openssh-5.9p1/key.c.fips openssh-5.9p1/key.c
---- openssh-5.9p1/key.c.fips	2011-09-08 14:51:49.002451595 +0200
-+++ openssh-5.9p1/key.c	2011-09-08 14:51:58.908501542 +0200
+--- openssh-5.9p1/key.c.fips	2012-07-17 20:57:35.007153585 +0200
++++ openssh-5.9p1/key.c	2012-07-17 20:57:35.087155360 +0200
 @@ -40,6 +40,7 @@
  #include <sys/types.h>
  
@@ -219,8 +175,8 @@ diff -up openssh-5.9p1/key.c.fips openssh-5.9p1/key.c
  	}
  	return rv;
 diff -up openssh-5.9p1/mac.c.fips openssh-5.9p1/mac.c
---- openssh-5.9p1/mac.c.fips	2011-09-08 14:51:46.755466816 +0200
-+++ openssh-5.9p1/mac.c	2011-09-08 14:51:59.029600712 +0200
+--- openssh-5.9p1/mac.c.fips	2012-07-17 20:57:34.996153341 +0200
++++ openssh-5.9p1/mac.c	2012-07-17 20:58:35.584497499 +0200
 @@ -28,6 +28,7 @@
  #include <sys/types.h>
  
@@ -246,12 +202,16 @@ diff -up openssh-5.9p1/mac.c.fips openssh-5.9p1/mac.c
  	{ "hmac-sha1",			SSH_EVP, EVP_sha1, 0, -1, -1 },
  	{ "hmac-sha1-96",		SSH_EVP, EVP_sha1, 96, -1, -1 },
  #ifdef HAVE_EVP_SHA256
-@@ -71,9 +72,15 @@ struct {
+@@ -71,9 +72,19 @@ struct {
  	{ NULL,				0, NULL, 0, -1, -1 }
  };
  
 +struct Macs fips_macs[] = {
 +	{ "hmac-sha1",			SSH_EVP, EVP_sha1, 0, -1, -1 },
++#ifdef HAVE_EVP_SHA256
++	{ "hmac-sha2-256",		SSH_EVP, EVP_sha256, 0, -1, -1 },
++	{ "hmac-sha2-512",		SSH_EVP, EVP_sha512, 0, -1, -1 },
++#endif
 +	{ NULL,				0, NULL, 0, -1, -1 }
 +};
 +
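Review bot: The FIPS MAC allow-list is now kept in two places that have to agree: `fips_macs[]` here in mac.c and the `KEX_FIPS_MAC` string in the myproposal.h hunk further down, each with its own `#ifdef HAVE_EVP_SHA256` branch. Nothing in either hunk ties them together, so a later edit to one side could leave a MAC advertised in the proposal that the table does not contain, or the reverse. I would add a comment above the table, for example `/* keep in sync with KEX_FIPS_MAC in myproposal.h */`, and the mirror comment above the macro. The code in mac_setup() that chooses between `macs[]` and `fips_macs[]` is outside this hunk, so how such a mismatch would fail at run time is inferred rather than shown.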
@@ -262,7 +222,7 @@ diff -up openssh-5.9p1/mac.c.fips openssh-5.9p1/mac.c
  	int evp_len;
  	mac->type = macs[which].type;
  	if (mac->type == SSH_EVP) {
-@@ -94,6 +101,7 @@ int
+@@ -94,6 +105,7 @@ int
  mac_setup(Mac *mac, char *name)
  {
  	int i;
@@ -270,10 +230,54 @@ diff -up openssh-5.9p1/mac.c.fips openssh-5.9p1/mac.c
  
  	for (i = 0; macs[i].name; i++) {
  		if (strcmp(name, macs[i].name) == 0) {
+diff -up openssh-5.9p1/Makefile.in.fips openssh-5.9p1/Makefile.in
+--- openssh-5.9p1/Makefile.in.fips	2012-07-17 20:57:35.069154962 +0200
++++ openssh-5.9p1/Makefile.in	2012-07-17 20:57:35.086155338 +0200
+@@ -142,25 +142,25 @@ libssh.a: $(LIBSSH_OBJS)
+ 	$(RANLIB) $@
+ 
+ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
+-	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS)
++	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS)
+ 
+ sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
+-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
++	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS)
+ 
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
+ 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ 
+ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
+-	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ 
+ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
+-	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ 
+ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
+-	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ 
+ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
+-	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ 
+ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
+ 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+@@ -172,7 +172,7 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh
+ 	$(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
+ 
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
+-	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
++	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+ 
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
+ 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 diff -up openssh-5.9p1/myproposal.h.fips openssh-5.9p1/myproposal.h
 --- openssh-5.9p1/myproposal.h.fips	2011-08-17 02:29:03.000000000 +0200
-+++ openssh-5.9p1/myproposal.h	2011-09-08 14:51:59.150503573 +0200
-@@ -97,6 +97,12 @@
++++ openssh-5.9p1/myproposal.h	2012-07-17 21:01:12.685982807 +0200
+@@ -97,6 +97,19 @@
  #define	KEX_DEFAULT_COMP	"none,zlib at openssh.com,zlib"
  #define	KEX_DEFAULT_LANG	""
  
@@ -281,14 +285,21 @@ diff -up openssh-5.9p1/myproposal.h.fips openssh-5.9p1/myproposal.h
 +	"aes128-ctr,aes192-ctr,aes256-ctr," \
 +	"aes128-cbc,3des-cbc," \
 +	"aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se"
++#ifdef HAVE_EVP_SHA256
++#define	KEX_FIPS_MAC \
++	"hmac-sha1," \
++	"hmac-sha2-256," \
++	"hmac-sha2-512"
++#else
 +#define	KEX_FIPS_MAC \
 +	"hmac-sha1"
++#endif
  
  static char *myproposal[PROPOSAL_MAX] = {
  	KEX_DEFAULT_KEX,
 diff -up openssh-5.9p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.9p1/openbsd-compat/bsd-arc4random.c
 --- openssh-5.9p1/openbsd-compat/bsd-arc4random.c.fips	2010-03-25 22:52:02.000000000 +0100
-+++ openssh-5.9p1/openbsd-compat/bsd-arc4random.c	2011-09-08 14:51:59.262439903 +0200
++++ openssh-5.9p1/openbsd-compat/bsd-arc4random.c	2012-07-17 20:57:35.087155360 +0200
 @@ -37,25 +37,18 @@
  #define REKEY_BYTES	(1 << 24)
  
@@ -346,7 +357,7 @@ diff -up openssh-5.9p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.9p1/openbs
  
 diff -up openssh-5.9p1/ssh.c.fips openssh-5.9p1/ssh.c
 --- openssh-5.9p1/ssh.c.fips	2011-08-05 22:18:16.000000000 +0200
-+++ openssh-5.9p1/ssh.c	2011-09-08 14:51:59.369485419 +0200
++++ openssh-5.9p1/ssh.c	2012-07-17 20:57:35.088155382 +0200
 @@ -73,6 +73,8 @@
  
  #include <openssl/evp.h>
@@ -410,8 +421,8 @@ diff -up openssh-5.9p1/ssh.c.fips openssh-5.9p1/ssh.c
  	if (ssh_connect(host, &hostaddr, options.port,
  	    options.address_family, options.connection_attempts, &timeout_ms,
 diff -up openssh-5.9p1/sshconnect2.c.fips openssh-5.9p1/sshconnect2.c
---- openssh-5.9p1/sshconnect2.c.fips	2011-09-08 14:51:38.333470704 +0200
-+++ openssh-5.9p1/sshconnect2.c	2011-09-08 14:51:59.474500288 +0200
+--- openssh-5.9p1/sshconnect2.c.fips	2012-07-17 20:57:34.955152432 +0200
++++ openssh-5.9p1/sshconnect2.c	2012-07-17 20:57:35.088155382 +0200
 @@ -44,6 +44,8 @@
  #include <vis.h>
  #endif
@@ -445,8 +456,8 @@ diff -up openssh-5.9p1/sshconnect2.c.fips openssh-5.9p1/sshconnect2.c
  		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
  		    options.hostkeyalgorithms;
 diff -up openssh-5.9p1/sshd.c.fips openssh-5.9p1/sshd.c
---- openssh-5.9p1/sshd.c.fips	2011-09-08 14:51:52.866451334 +0200
-+++ openssh-5.9p1/sshd.c	2011-09-08 14:57:01.982447369 +0200
+--- openssh-5.9p1/sshd.c.fips	2012-07-17 20:57:35.049154517 +0200
++++ openssh-5.9p1/sshd.c	2012-07-17 20:57:35.089155405 +0200
 @@ -76,6 +76,8 @@
  #include <openssl/bn.h>
  #include <openssl/md5.h>
@@ -456,7 +467,7 @@ diff -up openssh-5.9p1/sshd.c.fips openssh-5.9p1/sshd.c
  #include "openbsd-compat/openssl-compat.h"
  
  #ifdef HAVE_SECUREWARE
-@@ -1391,6 +1393,11 @@ main(int ac, char **av)
+@@ -1395,6 +1397,11 @@ main(int ac, char **av)
  #endif
  	__progname = ssh_get_progname(av[0]);
  
@@ -468,7 +479,7 @@ diff -up openssh-5.9p1/sshd.c.fips openssh-5.9p1/sshd.c
  	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
  	saved_argc = ac;
  	rexec_argc = ac;
-@@ -1550,8 +1557,6 @@ main(int ac, char **av)
+@@ -1554,8 +1561,6 @@ main(int ac, char **av)
  	else
  		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
  
@@ -477,7 +488,7 @@ diff -up openssh-5.9p1/sshd.c.fips openssh-5.9p1/sshd.c
  	/*
  	 * Force logging to stderr until we have loaded the private host
  	 * key (unless started from inetd)
-@@ -1669,6 +1674,10 @@ main(int ac, char **av)
+@@ -1673,6 +1678,10 @@ main(int ac, char **av)
  		debug("private host key: #%d type %d %s", i, key->type,
  		    key_type(key));
  	}
@@ -488,7 +499,7 @@ diff -up openssh-5.9p1/sshd.c.fips openssh-5.9p1/sshd.c
  	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
  		logit("Disabling protocol version 1. Could not load host key");
  		options.protocol &= ~SSH_PROTO_1;
-@@ -1833,6 +1842,10 @@ main(int ac, char **av)
+@@ -1837,6 +1846,10 @@ main(int ac, char **av)
  	/* Initialize the random number generator. */
  	arc4random_stir();
  
@@ -499,7 +510,7 @@ diff -up openssh-5.9p1/sshd.c.fips openssh-5.9p1/sshd.c
  	/* Chdir to the root directory so that the current disk can be
  	   unmounted if desired. */
  	(void) chdir("/");
-@@ -2375,6 +2388,9 @@ do_ssh2_kex(void)
+@@ -2379,6 +2392,9 @@ do_ssh2_kex(void)
  	if (options.ciphers != NULL) {
  		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -509,7 +520,7 @@ diff -up openssh-5.9p1/sshd.c.fips openssh-5.9p1/sshd.c
  	}
  	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2384,6 +2400,9 @@ do_ssh2_kex(void)
+@@ -2388,6 +2404,9 @@ do_ssh2_kex(void)
  	if (options.macs != NULL) {
  		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
  		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
diff --git a/openssh-5.9p1-null-xcrypt.patch b/openssh-5.9p1-null-xcrypt.patch
new file mode 100644
index 0000000..50f32ff
--- /dev/null
+++ b/openssh-5.9p1-null-xcrypt.patch
@@ -0,0 +1,17 @@
+Index: auth-passwd.c
+===================================================================
+RCS file: /cvs/openssh/auth-passwd.c,v
+retrieving revision 1.90
+retrieving revision 1.91
+diff -u -r1.90 -r1.91
+--- auth-passwd.c	8 Mar 2009 00:40:28 -0000	1.90
++++ auth-passwd.c	25 Apr 2012 23:51:28 -0000	1.91
+@@ -209,6 +209,7 @@
+ 	 * Authentication is accepted if the encrypted passwords
+ 	 * are identical.
+ 	 */
+-	return (strcmp(encrypted_password, pw_password) == 0);
++	return encrypted_password != NULL &&
++	    strcmp(encrypted_password, pw_password) == 0;
+ }
+ #endif
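Review bot: The new NULL guard fails closed, but it turns a NULL `encrypted_password` into an ordinary wrong-password result without leaving any trace in the log. If that pointer is the return value of the crypt wrapper (the patch name suggests so; the assignment is above the hunk), NULL means the hash could not be computed at all, which an operator triaging failed logins would want to tell apart from a bad password. A debug line before the return, for example `if (encrypted_password == NULL) debug("%s: password hashing returned NULL", __func__);`, would make that visible. `pw_password` is still passed to strcmp() unchecked in the visible lines; where it comes from is also outside the hunk.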
diff --git a/openssh-5.9p1-privsep-selinux.patch b/openssh-5.9p1-privsep-selinux.patch
index 7819a46..b81a604 100644
--- a/openssh-5.9p1-privsep-selinux.patch
+++ b/openssh-5.9p1-privsep-selinux.patch
@@ -1,40 +1,35 @@
-diff --git a/session.c b/session.c
-index 436ea48..49c9321 100644
---- a/session.c
-+++ b/session.c
-@@ -1561,6 +1561,13 @@ do_setusercontext(struct passwd *pw)
+diff -up openssh-5.9p1/session.c.privsep-selinux openssh-5.9p1/session.c
+--- openssh-5.9p1/session.c.privsep-selinux	2012-08-01 15:36:33.397565915 +0200
++++ openssh-5.9p1/session.c	2012-08-02 18:18:15.038094629 +0200
+@@ -1536,6 +1536,13 @@ do_setusercontext(struct passwd *pw)
+ 		/* Permanently switch to the desired uid. */
+ 		permanently_set_uid(pw);
  #endif
++
++#ifdef WITH_SELINUX
++		if (options.chroot_directory == NULL ||
++		    strcasecmp(options.chroot_directory, "none") == 0) {
++			ssh_selinux_copy_context();
++		}
++#endif
  	}
  
+ 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
+diff -up openssh-5.9p1/sshd.c.privsep-selinux openssh-5.9p1/sshd.c
+--- openssh-5.9p1/sshd.c.privsep-selinux	2012-08-01 16:09:22.949423356 +0200
++++ openssh-5.9p1/sshd.c	2012-08-02 18:07:22.912225684 +0200
+@@ -790,6 +790,14 @@ privsep_postauth(Authctxt *authctxt)
+ 	do_setusercontext(authctxt->pw);
+ 
+  skip:
 +#ifdef WITH_SELINUX
-+	if (options.chroot_directory == NULL ||
-+	    strcasecmp(options.chroot_directory, "none") == 0) {
++	/* switch SELinux content for root too */
++	if (authctxt->pw->pw_uid == 0 && (options.chroot_directory == NULL ||
++	    strcasecmp(options.chroot_directory, "none") == 0)) {
 +		ssh_selinux_copy_context();
 +	}
 +#endif
 +
- 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
- 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
- }
-@@ -1670,7 +1677,9 @@ do_child(Session *s, const char *command
- 		/* When PAM is enabled we rely on it to do the nologin check */
- 		if (!options.use_pam)
- 			do_nologin(pw);
--		do_setusercontext(pw);
-+		/* We are already separated */
-+		if (!use_privsep)
-+			do_setusercontext(pw);
- 		/*
- 		 * PAM session modules in do_setusercontext may have
- 		 * generated messages, so if this in an interactive
-@@ -1791,8 +1800,8 @@ do_child(Session *s, const char *command
- 		optind = optreset = 1;
- 		__progname = argv[0];
- #ifdef WITH_SELINUX
--		if (options.chroot_directory == NULL ||
--		    strcasecmp(options.chroot_directory, "none") == 0) {
-+		if (!use_privsep &&
-+		    (options.chroot_directory == NULL || strcasecmp(options.chroot_directory, "none") == 0)) {
- 			ssh_selinux_copy_context();
- 		}
- #endif
+ 	/* It is safe now to apply the key state */
+ 	monitor_apply_keystate(pmonitor);
+ 
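Review bot: The comment added in privsep_postauth(), `/* switch SELinux content for root too */`, has a typo ("content" for "context") and does not say why root needs its own call. In the visible lines the call sits after the `skip:` label, below `do_setusercontext(authctxt->pw);`, so it presumably covers the path that jumps past do_setusercontext(); a comment such as `/* root skips do_setusercontext() above, so copy the SELinux context here */` would record that once it is confirmed against the jump condition, which is outside the hunk. The chroot test `options.chroot_directory == NULL || strcasecmp(options.chroot_directory, "none") == 0` is now written out in both session.c and sshd.c, and a small shared predicate would keep the two sites from drifting apart. Neither call site checks a result from ssh_selinux_copy_context(), so whether a failed transition leaves the session running in the daemon's context depends on that function's body, which is not shown here.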
diff --git a/openssh-5.9p1-required-authentications.patch b/openssh-5.9p1-required-authentications.patch
index 491069a..cecbffc 100644
--- a/openssh-5.9p1-required-authentications.patch
+++ b/openssh-5.9p1-required-authentications.patch
@@ -1,6 +1,6 @@
 diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
---- openssh-5.9p1/auth.c.required-authentication	2012-03-30 18:37:59.990184619 +0200
-+++ openssh-5.9p1/auth.c	2012-03-30 18:38:00.003189876 +0200
+--- openssh-5.9p1/auth.c.required-authentication	2012-07-27 12:21:41.181601972 +0200
++++ openssh-5.9p1/auth.c	2012-07-27 12:21:41.203602020 +0200
 @@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
  }
  
@@ -92,7 +92,7 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
 +}
 diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
 --- openssh-5.9p1/auth.h.required-authentication	2011-05-29 13:39:38.000000000 +0200
-+++ openssh-5.9p1/auth.h	2012-03-30 18:38:00.003189876 +0200
++++ openssh-5.9p1/auth.h	2012-07-27 12:21:41.204602022 +0200
 @@ -142,10 +142,11 @@ void disable_forwarding(void);
  void	do_authentication(Authctxt *);
  void	do_authentication2(Authctxt *);
@@ -122,8 +122,8 @@ diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
  
 diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 --- openssh-5.9p1/auth1.c.required-authentication	2010-08-31 14:36:39.000000000 +0200
-+++ openssh-5.9p1/auth1.c	2012-03-30 18:38:00.004189905 +0200
-@@ -98,6 +98,54 @@ static const struct AuthMethod1
++++ openssh-5.9p1/auth1.c	2012-07-27 12:50:50.708706675 +0200
+@@ -98,6 +98,55 @@ static const struct AuthMethod1
  	return (NULL);
  }
  
@@ -160,6 +160,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 +			debug("auth1_check_required: unknown method "
 +			    "\"%s\"", cp);
 +			ret = -1;
++			break;
 +		}
 +		if (*(m->enabled) == 0) {
 +			debug("auth1_check_required: method %s explicitly "
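Review bot: The added `break` in the unknown-method branch of auth1_check_required deserves a comment, because it appears to be the only thing keeping the following `*(m->enabled)` test from dereferencing a failed lookup result. The condition guarding that branch is outside this hunk, so this assumes `m` is NULL there. Something like `/* lookup failed, m is unusable: stop before the enabled check */` above the `break` would keep a later cleanup from dropping it.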
@@ -178,7 +179,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
  static char *
  get_authname(int type)
  {
-@@ -237,6 +285,7 @@ do_authloop(Authctxt *authctxt)
+@@ -237,6 +286,7 @@ do_authloop(Authctxt *authctxt)
  {
  	int authenticated = 0;
  	char info[1024];
@@ -186,7 +187,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
  	int prev = 0, type = 0;
  	const struct AuthMethod1 *meth;
  
-@@ -244,7 +293,7 @@ do_authloop(Authctxt *authctxt)
+@@ -244,7 +294,7 @@ do_authloop(Authctxt *authctxt)
  	    authctxt->valid ? "" : "invalid user ", authctxt->user);
  
  	/* If the user has no password, accept authentication immediately. */
@@ -195,7 +196,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
  #ifdef KRB5
  	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
  #endif
-@@ -253,7 +302,7 @@ do_authloop(Authctxt *authctxt)
+@@ -253,7 +303,7 @@ do_authloop(Authctxt *authctxt)
  		if (options.use_pam && (PRIVSEP(do_pam_account())))
  #endif
  		{
@@ -204,7 +205,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
  			return;
  		}
  	}
-@@ -272,6 +321,7 @@ do_authloop(Authctxt *authctxt)
+@@ -272,6 +322,7 @@ do_authloop(Authctxt *authctxt)
  		/* Get a packet from the client. */
  		prev = type;
  		type = packet_read();
@@ -212,7 +213,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
  
  		/*
  		 * If we started challenge-response authentication but the
-@@ -287,8 +337,8 @@ do_authloop(Authctxt *authctxt)
+@@ -287,8 +338,8 @@ do_authloop(Authctxt *authctxt)
  		if (authctxt->failures >= options.max_authtries)
  			goto skip;
  		if ((meth = lookup_authmethod1(type)) == NULL) {
@@ -223,7 +224,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
  			goto skip;
  		}
  
-@@ -297,6 +347,17 @@ do_authloop(Authctxt *authctxt)
+@@ -297,6 +348,17 @@ do_authloop(Authctxt *authctxt)
  			goto skip;
  		}
  
@@ -241,7 +242,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
  		authenticated = meth->method(authctxt, info, sizeof(info));
  		if (authenticated == -1)
  			continue; /* "postponed" */
-@@ -352,7 +413,29 @@ do_authloop(Authctxt *authctxt)
+@@ -352,7 +414,29 @@ do_authloop(Authctxt *authctxt)
  
   skip:
  		/* Log before sending the reply */
@@ -251,7 +252,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 +		/* Loop until the required authmethods are done */
 +		if (authenticated && options.required_auth1 != NULL) {
 +			if (auth_remove_from_list(&options.required_auth1,
-+			    meth_name) != 1)
++			    meth_name) == 0)
 +				fatal("INTERNAL ERROR: authenticated method "
 +				    "\"%s\" not in required list \"%s\"",
 +				    meth_name, options.required_auth1);
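Review bot: The relaxed test `== 0` on auth_remove_from_list in do_authloop accepts any non-zero return as a successful removal, and the helper's return contract is not visible here; the same change is made in userauth_finish (auth2.c) and monitor_child_preauth (monitor.c). If the helper returns a count, a method listed more than once in the required list is cleared by a single success, and if it can ever return a negative value that would also pass. A one-line comment at each call stating the contract, for example `/* returns the number of entries removed; 0 means the method was not required */` once confirmed against the helper, would make the intent checkable. do_authloop's body continues outside the hunk.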
@@ -272,7 +273,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
  
  		if (client_user != NULL) {
  			xfree(client_user);
-@@ -368,6 +451,7 @@ do_authloop(Authctxt *authctxt)
+@@ -368,6 +452,7 @@ do_authloop(Authctxt *authctxt)
  #endif
  			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
  		}
@@ -282,7 +283,7 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
  		packet_send();
 diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
 --- openssh-5.9p1/auth2.c.required-authentication	2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2.c	2012-03-30 18:38:04.560122485 +0200
++++ openssh-5.9p1/auth2.c	2012-07-27 12:51:59.048241612 +0200
 @@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
  {
  	Authctxt *authctxt = ctxt;
@@ -331,7 +332,7 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
  
  	if (!authctxt->valid && authenticated)
  		fatal("INTERNAL ERROR: authenticated invalid user %s",
-@@ -330,12 +339,42 @@ userauth_finish(Authctxt *authctxt, int 
+@@ -330,12 +339,42 @@ userauth_finish(Authctxt *authctxt, int
  #endif /* _UNICOS */
  
  	/* Log before sending the reply */
@@ -347,7 +348,7 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
 +		if ((m = authmethod_lookup(method)) == NULL)
 +			fatal("INTERNAL ERROR: authenticated method "
 +			    "\"%s\" unknown", method);
-+		if (auth_remove_from_list(&options.required_auth2, method) != 1)
++		if (auth_remove_from_list(&options.required_auth2, method) == 0)
 +			fatal("INTERNAL ERROR: authenticated method "
 +			    "\"%s\" not in required list \"%s\"", 
 +			    method, options.required_auth2);
@@ -376,7 +377,7 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
  	if (authenticated == 1) {
  		/* turn off userauth */
  		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
-@@ -345,7 +384,6 @@ userauth_finish(Authctxt *authctxt, int 
+@@ -345,7 +384,6 @@ userauth_finish(Authctxt *authctxt, int
  		/* now we can break out */
  		authctxt->success = 1;
  	} else {
@@ -384,7 +385,7 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
  		/* Allow initial try of "none" auth without failure penalty */
  		if (!authctxt->server_caused_failure &&
  		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))
-@@ -356,10 +394,11 @@ userauth_finish(Authctxt *authctxt, int 
+@@ -356,10 +394,11 @@ userauth_finish(Authctxt *authctxt, int
  #endif
  			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
  		}
@@ -453,7 +454,7 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
 +
 diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
 --- openssh-5.9p1/auth2-gss.c.required-authentication	2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2-gss.c	2012-03-30 18:38:00.005184630 +0200
++++ openssh-5.9p1/auth2-gss.c	2012-07-27 12:21:41.206602026 +0200
 @@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
  		}
  		authctxt->postponed = 0;
@@ -483,7 +484,7 @@ diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-g
  Authmethod method_gssapi = {
 diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
 --- openssh-5.9p1/auth2-chall.c.required-authentication	2009-01-28 06:13:39.000000000 +0100
-+++ openssh-5.9p1/auth2-chall.c	2012-03-30 19:25:49.049897712 +0200
++++ openssh-5.9p1/auth2-chall.c	2012-07-27 12:21:41.206602026 +0200
 @@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
  			auth2_challenge_start(authctxt);
  		}
@@ -496,7 +497,7 @@ diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2
  
 diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
 --- openssh-5.9p1/auth2-none.c.required-authentication	2010-06-26 02:01:33.000000000 +0200
-+++ openssh-5.9p1/auth2-none.c	2012-03-30 18:38:00.006184515 +0200
++++ openssh-5.9p1/auth2-none.c	2012-07-27 12:21:41.207602028 +0200
 @@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
  {
  	none_enabled = 0;
@@ -507,8 +508,8 @@ diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-
  	return (0);
  }
 diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
---- openssh-5.9p1/monitor.c.required-authentication	2012-03-30 18:37:59.976189954 +0200
-+++ openssh-5.9p1/monitor.c	2012-03-30 18:38:04.555127442 +0200
+--- openssh-5.9p1/monitor.c.required-authentication	2012-07-27 12:21:41.161601930 +0200
++++ openssh-5.9p1/monitor.c	2012-07-27 12:51:18.884927066 +0200
 @@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
  static char *hostbased_cuser = NULL;
  static char *hostbased_chost = NULL;
@@ -517,12 +518,10 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  static u_int session_id2_len = 0;
  static u_char *session_id2 = NULL;
  static pid_t monitor_child_pid;
-@@ -352,7 +353,8 @@ void
- monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+@@ -353,6 +354,7 @@ monitor_child_preauth(Authctxt *_authctx
  {
  	struct mon_table *ent;
--	int authenticated = 0;
-+	int no_increment, authenticated = 0;
+ 	int authenticated = 0;
 +	char **req_auth;
  
  	debug3("preauth child monitor started");
@@ -542,43 +541,45 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  
  		monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
  	}
-@@ -380,6 +384,8 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -380,6 +384,7 @@ monitor_child_preauth(Authctxt *_authctx
  	/* The first few requests do not require asynchronous access */
  	while (!authenticated) {
  		auth_method = "unknown";
 +		auth_submethod = NULL;
-+		no_increment = 1;
  		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
  		if (authenticated) {
  			if (!(ent->flags & MON_AUTHDECIDE))
-@@ -401,11 +407,24 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -401,10 +406,19 @@ monitor_child_preauth(Authctxt *_authctx
  			}
  #endif
  		}
 +		/* Loop until the required authmethods are done */
 +		if (authenticated && *req_auth != NULL) {
-+			if (auth_remove_from_list(req_auth, auth_method) != 1)
++			if (auth_remove_from_list(req_auth, auth_method) == 0)
 +				fatal("INTERNAL ERROR: authenticated method "
 +				    "\"%s\" not in required list \"%s\"",
 +				    auth_method, *req_auth);
 +			debug2("monitor_child_preauth: required list now: %s",
 +			    *req_auth == NULL ? "DONE" : *req_auth);
-+			if (*req_auth != NULL) {
-+				authenticated = 0;
-+				no_increment = 1;
-+			}
 +		}
  
  		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
  			auth_log(authctxt, authenticated, auth_method,
 -			    compat20 ? " ssh2" : "");
--			if (!authenticated)
 +				 auth_submethod, compat20 ? " ssh2" : "");
-+			if (!authenticated && !no_increment)
+ 			if (!authenticated)
  				authctxt->failures++;
  		}
- #ifdef JPAKE
-@@ -862,6 +881,7 @@ mm_answer_authpassword(int sock, Buffer 
+@@ -417,6 +431,8 @@ monitor_child_preauth(Authctxt *_authctx
+ 			}
+ 		}
+ #endif
++		if (*req_auth != NULL)
++			authenticated = 0;
+ 	}
+ 
+ 	/* Drain any buffered messages from the child */
+@@ -862,6 +878,7 @@ mm_answer_authpassword(int sock, Buffer
  		auth_method = "none";
  	else
  		auth_method = "password";
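Review bot: The reset `if (*req_auth != NULL) authenticated = 0;` now sits at the very bottom of the loop body in monitor_child_preauth, so from a partial success until that line `authenticated` is 1 while required methods are still outstanding. Any path that reaches the `while (!authenticated)` test without passing the reset (a `continue`, or code later added below it) would leave the pre-auth loop early; the loop body extends beyond this hunk, so that cannot be ruled out from here. I would put a comment directly above the reset, `/* partial success is logged above as a success; stay in the loop until every required method is done */`, so the ordering is not disturbed by later edits.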
@@ -586,7 +587,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  
  	/* Causes monitor loop to terminate if authenticated */
  	return (authenticated);
-@@ -921,6 +941,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
+@@ -921,6 +938,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
  	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
  
  	auth_method = "bsdauth";
@@ -594,7 +595,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  
  	return (authok != 0);
  }
-@@ -970,6 +991,7 @@ mm_answer_skeyrespond(int sock, Buffer *
+@@ -970,6 +988,7 @@ mm_answer_skeyrespond(int sock, Buffer *
  	mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
  
  	auth_method = "skey";
@@ -602,7 +603,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  
  	return (authok != 0);
  }
-@@ -1059,7 +1081,8 @@ mm_answer_pam_query(int sock, Buffer *m)
+@@ -1059,7 +1078,8 @@ mm_answer_pam_query(int sock, Buffer *m)
  		xfree(prompts);
  	if (echo_on != NULL)
  		xfree(echo_on);
@@ -612,7 +613,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
  	return (0);
  }
-@@ -1088,7 +1111,8 @@ mm_answer_pam_respond(int sock, Buffer *
+@@ -1088,7 +1108,8 @@ mm_answer_pam_respond(int sock, Buffer *
  	buffer_clear(m);
  	buffer_put_int(m, ret);
  	mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
@@ -622,7 +623,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  	if (ret == 0)
  		sshpam_authok = sshpam_ctxt;
  	return (0);
-@@ -1102,7 +1126,8 @@ mm_answer_pam_free_ctx(int sock, Buffer 
+@@ -1102,7 +1123,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
  	(sshpam_device.free_ctx)(sshpam_ctxt);
  	buffer_clear(m);
  	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
@@ -632,7 +633,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  	return (sshpam_authok == sshpam_ctxt);
  }
  #endif
-@@ -1138,6 +1163,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1138,6 +1160,7 @@ mm_answer_keyallowed(int sock, Buffer *m
  			allowed = options.pubkey_authentication &&
  			    user_key_allowed(authctxt->pw, key);
  			auth_method = "publickey";
@@ -640,7 +641,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  			if (options.pubkey_authentication && allowed != 1)
  				auth_clear_options();
  			break;
-@@ -1146,6 +1172,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1146,6 +1169,7 @@ mm_answer_keyallowed(int sock, Buffer *m
  			    hostbased_key_allowed(authctxt->pw,
  			    cuser, chost, key);
  			auth_method = "hostbased";
@@ -648,7 +649,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  			break;
  		case MM_RSAHOSTKEY:
  			key->type = KEY_RSA1; /* XXX */
-@@ -1155,6 +1182,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1155,6 +1179,7 @@ mm_answer_keyallowed(int sock, Buffer *m
  			if (options.rhosts_rsa_authentication && allowed != 1)
  				auth_clear_options();
  			auth_method = "rsa";
@@ -656,7 +657,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  			break;
  		default:
  			fatal("%s: unknown key type %d", __func__, type);
-@@ -1180,7 +1208,8 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1180,7 +1205,8 @@ mm_answer_keyallowed(int sock, Buffer *m
  		hostbased_chost = chost;
  	} else {
  		/* Log failed attempt */
@@ -666,7 +667,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  		xfree(blob);
  		xfree(cuser);
  		xfree(chost);
-@@ -1356,6 +1385,7 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1356,6 +1382,7 @@ mm_answer_keyverify(int sock, Buffer *m)
  	xfree(data);
  
  	auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
@@ -674,7 +675,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  
  	monitor_reset_key_state();
  
-@@ -1545,6 +1575,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
+@@ -1545,6 +1572,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
  	debug3("%s entering", __func__);
  
  	auth_method = "rsa";
@@ -682,7 +683,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  	if (options.rsa_authentication && authctxt->valid) {
  		if ((client_n = BN_new()) == NULL)
  			fatal("%s: BN_new", __func__);
-@@ -1650,6 +1681,7 @@ mm_answer_rsa_response(int sock, Buffer 
+@@ -1650,6 +1678,7 @@ mm_answer_rsa_response(int sock, Buffer
  	xfree(response);
  
  	auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
@@ -690,7 +691,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  
  	/* reset state */
  	BN_clear_free(ssh1_challenge);
-@@ -2099,6 +2131,7 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2099,6 +2128,7 @@ mm_answer_gss_userok(int sock, Buffer *m
  	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
  
  	auth_method = "gssapi-with-mic";
@@ -698,7 +699,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  
  	/* Monitor loop will terminate if authenticated */
  	return (authenticated);
-@@ -2303,6 +2336,7 @@ mm_answer_jpake_check_confirm(int sock, 
+@@ -2303,6 +2333,7 @@ mm_answer_jpake_check_confirm(int sock,
  	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
  
  	auth_method = "jpake-01 at openssh.com";
@@ -707,8 +708,8 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
  }
  
 diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
---- openssh-5.9p1/servconf.c.required-authentication	2012-03-30 18:37:59.981184513 +0200
-+++ openssh-5.9p1/servconf.c	2012-03-30 18:38:04.558121635 +0200
+--- openssh-5.9p1/servconf.c.required-authentication	2012-07-27 12:21:41.167601942 +0200
++++ openssh-5.9p1/servconf.c	2012-07-27 12:21:41.209602032 +0200
 @@ -42,6 +42,8 @@
  #include "key.h"
  #include "kex.h"
@@ -718,7 +719,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
  #include "match.h"
  #include "channels.h"
  #include "groupaccess.h"
-@@ -129,6 +131,8 @@ initialize_server_options(ServerOptions 
+@@ -129,6 +131,8 @@ initialize_server_options(ServerOptions
  	options->num_authkeys_files = 0;
  	options->num_accept_env = 0;
  	options->permit_tun = -1;
@@ -780,7 +781,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
  		goto parse_int;
 diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
 --- openssh-5.9p1/servconf.h.required-authentication	2011-06-23 00:30:03.000000000 +0200
-+++ openssh-5.9p1/servconf.h	2012-03-30 18:38:00.009184624 +0200
++++ openssh-5.9p1/servconf.h	2012-07-27 12:21:41.210602035 +0200
 @@ -154,6 +154,9 @@ typedef struct {
  	u_int num_authkeys_files;	/* Files containing public keys */
  	char   *authorized_keys_files[MAX_AUTHKEYS_FILES];
@@ -793,7 +794,7 @@ diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf
  	int	use_pam;		/* Enable auth via PAM */
 diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
 --- openssh-5.9p1/sshd_config.5.required-authentication	2011-08-05 22:17:33.000000000 +0200
-+++ openssh-5.9p1/sshd_config.5	2012-03-30 18:38:00.009184624 +0200
++++ openssh-5.9p1/sshd_config.5	2012-07-27 12:38:47.607222070 +0200
 @@ -723,6 +723,8 @@ Available keywords are
  .Cm PermitOpen ,
  .Cm PermitRootLogin ,
@@ -808,7 +809,7 @@ diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_
  Note that if this file is not readable, then public key authentication will
  be refused for all users.
 +.It Cm RequiredAuthentications[12]
-+ Requires two authentication methods to succeed before authorizing the connection.
++ Specifies required methods of authentications that has to succeed before authorizing the connection.
 + (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
 +
 + RequiredAuthentications1 method[,method...] 

