[gsi-openssh/f18] Based on openssh-6.1p1-1.fc18
Mattias Ellert
ellert at fedoraproject.org
Tue Sep 18 08:11:45 UTC 2012
commit edfa524229447177c47f6e4a5e8eb4e6a813b029
Author: Mattias Ellert <mattias.ellert at fysast.uu.se>
Date: Tue Sep 18 10:05:50 2012 +0200
Based on openssh-6.1p1-1.fc18
gsi-openssh.spec | 54 +--
openssh-5.9p1-null-xcrypt.patch | 17 -
openssh-5.9p1-privsep-selinux.patch | 35 --
openssh-5.9p1-akc.patch => openssh-6.1p1-akc.patch | 103 +++---
...pass-ld.patch => openssh-6.1p1-askpass-ld.patch | 14 +-
...-coverity.patch => openssh-6.1p1-coverity.patch | 456 +++++++++-----------
....0p1-gsissh.patch => openssh-6.1p1-gsissh.patch | 332 +++++++-------
....9p1-gsskex.patch => openssh-6.1p1-gsskex.patch | 387 +++++++++++-------
...p1-kuserok.patch => openssh-6.1p1-kuserok.patch | 82 ++--
...m-no.patch => openssh-6.1p1-log-usepam-no.patch | 20 +-
openssh-6.1p1-privsep-selinux.patch | 39 ++
...=> openssh-6.1p1-required-authentications.patch | 114 +++---
....9p1-vendor.patch => openssh-6.1p1-vendor.patch | 89 ++--
sources | 2 +-
14 files changed, 889 insertions(+), 855 deletions(-)
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index 3765823..6cb1deb 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -31,7 +31,7 @@
# Whether or not /sbin/nologin exists.
%global nologin 1
-%global openssh_ver 6.0p1
+%global openssh_ver 6.1p1
%global openssh_rel 1
Summary: An implementation of the SSH protocol with GSI authentication
@@ -55,7 +55,7 @@ Source13: gsisshd-keygen
Source99: README.sshd-and-gsisshd
#?
-Patch100: openssh-5.9p1-coverity.patch
+Patch100: openssh-6.1p1-coverity.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1872
Patch101: openssh-5.8p1-fingerprint.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
@@ -64,7 +64,7 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1889
Patch103: openssh-5.8p1-packet.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=983
-Patch104: openssh-5.9p1-required-authentications.patch
+Patch104: openssh-6.1p1-required-authentications.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch200: openssh-5.8p1-audit0.patch
@@ -84,10 +84,10 @@ Patch400: openssh-6.0p1-role-mls.patch
#?
Patch402: openssh-5.9p1-sftp-chroot.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
-Patch404: openssh-5.9p1-privsep-selinux.patch
+Patch404: openssh-6.1p1-privsep-selinux.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1663
-Patch500: openssh-5.9p1-akc.patch
+Patch500: openssh-6.1p1-akc.patch
#?-- unwanted child :(
Patch501: openssh-6.0p1-ldap.patch
#?
@@ -108,7 +108,7 @@ Patch606: openssh-5.9p1-ipv6man.patch
#?
Patch607: openssh-5.8p2-sigpipe.patch
#?
-Patch608: openssh-5.8p2-askpass-ld.patch
+Patch608: openssh-6.1p1-askpass-ld.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1789
Patch609: openssh-5.5p1-x11.patch
@@ -131,35 +131,33 @@ Patch707: openssh-5.9p1-redhat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
Patch708: openssh-6.0p1-entropy.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
-Patch709: openssh-5.9p1-vendor.patch
+Patch709: openssh-6.1p1-vendor.patch
#?
Patch710: openssh-5.9p1-copy-id-restorecon.patch
# warn users for unsupported UsePAM=no (#757545)
-Patch711: openssh-5.9p1-log-usepam-no.patch
+Patch711: openssh-6.1p1-log-usepam-no.patch
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
Patch712: openssh-5.9p1-ctr-evp-fast.patch
# add cavs test binary for the aes-ctr
Patch713: openssh-5.9p1-ctr-cavstest.patch
-#https://bugzilla.redhat.com/show_bug.cgi?id=815993
-Patch714: openssh-5.9p1-null-xcrypt.patch
#http://www.sxw.org.uk/computing/patches/openssh.html
-Patch800: openssh-5.9p1-gsskex.patch
+Patch800: openssh-6.1p1-gsskex.patch
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
Patch801: openssh-5.8p2-force_krb.patch
#?
Patch900: openssh-5.8p1-gssapi-canohost.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
-Patch901: openssh-5.9p1-kuserok.patch
+Patch901: openssh-6.1p1-kuserok.patch
#---
#https://bugzilla.mindrot.org/show_bug.cgi?id=1604
# sctp
#https://bugzilla.mindrot.org/show_bug.cgi?id=1873 => https://bugzilla.redhat.com/show_bug.cgi?id=668993
# This is the patch that adds GSI support
-# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-6.0p1.patch
-Patch98: openssh-6.0p1-gsissh.patch
+# Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-6.1p1.patch
+Patch98: openssh-6.1p1-gsissh.patch
License: BSD
Group: Applications/Internet
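Review bot: Patch714 (`openssh-5.9p1-null-xcrypt.patch`, tracked as bugzilla.redhat.com #815993) is removed here and its `%patch714` line is removed in the %prep hunk, but the new changelog entry says only "Based on openssh-6.1p1-1.fc18". Judging by its name, the patch guarded password checking against a NULL result from xcrypt; that is inferred, since the patch body is not shown. Please confirm that 6.1p1 carries an equivalent check upstream and record the removal, for example `- Drop openssh-5.9p1-null-xcrypt.patch (fixed upstream)` in the changelog. That way a later rebase does not have to rediscover why an authentication-path fix disappeared.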
@@ -312,7 +310,6 @@ This version of OpenSSH has been modified to support GSI authentication.
%patch711 -p1 -b .log-usepam-no
%patch712 -p1 -b .evp-ctr
%patch713 -p1 -b .ctr-cavs
-%patch714 -p0 -b .null-xcrypt
%patch800 -p1 -b .gsskex
%patch801 -p1 -b .force_krb
@@ -364,8 +361,8 @@ fi
--libexecdir=%{_libexecdir}/gsissh \
--datadir=%{_datadir}/gsissh \
--with-tcp-wrappers \
- --with-default-path=/usr/local/bin:/bin:/usr/bin \
- --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
+ --with-default-path=/usr/local/bin:/usr/bin \
+ --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
--with-privsep-path=%{_var}/empty/gsisshd \
--enable-vendor-patchlevel="FC-%{version}-%{release}" \
--disable-strip \
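Review bot: Dropping `/bin` and `/sbin` from `--with-default-path` and `--with-superuser-path` is only correct where those directories are symlinks into `/usr`, and nothing in the spec records that assumption. A comment above the configure invocation would make it explicit, for example `# /bin and /sbin are symlinks into /usr on this release, so they are not listed in the compiled-in paths`. Without it, the change could be carried to a branch with a split layout, where sessions started by gsisshd would lose the commands that live only in /bin and /sbin. The configure invocation starts and ends outside this hunk.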
@@ -474,23 +471,13 @@ getent passwd sshd >/dev/null || \
%endif
%post server
-if [ $1 -eq 1 ] ; then
- /bin/systemctl daemon-reload >/dev/null 2>&1 || :
-fi
-
-%postun server
-/bin/systemctl daemon-reload >/dev/null 2>&1 || :
-if [ $1 -ge 1 ] ; then
- # Package upgrade, not uninstall
- /bin/systemctl try-restart gsisshd.service >/dev/null 2>&1 || :
-fi
+%systemd_post gsisshd.service
%preun server
-if [ $1 -eq 0 ] ; then
- # Package removal, not upgrade
- /bin/systemctl --no-reload disable gsisshd.service > /dev/null 2>&1 || :
- /bin/systemctl stop gsisshd.service > /dev/null 2>&1 || :
-fi
+%systemd_preun gsisshd.service
+
+%postun server
+%systemd_postun_with_restart gsisshd.service
%triggerun server -- gsi-openssh-server < 5.8p2-1
/usr/bin/systemd-sysv-convert --save gsisshd >/dev/null 2>&1 || :
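Review bot: The three server scriptlets now consist only of `%systemd_post`, `%systemd_preun` and `%systemd_postun_with_restart`, so they depend on those macros being defined when the package is built. If they are undefined, rpm leaves the macro text unexpanded in the scriptlet, and the service is then neither disabled on removal nor restarted on upgrade. An sshd that is not restarted after a security update keeps running the old binary. No change to the build or scriptlet dependencies is visible in this diff, so please confirm that the spec already has something like `BuildRequires: systemd-units` and the matching `Requires(post)`, `Requires(preun)` and `Requires(postun)` lines.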
@@ -543,6 +530,9 @@ fi
%attr(0644,root,root) %{_unitdir}/gsisshd.service
%changelog
+* Tue Sep 18 2012 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.1p1-1
+- Based on openssh-6.1p1-1.fc18
+
* Mon Aug 13 2012 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.0p1-1
- Based on openssh-6.0p1-1.fc18
diff --git a/openssh-5.9p1-akc.patch b/openssh-6.1p1-akc.patch
similarity index 81%
rename from openssh-5.9p1-akc.patch
rename to openssh-6.1p1-akc.patch
index e50098f..49fa169 100644
--- a/openssh-5.9p1-akc.patch
+++ b/openssh-6.1p1-akc.patch
@@ -1,6 +1,6 @@
-diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
---- openssh-5.9p1/auth2-pubkey.c.akc 2012-02-06 20:47:36.641814218 +0100
-+++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 20:47:36.665095838 +0100
+diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
+--- openssh-6.1p1/auth2-pubkey.c.akc 2012-09-14 20:20:48.459445650 +0200
++++ openssh-6.1p1/auth2-pubkey.c 2012-09-14 20:20:48.520446072 +0200
@@ -27,6 +27,7 @@
#include <sys/types.h>
@@ -9,7 +9,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
#include <fcntl.h>
#include <pwd.h>
-@@ -276,27 +277,15 @@ match_principals_file(char *file, struct
+@@ -277,27 +278,15 @@ match_principals_file(char *file, struct
/* return 1 if user allows given key */
static int
@@ -38,7 +38,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
found_key = 0;
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
-@@ -389,8 +378,6 @@ user_key_allowed2(struct passwd *pw, Key
+@@ -390,8 +379,6 @@ user_key_allowed2(struct passwd *pw, Key
break;
}
}
@@ -47,7 +47,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
key_free(found);
if (!found_key)
debug2("key not found");
-@@ -452,13 +439,191 @@ user_cert_trusted_ca(struct passwd *pw,
+@@ -453,13 +440,191 @@ user_cert_trusted_ca(struct passwd *pw,
return ret;
}
@@ -240,10 +240,10 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
if (auth_key_is_revoked(key))
return 0;
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
-diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
---- openssh-5.9p1/configure.ac.akc 2012-02-06 20:47:36.656046570 +0100
-+++ openssh-5.9p1/configure.ac 2012-02-06 20:47:36.666095176 +0100
-@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit],
+diff -up openssh-6.1p1/configure.ac.akc openssh-6.1p1/configure.ac
+--- openssh-6.1p1/configure.ac.akc 2012-07-06 03:49:29.000000000 +0200
++++ openssh-6.1p1/configure.ac 2012-09-14 20:20:48.525446106 +0200
+@@ -1512,6 +1512,18 @@ AC_ARG_WITH([audit],
esac ]
)
@@ -262,7 +262,7 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS([ \
arc4random \
-@@ -4239,6 +4251,7 @@ echo " SELinux support
+@@ -4407,6 +4419,7 @@ echo " SELinux support
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
@@ -270,10 +270,10 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
-diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
---- openssh-5.9p1/servconf.c.akc 2012-02-06 20:47:36.573033521 +0100
-+++ openssh-5.9p1/servconf.c 2012-02-06 20:47:36.667106367 +0100
-@@ -136,6 +136,8 @@ initialize_server_options(ServerOptions
+diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
+--- openssh-6.1p1/servconf.c.akc 2012-09-14 20:20:48.138443423 +0200
++++ openssh-6.1p1/servconf.c 2012-09-14 20:27:34.546107295 +0200
+@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
@@ -282,18 +282,18 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
options->zero_knowledge_password_authentication = -1;
options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL;
-@@ -329,6 +331,7 @@ typedef enum {
+@@ -334,6 +336,7 @@ typedef enum {
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
- sKexAlgorithms, sIPQoS,
+ sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs,
sDeprecated, sUnsupported
} ServerOpCodes;
-@@ -455,6 +458,13 @@ static struct {
- { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
+@@ -461,6 +464,14 @@ static struct {
{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
+ { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
+ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL },
@@ -301,12 +301,13 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
+ { "authorizedkeyscommand", sUnsupported, SSHCFG_ALL },
+ { "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL },
+#endif
++
{ NULL, sBadOption, 0 }
};
-@@ -1430,6 +1440,24 @@ process_server_config_line(ServerOptions
+@@ -1532,6 +1543,24 @@ process_server_config_line(ServerOptions
}
- break;
+ return 0;
+ case sAuthorizedKeysCommand:
+ len = strspn(cp, WHITESPACE);
@@ -329,7 +330,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
-@@ -1534,6 +1562,8 @@ copy_set_server_options(ServerOptions *d
+@@ -1682,6 +1711,8 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(hostbased_uses_name_from_packet_only);
M_CP_INTOPT(kbd_interactive_authentication);
M_CP_INTOPT(zero_knowledge_password_authentication);
@@ -338,30 +339,30 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
M_CP_INTOPT(permit_root_login);
M_CP_INTOPT(permit_empty_passwd);
-@@ -1793,6 +1823,8 @@ dump_config(ServerOptions *o)
- dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
+@@ -1942,6 +1973,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedPrincipalsFile,
o->authorized_principals_file);
+ dump_cfg_string(sVersionAddendum, o->version_addendum);
+ dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
+ dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas);
/* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
-diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
---- openssh-5.9p1/servconf.h.akc 2012-02-06 20:47:36.574033734 +0100
-+++ openssh-5.9p1/servconf.h 2012-02-06 20:47:36.668096740 +0100
+diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h
+--- openssh-6.1p1/servconf.h.akc 2012-09-14 20:20:48.000000000 +0200
++++ openssh-6.1p1/servconf.h 2012-09-14 20:23:16.691844577 +0200
@@ -169,6 +169,8 @@ typedef struct {
char *revoked_keys_file;
char *trusted_user_ca_keys;
char *authorized_principals_file;
+ char *authorized_keys_command;
+ char *authorized_keys_command_runas;
- } ServerOptions;
- /*
-diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
---- openssh-5.9p1/sshd_config.akc 2011-05-29 13:39:39.000000000 +0200
-+++ openssh-5.9p1/sshd_config 2012-02-06 20:47:36.669067546 +0100
+ char *version_addendum; /* Appended to SSH banner */
+ } ServerOptions;
+diff -up openssh-6.1p1/sshd_config.akc openssh-6.1p1/sshd_config
+--- openssh-6.1p1/sshd_config.akc 2012-07-31 04:21:34.000000000 +0200
++++ openssh-6.1p1/sshd_config 2012-09-14 20:30:46.950095769 +0200
@@ -49,6 +49,9 @@
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
@@ -369,12 +370,12 @@ diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
+
+ #AuthorizedPrincipalsFile none
+
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
- #RhostsRSAAuthentication no
- # similar for protocol version 2
-diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
---- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200
-+++ openssh-5.9p1/sshd_config.0 2012-02-06 20:47:36.669067546 +0100
+diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
+--- openssh-6.1p1/sshd_config.0.akc 2012-08-29 02:53:04.000000000 +0200
++++ openssh-6.1p1/sshd_config.0 2012-09-14 20:32:23.539624859 +0200
@@ -71,6 +71,23 @@ DESCRIPTION
See PATTERNS in ssh_config(5) for more information on patterns.
@@ -399,19 +400,19 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
for user authentication. The format is described in the
-@@ -401,7 +418,8 @@ DESCRIPTION
-
+@@ -402,7 +419,8 @@ DESCRIPTION
Only a subset of keywords may be used on the lines following a
- Match keyword. Available keywords are AllowAgentForwarding,
-- AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile,
-+ AllowTcpForwarding, AuthorizedKeysFile, AuthorizedKeysCommand,
-+ AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile,
- Banner, ChrootDirectory, ForceCommand, GatewayPorts,
- GSSAPIAuthentication, HostbasedAuthentication,
+ Match keyword. Available keywords are AcceptEnv,
+ AllowAgentForwarding, AllowGroups, AllowTcpForwarding,
+- AllowUsers, AuthorizedKeysFile, AuthorizedPrincipalsFile, Banner,
++ AllowUsers, AuthorizedKeysFile, AuthorizedKeysCommand,
++ AuthorizedKeysCommandRunAs, AuthorizedPrincipalsFile, Banner,
+ ChrootDirectory, DenyGroups, DenyUsers, ForceCommand,
+ GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
-diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
---- openssh-5.9p1/sshd_config.5.akc 2012-02-06 20:47:36.574891218 +0100
-+++ openssh-5.9p1/sshd_config.5 2012-02-06 20:49:58.913878595 +0100
+diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
+--- openssh-6.1p1/sshd_config.5.akc 2012-09-14 20:20:48.142443448 +0200
++++ openssh-6.1p1/sshd_config.5 2012-09-14 20:29:56.003873873 +0200
@@ -151,6 +151,19 @@ See
in
.Xr ssh_config 5
@@ -432,16 +433,16 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
.It Cm AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
for user authentication.
-@@ -706,6 +719,8 @@ Available keywords are
- .Cm AllowAgentForwarding ,
+@@ -712,6 +725,8 @@ Available keywords are
.Cm AllowTcpForwarding ,
+ .Cm AllowUsers ,
.Cm AuthorizedKeysFile ,
+.Cm AuthorizedKeysCommand ,
+.Cm AuthorizedKeysCommandRunAs ,
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
-@@ -718,6 +733,7 @@ Available keywords are
+@@ -726,6 +741,7 @@ Available keywords are
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
diff --git a/openssh-5.8p2-askpass-ld.patch b/openssh-6.1p1-askpass-ld.patch
similarity index 53%
rename from openssh-5.8p2-askpass-ld.patch
rename to openssh-6.1p1-askpass-ld.patch
index 5b85c80..f7a7fac 100644
--- a/openssh-5.8p2-askpass-ld.patch
+++ b/openssh-6.1p1-askpass-ld.patch
@@ -1,7 +1,7 @@
-diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefile
---- openssh-5.8p2/contrib/Makefile.askpass-ld 2011-08-08 22:54:06.050546199 +0200
-+++ openssh-5.8p2/contrib/Makefile 2011-08-08 22:54:43.364420118 +0200
-@@ -2,12 +2,12 @@ all:
+diff -up openssh-6.1p1/contrib/Makefile.askpass-ld openssh-6.1p1/contrib/Makefile
+--- openssh-6.1p1/contrib/Makefile.askpass-ld 2012-05-19 07:24:37.000000000 +0200
++++ openssh-6.1p1/contrib/Makefile 2012-09-14 20:35:47.565704718 +0200
+@@ -4,12 +4,12 @@ all:
@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
gnome-ssh-askpass1: gnome-ssh-askpass1.c
@@ -11,8 +11,8 @@ diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefil
`gnome-config --libs gnome gnomeui`
gnome-ssh-askpass2: gnome-ssh-askpass2.c
-- $(CC) `pkg-config --cflags gtk+-2.0` \
-+ $(CC) ${CFLAGS} `pkg-config --cflags gtk+-2.0` \
+- $(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \
++ $(CC) ${CFLAGS} `$(PKG_CONFIG) --cflags gtk+-2.0` \
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
- `pkg-config --libs gtk+-2.0 x11`
+ `$(PKG_CONFIG) --libs gtk+-2.0 x11`
diff --git a/openssh-5.9p1-coverity.patch b/openssh-6.1p1-coverity.patch
similarity index 73%
rename from openssh-5.9p1-coverity.patch
rename to openssh-6.1p1-coverity.patch
index f3524e3..0c8fb23 100644
--- a/openssh-5.9p1-coverity.patch
+++ b/openssh-6.1p1-coverity.patch
@@ -1,6 +1,6 @@
-diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
---- openssh-5.9p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200
-+++ openssh-5.9p1/auth-pam.c 2011-09-14 08:09:47.074520582 +0200
+diff -up openssh-6.1p1/auth-pam.c.coverity openssh-6.1p1/auth-pam.c
+--- openssh-6.1p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200
++++ openssh-6.1p1/auth-pam.c 2012-09-14 21:16:41.264906486 +0200
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
if (sshpam_thread_status != -1)
return (sshpam_thread_status);
@@ -15,10 +15,31 @@ diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
return (status);
}
#endif
-diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
---- openssh-5.9p1/channels.c.coverity 2011-06-23 00:31:57.000000000 +0200
-+++ openssh-5.9p1/channels.c 2011-09-14 08:09:47.556582810 +0200
-@@ -229,11 +229,11 @@ channel_register_fds(Channel *c, int rfd
+diff -up openssh-6.1p1/clientloop.c.coverity openssh-6.1p1/clientloop.c
+--- openssh-6.1p1/clientloop.c.coverity 2012-06-20 14:31:27.000000000 +0200
++++ openssh-6.1p1/clientloop.c 2012-09-14 21:16:41.267906501 +0200
+@@ -2006,14 +2006,15 @@ client_input_global_request(int type, u_
+ char *rtype;
+ int want_reply;
+ int success = 0;
++/* success is still 0 the packet is allways SSH2_MSG_REQUEST_FAILURE, isn't it? */
+
+ rtype = packet_get_string(NULL);
+ want_reply = packet_get_char();
+ debug("client_input_global_request: rtype %s want_reply %d",
+ rtype, want_reply);
+ if (want_reply) {
+- packet_start(success ?
+- SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
++ packet_start(/*success ?
++ SSH2_MSG_REQUEST_SUCCESS :*/ SSH2_MSG_REQUEST_FAILURE);
+ packet_send();
+ packet_write_wait();
+ }
+diff -up openssh-6.1p1/channels.c.coverity openssh-6.1p1/channels.c
+--- openssh-6.1p1/channels.c.coverity 2012-04-23 10:21:05.000000000 +0200
++++ openssh-6.1p1/channels.c 2012-09-14 21:16:41.272906528 +0200
+@@ -232,11 +232,11 @@ channel_register_fds(Channel *c, int rfd
channel_max_fd = MAX(channel_max_fd, wfd);
channel_max_fd = MAX(channel_max_fd, efd);
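Review bot: The clientloop.c section carried into the 6.1p1 coverity patch silences the checker by commenting out half of a ternary inside `packet_start(...)`. It also leaves a question in the source (`/* success is still 0 the packet is allways SSH2_MSG_REQUEST_FAILURE, isn't it? */`, with "allways" misspelt), and `int success = 0;` stays declared. If the reply really is always a failure, the patch would read more clearly as `packet_start(SSH2_MSG_REQUEST_FAILURE);` with the `success` declaration dropped and a one-line comment stating why. Only part of client_input_global_request is visible here, so first confirm that nothing later in the function assigns or reads `success`.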
@@ -33,7 +54,7 @@ diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
fcntl(efd, F_SETFD, FD_CLOEXEC);
c->rfd = rfd;
-@@ -248,11 +248,11 @@ channel_register_fds(Channel *c, int rfd
+@@ -251,11 +251,11 @@ channel_register_fds(Channel *c, int rfd
/* enable nonblocking mode */
if (nonblock) {
@@ -48,31 +69,10 @@ diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
set_nonblock(efd);
}
}
-diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
---- openssh-5.9p1/clientloop.c.coverity 2011-06-23 00:31:58.000000000 +0200
-+++ openssh-5.9p1/clientloop.c 2011-09-14 08:17:41.556521887 +0200
-@@ -1970,14 +1970,15 @@ client_input_global_request(int type, u_
- char *rtype;
- int want_reply;
- int success = 0;
-+/* success is still 0 the packet is allways SSH2_MSG_REQUEST_FAILURE, isn't it? */
-
- rtype = packet_get_string(NULL);
- want_reply = packet_get_char();
- debug("client_input_global_request: rtype %s want_reply %d",
- rtype, want_reply);
- if (want_reply) {
-- packet_start(success ?
-- SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
-+ packet_start(/*success ?
-+ SSH2_MSG_REQUEST_SUCCESS :*/ SSH2_MSG_REQUEST_FAILURE);
- packet_send();
- packet_write_wait();
- }
-diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
---- openssh-5.9p1/key.c.coverity 2011-05-20 11:03:08.000000000 +0200
-+++ openssh-5.9p1/key.c 2011-09-14 08:09:47.803458435 +0200
-@@ -803,8 +803,10 @@ key_read(Key *ret, char **cpp)
+diff -up openssh-6.1p1/key.c.coverity openssh-6.1p1/key.c
+--- openssh-6.1p1/key.c.coverity 2012-06-30 12:05:02.000000000 +0200
++++ openssh-6.1p1/key.c 2012-09-14 21:16:41.274906537 +0200
+@@ -808,8 +808,10 @@ key_read(Key *ret, char **cpp)
success = 1;
/*XXXX*/
key_free(k);
@@ -83,10 +83,9 @@ diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
/* advance cp: skip whitespace and data */
while (*cp == ' ' || *cp == '\t')
cp++;
-diff -up openssh-5.9p1/misc.c.coverity openssh-5.9p1/misc.c
-diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
---- openssh-5.9p1/monitor.c.coverity 2011-08-05 22:15:18.000000000 +0200
-+++ openssh-5.9p1/monitor.c 2011-09-14 08:09:47.914584009 +0200
+diff -up openssh-6.1p1/monitor.c.coverity openssh-6.1p1/monitor.c
+--- openssh-6.1p1/monitor.c.coverity 2012-06-30 00:33:17.000000000 +0200
++++ openssh-6.1p1/monitor.c 2012-09-14 21:16:41.277906552 +0200
@@ -420,7 +420,7 @@ monitor_child_preauth(Authctxt *_authctx
}
@@ -96,7 +95,7 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
;
if (!authctxt->valid)
-@@ -1161,6 +1161,10 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1159,6 +1159,10 @@ mm_answer_keyallowed(int sock, Buffer *m
break;
}
}
@@ -107,7 +106,7 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
if (key != NULL)
key_free(key);
-@@ -1182,9 +1186,6 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1180,9 +1184,6 @@ mm_answer_keyallowed(int sock, Buffer *m
xfree(chost);
}
@@ -117,9 +116,9 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
buffer_clear(m);
buffer_put_int(m, allowed);
buffer_put_int(m, forced_command != NULL);
-diff -up openssh-5.9p1/monitor_wrap.c.coverity openssh-5.9p1/monitor_wrap.c
---- openssh-5.9p1/monitor_wrap.c.coverity 2011-09-14 08:11:36.480500123 +0200
-+++ openssh-5.9p1/monitor_wrap.c 2011-09-14 08:14:11.279520598 +0200
+diff -up openssh-6.1p1/monitor_wrap.c.coverity openssh-6.1p1/monitor_wrap.c
+--- openssh-6.1p1/monitor_wrap.c.coverity 2011-06-20 06:42:23.000000000 +0200
++++ openssh-6.1p1/monitor_wrap.c 2012-09-14 21:16:41.280906568 +0200
@@ -707,10 +707,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
@@ -134,9 +133,9 @@ diff -up openssh-5.9p1/monitor_wrap.c.coverity openssh-5.9p1/monitor_wrap.c
return 0;
}
close(tmp1);
-diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/openbsd-compat/bindresvport.c
---- openssh-5.9p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
-+++ openssh-5.9p1/openbsd-compat/bindresvport.c 2011-09-14 08:09:48.084459344 +0200
+diff -up openssh-6.1p1/openbsd-compat/bindresvport.c.coverity openssh-6.1p1/openbsd-compat/bindresvport.c
+--- openssh-6.1p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
++++ openssh-6.1p1/openbsd-compat/bindresvport.c 2012-09-14 21:16:41.281906573 +0200
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6;
u_int16_t *portp;
@@ -146,9 +145,9 @@ diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/open
int i;
if (sa == NULL) {
-diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
---- openssh-5.9p1/packet.c.coverity 2011-05-15 00:58:15.000000000 +0200
-+++ openssh-5.9p1/packet.c 2011-09-14 08:09:48.184587842 +0200
+diff -up openssh-6.1p1/packet.c.coverity openssh-6.1p1/packet.c
+--- openssh-6.1p1/packet.c.coverity 2012-03-09 00:28:07.000000000 +0100
++++ openssh-6.1p1/packet.c 2012-09-14 21:16:41.284906588 +0200
@@ -1177,6 +1177,7 @@ packet_read_poll1(void)
case DEATTACK_DETECTED:
packet_disconnect("crc32 compensation attack: "
@@ -157,7 +156,7 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
case DEATTACK_DOS_DETECTED:
packet_disconnect("deattack denial of "
"service detected");
-@@ -1684,7 +1685,7 @@ void
+@@ -1678,7 +1679,7 @@ void
packet_write_wait(void)
{
fd_set *setp;
@@ -166,9 +165,9 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
struct timeval start, timeout, *timeoutp = NULL;
setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
-diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
---- openssh-5.9p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
-+++ openssh-5.9p1/progressmeter.c 2011-09-14 08:09:48.300586004 +0200
+diff -up openssh-6.1p1/progressmeter.c.coverity openssh-6.1p1/progressmeter.c
+--- openssh-6.1p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
++++ openssh-6.1p1/progressmeter.c 2012-09-14 21:16:41.285906593 +0200
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
static time_t start; /* start progress */
@@ -187,9 +186,9 @@ diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
{
start = last_update = time(NULL);
file = f;
-diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
---- openssh-5.9p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
-+++ openssh-5.9p1/progressmeter.h 2011-09-14 08:09:48.420645724 +0200
+diff -up openssh-6.1p1/progressmeter.h.coverity openssh-6.1p1/progressmeter.h
+--- openssh-6.1p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
++++ openssh-6.1p1/progressmeter.h 2012-09-14 21:16:41.286906598 +0200
@@ -23,5 +23,5 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
@@ -197,9 +196,9 @@ diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
-void start_progress_meter(char *, off_t, off_t *);
+void start_progress_meter(const char *, off_t, off_t *);
void stop_progress_meter(void);
-diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
---- openssh-5.9p1/scp.c.coverity 2011-01-06 12:41:21.000000000 +0100
-+++ openssh-5.9p1/scp.c 2011-09-14 08:09:48.531505457 +0200
+diff -up openssh-6.1p1/scp.c.coverity openssh-6.1p1/scp.c
+--- openssh-6.1p1/scp.c.coverity 2011-09-22 13:38:01.000000000 +0200
++++ openssh-6.1p1/scp.c 2012-09-14 21:16:41.288906608 +0200
@@ -155,7 +155,7 @@ killchild(int signo)
{
if (do_cmd_pid > 1) {
@@ -209,19 +208,10 @@ diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
}
if (signo)
-diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
---- openssh-5.9p1/servconf.c.coverity 2011-06-23 00:30:03.000000000 +0200
-+++ openssh-5.9p1/servconf.c 2011-09-14 08:30:17.557468182 +0200
-@@ -609,7 +609,7 @@ match_cfg_line(char **condition, int lin
- debug3("checking syntax for 'Match %s'", cp);
- else
- debug3("checking match for '%s' user %s host %s addr %s", cp,
-- user ? user : "(null)", host ? host : "(null)",
-+ user /* User is not NULL ? user : "(null)" */, host ? host : "(null)",
- address ? address : "(null)");
-
- while ((attrib = strdelim(&cp)) && *attrib != '\0') {
-@@ -1171,7 +1171,7 @@ process_server_config_line(ServerOptions
+diff -up openssh-6.1p1/servconf.c.coverity openssh-6.1p1/servconf.c
+--- openssh-6.1p1/servconf.c.coverity 2012-07-31 04:22:38.000000000 +0200
++++ openssh-6.1p1/servconf.c 2012-09-14 21:16:41.291906623 +0200
+@@ -1249,7 +1249,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.",
filename, linenum);
if (!*activep) {
@@ -230,7 +220,7 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
break;
}
for (i = 0; i < options->num_subsystems; i++)
-@@ -1262,8 +1262,9 @@ process_server_config_line(ServerOptions
+@@ -1340,8 +1340,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */
@@ -242,9 +232,9 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
}
break;
-diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
---- openssh-5.9p1/serverloop.c.coverity 2011-05-20 11:02:50.000000000 +0200
-+++ openssh-5.9p1/serverloop.c 2011-09-14 08:09:48.793586380 +0200
+diff -up openssh-6.1p1/serverloop.c.coverity openssh-6.1p1/serverloop.c
+--- openssh-6.1p1/serverloop.c.coverity 2012-06-20 14:31:27.000000000 +0200
++++ openssh-6.1p1/serverloop.c 2012-09-14 21:16:41.294906638 +0200
@@ -147,13 +147,13 @@ notify_setup(void)
static void
notify_parent(void)
@@ -272,7 +262,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
debug2("notify_done: reading");
}
-@@ -330,7 +330,7 @@ wait_until_can_do_something(fd_set **rea
+@@ -336,7 +336,7 @@ wait_until_can_do_something(fd_set **rea
* If we have buffered data, try to write some of that data
* to the program.
*/
@@ -281,7 +271,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
FD_SET(fdin, *writesetp);
}
notify_prepare(*readsetp);
-@@ -470,7 +470,7 @@ process_output(fd_set *writeset)
+@@ -476,7 +476,7 @@ process_output(fd_set *writeset)
int len;
/* Write buffered data to program stdin. */
@@ -290,7 +280,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
data = buffer_ptr(&stdin_buffer);
dlen = buffer_len(&stdin_buffer);
len = write(fdin, data, dlen);
-@@ -583,7 +583,7 @@ server_loop(pid_t pid, int fdin_arg, int
+@@ -589,7 +589,7 @@ server_loop(pid_t pid, int fdin_arg, int
set_nonblock(fdin);
set_nonblock(fdout);
/* we don't have stderr for interactive terminal sessions, see below */
@@ -299,7 +289,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
set_nonblock(fderr);
if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
-@@ -607,7 +607,7 @@ server_loop(pid_t pid, int fdin_arg, int
+@@ -613,7 +613,7 @@ server_loop(pid_t pid, int fdin_arg, int
max_fd = MAX(connection_in, connection_out);
max_fd = MAX(max_fd, fdin);
max_fd = MAX(max_fd, fdout);
@@ -308,7 +298,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
max_fd = MAX(max_fd, fderr);
#endif
-@@ -637,7 +637,7 @@ server_loop(pid_t pid, int fdin_arg, int
+@@ -643,7 +643,7 @@ server_loop(pid_t pid, int fdin_arg, int
* If we have received eof, and there is no more pending
* input data, cause a real eof by closing fdin.
*/
@@ -317,7 +307,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
if (fdin != fdout)
close(fdin);
else
-@@ -735,15 +735,15 @@ server_loop(pid_t pid, int fdin_arg, int
+@@ -741,15 +741,15 @@ server_loop(pid_t pid, int fdin_arg, int
buffer_free(&stderr_buffer);
/* Close the file descriptors. */
@@ -336,7 +326,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
close(fdin);
fdin = -1;
-@@ -937,7 +937,7 @@ server_input_window_size(int type, u_int
+@@ -943,7 +943,7 @@ server_input_window_size(int type, u_int
debug("Window change received.");
packet_check_eom();
@@ -345,7 +335,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
pty_change_window_size(fdin, row, col, xpixel, ypixel);
}
-@@ -990,7 +990,7 @@ server_request_tun(void)
+@@ -996,7 +996,7 @@ server_request_tun(void)
}
tun = packet_get_int();
@@ -354,9 +344,111 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
goto done;
tun = forced_tun_device;
-diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
---- openssh-5.9p1/sftp-client.c.coverity 2010-12-04 23:02:48.000000000 +0100
-+++ openssh-5.9p1/sftp-client.c 2011-09-14 08:09:48.910470343 +0200
+diff -up openssh-6.1p1/sftp.c.coverity openssh-6.1p1/sftp.c
+--- openssh-6.1p1/sftp.c.coverity 2012-06-30 00:33:32.000000000 +0200
++++ openssh-6.1p1/sftp.c 2012-09-14 21:16:41.297906653 +0200
+@@ -206,7 +206,7 @@ killchild(int signo)
+ {
+ if (sshpid > 1) {
+ kill(sshpid, SIGTERM);
+- waitpid(sshpid, NULL, 0);
++ (void) waitpid(sshpid, NULL, 0);
+ }
+
+ _exit(1);
+@@ -316,7 +316,7 @@ local_do_ls(const char *args)
+
+ /* Strip one path (usually the pwd) from the start of another */
+ static char *
+-path_strip(char *path, char *strip)
++path_strip(const char *path, const char *strip)
+ {
+ size_t len;
+
+@@ -334,7 +334,7 @@ path_strip(char *path, char *strip)
+ }
+
+ static char *
+-make_absolute(char *p, char *pwd)
++make_absolute(char *p, const char *pwd)
+ {
+ char *abs_str;
+
+@@ -482,7 +482,7 @@ parse_df_flags(const char *cmd, char **a
+ }
+
+ static int
+-is_dir(char *path)
++is_dir(const char *path)
+ {
+ struct stat sb;
+
+@@ -494,7 +494,7 @@ is_dir(char *path)
+ }
+
+ static int
+-remote_is_dir(struct sftp_conn *conn, char *path)
++remote_is_dir(struct sftp_conn *conn, const char *path)
+ {
+ Attrib *a;
+
+@@ -508,7 +508,7 @@ remote_is_dir(struct sftp_conn *conn, ch
+
+ /* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
+ static int
+-pathname_is_dir(char *pathname)
++pathname_is_dir(const char *pathname)
+ {
+ size_t l = strlen(pathname);
+
+@@ -516,7 +516,7 @@ pathname_is_dir(char *pathname)
+ }
+
+ static int
+-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
++process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
+ int pflag, int rflag)
+ {
+ char *abs_src = NULL;
+@@ -590,7 +590,7 @@ out:
+ }
+
+ static int
+-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
++process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
+ int pflag, int rflag)
+ {
+ char *tmp_dst = NULL;
+@@ -695,7 +695,7 @@ sdirent_comp(const void *aa, const void
+
+ /* sftp ls.1 replacement for directories */
+ static int
+-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
++do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
+ {
+ int n;
+ u_int c = 1, colspace = 0, columns = 1;
+@@ -780,7 +780,7 @@ do_ls_dir(struct sftp_conn *conn, char *
+
+ /* sftp ls.1 replacement which handles path globs */
+ static int
+-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
++do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
+ int lflag)
+ {
+ char *fname, *lname;
+@@ -861,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
+ }
+
+ static int
+-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
++do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
+ {
+ struct sftp_statvfs st;
+ char s_used[FMT_SCALED_STRSIZE];
+diff -up openssh-6.1p1/sftp-client.c.coverity openssh-6.1p1/sftp-client.c
+--- openssh-6.1p1/sftp-client.c.coverity 2012-07-02 14:15:39.000000000 +0200
++++ openssh-6.1p1/sftp-client.c 2012-09-14 21:18:16.891332281 +0200
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
}
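Review bot: In the `killchild` hunk of the re-added sftp.c section, `(void) waitpid(sshpid, NULL, 0);` only silences the unchecked-return finding. The call can still fail or return early (for example with EINTR), and the handler goes on to `_exit(1)` either way, so the child may not have been reaped. If that best-effort behaviour is intended, record it next to the cast, e.g. `/* best effort: result ignored, we _exit() right after */`, so a later scanner triage does not have to re-derive it. In the same section `make_absolute(char *p, const char *pwd)` leaves `p` non-const while every other path argument gains `const`. Its body is outside the hunk, so presumably `p` is freed or returned there; a one-line ownership comment above the signature would show the asymmetry is deliberate.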
@@ -393,7 +485,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
SFTP_DIRENT ***dir)
{
Buffer msg;
-@@ -571,7 +571,7 @@ do_lsreaddir(struct sftp_conn *conn, cha
+@@ -572,7 +572,7 @@ do_lsreaddir(struct sftp_conn *conn, cha
}
int
@@ -402,7 +494,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
return(do_lsreaddir(conn, path, 0, dir));
}
-@@ -589,7 +589,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
+@@ -590,7 +590,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
}
int
@@ -411,7 +503,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
u_int status, id;
-@@ -604,7 +604,7 @@ do_rm(struct sftp_conn *conn, char *path
+@@ -605,7 +605,7 @@ do_rm(struct sftp_conn *conn, char *path
}
int
@@ -420,7 +512,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
u_int status, id;
-@@ -620,7 +620,7 @@ do_mkdir(struct sftp_conn *conn, char *p
+@@ -621,7 +621,7 @@ do_mkdir(struct sftp_conn *conn, char *p
}
int
@@ -429,7 +521,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
u_int status, id;
-@@ -636,7 +636,7 @@ do_rmdir(struct sftp_conn *conn, char *p
+@@ -637,7 +637,7 @@ do_rmdir(struct sftp_conn *conn, char *p
}
Attrib *
@@ -438,7 +530,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
u_int id;
-@@ -650,7 +650,7 @@ do_stat(struct sftp_conn *conn, char *pa
+@@ -651,7 +651,7 @@ do_stat(struct sftp_conn *conn, char *pa
}
Attrib *
@@ -447,7 +539,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
u_int id;
-@@ -684,7 +684,7 @@ do_fstat(struct sftp_conn *conn, char *h
+@@ -685,7 +685,7 @@ do_fstat(struct sftp_conn *conn, char *h
#endif
int
@@ -456,7 +548,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
u_int status, id;
-@@ -701,7 +701,7 @@ do_setstat(struct sftp_conn *conn, char
+@@ -702,7 +702,7 @@ do_setstat(struct sftp_conn *conn, char
}
int
@@ -465,7 +557,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
Attrib *a)
{
u_int status, id;
-@@ -718,12 +718,12 @@ do_fsetstat(struct sftp_conn *conn, char
+@@ -719,7 +719,7 @@ do_fsetstat(struct sftp_conn *conn, char
}
char *
@@ -474,22 +566,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
Buffer msg;
u_int type, expected_id, count, id;
- char *filename, *longname;
-- Attrib *a;
-+/*UNUSED Attrib *a; */
-
- expected_id = id = conn->msg_id++;
- send_string_request(conn, id, SSH2_FXP_REALPATH, path,
-@@ -754,7 +754,7 @@ do_realpath(struct sftp_conn *conn, char
-
- filename = buffer_get_string(&msg, NULL);
- longname = buffer_get_string(&msg, NULL);
-- a = decode_attrib(&msg);
-+ /*a =*/ (void) decode_attrib(&msg);
-
- debug3("SSH_FXP_REALPATH %s -> %s", path, filename);
-
-@@ -766,7 +766,7 @@ do_realpath(struct sftp_conn *conn, char
+@@ -768,7 +768,7 @@ do_realpath(struct sftp_conn *conn, char
}
int
@@ -498,7 +575,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
Buffer msg;
u_int status, id;
-@@ -800,7 +800,7 @@ do_rename(struct sftp_conn *conn, char *
+@@ -802,7 +802,7 @@ do_rename(struct sftp_conn *conn, char *
}
int
@@ -507,7 +584,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
Buffer msg;
u_int status, id;
-@@ -833,7 +833,7 @@ do_hardlink(struct sftp_conn *conn, char
+@@ -835,7 +835,7 @@ do_hardlink(struct sftp_conn *conn, char
}
int
@@ -516,7 +593,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
Buffer msg;
u_int status, id;
-@@ -984,7 +984,7 @@ send_read_request(struct sftp_conn *conn
+@@ -987,7 +987,7 @@ send_read_request(struct sftp_conn *conn
}
int
@@ -525,7 +602,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
Attrib *a, int pflag)
{
Attrib junk;
-@@ -1223,7 +1223,7 @@ do_download(struct sftp_conn *conn, char
+@@ -1226,7 +1226,7 @@ do_download(struct sftp_conn *conn, char
}
static int
@@ -534,7 +611,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
Attrib *dirattrib, int pflag, int printflag, int depth)
{
int i, ret = 0;
-@@ -1313,7 +1313,7 @@ download_dir_internal(struct sftp_conn *
+@@ -1316,7 +1316,7 @@ download_dir_internal(struct sftp_conn *
}
int
@@ -543,7 +620,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
Attrib *dirattrib, int pflag, int printflag)
{
char *src_canon;
-@@ -1331,7 +1331,7 @@ download_dir(struct sftp_conn *conn, cha
+@@ -1334,7 +1334,7 @@ download_dir(struct sftp_conn *conn, cha
}
int
@@ -552,7 +629,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
int pflag)
{
int local_fd;
-@@ -1514,7 +1514,7 @@ do_upload(struct sftp_conn *conn, char *
+@@ -1517,7 +1517,7 @@ do_upload(struct sftp_conn *conn, char *
}
static int
@@ -561,7 +638,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
int pflag, int printflag, int depth)
{
int ret = 0, status;
-@@ -1605,7 +1605,7 @@ upload_dir_internal(struct sftp_conn *co
+@@ -1608,7 +1608,7 @@ upload_dir_internal(struct sftp_conn *co
}
int
@@ -570,7 +647,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
int pflag)
{
char *dst_canon;
-@@ -1622,7 +1622,7 @@ upload_dir(struct sftp_conn *conn, char
+@@ -1625,7 +1625,7 @@ upload_dir(struct sftp_conn *conn, char
}
char *
@@ -579,9 +656,9 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
{
char *ret;
size_t len = strlen(p1) + strlen(p2) + 2;
-diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
---- openssh-5.9p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100
-+++ openssh-5.9p1/sftp-client.h 2011-09-14 08:09:49.021583940 +0200
+diff -up openssh-6.1p1/sftp-client.h.coverity openssh-6.1p1/sftp-client.h
+--- openssh-6.1p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100
++++ openssh-6.1p1/sftp-client.h 2012-09-14 21:16:41.301906674 +0200
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
u_int sftp_proto_version(struct sftp_conn *);
@@ -679,124 +756,9 @@ diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
+char *path_append(const char *, const char *);
#endif
-diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
---- openssh-5.9p1/sftp.c.coverity 2010-12-04 23:02:48.000000000 +0100
-+++ openssh-5.9p1/sftp.c 2011-09-14 08:09:49.468493585 +0200
-@@ -206,7 +206,7 @@ killchild(int signo)
- {
- if (sshpid > 1) {
- kill(sshpid, SIGTERM);
-- waitpid(sshpid, NULL, 0);
-+ (void) waitpid(sshpid, NULL, 0);
- }
-
- _exit(1);
-@@ -316,7 +316,7 @@ local_do_ls(const char *args)
-
- /* Strip one path (usually the pwd) from the start of another */
- static char *
--path_strip(char *path, char *strip)
-+path_strip(const char *path, const char *strip)
- {
- size_t len;
-
-@@ -334,7 +334,7 @@ path_strip(char *path, char *strip)
- }
-
- static char *
--make_absolute(char *p, char *pwd)
-+make_absolute(char *p, const char *pwd)
- {
- char *abs_str;
-
-@@ -482,7 +482,7 @@ parse_df_flags(const char *cmd, char **a
- }
-
- static int
--is_dir(char *path)
-+is_dir(const char *path)
- {
- struct stat sb;
-
-@@ -494,7 +494,7 @@ is_dir(char *path)
- }
-
- static int
--remote_is_dir(struct sftp_conn *conn, char *path)
-+remote_is_dir(struct sftp_conn *conn, const char *path)
- {
- Attrib *a;
-
-@@ -508,7 +508,7 @@ remote_is_dir(struct sftp_conn *conn, ch
-
- /* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
- static int
--pathname_is_dir(char *pathname)
-+pathname_is_dir(const char *pathname)
- {
- size_t l = strlen(pathname);
-
-@@ -516,7 +516,7 @@ pathname_is_dir(char *pathname)
- }
-
- static int
--process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
-+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
- int pflag, int rflag)
- {
- char *abs_src = NULL;
-@@ -590,7 +590,7 @@ out:
- }
-
- static int
--process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
-+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
- int pflag, int rflag)
- {
- char *tmp_dst = NULL;
-@@ -695,7 +695,7 @@ sdirent_comp(const void *aa, const void
-
- /* sftp ls.1 replacement for directories */
- static int
--do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
-+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
- {
- int n;
- u_int c = 1, colspace = 0, columns = 1;
-@@ -780,10 +780,10 @@ do_ls_dir(struct sftp_conn *conn, char *
-
- /* sftp ls.1 replacement which handles path globs */
- static int
--do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
-+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
- int lflag)
- {
-- Attrib *a = NULL;
-+/*UNUSED Attrib *a = NULL;*/
- char *fname, *lname;
- glob_t g;
- int err;
-@@ -828,7 +828,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
- colspace = width / columns;
- }
-
-- for (i = 0; g.gl_pathv[i] && !interrupted; i++, a = NULL) {
-+ for (i = 0; g.gl_pathv[i] && !interrupted; i++/*, a = NULL*/) {
- fname = path_strip(g.gl_pathv[i], strip_path);
- if (lflag & LS_LONG_VIEW) {
- if (g.gl_statv[i] == NULL) {
-@@ -861,7 +861,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
- }
-
- static int
--do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
-+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
- {
- struct sftp_statvfs st;
- char s_used[FMT_SCALED_STRSIZE];
-diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
---- openssh-5.9p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
-+++ openssh-5.9p1/ssh-agent.c 2011-09-14 08:09:49.572460295 +0200
+diff -up openssh-6.1p1/ssh-agent.c.coverity openssh-6.1p1/ssh-agent.c
+--- openssh-6.1p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
++++ openssh-6.1p1/ssh-agent.c 2012-09-14 21:16:41.303906683 +0200
@@ -1147,8 +1147,8 @@ main(int ac, char **av)
sanitise_stdfd();
@@ -808,10 +770,10 @@ diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */
-diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
---- openssh-5.9p1/sshd.c.coverity 2011-06-23 11:45:51.000000000 +0200
-+++ openssh-5.9p1/sshd.c 2011-09-14 08:09:49.687509968 +0200
-@@ -676,8 +676,10 @@ privsep_preauth(Authctxt *authctxt)
+diff -up openssh-6.1p1/sshd.c.coverity openssh-6.1p1/sshd.c
+--- openssh-6.1p1/sshd.c.coverity 2012-07-31 04:21:34.000000000 +0200
++++ openssh-6.1p1/sshd.c 2012-09-14 21:16:41.307906705 +0200
+@@ -682,8 +682,10 @@ privsep_preauth(Authctxt *authctxt)
if (getuid() == 0 || geteuid() == 0)
privsep_preauth_child();
setproctitle("%s", "[net]");
@@ -823,7 +785,7 @@ diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
return 0;
}
-@@ -1302,6 +1304,9 @@ server_accept_loop(int *sock_in, int *so
+@@ -1311,6 +1313,9 @@ server_accept_loop(int *sock_in, int *so
if (num_listen_socks < 0)
break;
}
@@ -833,7 +795,7 @@ diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
}
-@@ -1774,7 +1779,7 @@ main(int ac, char **av)
+@@ -1768,7 +1773,7 @@ main(int ac, char **av)
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
diff --git a/openssh-6.0p1-gsissh.patch b/openssh-6.1p1-gsissh.patch
similarity index 90%
rename from openssh-6.0p1-gsissh.patch
rename to openssh-6.1p1-gsissh.patch
index 6b66a4d..be8ca1b 100644
--- a/openssh-6.0p1-gsissh.patch
+++ b/openssh-6.1p1-gsissh.patch
@@ -1,6 +1,6 @@
-diff -Nur openssh-6.0p1.orig/auth2.c openssh-6.0p1/auth2.c
---- openssh-6.0p1.orig/auth2.c 2012-08-13 19:04:08.505575345 +0200
-+++ openssh-6.0p1/auth2.c 2012-08-13 19:05:18.621695678 +0200
+diff -Nur openssh-6.1p1.orig/auth2.c openssh-6.1p1/auth2.c
+--- openssh-6.1p1.orig/auth2.c 2012-09-18 09:48:23.147614308 +0200
++++ openssh-6.1p1/auth2.c 2012-09-18 09:50:25.955837576 +0200
@@ -229,7 +229,27 @@
user = packet_get_cstring(NULL);
service = packet_get_cstring(NULL);
@@ -96,9 +96,9 @@ diff -Nur openssh-6.0p1.orig/auth2.c openssh-6.0p1/auth2.c
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
-diff -Nur openssh-6.0p1.orig/auth2-gss.c openssh-6.0p1/auth2-gss.c
---- openssh-6.0p1.orig/auth2-gss.c 2012-08-13 19:04:08.505575345 +0200
-+++ openssh-6.0p1/auth2-gss.c 2012-08-13 19:05:18.621695678 +0200
+diff -Nur openssh-6.1p1.orig/auth2-gss.c openssh-6.1p1/auth2-gss.c
+--- openssh-6.1p1.orig/auth2-gss.c 2012-09-18 09:48:23.148614318 +0200
++++ openssh-6.1p1/auth2-gss.c 2012-09-18 09:50:25.956837588 +0200
@@ -47,6 +47,7 @@
extern ServerOptions options;
@@ -279,9 +279,9 @@ diff -Nur openssh-6.0p1.orig/auth2-gss.c openssh-6.0p1/auth2-gss.c
Authmethod method_gsskeyex = {
"gssapi-keyex",
userauth_gsskeyex,
-diff -Nur openssh-6.0p1.orig/auth.c openssh-6.0p1/auth.c
---- openssh-6.0p1.orig/auth.c 2012-08-13 19:04:08.336577464 +0200
-+++ openssh-6.0p1/auth.c 2012-08-13 19:05:18.622695666 +0200
+diff -Nur openssh-6.1p1.orig/auth.c openssh-6.1p1/auth.c
+--- openssh-6.1p1.orig/auth.c 2012-09-18 09:48:22.728610048 +0200
++++ openssh-6.1p1/auth.c 2012-09-18 09:50:25.987837965 +0200
@@ -72,6 +72,9 @@
#include "authfile.h"
#include "monitor_wrap.h"
@@ -324,7 +324,7 @@ diff -Nur openssh-6.0p1.orig/auth.c openssh-6.0p1/auth.c
}
/*
-@@ -555,6 +574,10 @@
+@@ -557,6 +576,10 @@
#endif
pw = getpwnam(user);
@@ -335,7 +335,7 @@ diff -Nur openssh-6.0p1.orig/auth.c openssh-6.0p1/auth.c
#if defined(_AIX) && defined(HAVE_SETAUTHDB)
aix_restoreauthdb();
-@@ -574,7 +597,8 @@
+@@ -576,7 +599,8 @@
#endif
if (pw == NULL) {
logit("Invalid user %.100s from %.100s",
@@ -345,9 +345,9 @@ diff -Nur openssh-6.0p1.orig/auth.c openssh-6.0p1/auth.c
#ifdef CUSTOM_FAILED_LOGIN
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
-diff -Nur openssh-6.0p1.orig/auth.h openssh-6.0p1/auth.h
---- openssh-6.0p1.orig/auth.h 2012-08-13 19:04:08.390576787 +0200
-+++ openssh-6.0p1/auth.h 2012-08-13 19:05:18.622695666 +0200
+diff -Nur openssh-6.1p1.orig/auth.h openssh-6.1p1/auth.h
+--- openssh-6.1p1.orig/auth.h 2012-09-18 09:48:22.837611157 +0200
++++ openssh-6.1p1/auth.h 2012-09-18 09:50:26.007838210 +0200
@@ -148,6 +148,7 @@
void auth_log(Authctxt *, int, const char *, const char *, const char *);
void userauth_finish(Authctxt *, int, const char *, const char *);
@@ -356,9 +356,9 @@ diff -Nur openssh-6.0p1.orig/auth.h openssh-6.0p1/auth.h
void userauth_send_banner(const char *);
-diff -Nur openssh-6.0p1.orig/auth-pam.c openssh-6.0p1/auth-pam.c
---- openssh-6.0p1.orig/auth-pam.c 2012-08-13 19:04:08.391576774 +0200
-+++ openssh-6.0p1/auth-pam.c 2012-08-13 19:05:18.623695654 +0200
+diff -Nur openssh-6.1p1.orig/auth-pam.c openssh-6.1p1/auth-pam.c
+--- openssh-6.1p1.orig/auth-pam.c 2012-09-18 09:48:22.838611168 +0200
++++ openssh-6.1p1/auth-pam.c 2012-09-18 09:50:26.008838222 +0200
@@ -122,6 +122,10 @@
*/
typedef pthread_t sp_pthread_t;
@@ -488,9 +488,9 @@ diff -Nur openssh-6.0p1.orig/auth-pam.c openssh-6.0p1/auth-pam.c
sshpam_password = NULL;
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
debug("PAM: password authentication accepted for %.100s",
-diff -Nur openssh-6.0p1.orig/auth-pam.h openssh-6.0p1/auth-pam.h
---- openssh-6.0p1.orig/auth-pam.h 2012-08-13 19:04:08.391576774 +0200
-+++ openssh-6.0p1/auth-pam.h 2012-08-13 19:05:18.623695654 +0200
+diff -Nur openssh-6.1p1.orig/auth-pam.h openssh-6.1p1/auth-pam.h
+--- openssh-6.1p1.orig/auth-pam.h 2012-09-18 09:48:22.838611168 +0200
++++ openssh-6.1p1/auth-pam.h 2012-09-18 09:50:26.009838234 +0200
@@ -46,5 +46,6 @@
void sshpam_cleanup(void);
int sshpam_auth_passwd(Authctxt *, const char *);
@@ -498,9 +498,9 @@ diff -Nur openssh-6.0p1.orig/auth-pam.h openssh-6.0p1/auth-pam.h
+struct passwd *sshpam_getpw(const char *);
#endif /* USE_PAM */
-diff -Nur openssh-6.0p1.orig/canohost.c openssh-6.0p1/canohost.c
---- openssh-6.0p1.orig/canohost.c 2012-08-13 19:04:08.429576298 +0200
-+++ openssh-6.0p1/canohost.c 2012-08-13 19:05:18.624695641 +0200
+diff -Nur openssh-6.1p1.orig/canohost.c openssh-6.1p1/canohost.c
+--- openssh-6.1p1.orig/canohost.c 2012-09-18 09:48:23.029613109 +0200
++++ openssh-6.1p1/canohost.c 2012-09-18 09:50:26.009838234 +0200
@@ -16,6 +16,7 @@
#include <sys/types.h>
@@ -543,9 +543,9 @@ diff -Nur openssh-6.0p1.orig/canohost.c openssh-6.0p1/canohost.c
+ }
+ }
+}
-diff -Nur openssh-6.0p1.orig/canohost.h openssh-6.0p1/canohost.h
---- openssh-6.0p1.orig/canohost.h 2009-06-21 11:50:08.000000000 +0200
-+++ openssh-6.0p1/canohost.h 2012-08-13 19:05:18.624695641 +0200
+diff -Nur openssh-6.1p1.orig/canohost.h openssh-6.1p1/canohost.h
+--- openssh-6.1p1.orig/canohost.h 2009-06-21 11:50:08.000000000 +0200
++++ openssh-6.1p1/canohost.h 2012-09-18 09:50:26.010838246 +0200
@@ -26,4 +26,6 @@
int get_sock_port(int, int);
void clear_cached_addr(void);
@@ -553,10 +553,10 @@ diff -Nur openssh-6.0p1.orig/canohost.h openssh-6.0p1/canohost.h
+void resolve_localhost(char **host);
+
void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
-diff -Nur openssh-6.0p1.orig/configure.ac openssh-6.0p1/configure.ac
---- openssh-6.0p1.orig/configure.ac 2012-08-13 19:04:08.508575307 +0200
-+++ openssh-6.0p1/configure.ac 2012-08-13 19:05:18.626695615 +0200
-@@ -3702,6 +3702,14 @@
+diff -Nur openssh-6.1p1.orig/configure.ac openssh-6.1p1/configure.ac
+--- openssh-6.1p1.orig/configure.ac 2012-09-18 09:48:23.151614348 +0200
++++ openssh-6.1p1/configure.ac 2012-09-18 09:50:26.012838270 +0200
+@@ -3765,6 +3765,14 @@
AC_CHECK_HEADER([gssapi_krb5.h], ,
[ CPPFLAGS="$oldCPP" ])
@@ -571,7 +571,7 @@ diff -Nur openssh-6.0p1.orig/configure.ac openssh-6.0p1/configure.ac
fi
if test ! -z "$need_dash_r" ; then
LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
-@@ -3721,6 +3729,50 @@
+@@ -3784,6 +3792,50 @@
]
)
@@ -622,9 +622,9 @@ diff -Nur openssh-6.0p1.orig/configure.ac openssh-6.0p1/configure.ac
# Looking for programs, paths and files
PRIVSEP_PATH=/var/empty
-diff -Nur openssh-6.0p1.orig/gss-genr.c openssh-6.0p1/gss-genr.c
---- openssh-6.0p1.orig/gss-genr.c 2012-08-13 19:04:08.508575307 +0200
-+++ openssh-6.0p1/gss-genr.c 2012-08-13 19:05:18.626695615 +0200
+diff -Nur openssh-6.1p1.orig/gss-genr.c openssh-6.1p1/gss-genr.c
+--- openssh-6.1p1.orig/gss-genr.c 2012-09-18 09:48:23.153614368 +0200
++++ openssh-6.1p1/gss-genr.c 2012-09-18 09:50:26.013838282 +0200
@@ -38,6 +38,7 @@
#include "xmalloc.h"
#include "buffer.h"
@@ -661,9 +661,9 @@ diff -Nur openssh-6.0p1.orig/gss-genr.c openssh-6.0p1/gss-genr.c
xfree(gssbuf.value);
return (ctx->major);
}
-diff -Nur openssh-6.0p1.orig/gss-serv.c openssh-6.0p1/gss-serv.c
---- openssh-6.0p1.orig/gss-serv.c 2012-08-13 19:04:08.509575294 +0200
-+++ openssh-6.0p1/gss-serv.c 2012-08-13 19:05:18.627695603 +0200
+diff -Nur openssh-6.1p1.orig/gss-serv.c openssh-6.1p1/gss-serv.c
+--- openssh-6.1p1.orig/gss-serv.c 2012-09-18 09:48:23.154614378 +0200
++++ openssh-6.1p1/gss-serv.c 2012-09-18 09:50:26.014838294 +0200
@@ -52,6 +52,7 @@
#include "monitor_wrap.h"
@@ -775,7 +775,7 @@ diff -Nur openssh-6.0p1.orig/gss-serv.c openssh-6.0p1/gss-serv.c
return (ctx->major);
}
-@@ -391,6 +427,11 @@
+@@ -413,6 +449,11 @@
ssh_gssapi_storecreds(void)
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
@@ -787,7 +787,7 @@ diff -Nur openssh-6.0p1.orig/gss-serv.c openssh-6.0p1/gss-serv.c
(*gssapi_client.mech->storecreds)(&gssapi_client);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
-@@ -414,8 +455,9 @@
+@@ -436,8 +477,9 @@
}
/* Privileged */
@@ -798,7 +798,7 @@ diff -Nur openssh-6.0p1.orig/gss-serv.c openssh-6.0p1/gss-serv.c
{
OM_uint32 lmin;
-@@ -424,6 +466,12 @@
+@@ -446,6 +488,12 @@
debug("No suitable client data");
return 0;
}
@@ -811,7 +811,7 @@ diff -Nur openssh-6.0p1.orig/gss-serv.c openssh-6.0p1/gss-serv.c
if (gssapi_client.mech && gssapi_client.mech->userok)
if ((*gssapi_client.mech->userok)(&gssapi_client, user)) {
gssapi_client.used = 1;
-@@ -442,6 +490,24 @@
+@@ -464,6 +512,24 @@
return (0);
}
@@ -836,7 +836,7 @@ diff -Nur openssh-6.0p1.orig/gss-serv.c openssh-6.0p1/gss-serv.c
/* These bits are only used for rekeying. The unpriviledged child is running
* as the user, the monitor is root.
*
-@@ -468,6 +534,7 @@
+@@ -490,6 +556,7 @@
pam_handle_t *pamh = NULL;
struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL};
char *envstr;
@@ -844,7 +844,7 @@ diff -Nur openssh-6.0p1.orig/gss-serv.c openssh-6.0p1/gss-serv.c
#endif
if (gssapi_client.store.filename == NULL &&
-@@ -497,6 +564,18 @@
+@@ -519,6 +586,18 @@
if (ret)
return;
@@ -863,7 +863,7 @@ diff -Nur openssh-6.0p1.orig/gss-serv.c openssh-6.0p1/gss-serv.c
xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar,
gssapi_client.store.envval);
-@@ -528,4 +607,13 @@
+@@ -550,4 +629,13 @@
return ok;
}
@@ -877,9 +877,9 @@ diff -Nur openssh-6.0p1.orig/gss-serv.c openssh-6.0p1/gss-serv.c
+}
+
#endif
-diff -Nur openssh-6.0p1.orig/gss-serv-gsi.c openssh-6.0p1/gss-serv-gsi.c
---- openssh-6.0p1.orig/gss-serv-gsi.c 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.0p1/gss-serv-gsi.c 2012-08-13 19:05:18.627695603 +0200
+diff -Nur openssh-6.1p1.orig/gss-serv-gsi.c openssh-6.1p1/gss-serv-gsi.c
+--- openssh-6.1p1.orig/gss-serv-gsi.c 1970-01-01 01:00:00.000000000 +0100
++++ openssh-6.1p1/gss-serv-gsi.c 2012-09-18 09:50:26.015838306 +0200
@@ -0,0 +1,238 @@
+/*
+ * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1119,9 +1119,9 @@ diff -Nur openssh-6.0p1.orig/gss-serv-gsi.c openssh-6.0p1/gss-serv-gsi.c
+
+#endif /* GSI */
+#endif /* GSSAPI */
-diff -Nur openssh-6.0p1.orig/gss-serv-krb5.c openssh-6.0p1/gss-serv-krb5.c
---- openssh-6.0p1.orig/gss-serv-krb5.c 2012-08-13 19:04:08.533574993 +0200
-+++ openssh-6.0p1/gss-serv-krb5.c 2012-08-13 19:05:18.628695591 +0200
+diff -Nur openssh-6.1p1.orig/gss-serv-krb5.c openssh-6.1p1/gss-serv-krb5.c
+--- openssh-6.1p1.orig/gss-serv-krb5.c 2012-09-18 09:48:23.268615538 +0200
++++ openssh-6.1p1/gss-serv-krb5.c 2012-09-18 09:50:26.016838318 +0200
@@ -261,6 +261,34 @@
return found_principal;
}
@@ -1157,7 +1157,7 @@ diff -Nur openssh-6.0p1.orig/gss-serv-krb5.c openssh-6.0p1/gss-serv-krb5.c
/* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */
-@@ -343,7 +371,7 @@
+@@ -345,7 +373,7 @@
return;
}
@@ -1166,7 +1166,7 @@ diff -Nur openssh-6.0p1.orig/gss-serv-krb5.c openssh-6.0p1/gss-serv-krb5.c
ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
ssh_gssapi_client *client)
{
-@@ -414,7 +442,7 @@
+@@ -416,7 +444,7 @@
{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
NULL,
&ssh_gssapi_krb5_userok,
@@ -1175,9 +1175,9 @@ diff -Nur openssh-6.0p1.orig/gss-serv-krb5.c openssh-6.0p1/gss-serv-krb5.c
&ssh_gssapi_krb5_storecreds,
&ssh_gssapi_krb5_updatecreds
};
-diff -Nur openssh-6.0p1.orig/kexgsss.c openssh-6.0p1/kexgsss.c
---- openssh-6.0p1.orig/kexgsss.c 2012-08-13 19:04:08.511575269 +0200
-+++ openssh-6.0p1/kexgsss.c 2012-08-13 19:05:18.628695591 +0200
+diff -Nur openssh-6.1p1.orig/kexgsss.c openssh-6.1p1/kexgsss.c
+--- openssh-6.1p1.orig/kexgsss.c 2012-09-18 09:48:23.159614431 +0200
++++ openssh-6.1p1/kexgsss.c 2012-09-18 09:50:26.016838318 +0200
@@ -44,6 +44,7 @@
#include "monitor_wrap.h"
#include "servconf.h"
@@ -1237,9 +1237,9 @@ diff -Nur openssh-6.0p1.orig/kexgsss.c openssh-6.0p1/kexgsss.c
+ }
+}
#endif /* GSSAPI */
-diff -Nur openssh-6.0p1.orig/LICENSE.globus_usage openssh-6.0p1/LICENSE.globus_usage
---- openssh-6.0p1.orig/LICENSE.globus_usage 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.0p1/LICENSE.globus_usage 2012-08-13 19:05:18.629695579 +0200
+diff -Nur openssh-6.1p1.orig/LICENSE.globus_usage openssh-6.1p1/LICENSE.globus_usage
+--- openssh-6.1p1.orig/LICENSE.globus_usage 1970-01-01 01:00:00.000000000 +0100
++++ openssh-6.1p1/LICENSE.globus_usage 2012-09-18 09:50:26.017838330 +0200
@@ -0,0 +1,18 @@
+/*
+ * Portions of the Usage Metrics suport code are derived from the
@@ -1259,9 +1259,9 @@ diff -Nur openssh-6.0p1.orig/LICENSE.globus_usage openssh-6.0p1/LICENSE.globus_u
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
-diff -Nur openssh-6.0p1.orig/Makefile.in openssh-6.0p1/Makefile.in
---- openssh-6.0p1.orig/Makefile.in 2012-08-13 19:04:08.541574893 +0200
-+++ openssh-6.0p1/Makefile.in 2012-08-13 19:05:18.630695566 +0200
+diff -Nur openssh-6.1p1.orig/Makefile.in openssh-6.1p1/Makefile.in
+--- openssh-6.1p1.orig/Makefile.in 2012-09-18 09:48:23.243615284 +0200
++++ openssh-6.1p1/Makefile.in 2012-09-18 09:50:26.017838330 +0200
@@ -93,8 +93,10 @@
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
auth-krb5.o \
@@ -1273,9 +1273,9 @@ diff -Nur openssh-6.0p1.orig/Makefile.in openssh-6.0p1/Makefile.in
roaming_common.o roaming_serv.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o
-diff -Nur openssh-6.0p1.orig/misc.c openssh-6.0p1/misc.c
---- openssh-6.0p1.orig/misc.c 2012-08-13 19:04:08.393576750 +0200
-+++ openssh-6.0p1/misc.c 2012-08-13 19:05:18.630695566 +0200
+diff -Nur openssh-6.1p1.orig/misc.c openssh-6.1p1/misc.c
+--- openssh-6.1p1.orig/misc.c 2012-09-18 09:48:22.844611228 +0200
++++ openssh-6.1p1/misc.c 2012-09-18 09:50:26.018838342 +0200
@@ -158,11 +158,14 @@
#define WHITESPACE " \t\r\n"
#define QUOTE "\""
@@ -1335,9 +1335,9 @@ diff -Nur openssh-6.0p1.orig/misc.c openssh-6.0p1/misc.c
/*
* Convert ASCII string to TCP/IP port number.
* Port must be >=0 and <=65535.
-diff -Nur openssh-6.0p1.orig/misc.h openssh-6.0p1/misc.h
---- openssh-6.0p1.orig/misc.h 2011-05-05 06:14:34.000000000 +0200
-+++ openssh-6.0p1/misc.h 2012-08-13 19:05:18.630695566 +0200
+diff -Nur openssh-6.1p1.orig/misc.h openssh-6.1p1/misc.h
+--- openssh-6.1p1.orig/misc.h 2011-05-05 06:14:34.000000000 +0200
++++ openssh-6.1p1/misc.h 2012-09-18 09:50:26.020838366 +0200
@@ -38,6 +38,7 @@
void sock_set_v6only(int);
@@ -1346,9 +1346,9 @@ diff -Nur openssh-6.0p1.orig/misc.h openssh-6.0p1/misc.h
const char *ssh_gai_strerror(int);
typedef struct arglist arglist;
-diff -Nur openssh-6.0p1.orig/monitor.c openssh-6.0p1/monitor.c
---- openssh-6.0p1.orig/monitor.c 2012-08-13 19:04:08.515575219 +0200
-+++ openssh-6.0p1/monitor.c 2012-08-13 19:05:18.635695503 +0200
+diff -Nur openssh-6.1p1.orig/monitor.c openssh-6.1p1/monitor.c
+--- openssh-6.1p1.orig/monitor.c 2012-09-18 09:48:23.244615294 +0200
++++ openssh-6.1p1/monitor.c 2012-09-18 09:50:26.058838829 +0200
@@ -187,6 +187,9 @@
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@@ -1423,7 +1423,7 @@ diff -Nur openssh-6.0p1.orig/monitor.c openssh-6.0p1/monitor.c
#endif
} else {
mon_dispatch = mon_dispatch_postauth15;
-@@ -796,14 +808,17 @@
+@@ -793,14 +805,17 @@
debug3("%s", __func__);
@@ -1444,7 +1444,7 @@ diff -Nur openssh-6.0p1.orig/monitor.c openssh-6.0p1/monitor.c
setproctitle("%s [priv]", pwent ? username : "unknown");
xfree(username);
-@@ -2279,12 +2294,15 @@
+@@ -2276,12 +2291,15 @@
mm_answer_gss_userok(int sock, Buffer *m)
{
int authenticated;
@@ -1461,7 +1461,7 @@ diff -Nur openssh-6.0p1.orig/monitor.c openssh-6.0p1/monitor.c
buffer_clear(m);
buffer_put_int(m, authenticated);
-@@ -2292,13 +2310,78 @@
+@@ -2289,13 +2307,78 @@
debug3("%s: sending result %d", __func__, authenticated);
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
@@ -1541,9 +1541,9 @@ diff -Nur openssh-6.0p1.orig/monitor.c openssh-6.0p1/monitor.c
int
mm_answer_gss_sign(int socket, Buffer *m)
{
-diff -Nur openssh-6.0p1.orig/monitor.h openssh-6.0p1/monitor.h
---- openssh-6.0p1.orig/monitor.h 2012-08-13 19:04:08.515575219 +0200
-+++ openssh-6.0p1/monitor.h 2012-08-13 19:05:18.635695503 +0200
+diff -Nur openssh-6.1p1.orig/monitor.h openssh-6.1p1/monitor.h
+--- openssh-6.1p1.orig/monitor.h 2012-09-18 09:48:23.245615304 +0200
++++ openssh-6.1p1/monitor.h 2012-09-18 09:50:26.059838841 +0200
@@ -55,6 +55,9 @@
MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
@@ -1554,9 +1554,9 @@ diff -Nur openssh-6.0p1.orig/monitor.h openssh-6.0p1/monitor.h
MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC,
MONITOR_REQ_GSSSIGN, MONITOR_ANS_GSSSIGN,
MONITOR_REQ_GSSUPCREDS, MONITOR_ANS_GSSUPCREDS,
-diff -Nur openssh-6.0p1.orig/monitor_wrap.c openssh-6.0p1/monitor_wrap.c
---- openssh-6.0p1.orig/monitor_wrap.c 2012-08-13 19:04:08.516575206 +0200
-+++ openssh-6.0p1/monitor_wrap.c 2012-08-13 19:05:18.637695478 +0200
+diff -Nur openssh-6.1p1.orig/monitor_wrap.c openssh-6.1p1/monitor_wrap.c
+--- openssh-6.1p1.orig/monitor_wrap.c 2012-09-18 09:48:23.246615314 +0200
++++ openssh-6.1p1/monitor_wrap.c 2012-09-18 09:50:26.060838853 +0200
@@ -1326,12 +1326,13 @@
}
@@ -1656,9 +1656,9 @@ diff -Nur openssh-6.0p1.orig/monitor_wrap.c openssh-6.0p1/monitor_wrap.c
OM_uint32
mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash)
{
-diff -Nur openssh-6.0p1.orig/monitor_wrap.h openssh-6.0p1/monitor_wrap.h
---- openssh-6.0p1.orig/monitor_wrap.h 2012-08-13 19:04:08.516575206 +0200
-+++ openssh-6.0p1/monitor_wrap.h 2012-08-13 19:05:18.637695478 +0200
+diff -Nur openssh-6.1p1.orig/monitor_wrap.h openssh-6.1p1/monitor_wrap.h
+--- openssh-6.1p1.orig/monitor_wrap.h 2012-09-18 09:48:23.246615314 +0200
++++ openssh-6.1p1/monitor_wrap.h 2012-09-18 09:50:26.060838853 +0200
@@ -62,9 +62,13 @@
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@@ -1674,9 +1674,9 @@ diff -Nur openssh-6.0p1.orig/monitor_wrap.h openssh-6.0p1/monitor_wrap.h
int mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *);
#endif
-diff -Nur openssh-6.0p1.orig/readconf.c openssh-6.0p1/readconf.c
---- openssh-6.0p1.orig/readconf.c 2012-08-13 19:04:08.517575193 +0200
-+++ openssh-6.0p1/readconf.c 2012-08-13 19:05:18.638695465 +0200
+diff -Nur openssh-6.1p1.orig/readconf.c openssh-6.1p1/readconf.c
+--- openssh-6.1p1.orig/readconf.c 2012-09-18 09:48:23.247615324 +0200
++++ openssh-6.1p1/readconf.c 2012-09-18 09:50:26.061838865 +0200
@@ -1274,13 +1274,13 @@
if (options->challenge_response_authentication == -1)
options->challenge_response_authentication = 1;
@@ -1695,9 +1695,9 @@ diff -Nur openssh-6.0p1.orig/readconf.c openssh-6.0p1/readconf.c
if (options->gss_renewal_rekey == -1)
options->gss_renewal_rekey = 0;
if (options->password_authentication == -1)
-diff -Nur openssh-6.0p1.orig/readconf.h openssh-6.0p1/readconf.h
---- openssh-6.0p1.orig/readconf.h 2012-08-13 19:04:08.517575193 +0200
-+++ openssh-6.0p1/readconf.h 2012-08-13 19:05:18.639695452 +0200
+diff -Nur openssh-6.1p1.orig/readconf.h openssh-6.1p1/readconf.h
+--- openssh-6.1p1.orig/readconf.h 2012-09-18 09:48:23.247615324 +0200
++++ openssh-6.1p1/readconf.h 2012-09-18 09:50:26.062838877 +0200
@@ -88,6 +88,8 @@
char *host_key_alias; /* hostname alias for .ssh/known_hosts */
char *proxy_command; /* Proxy command for connecting the host. */
@@ -1707,10 +1707,10 @@ diff -Nur openssh-6.0p1.orig/readconf.h openssh-6.0p1/readconf.h
int escape_char; /* Escape character; -2 = none */
u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */
-diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
---- openssh-6.0p1.orig/servconf.c 2012-08-13 19:04:08.534574981 +0200
-+++ openssh-6.0p1/servconf.c 2012-08-13 19:05:18.640695440 +0200
-@@ -64,6 +64,7 @@
+diff -Nur openssh-6.1p1.orig/servconf.c openssh-6.1p1/servconf.c
+--- openssh-6.1p1.orig/servconf.c 2012-09-18 09:48:23.270615559 +0200
++++ openssh-6.1p1/servconf.c 2012-09-18 09:50:26.064838901 +0200
+@@ -67,6 +67,7 @@
/* Portable-specific options */
options->use_pam = -1;
@@ -1718,7 +1718,7 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
/* Standard Options */
options->num_ports = 0;
-@@ -99,9 +100,11 @@
+@@ -102,9 +103,11 @@
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
@@ -1730,7 +1730,7 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
options->gss_store_rekey = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
-@@ -143,6 +146,8 @@
+@@ -146,6 +149,8 @@
options->authorized_keys_command = NULL;
options->authorized_keys_command_runas = NULL;
options->zero_knowledge_password_authentication = -1;
@@ -1739,7 +1739,7 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL;
options->authorized_principals_file = NULL;
-@@ -157,6 +162,8 @@
+@@ -161,6 +166,8 @@
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0;
@@ -1748,7 +1748,7 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
/* Standard Options */
if (options->protocol == SSH_PROTO_UNKNOWN)
-@@ -235,13 +242,17 @@
+@@ -239,13 +246,17 @@
if (options->kerberos_get_afs_token == -1)
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
@@ -1768,7 +1768,7 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
if (options->gss_store_rekey == -1)
options->gss_store_rekey = 0;
if (options->password_authentication == -1)
-@@ -318,7 +329,7 @@
+@@ -324,7 +335,7 @@
typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
@@ -1777,7 +1777,7 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
/* Standard Options */
sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
sPermitRootLogin, sLogFacility, sLogLevel,
-@@ -339,12 +350,16 @@
+@@ -345,12 +356,16 @@
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
@@ -1793,8 +1793,8 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
+ sDisUsageStats, sUsageStatsTarg,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
- sKexAlgorithms, sIPQoS,
-@@ -365,8 +380,10 @@
+ sKexAlgorithms, sIPQoS, sVersionAddendum,
+@@ -371,8 +386,10 @@
/* Portable-specific options */
#ifdef USE_PAM
{ "usepam", sUsePAM, SSHCFG_GLOBAL },
@@ -1805,7 +1805,7 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
#endif
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
-@@ -408,15 +425,25 @@
+@@ -414,15 +431,25 @@
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
@@ -1831,7 +1831,7 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
-@@ -480,6 +507,8 @@
+@@ -486,6 +513,8 @@
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
@@ -1840,7 +1840,7 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
-@@ -805,6 +834,10 @@
+@@ -876,6 +905,10 @@
intptr = &options->use_pam;
goto parse_flag;
@@ -1851,7 +1851,7 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
/* Standard Options */
case sBadOption:
return -1;
-@@ -1009,6 +1042,10 @@
+@@ -1080,6 +1113,10 @@
intptr = &options->gss_authentication;
goto parse_flag;
@@ -1862,7 +1862,7 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
case sGssKeyEx:
intptr = &options->gss_keyex;
goto parse_flag;
-@@ -1017,6 +1054,10 @@
+@@ -1088,6 +1125,10 @@
intptr = &options->gss_cleanup_creds;
goto parse_flag;
@@ -1873,7 +1873,7 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
case sGssStrictAcceptor:
intptr = &options->gss_strict_acceptor;
goto parse_flag;
-@@ -1025,6 +1066,12 @@
+@@ -1096,6 +1137,12 @@
intptr = &options->gss_store_rekey;
goto parse_flag;
@@ -1886,7 +1886,7 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
-@@ -1465,6 +1512,18 @@
+@@ -1553,6 +1600,18 @@
*charptr = xstrdup(arg);
break;
@@ -1905,7 +1905,7 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
case sTrustedUserCAKeys:
charptr = &options->trusted_user_ca_keys;
goto parse_filename;
-@@ -1605,6 +1664,7 @@
+@@ -1755,6 +1814,7 @@
{
M_CP_INTOPT(password_authentication);
M_CP_INTOPT(gss_authentication);
@@ -1913,9 +1913,9 @@ diff -Nur openssh-6.0p1.orig/servconf.c openssh-6.0p1/servconf.c
M_CP_INTOPT(rsa_authentication);
M_CP_INTOPT(pubkey_authentication);
M_CP_INTOPT(kerberos_authentication);
-diff -Nur openssh-6.0p1.orig/servconf.h openssh-6.0p1/servconf.h
---- openssh-6.0p1.orig/servconf.h 2012-08-13 19:04:08.534574981 +0200
-+++ openssh-6.0p1/servconf.h 2012-08-13 19:05:18.640695440 +0200
+diff -Nur openssh-6.1p1.orig/servconf.h openssh-6.1p1/servconf.h
+--- openssh-6.1p1.orig/servconf.h 2012-09-18 09:48:23.271615569 +0200
++++ openssh-6.1p1/servconf.h 2012-09-18 09:50:26.064838901 +0200
@@ -102,9 +102,12 @@
* file on logout. */
int kerberos_get_afs_token; /* If true, try to get AFS token if
@@ -1948,9 +1948,9 @@ diff -Nur openssh-6.0p1.orig/servconf.h openssh-6.0p1/servconf.h
char *revoked_keys_file;
char *trusted_user_ca_keys;
char *authorized_principals_file;
-diff -Nur openssh-6.0p1.orig/ssh.1 openssh-6.0p1/ssh.1
---- openssh-6.0p1.orig/ssh.1 2012-08-13 19:04:08.479575672 +0200
-+++ openssh-6.0p1/ssh.1 2012-08-13 19:05:18.642695416 +0200
+diff -Nur openssh-6.1p1.orig/ssh.1 openssh-6.1p1/ssh.1
+--- openssh-6.1p1.orig/ssh.1 2012-09-18 09:48:23.109613923 +0200
++++ openssh-6.1p1/ssh.1 2012-09-18 09:50:26.065838914 +0200
@@ -1255,6 +1255,18 @@
on to new connections).
.It Ev USER
@@ -1970,10 +1970,10 @@ diff -Nur openssh-6.0p1.orig/ssh.1 openssh-6.0p1/ssh.1
.El
.Pp
Additionally,
-diff -Nur openssh-6.0p1.orig/ssh.c openssh-6.0p1/ssh.c
---- openssh-6.0p1.orig/ssh.c 2012-08-13 19:04:08.454575985 +0200
-+++ openssh-6.0p1/ssh.c 2012-08-13 19:05:18.643695403 +0200
-@@ -711,6 +711,32 @@
+diff -Nur openssh-6.1p1.orig/ssh.c openssh-6.1p1/ssh.c
+--- openssh-6.1p1.orig/ssh.c 2012-09-18 09:48:23.069613515 +0200
++++ openssh-6.1p1/ssh.c 2012-09-18 09:50:26.066838927 +0200
+@@ -690,6 +690,32 @@
fatal("Can't open user config file %.100s: "
"%.100s", config, strerror(errno));
} else {
@@ -2006,7 +2006,7 @@ diff -Nur openssh-6.0p1.orig/ssh.c openssh-6.0p1/ssh.c
r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
_PATH_SSH_USER_CONFFILE);
if (r > 0 && (size_t)r < sizeof(buf))
-@@ -735,8 +761,12 @@
+@@ -734,8 +760,12 @@
logit("FIPS mode initialized");
}
@@ -2020,9 +2020,9 @@ diff -Nur openssh-6.0p1.orig/ssh.c openssh-6.0p1/ssh.c
/* Get default port if port has not been set. */
if (options.port == 0) {
-diff -Nur openssh-6.0p1.orig/ssh_config openssh-6.0p1/ssh_config
---- openssh-6.0p1.orig/ssh_config 2012-08-13 19:04:08.519575169 +0200
-+++ openssh-6.0p1/ssh_config 2012-08-13 19:05:18.643695403 +0200
+diff -Nur openssh-6.1p1.orig/ssh_config openssh-6.1p1/ssh_config
+--- openssh-6.1p1.orig/ssh_config 2012-09-18 09:48:23.249615344 +0200
++++ openssh-6.1p1/ssh_config 2012-09-18 09:50:26.067838939 +0200
@@ -24,10 +24,10 @@
# RSAAuthentication yes
# PasswordAuthentication yes
@@ -2038,9 +2038,9 @@ diff -Nur openssh-6.0p1.orig/ssh_config openssh-6.0p1/ssh_config
# BatchMode no
# CheckHostIP yes
# AddressFamily any
-diff -Nur openssh-6.0p1.orig/ssh_config.5 openssh-6.0p1/ssh_config.5
---- openssh-6.0p1.orig/ssh_config.5 2012-08-13 19:04:08.520575157 +0200
-+++ openssh-6.0p1/ssh_config.5 2012-08-13 19:05:18.644695390 +0200
+diff -Nur openssh-6.1p1.orig/ssh_config.5 openssh-6.1p1/ssh_config.5
+--- openssh-6.1p1.orig/ssh_config.5 2012-09-18 09:48:23.249615344 +0200
++++ openssh-6.1p1/ssh_config.5 2012-09-18 09:50:26.067838939 +0200
@@ -55,6 +55,12 @@
user's configuration file
.Pq Pa ~/.ssh/config
@@ -2054,9 +2054,9 @@ diff -Nur openssh-6.0p1.orig/ssh_config.5 openssh-6.0p1/ssh_config.5
system-wide configuration file
.Pq Pa /etc/ssh/ssh_config
.El
-diff -Nur openssh-6.0p1.orig/sshconnect2.c openssh-6.0p1/sshconnect2.c
---- openssh-6.0p1.orig/sshconnect2.c 2012-08-13 19:04:08.531575018 +0200
-+++ openssh-6.0p1/sshconnect2.c 2012-08-13 19:05:18.645695377 +0200
+diff -Nur openssh-6.1p1.orig/sshconnect2.c openssh-6.1p1/sshconnect2.c
+--- openssh-6.1p1.orig/sshconnect2.c 2012-09-18 09:48:23.264615496 +0200
++++ openssh-6.1p1/sshconnect2.c 2012-09-18 09:50:26.069838963 +0200
@@ -701,6 +701,11 @@
int ok = 0;
const char *gss_host = NULL;
@@ -2118,10 +2118,10 @@ diff -Nur openssh-6.0p1.orig/sshconnect2.c openssh-6.0p1/sshconnect2.c
packet_put_cstring(authctxt->service);
packet_put_cstring(authctxt->method->name);
packet_put_string(mic.value, mic.length);
-diff -Nur openssh-6.0p1.orig/sshd.8 openssh-6.0p1/sshd.8
---- openssh-6.0p1.orig/sshd.8 2012-08-13 19:04:08.528575057 +0200
-+++ openssh-6.0p1/sshd.8 2012-08-13 19:05:18.646695364 +0200
-@@ -760,6 +760,44 @@
+diff -Nur openssh-6.1p1.orig/sshd.8 openssh-6.1p1/sshd.8
+--- openssh-6.1p1.orig/sshd.8 2012-09-18 09:48:23.260615456 +0200
++++ openssh-6.1p1/sshd.8 2012-09-18 09:50:26.071838987 +0200
+@@ -762,6 +762,44 @@
# A CA key, accepted for any host in *.mydomain.com or *.mydomain.org
@cert-authority *.mydomain.org,*.mydomain.com ssh-rsa AAAAB5W...
.Ed
@@ -2166,9 +2166,9 @@ diff -Nur openssh-6.0p1.orig/sshd.8 openssh-6.0p1/sshd.8
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.hushlogin
-diff -Nur openssh-6.0p1.orig/sshd.c openssh-6.0p1/sshd.c
---- openssh-6.0p1.orig/sshd.c 2012-08-13 19:04:08.522575132 +0200
-+++ openssh-6.0p1/sshd.c 2012-08-13 19:05:18.647695352 +0200
+diff -Nur openssh-6.1p1.orig/sshd.c openssh-6.1p1/sshd.c
+--- openssh-6.1p1.orig/sshd.c 2012-09-18 09:48:23.251615364 +0200
++++ openssh-6.1p1/sshd.c 2012-09-18 09:50:26.113839497 +0200
@@ -123,6 +123,7 @@
#include "audit.h"
#include "ssh-sandbox.h"
@@ -2177,7 +2177,7 @@ diff -Nur openssh-6.0p1.orig/sshd.c openssh-6.0p1/sshd.c
#ifdef USE_SECURITY_SESSION_API
#include <Security/AuthSession.h>
-@@ -1639,6 +1640,13 @@
+@@ -1629,6 +1630,13 @@
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
@@ -2191,7 +2191,7 @@ diff -Nur openssh-6.0p1.orig/sshd.c openssh-6.0p1/sshd.c
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
-@@ -2171,7 +2179,7 @@
+@@ -2160,7 +2168,7 @@
#endif
#ifdef GSSAPI
@@ -2200,10 +2200,10 @@ diff -Nur openssh-6.0p1.orig/sshd.c openssh-6.0p1/sshd.c
temporarily_use_uid(authctxt->pw);
ssh_gssapi_storecreds();
restore_uid();
-diff -Nur openssh-6.0p1.orig/sshd_config openssh-6.0p1/sshd_config
---- openssh-6.0p1.orig/sshd_config 2012-08-13 19:04:08.536574956 +0200
-+++ openssh-6.0p1/sshd_config 2012-08-13 19:05:18.648695340 +0200
-@@ -80,12 +80,11 @@
+diff -Nur openssh-6.1p1.orig/sshd_config openssh-6.1p1/sshd_config
+--- openssh-6.1p1.orig/sshd_config 2012-09-18 09:48:23.272615579 +0200
++++ openssh-6.1p1/sshd_config 2012-09-18 09:50:26.143839864 +0200
+@@ -82,12 +82,11 @@
#KerberosUseKuserok yes
# GSSAPI options
@@ -2219,7 +2219,7 @@ diff -Nur openssh-6.0p1.orig/sshd_config openssh-6.0p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
-@@ -101,6 +100,10 @@
+@@ -103,6 +102,10 @@
#UsePAM no
UsePAM yes
@@ -2230,7 +2230,7 @@ diff -Nur openssh-6.0p1.orig/sshd_config openssh-6.0p1/sshd_config
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-@@ -145,3 +148,7 @@
+@@ -148,3 +151,7 @@
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
@@ -2238,10 +2238,10 @@ diff -Nur openssh-6.0p1.orig/sshd_config openssh-6.0p1/sshd_config
+# Usage Metrics
+#UsageStatsTargets usage-stats.cilogon.org:4810
+#DisableUsageStats no
-diff -Nur openssh-6.0p1.orig/sshd_config.5 openssh-6.0p1/sshd_config.5
---- openssh-6.0p1.orig/sshd_config.5 2012-08-13 19:04:08.535574969 +0200
-+++ openssh-6.0p1/sshd_config.5 2012-08-13 19:05:18.648695340 +0200
-@@ -393,6 +393,15 @@
+diff -Nur openssh-6.1p1.orig/sshd_config.5 openssh-6.1p1/sshd_config.5
+--- openssh-6.1p1.orig/sshd_config.5 2012-09-18 09:48:23.273615589 +0200
++++ openssh-6.1p1/sshd_config.5 2012-09-18 09:50:26.144839876 +0200
+@@ -395,6 +395,15 @@
in
.Xr ssh_config 5
for more information on patterns.
@@ -2257,7 +2257,7 @@ diff -Nur openssh-6.0p1.orig/sshd_config.5 openssh-6.0p1/sshd_config.5
.It Cm ForceCommand
Forces the execution of the command specified by
.Cm ForceCommand ,
-@@ -437,6 +446,10 @@
+@@ -439,6 +448,10 @@
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
@@ -2268,7 +2268,7 @@ diff -Nur openssh-6.0p1.orig/sshd_config.5 openssh-6.0p1/sshd_config.5
.It Cm GSSAPIKeyExchange
Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
doesn't rely on ssh keys to verify host identity.
-@@ -449,6 +462,22 @@
+@@ -451,6 +464,22 @@
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
@@ -2291,7 +2291,7 @@ diff -Nur openssh-6.0p1.orig/sshd_config.5 openssh-6.0p1/sshd_config.5
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against. If
-@@ -1069,6 +1098,121 @@
+@@ -1080,6 +1109,121 @@
.Pp
To disable TCP keepalive messages, the value should be set to
.Dq no .
@@ -2413,7 +2413,7 @@ diff -Nur openssh-6.0p1.orig/sshd_config.5 openssh-6.0p1/sshd_config.5
.It Cm TrustedUserCAKeys
Specifies a file containing public keys of certificate authorities that are
trusted to sign user certificates for authentication.
-@@ -1136,6 +1280,12 @@
+@@ -1147,6 +1291,12 @@
as a non-root user.
The default is
.Dq no .
@@ -2426,9 +2426,9 @@ diff -Nur openssh-6.0p1.orig/sshd_config.5 openssh-6.0p1/sshd_config.5
.It Cm UsePrivilegeSeparation
Specifies whether
.Xr sshd 8
-diff -Nur openssh-6.0p1.orig/ssh-globus-usage.c openssh-6.0p1/ssh-globus-usage.c
---- openssh-6.0p1.orig/ssh-globus-usage.c 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.0p1/ssh-globus-usage.c 2012-08-13 19:05:18.649695328 +0200
+diff -Nur openssh-6.1p1.orig/ssh-globus-usage.c openssh-6.1p1/ssh-globus-usage.c
+--- openssh-6.1p1.orig/ssh-globus-usage.c 1970-01-01 01:00:00.000000000 +0100
++++ openssh-6.1p1/ssh-globus-usage.c 2012-09-18 09:50:26.145839888 +0200
@@ -0,0 +1,396 @@
+/*
+ * Copyright 2009 The Board of Trustees of the University
@@ -2826,9 +2826,9 @@ diff -Nur openssh-6.0p1.orig/ssh-globus-usage.c openssh-6.0p1/ssh-globus-usage.c
+
+#endif /* HAVE_GLOBUS_USAGE */
+}
-diff -Nur openssh-6.0p1.orig/ssh-globus-usage.h openssh-6.0p1/ssh-globus-usage.h
---- openssh-6.0p1.orig/ssh-globus-usage.h 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.0p1/ssh-globus-usage.h 2012-08-13 19:05:18.649695328 +0200
+diff -Nur openssh-6.1p1.orig/ssh-globus-usage.h openssh-6.1p1/ssh-globus-usage.h
+--- openssh-6.1p1.orig/ssh-globus-usage.h 1970-01-01 01:00:00.000000000 +0100
++++ openssh-6.1p1/ssh-globus-usage.h 2012-09-18 09:50:26.145839888 +0200
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2009 The Board of Trustees of the University
@@ -2876,9 +2876,9 @@ diff -Nur openssh-6.0p1.orig/ssh-globus-usage.h openssh-6.0p1/ssh-globus-usage.h
+ char *username, char *userdn);
+
+#endif /* __SSH_GLOBUS_USAGE_H */
-diff -Nur openssh-6.0p1.orig/ssh-gss.h openssh-6.0p1/ssh-gss.h
---- openssh-6.0p1.orig/ssh-gss.h 2012-08-13 19:04:08.528575057 +0200
-+++ openssh-6.0p1/ssh-gss.h 2012-08-13 19:05:18.650695315 +0200
+diff -Nur openssh-6.1p1.orig/ssh-gss.h openssh-6.1p1/ssh-gss.h
+--- openssh-6.1p1.orig/ssh-gss.h 2012-09-18 09:48:23.261615466 +0200
++++ openssh-6.1p1/ssh-gss.h 2012-09-18 09:50:26.146839900 +0200
@@ -90,6 +90,7 @@
gss_name_t name;
struct ssh_gssapi_mech_struct *mech;
@@ -2923,11 +2923,11 @@ diff -Nur openssh-6.0p1.orig/ssh-gss.h openssh-6.0p1/ssh-gss.h
#endif /* GSSAPI */
#endif /* _SSH_GSS_H */
-diff -Nur openssh-6.0p1.orig/version.h openssh-6.0p1/version.h
---- openssh-6.0p1.orig/version.h 2012-02-10 22:19:44.000000000 +0100
-+++ openssh-6.0p1/version.h 2012-08-13 19:06:56.046473821 +0200
+diff -Nur openssh-6.1p1.orig/version.h openssh-6.1p1/version.h
+--- openssh-6.1p1.orig/version.h 2012-07-31 04:23:16.000000000 +0200
++++ openssh-6.1p1/version.h 2012-09-18 09:50:26.147839912 +0200
@@ -1,6 +1,21 @@
- /* $OpenBSD: version.h,v 1.64 2012/02/09 20:00:18 markus Exp $ */
+ /* $OpenBSD: version.h,v 1.65 2012/07/22 18:19:21 markus Exp $ */
+#ifdef GSI
+#define GSI_VERSION " GSI"
@@ -2941,9 +2941,9 @@ diff -Nur openssh-6.0p1.orig/version.h openssh-6.0p1/version.h
+#define KRB5_VERSION ""
+#endif
+
-+#define NCSA_VERSION " GSI_GSSAPI_20120527"
++#define NCSA_VERSION " GSI_GSSAPI_20120903"
+
- #define SSH_VERSION "OpenSSH_6.0"
+ #define SSH_VERSION "OpenSSH_6.1"
#define SSH_PORTABLE "p1"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/openssh-5.9p1-gsskex.patch b/openssh-6.1p1-gsskex.patch
similarity index 87%
rename from openssh-5.9p1-gsskex.patch
rename to openssh-6.1p1-gsskex.patch
index 52418e0..b580a6d 100644
--- a/openssh-5.9p1-gsskex.patch
+++ b/openssh-6.1p1-gsskex.patch
@@ -1,33 +1,77 @@
-diff -up openssh-5.9p1/auth-krb5.c.gsskex openssh-5.9p1/auth-krb5.c
---- openssh-5.9p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100
-+++ openssh-5.9p1/auth-krb5.c 2012-02-06 17:38:19.166867405 +0100
-@@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c
+diff -up openssh-6.1p1/auth-krb5.c.gsskex openssh-6.1p1/auth-krb5.c
+--- openssh-6.1p1/auth-krb5.c.gsskex 2012-04-26 01:52:15.000000000 +0200
++++ openssh-6.1p1/auth-krb5.c 2012-09-14 21:07:19.695203206 +0200
+@@ -50,6 +50,7 @@
+ #include <errno.h>
+ #include <unistd.h>
+ #include <string.h>
++#include <sys/stat.h>
+ #include <krb5.h>
+
+ extern ServerOptions options;
+@@ -170,8 +171,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6;
authctxt->krb5_ccname = xmalloc(len);
+- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+#ifdef USE_CCAPI
+ snprintf(authctxt->krb5_ccname, len, "API:%s",
-+ authctxt->krb5_ticket_file);
-+#else
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
authctxt->krb5_ticket_file);
++#else
++ snprintf(authctxt->krb5_ccname, len, "DIR:%s",
++ authctxt->krb5_ticket_file);
+#endif
#ifdef USE_PAM
if (options.use_pam)
-@@ -226,15 +231,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
+@@ -208,10 +214,33 @@ auth_krb5_password(Authctxt *authctxt, c
+ void
+ krb5_cleanup_proc(Authctxt *authctxt)
+ {
++ struct stat krb5_ccname_stat;
++ char krb5_ccname[128], *krb5_ccname_dir_end;
++
+ debug("krb5_cleanup_proc called");
+ if (authctxt->krb5_fwd_ccache) {
+ krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
+ authctxt->krb5_fwd_ccache = NULL;
++
++ /* assume ticket cache type DIR - DIR::/tmp/krb5cc_876600005_T9eDKSQvzb/tkt */
++ strncpy(krb5_ccname, authctxt->krb5_ccname + strlen("DIR::"), sizeof(krb5_ccname) - 10);
++
++ krb5_ccname_dir_end = strrchr(krb5_ccname, '/');
++ if (krb5_ccname_dir_end != NULL) {
++ strcpy(krb5_ccname_dir_end, "/primary");
++
++ if (stat(krb5_ccname, &krb5_ccname_stat) == 0) {
++ if (unlink(krb5_ccname) == 0) {
++ *krb5_ccname_dir_end = '\0';
++ if (rmdir(krb5_ccname) == -1)
++ debug("cache dir '%s' remove failed: %s", krb5_ccname, strerror(errno));
++ }
++ else
++ debug("cache primary file '%s', remove failed: %s",
++ krb5_ccname, strerror(errno)
++ );
++ }
++ }
+ }
+ if (authctxt->krb5_user) {
+ krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
+@@ -226,31 +255,37 @@ krb5_cleanup_proc(Authctxt *authctxt)
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
-- int tmpfd, ret;
-+ int ret;
- char ccname[40];
+- int tmpfd, ret, oerrno;
+- char ccname[40];
++ int ret, oerrno;
++ char ccname[128];
mode_t old_umask;
+#ifdef USE_CCAPI
+ char cctemplate[] = "API:krb5cc_%d";
+#else
-+ char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
-+ int tmpfd;
++ char cctemplate[] = "DIR:/tmp/krb5cc_%d_XXXXXXXXXX";
++ char *tmpdir;
+#endif
ret = snprintf(ccname, sizeof(ccname),
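Review bot: In the block added to krb5_cleanup_proc, `strncpy(krb5_ccname, authctxt->krb5_ccname + strlen("DIR::"), sizeof(krb5_ccname) - 10)` leaves the uninitialised stack buffer unterminated when the source is 118 bytes or longer, and `strrchr()`/`strcpy()` then run on it. Adding `krb5_ccname[sizeof(krb5_ccname) - 10] = '\0';` right after the copy closes that; the same copy appears in the gss-serv.c hunk for ssh_gssapi_cleanup_creds further down. The fixed five-byte skip also assumes a `DIR::` prefix, while this patch builds names as `"DIR:%s"` and `"DIR:/tmp/krb5cc_%d_XXXXXXXXXX"`. If the value still has the single-colon form at cleanup time (not visible here), the leading `/` is dropped and `stat()`/`unlink()`/`rmdir()` act on a path relative to the working directory, so a `strncmp()` prefix test and a NULL check on `authctxt->krb5_ccname` before the copy look warranted. The body of krb5_cleanup_proc continues outside the hunk.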
@@ -36,21 +80,36 @@ diff -up openssh-5.9p1/auth-krb5.c.gsskex openssh-5.9p1/auth-krb5.c
if (ret < 0 || (size_t)ret >= sizeof(ccname))
return ENOMEM;
+- old_umask = umask(0177);
+- tmpfd = mkstemp(ccname + strlen("FILE:"));
+#ifndef USE_CCAPI
- old_umask = umask(0177);
- tmpfd = mkstemp(ccname + strlen("FILE:"));
++ old_umask = umask(0077);
++ tmpdir = mkdtemp(ccname + strlen("DIR:"));
+ oerrno = errno;
umask(old_umask);
-@@ -249,6 +261,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
- return errno;
+- if (tmpfd == -1) {
+- logit("mkstemp(): %.100s", strerror(oerrno));
++ if (tmpdir == NULL) {
++ logit("mkdtemp(): %.100s", strerror(oerrno));
+ return oerrno;
}
- close(tmpfd);
+
+- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
++ if (chmod(tmpdir, S_IRUSR | S_IWUSR | S_IXUSR) == -1) {
+ oerrno = errno;
+- logit("fchmod(): %.100s", strerror(oerrno));
+- close(tmpfd);
++ logit("chmod(): %.100s", strerror(oerrno));
+ return oerrno;
+ }
+- close(tmpfd);
+#endif
return (krb5_cc_resolve(ctx, ccname, ccache));
}
-diff -up openssh-5.9p1/auth2.c.gsskex openssh-5.9p1/auth2.c
---- openssh-5.9p1/auth2.c.gsskex 2012-02-06 17:38:19.046907913 +0100
-+++ openssh-5.9p1/auth2.c 2012-02-06 17:38:19.169220866 +0100
+diff -up openssh-6.1p1/auth2.c.gsskex openssh-6.1p1/auth2.c
+--- openssh-6.1p1/auth2.c.gsskex 2012-09-14 20:57:55.291263269 +0200
++++ openssh-6.1p1/auth2.c 2012-09-14 20:57:55.853266860 +0200
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
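Review bot: In ssh_krb5_cc_gen, the `chmod()` failure path returns `oerrno` without removing the directory that `mkdtemp()` has just created, so each failure leaves an empty `krb5cc_*` directory behind in /tmp; `rmdir(tmpdir);` before `return oerrno;` would tidy that. The `chmod()` to `S_IRUSR | S_IWUSR | S_IXUSR` also repeats the 0700 mode `mkdtemp()` already applies, and it resolves the /tmp path a second time, unlike the descriptor-based `fchmod()` it replaces. A one-line comment such as `/* mkdtemp() already creates 0700; kept as a belt-and-braces check */` would say why it stays. The function starts in the previous hunk.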
@@ -67,9 +126,9 @@ diff -up openssh-5.9p1/auth2.c.gsskex openssh-5.9p1/auth2.c
&method_gssapi,
#endif
#ifdef JPAKE
-diff -up openssh-5.9p1/auth2-gss.c.gsskex openssh-5.9p1/auth2-gss.c
---- openssh-5.9p1/auth2-gss.c.gsskex 2012-02-06 17:38:19.046907913 +0100
-+++ openssh-5.9p1/auth2-gss.c 2012-02-06 17:41:33.656381846 +0100
+diff -up openssh-6.1p1/auth2-gss.c.gsskex openssh-6.1p1/auth2-gss.c
+--- openssh-6.1p1/auth2-gss.c.gsskex 2012-09-14 20:57:55.292263276 +0200
++++ openssh-6.1p1/auth2-gss.c 2012-09-14 20:57:55.855266873 +0200
@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
static void input_gssapi_errtok(int, u_int32_t, void *);
@@ -144,9 +203,9 @@ diff -up openssh-5.9p1/auth2-gss.c.gsskex openssh-5.9p1/auth2-gss.c
Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
-diff -up openssh-5.9p1/clientloop.c.gsskex openssh-5.9p1/clientloop.c
---- openssh-5.9p1/clientloop.c.gsskex 2012-02-06 17:38:18.919095717 +0100
-+++ openssh-5.9p1/clientloop.c 2012-02-06 17:38:19.170220176 +0100
+diff -up openssh-6.1p1/clientloop.c.gsskex openssh-6.1p1/clientloop.c
+--- openssh-6.1p1/clientloop.c.gsskex 2012-09-14 20:57:54.862260529 +0200
++++ openssh-6.1p1/clientloop.c 2012-09-14 20:57:55.861266911 +0200
@@ -111,6 +111,10 @@
#include "msg.h"
#include "roaming.h"
@@ -158,7 +217,7 @@ diff -up openssh-5.9p1/clientloop.c.gsskex openssh-5.9p1/clientloop.c
/* import options */
extern Options options;
-@@ -1508,6 +1512,15 @@ client_loop(int have_pty, int escape_cha
+@@ -1544,6 +1548,15 @@ client_loop(int have_pty, int escape_cha
/* Do channel operations unless rekeying in progress. */
if (!rekeying) {
channel_after_select(readset, writeset);
@@ -174,10 +233,10 @@ diff -up openssh-5.9p1/clientloop.c.gsskex openssh-5.9p1/clientloop.c
if (need_rekeying || packet_need_rekeying()) {
debug("need rekeying");
xxx_kex->done = 0;
-diff -up openssh-5.9p1/configure.ac.gsskex openssh-5.9p1/configure.ac
---- openssh-5.9p1/configure.ac.gsskex 2012-02-06 17:38:19.151008987 +0100
-+++ openssh-5.9p1/configure.ac 2012-02-06 17:38:19.171220137 +0100
-@@ -515,6 +515,30 @@ main() { if (NSVersionOfRunTimeLibrary("
+diff -up openssh-6.1p1/configure.ac.gsskex openssh-6.1p1/configure.ac
+--- openssh-6.1p1/configure.ac.gsskex 2012-09-14 20:57:55.756266240 +0200
++++ openssh-6.1p1/configure.ac 2012-09-14 20:57:55.865266937 +0200
+@@ -545,6 +545,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic])
@@ -208,9 +267,9 @@ diff -up openssh-5.9p1/configure.ac.gsskex openssh-5.9p1/configure.ac
m4_pattern_allow([AU_IPv])
AC_CHECK_DECL([AU_IPv4], [],
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
-diff -up openssh-5.9p1/gss-genr.c.gsskex openssh-5.9p1/gss-genr.c
---- openssh-5.9p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
-+++ openssh-5.9p1/gss-genr.c 2012-02-06 17:38:19.172078790 +0100
+diff -up openssh-6.1p1/gss-genr.c.gsskex openssh-6.1p1/gss-genr.c
+--- openssh-6.1p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
++++ openssh-6.1p1/gss-genr.c 2012-09-14 20:57:55.867266949 +0200
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
@@ -558,9 +617,9 @@ diff -up openssh-5.9p1/gss-genr.c.gsskex openssh-5.9p1/gss-genr.c
+}
+
#endif /* GSSAPI */
-diff -up openssh-5.9p1/gss-serv.c.gsskex openssh-5.9p1/gss-serv.c
---- openssh-5.9p1/gss-serv.c.gsskex 2011-08-05 22:16:46.000000000 +0200
-+++ openssh-5.9p1/gss-serv.c 2012-02-06 17:38:19.174112917 +0100
+diff -up openssh-6.1p1/gss-serv.c.gsskex openssh-6.1p1/gss-serv.c
+--- openssh-6.1p1/gss-serv.c.gsskex 2011-08-05 22:16:46.000000000 +0200
++++ openssh-6.1p1/gss-serv.c 2012-09-14 20:57:55.870266969 +0200
@@ -45,15 +45,20 @@
#include "channels.h"
#include "session.h"
@@ -694,7 +753,8 @@ diff -up openssh-5.9p1/gss-serv.c.gsskex openssh-5.9p1/gss-serv.c
+ ssh_gssapi_error(ctx);
+ return (ctx->major);
+ }
-+
+
+- gss_buffer_desc ename;
+ ctx->major = gss_compare_name(&ctx->minor, client->name,
+ new_name, &equal);
+
@@ -709,8 +769,7 @@ diff -up openssh-5.9p1/gss-serv.c.gsskex openssh-5.9p1/gss-serv.c
+ }
+
+ debug("Marking rekeyed credentials for export");
-
-- gss_buffer_desc ename;
++
+ gss_release_name(&ctx->minor, &client->name);
+ gss_release_cred(&ctx->minor, &client->creds);
+ client->name = new_name;
@@ -745,7 +804,41 @@ diff -up openssh-5.9p1/gss-serv.c.gsskex openssh-5.9p1/gss-serv.c
/* We can't copy this structure, so we just move the pointer to it */
client->creds = ctx->client_creds;
ctx->client_creds = GSS_C_NO_CREDENTIAL;
-@@ -329,7 +415,7 @@ ssh_gssapi_do_child(char ***envp, u_int
+@@ -292,11 +378,33 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
+ void
+ ssh_gssapi_cleanup_creds(void)
+ {
++ struct stat krb5_ccname_stat;
++ char krb5_ccname[128], *krb5_ccname_dir_end;
++
+ if (gssapi_client.store.filename != NULL) {
+ /* Unlink probably isn't sufficient */
+ debug("removing gssapi cred file\"%s\"",
+ gssapi_client.store.filename);
+ unlink(gssapi_client.store.filename);
++
++ /* Ticket cache: DIR::/tmp/krb5cc_876600005_T9eDKSQvzb/tkt */
++ /* same code as in auth-krb5.c:krb5_cleanup_proc */
++ strncpy(krb5_ccname, gssapi_client.store.filename, sizeof(krb5_ccname) - 10);
++ krb5_ccname_dir_end = strrchr(krb5_ccname, '/');
++ if (krb5_ccname_dir_end != NULL)
++ strcpy(krb5_ccname_dir_end, "/primary");
++
++ if (stat(krb5_ccname, &krb5_ccname_stat) == 0) {
++ if (unlink(krb5_ccname) == 0) {
++ *krb5_ccname_dir_end = '\0';
++ if (rmdir(krb5_ccname) == -1)
++ debug("cache dir '%s' remove failed: %s", krb5_ccname, strerror(errno));
++ }
++ else
++ debug("cache primary file '%s', remove failed: %s",
++ krb5_ccname, strerror(errno)
++ );
++ }
+ }
+ }
+
+@@ -329,7 +437,7 @@ ssh_gssapi_do_child(char ***envp, u_int
/* Privileged */
int
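Review bot: In the block added to ssh_gssapi_cleanup_creds(), `strncpy(krb5_ccname, gssapi_client.store.filename, sizeof(krb5_ccname) - 10)` leaves krb5_ccname without a terminating NUL when the stored filename is 118 bytes or longer, because the array is an uninitialised local and strncpy does not terminate on truncation; the strrchr() that follows then scans past the copied data. krb5_ccname_dir_end is tested for NULL only before the strcpy(), yet `*krb5_ccname_dir_end = '\0'` in the unlink-success branch dereferences it unconditionally. A bounded copy that rejects truncation, plus an early return when no '/' is found, closes both cases; the stat() ahead of unlink() adds nothing, since unlink() already reports a missing file. The added comment says the same code lives in auth-krb5.c:krb5_cleanup_proc, which is not visible here and presumably needs the same change.

```c
	if (gssapi_client.store.filename != NULL) {
		/* ... unchanged: debug() and unlink() of the cred file ... */

		/* Leave room for "/primary"; refuse a path that does not fit. */
		if (strlcpy(krb5_ccname, gssapi_client.store.filename,
		    sizeof(krb5_ccname) - 10) >= sizeof(krb5_ccname) - 10) {
			debug("cache path too long, skipping cache dir cleanup");
			return;
		}
		krb5_ccname_dir_end = strrchr(krb5_ccname, '/');
		if (krb5_ccname_dir_end == NULL)
			return;
		strcpy(krb5_ccname_dir_end, "/primary");
		/* ... unchanged: unlink() of the primary file and rmdir() of the cache dir ... */
```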
@@ -754,7 +847,7 @@ diff -up openssh-5.9p1/gss-serv.c.gsskex openssh-5.9p1/gss-serv.c
{
OM_uint32 lmin;
-@@ -339,9 +425,11 @@ ssh_gssapi_userok(char *user)
+@@ -339,9 +447,11 @@ ssh_gssapi_userok(char *user)
return 0;
}
if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -768,7 +861,7 @@ diff -up openssh-5.9p1/gss-serv.c.gsskex openssh-5.9p1/gss-serv.c
/* Destroy delegated credentials if userok fails */
gss_release_buffer(&lmin, &gssapi_client.displayname);
gss_release_buffer(&lmin, &gssapi_client.exportedname);
-@@ -354,14 +442,90 @@ ssh_gssapi_userok(char *user)
+@@ -354,14 +464,90 @@ ssh_gssapi_userok(char *user)
return (0);
}
@@ -865,9 +958,9 @@ diff -up openssh-5.9p1/gss-serv.c.gsskex openssh-5.9p1/gss-serv.c
}
#endif
-diff -up openssh-5.9p1/gss-serv-krb5.c.gsskex openssh-5.9p1/gss-serv-krb5.c
---- openssh-5.9p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
-+++ openssh-5.9p1/gss-serv-krb5.c 2012-02-06 17:38:19.173095956 +0100
+diff -up openssh-6.1p1/gss-serv-krb5.c.gsskex openssh-6.1p1/gss-serv-krb5.c
+--- openssh-6.1p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
++++ openssh-6.1p1/gss-serv-krb5.c 2012-09-14 20:57:55.872266981 +0200
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
@@ -885,7 +978,7 @@ diff -up openssh-5.9p1/gss-serv-krb5.c.gsskex openssh-5.9p1/gss-serv-krb5.c
if (client->creds == NULL) {
debug("No credentials stored");
-@@ -168,11 +169,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
+@@ -168,11 +169,18 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
return;
}
@@ -900,13 +993,15 @@ diff -up openssh-5.9p1/gss-serv-krb5.c.gsskex openssh-5.9p1/gss-serv-krb5.c
+ xasprintf(&client->store.envval, "API:%s", new_ccname);
+ client->store.filename = NULL;
+#else
-+ xasprintf(&client->store.envval, "FILE:%s", new_ccname);
++ xasprintf(&client->store.envval, "DIR:%s", new_ccname);
++ if (new_ccname[0] == ':')
++ new_ccname++;
+ client->store.filename = xstrdup(new_ccname);
+#endif
#ifdef USE_PAM
if (options.use_pam)
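Review bot: The `#else` branch formats store.envval from new_ccname before the leading ':' is skipped, so the environment value keeps the `DIR::…` form while store.filename receives the path without the colon, and nothing in the hunk records that this asymmetry is intended. A comment above the `if (new_ccname[0] == ':')` line would do it, for example `/* envval keeps the "DIR::" form; filename is the bare path removed on cleanup */`. If new_ccname is heap-allocated and released later in ssh_gssapi_krb5_storecreds, releasing the advanced pointer would be invalid; the rest of the function lies outside the hunk, so this needs checking against the full source.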
-@@ -184,6 +190,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
+@@ -184,6 +192,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
return;
}
@@ -978,7 +1073,7 @@ diff -up openssh-5.9p1/gss-serv-krb5.c.gsskex openssh-5.9p1/gss-serv-krb5.c
ssh_gssapi_mech gssapi_kerberos_mech = {
"toWM5Slw5Ew8Mqkay+al2g==",
"Kerberos",
-@@ -191,7 +262,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
+@@ -191,7 +264,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
NULL,
&ssh_gssapi_krb5_userok,
NULL,
@@ -988,9 +1083,9 @@ diff -up openssh-5.9p1/gss-serv-krb5.c.gsskex openssh-5.9p1/gss-serv-krb5.c
};
#endif /* KRB5 */
-diff -up openssh-5.9p1/ChangeLog.gssapi.gsskex openssh-5.9p1/ChangeLog.gssapi
---- openssh-5.9p1/ChangeLog.gssapi.gsskex 2012-02-06 17:38:19.166867405 +0100
-+++ openssh-5.9p1/ChangeLog.gssapi 2012-02-06 17:38:19.166867405 +0100
+diff -up openssh-6.1p1/ChangeLog.gssapi.gsskex openssh-6.1p1/ChangeLog.gssapi
+--- openssh-6.1p1/ChangeLog.gssapi.gsskex 2012-09-14 20:57:55.858266892 +0200
++++ openssh-6.1p1/ChangeLog.gssapi 2012-09-14 20:57:55.859266899 +0200
@@ -0,0 +1,113 @@
+20110101
+ - Finally update for OpenSSH 5.6p1
@@ -1105,9 +1200,9 @@ diff -up openssh-5.9p1/ChangeLog.gssapi.gsskex openssh-5.9p1/ChangeLog.gssapi
+ add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008>
-diff -up openssh-5.9p1/kex.c.gsskex openssh-5.9p1/kex.c
---- openssh-5.9p1/kex.c.gsskex 2012-02-06 17:38:19.014845863 +0100
-+++ openssh-5.9p1/kex.c 2012-02-06 17:38:19.174112917 +0100
+diff -up openssh-6.1p1/kex.c.gsskex openssh-6.1p1/kex.c
+--- openssh-6.1p1/kex.c.gsskex 2012-09-14 20:57:55.139262298 +0200
++++ openssh-6.1p1/kex.c 2012-09-14 20:57:55.874266995 +0200
@@ -51,6 +51,10 @@
#include "roaming.h"
#include "audit.h"
@@ -1140,9 +1235,9 @@ diff -up openssh-5.9p1/kex.c.gsskex openssh-5.9p1/kex.c
} else
fatal("bad kex alg %s", k->name);
}
-diff -up openssh-5.9p1/kexgssc.c.gsskex openssh-5.9p1/kexgssc.c
---- openssh-5.9p1/kexgssc.c.gsskex 2012-02-06 17:38:19.175129606 +0100
-+++ openssh-5.9p1/kexgssc.c 2012-02-06 17:38:19.175129606 +0100
+diff -up openssh-6.1p1/kexgssc.c.gsskex openssh-6.1p1/kexgssc.c
+--- openssh-6.1p1/kexgssc.c.gsskex 2012-09-14 20:57:55.875267001 +0200
++++ openssh-6.1p1/kexgssc.c 2012-09-14 20:57:55.875267001 +0200
@@ -0,0 +1,334 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -1478,9 +1573,9 @@ diff -up openssh-5.9p1/kexgssc.c.gsskex openssh-5.9p1/kexgssc.c
+}
+
+#endif /* GSSAPI */
-diff -up openssh-5.9p1/kexgsss.c.gsskex openssh-5.9p1/kexgsss.c
---- openssh-5.9p1/kexgsss.c.gsskex 2012-02-06 17:38:19.176145304 +0100
-+++ openssh-5.9p1/kexgsss.c 2012-02-06 17:38:19.176145304 +0100
+diff -up openssh-6.1p1/kexgsss.c.gsskex openssh-6.1p1/kexgsss.c
+--- openssh-6.1p1/kexgsss.c.gsskex 2012-09-14 20:57:55.876267007 +0200
++++ openssh-6.1p1/kexgsss.c 2012-09-14 20:57:55.876267007 +0200
@@ -0,0 +1,288 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -1770,9 +1865,9 @@ diff -up openssh-5.9p1/kexgsss.c.gsskex openssh-5.9p1/kexgsss.c
+ ssh_gssapi_rekey_creds();
+}
+#endif /* GSSAPI */
-diff -up openssh-5.9p1/kex.h.gsskex openssh-5.9p1/kex.h
---- openssh-5.9p1/kex.h.gsskex 2012-02-06 17:38:19.015845746 +0100
-+++ openssh-5.9p1/kex.h 2012-02-06 17:38:19.175129606 +0100
+diff -up openssh-6.1p1/kex.h.gsskex openssh-6.1p1/kex.h
+--- openssh-6.1p1/kex.h.gsskex 2012-09-14 20:57:55.141262312 +0200
++++ openssh-6.1p1/kex.h 2012-09-14 20:57:55.878267019 +0200
@@ -73,6 +73,9 @@ enum kex_exchange {
KEX_DH_GEX_SHA1,
KEX_DH_GEX_SHA256,
@@ -1808,10 +1903,10 @@ diff -up openssh-5.9p1/kex.h.gsskex openssh-5.9p1/kex.h
void newkeys_destroy(Newkeys *newkeys);
void
-diff -up openssh-5.9p1/key.c.gsskex openssh-5.9p1/key.c
---- openssh-5.9p1/key.c.gsskex 2012-02-06 17:38:19.121787795 +0100
-+++ openssh-5.9p1/key.c 2012-02-06 17:38:19.176793341 +0100
-@@ -1006,6 +1006,8 @@ key_ssh_name_from_type_nid(int type, int
+diff -up openssh-6.1p1/key.c.gsskex openssh-6.1p1/key.c
+--- openssh-6.1p1/key.c.gsskex 2012-09-14 20:57:55.593265199 +0200
++++ openssh-6.1p1/key.c 2012-09-14 20:57:55.881267039 +0200
+@@ -1011,6 +1011,8 @@ key_ssh_name_from_type_nid(int type, int
}
break;
#endif /* OPENSSL_HAS_ECC */
@@ -1820,7 +1915,7 @@ diff -up openssh-5.9p1/key.c.gsskex openssh-5.9p1/key.c
}
return "ssh-unknown";
}
-@@ -1311,6 +1313,8 @@ key_type_from_name(char *name)
+@@ -1316,6 +1318,8 @@ key_type_from_name(char *name)
strcmp(name, "ecdsa-sha2-nistp521-cert-v01 at openssh.com") == 0) {
return KEY_ECDSA_CERT;
#endif
@@ -1829,9 +1924,9 @@ diff -up openssh-5.9p1/key.c.gsskex openssh-5.9p1/key.c
}
debug2("key_type_from_name: unknown key type '%s'", name);
-diff -up openssh-5.9p1/key.h.gsskex openssh-5.9p1/key.h
---- openssh-5.9p1/key.h.gsskex 2012-02-06 17:38:19.029850894 +0100
-+++ openssh-5.9p1/key.h 2012-02-06 17:38:19.177807852 +0100
+diff -up openssh-6.1p1/key.h.gsskex openssh-6.1p1/key.h
+--- openssh-6.1p1/key.h.gsskex 2012-09-14 20:57:55.184262586 +0200
++++ openssh-6.1p1/key.h 2012-09-14 20:57:55.882267045 +0200
@@ -44,6 +44,7 @@ enum types {
KEY_ECDSA_CERT,
KEY_RSA_CERT_V00,
@@ -1840,9 +1935,9 @@ diff -up openssh-5.9p1/key.h.gsskex openssh-5.9p1/key.h
KEY_UNSPEC
};
enum fp_type {
-diff -up openssh-5.9p1/Makefile.in.gsskex openssh-5.9p1/Makefile.in
---- openssh-5.9p1/Makefile.in.gsskex 2012-02-06 17:38:19.164220442 +0100
-+++ openssh-5.9p1/Makefile.in 2012-02-06 17:38:19.166867405 +0100
+diff -up openssh-6.1p1/Makefile.in.gsskex openssh-6.1p1/Makefile.in
+--- openssh-6.1p1/Makefile.in.gsskex 2012-09-14 20:57:55.832266726 +0200
++++ openssh-6.1p1/Makefile.in 2012-09-14 20:57:55.884267058 +0200
@@ -75,6 +75,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
@@ -1860,10 +1955,10 @@ diff -up openssh-5.9p1/Makefile.in.gsskex openssh-5.9p1/Makefile.in
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \
-diff -up openssh-5.9p1/monitor.c.gsskex openssh-5.9p1/monitor.c
---- openssh-5.9p1/monitor.c.gsskex 2012-02-06 17:38:19.048914842 +0100
-+++ openssh-5.9p1/monitor.c 2012-02-06 17:48:43.113815884 +0100
-@@ -186,6 +186,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
+diff -up openssh-6.1p1/monitor.c.gsskex openssh-6.1p1/monitor.c
+--- openssh-6.1p1/monitor.c.gsskex 2012-09-14 20:57:55.299263321 +0200
++++ openssh-6.1p1/monitor.c 2012-09-14 20:57:55.888267083 +0200
+@@ -186,6 +186,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@@ -1872,7 +1967,7 @@ diff -up openssh-5.9p1/monitor.c.gsskex openssh-5.9p1/monitor.c
#endif
#ifdef SSH_AUDIT_EVENTS
-@@ -270,6 +272,7 @@ struct mon_table mon_dispatch_proto20[]
+@@ -270,6 +272,7 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -1880,7 +1975,7 @@ diff -up openssh-5.9p1/monitor.c.gsskex openssh-5.9p1/monitor.c
#endif
#ifdef JPAKE
{MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
-@@ -282,6 +285,12 @@ struct mon_table mon_dispatch_proto20[]
+@@ -282,6 +285,12 @@ struct mon_table mon_dispatch_proto20[]
};
struct mon_table mon_dispatch_postauth20[] = {
@@ -1904,7 +1999,7 @@ diff -up openssh-5.9p1/monitor.c.gsskex openssh-5.9p1/monitor.c
} else {
mon_dispatch = mon_dispatch_proto15;
req_auth = &options.required_auth1;
-@@ -514,6 +527,10 @@ monitor_child_postauth(struct monitor *p
+@@ -512,6 +525,10 @@ monitor_child_postauth(struct monitor *p
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1915,7 +2010,7 @@ diff -up openssh-5.9p1/monitor.c.gsskex openssh-5.9p1/monitor.c
} else {
mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1943,6 +1960,13 @@ mm_get_kex(Buffer *m)
+@@ -1939,6 +1956,13 @@ mm_get_kex(Buffer *m)
kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -1929,7 +2024,7 @@ diff -up openssh-5.9p1/monitor.c.gsskex openssh-5.9p1/monitor.c
kex->server = 1;
kex->hostkey_type = buffer_get_int(m);
kex->kex_type = buffer_get_int(m);
-@@ -2166,6 +2190,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
+@@ -2162,6 +2186,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major;
u_int len;
@@ -1939,7 +2034,7 @@ diff -up openssh-5.9p1/monitor.c.gsskex openssh-5.9p1/monitor.c
goid.elements = buffer_get_string(m, &len);
goid.length = len;
-@@ -2193,6 +2220,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2189,6 +2216,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */
u_int len;
@@ -1949,7 +2044,7 @@ diff -up openssh-5.9p1/monitor.c.gsskex openssh-5.9p1/monitor.c
in.value = buffer_get_string(m, &len);
in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2210,6 +2240,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2206,6 +2236,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -1957,7 +2052,7 @@ diff -up openssh-5.9p1/monitor.c.gsskex openssh-5.9p1/monitor.c
}
return (0);
}
-@@ -2221,6 +2252,9 @@ mm_answer_gss_checkmic(int sock, Buffer
+@@ -2217,6 +2248,9 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret;
u_int len;
@@ -1967,7 +2062,7 @@ diff -up openssh-5.9p1/monitor.c.gsskex openssh-5.9p1/monitor.c
gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
mic.value = buffer_get_string(m, &len);
-@@ -2247,7 +2281,11 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2243,7 +2277,11 @@ mm_answer_gss_userok(int sock, Buffer *m
{
int authenticated;
@@ -1980,7 +2075,7 @@ diff -up openssh-5.9p1/monitor.c.gsskex openssh-5.9p1/monitor.c
buffer_clear(m);
buffer_put_int(m, authenticated);
-@@ -2261,6 +2299,74 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2257,6 +2295,74 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
@@ -2055,9 +2150,9 @@ diff -up openssh-5.9p1/monitor.c.gsskex openssh-5.9p1/monitor.c
#endif /* GSSAPI */
#ifdef JPAKE
-diff -up openssh-5.9p1/monitor.h.gsskex openssh-5.9p1/monitor.h
---- openssh-5.9p1/monitor.h.gsskex 2012-02-06 17:38:19.049917992 +0100
-+++ openssh-5.9p1/monitor.h 2012-02-06 17:38:19.178823232 +0100
+diff -up openssh-6.1p1/monitor.h.gsskex openssh-6.1p1/monitor.h
+--- openssh-6.1p1/monitor.h.gsskex 2012-09-14 20:57:55.300263327 +0200
++++ openssh-6.1p1/monitor.h 2012-09-14 20:57:55.889267090 +0200
@@ -56,6 +56,8 @@ enum monitor_reqtype {
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
@@ -2067,9 +2162,9 @@ diff -up openssh-5.9p1/monitor.h.gsskex openssh-5.9p1/monitor.h
MONITOR_REQ_PAM_START,
MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
-diff -up openssh-5.9p1/monitor_wrap.c.gsskex openssh-5.9p1/monitor_wrap.c
---- openssh-5.9p1/monitor_wrap.c.gsskex 2012-02-06 17:38:19.050803985 +0100
-+++ openssh-5.9p1/monitor_wrap.c 2012-02-06 17:38:19.179838373 +0100
+diff -up openssh-6.1p1/monitor_wrap.c.gsskex openssh-6.1p1/monitor_wrap.c
+--- openssh-6.1p1/monitor_wrap.c.gsskex 2012-09-14 20:57:55.302263340 +0200
++++ openssh-6.1p1/monitor_wrap.c 2012-09-14 20:57:55.892267109 +0200
@@ -1326,7 +1326,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
}
@@ -2131,9 +2226,9 @@ diff -up openssh-5.9p1/monitor_wrap.c.gsskex openssh-5.9p1/monitor_wrap.c
#endif /* GSSAPI */
#ifdef JPAKE
-diff -up openssh-5.9p1/monitor_wrap.h.gsskex openssh-5.9p1/monitor_wrap.h
---- openssh-5.9p1/monitor_wrap.h.gsskex 2012-02-06 17:38:19.050803985 +0100
-+++ openssh-5.9p1/monitor_wrap.h 2012-02-06 17:38:19.180853859 +0100
+diff -up openssh-6.1p1/monitor_wrap.h.gsskex openssh-6.1p1/monitor_wrap.h
+--- openssh-6.1p1/monitor_wrap.h.gsskex 2012-09-14 20:57:55.304263353 +0200
++++ openssh-6.1p1/monitor_wrap.h 2012-09-14 20:57:55.893267116 +0200
@@ -62,8 +62,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@@ -2146,9 +2241,9 @@ diff -up openssh-5.9p1/monitor_wrap.h.gsskex openssh-5.9p1/monitor_wrap.h
#endif
#ifdef USE_PAM
-diff -up openssh-5.9p1/readconf.c.gsskex openssh-5.9p1/readconf.c
---- openssh-5.9p1/readconf.c.gsskex 2011-05-29 13:42:31.000000000 +0200
-+++ openssh-5.9p1/readconf.c 2012-02-06 17:38:19.181868712 +0100
+diff -up openssh-6.1p1/readconf.c.gsskex openssh-6.1p1/readconf.c
+--- openssh-6.1p1/readconf.c.gsskex 2011-10-02 09:59:03.000000000 +0200
++++ openssh-6.1p1/readconf.c 2012-09-14 20:57:55.896267134 +0200
@@ -129,6 +129,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -2178,7 +2273,7 @@ diff -up openssh-5.9p1/readconf.c.gsskex openssh-5.9p1/readconf.c
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
-@@ -482,10 +493,30 @@ parse_flag:
+@@ -483,10 +494,30 @@ parse_flag:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -2209,7 +2304,7 @@ diff -up openssh-5.9p1/readconf.c.gsskex openssh-5.9p1/readconf.c
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
-@@ -1138,7 +1169,12 @@ initialize_options(Options * options)
+@@ -1139,7 +1170,12 @@ initialize_options(Options * options)
options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
@@ -2222,7 +2317,7 @@ diff -up openssh-5.9p1/readconf.c.gsskex openssh-5.9p1/readconf.c
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
-@@ -1238,8 +1274,14 @@ fill_default_options(Options * options)
+@@ -1239,8 +1275,14 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@@ -2237,10 +2332,10 @@ diff -up openssh-5.9p1/readconf.c.gsskex openssh-5.9p1/readconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
-diff -up openssh-5.9p1/readconf.h.gsskex openssh-5.9p1/readconf.h
---- openssh-5.9p1/readconf.h.gsskex 2011-05-29 13:42:33.000000000 +0200
-+++ openssh-5.9p1/readconf.h 2012-02-06 17:38:19.181868712 +0100
-@@ -47,7 +47,12 @@ typedef struct {
+diff -up openssh-6.1p1/readconf.h.gsskex openssh-6.1p1/readconf.h
+--- openssh-6.1p1/readconf.h.gsskex 2011-10-02 09:59:03.000000000 +0200
++++ openssh-6.1p1/readconf.h 2012-09-14 20:57:55.897267141 +0200
+@@ -48,7 +48,12 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
@@ -2253,10 +2348,10 @@ diff -up openssh-5.9p1/readconf.h.gsskex openssh-5.9p1/readconf.h
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff -up openssh-5.9p1/servconf.c.gsskex openssh-5.9p1/servconf.c
---- openssh-5.9p1/servconf.c.gsskex 2012-02-06 17:38:19.152024134 +0100
-+++ openssh-5.9p1/servconf.c 2012-02-06 17:51:50.815868372 +0100
-@@ -99,7 +99,10 @@ initialize_server_options(ServerOptions
+diff -up openssh-6.1p1/servconf.c.gsskex openssh-6.1p1/servconf.c
+--- openssh-6.1p1/servconf.c.gsskex 2012-09-14 20:57:55.760266266 +0200
++++ openssh-6.1p1/servconf.c 2012-09-14 20:57:55.900267160 +0200
+@@ -102,7 +102,10 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
@@ -2267,7 +2362,7 @@ diff -up openssh-5.9p1/servconf.c.gsskex openssh-5.9p1/servconf.c
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
-@@ -232,8 +235,14 @@ fill_default_server_options(ServerOption
+@@ -236,8 +239,14 @@ fill_default_server_options(ServerOption
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@@ -2282,7 +2377,7 @@ diff -up openssh-5.9p1/servconf.c.gsskex openssh-5.9p1/servconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
-@@ -327,7 +336,9 @@ typedef enum {
+@@ -333,7 +342,9 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2293,7 +2388,7 @@ diff -up openssh-5.9p1/servconf.c.gsskex openssh-5.9p1/servconf.c
sRequiredAuthentications1, sRequiredAuthentications2,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -393,10 +404,20 @@ static struct {
+@@ -399,10 +410,20 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2314,7 +2409,7 @@ diff -up openssh-5.9p1/servconf.c.gsskex openssh-5.9p1/servconf.c
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -983,10 +1004,22 @@ process_server_config_line(ServerOptions
+@@ -1054,10 +1075,22 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication;
goto parse_flag;
@@ -2337,7 +2432,7 @@ diff -up openssh-5.9p1/servconf.c.gsskex openssh-5.9p1/servconf.c
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
-@@ -1794,6 +1827,9 @@ dump_config(ServerOptions *o)
+@@ -1944,6 +1977,9 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -2347,9 +2442,9 @@ diff -up openssh-5.9p1/servconf.c.gsskex openssh-5.9p1/servconf.c
#endif
#ifdef JPAKE
dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
-diff -up openssh-5.9p1/servconf.h.gsskex openssh-5.9p1/servconf.h
---- openssh-5.9p1/servconf.h.gsskex 2012-02-06 17:38:19.153039971 +0100
-+++ openssh-5.9p1/servconf.h 2012-02-06 17:38:19.183899042 +0100
+diff -up openssh-6.1p1/servconf.h.gsskex openssh-6.1p1/servconf.h
+--- openssh-6.1p1/servconf.h.gsskex 2012-09-14 20:57:55.762266278 +0200
++++ openssh-6.1p1/servconf.h 2012-09-14 20:57:55.902267173 +0200
@@ -103,7 +103,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
@@ -2361,9 +2456,9 @@ diff -up openssh-5.9p1/servconf.h.gsskex openssh-5.9p1/servconf.h
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
-diff -up openssh-5.9p1/ssh_config.gsskex openssh-5.9p1/ssh_config
---- openssh-5.9p1/ssh_config.gsskex 2012-02-06 17:38:19.140228679 +0100
-+++ openssh-5.9p1/ssh_config 2012-02-06 17:38:19.185931798 +0100
+diff -up openssh-6.1p1/ssh_config.gsskex openssh-6.1p1/ssh_config
+--- openssh-6.1p1/ssh_config.gsskex 2012-09-14 20:57:55.707265928 +0200
++++ openssh-6.1p1/ssh_config 2012-09-14 20:57:55.906267198 +0200
@@ -26,6 +26,8 @@
# HostbasedAuthentication no
# GSSAPIAuthentication no
@@ -2373,9 +2468,9 @@ diff -up openssh-5.9p1/ssh_config.gsskex openssh-5.9p1/ssh_config
# BatchMode no
# CheckHostIP yes
# AddressFamily any
-diff -up openssh-5.9p1/ssh_config.5.gsskex openssh-5.9p1/ssh_config.5
---- openssh-5.9p1/ssh_config.5.gsskex 2011-08-05 22:17:32.000000000 +0200
-+++ openssh-5.9p1/ssh_config.5 2012-02-06 17:38:19.184919538 +0100
+diff -up openssh-6.1p1/ssh_config.5.gsskex openssh-6.1p1/ssh_config.5
+--- openssh-6.1p1/ssh_config.5.gsskex 2012-07-02 10:53:38.000000000 +0200
++++ openssh-6.1p1/ssh_config.5 2012-09-14 20:57:55.904267186 +0200
@@ -527,11 +527,43 @@ Specifies whether user authentication ba
The default is
.Dq no .
@@ -2421,9 +2516,9 @@ diff -up openssh-5.9p1/ssh_config.5.gsskex openssh-5.9p1/ssh_config.5
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
-diff -up openssh-5.9p1/sshconnect2.c.gsskex openssh-5.9p1/sshconnect2.c
---- openssh-5.9p1/sshconnect2.c.gsskex 2012-02-06 17:38:19.125220406 +0100
-+++ openssh-5.9p1/sshconnect2.c 2012-02-06 17:38:19.186899323 +0100
+diff -up openssh-6.1p1/sshconnect2.c.gsskex openssh-6.1p1/sshconnect2.c
+--- openssh-6.1p1/sshconnect2.c.gsskex 2012-09-14 20:57:55.605265275 +0200
++++ openssh-6.1p1/sshconnect2.c 2012-09-14 20:57:55.909267218 +0200
@@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho
{
Kex *kex;
@@ -2622,9 +2717,9 @@ diff -up openssh-5.9p1/sshconnect2.c.gsskex openssh-5.9p1/sshconnect2.c
#endif /* GSSAPI */
int
-diff -up openssh-5.9p1/sshd.c.gsskex openssh-5.9p1/sshd.c
---- openssh-5.9p1/sshd.c.gsskex 2012-02-06 17:38:19.160220812 +0100
-+++ openssh-5.9p1/sshd.c 2012-02-06 17:38:19.187965866 +0100
+diff -up openssh-6.1p1/sshd.c.gsskex openssh-6.1p1/sshd.c
+--- openssh-6.1p1/sshd.c.gsskex 2012-09-14 20:57:55.799266515 +0200
++++ openssh-6.1p1/sshd.c 2012-09-14 20:57:55.912267237 +0200
@@ -124,6 +124,10 @@
#include "ssh-sandbox.h"
#include "version.h"
@@ -2636,7 +2731,7 @@ diff -up openssh-5.9p1/sshd.c.gsskex openssh-5.9p1/sshd.c
#ifdef LIBWRAP
#include <tcpd.h>
#include <syslog.h>
-@@ -1691,10 +1695,13 @@ main(int ac, char **av)
+@@ -1692,10 +1696,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
}
@@ -2774,10 +2869,10 @@ diff -up openssh-5.9p1/sshd.c.gsskex openssh-5.9p1/sshd.c
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
-diff -up openssh-5.9p1/sshd_config.gsskex openssh-5.9p1/sshd_config
---- openssh-5.9p1/sshd_config.gsskex 2012-02-06 17:38:19.160220812 +0100
-+++ openssh-5.9p1/sshd_config 2012-02-06 17:38:19.189998533 +0100
-@@ -83,6 +83,8 @@ ChallengeResponseAuthentication no
+diff -up openssh-6.1p1/sshd_config.gsskex openssh-6.1p1/sshd_config
+--- openssh-6.1p1/sshd_config.gsskex 2012-09-14 20:57:55.801266528 +0200
++++ openssh-6.1p1/sshd_config 2012-09-14 20:57:55.916267263 +0200
+@@ -85,6 +85,8 @@ ChallengeResponseAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
@@ -2786,10 +2881,10 @@ diff -up openssh-5.9p1/sshd_config.gsskex openssh-5.9p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
-diff -up openssh-5.9p1/sshd_config.5.gsskex openssh-5.9p1/sshd_config.5
---- openssh-5.9p1/sshd_config.5.gsskex 2012-02-06 17:38:19.154809764 +0100
-+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:38:19.188982680 +0100
-@@ -424,12 +424,40 @@ Specifies whether user authentication ba
+diff -up openssh-6.1p1/sshd_config.5.gsskex openssh-6.1p1/sshd_config.5
+--- openssh-6.1p1/sshd_config.5.gsskex 2012-09-14 20:57:55.767266310 +0200
++++ openssh-6.1p1/sshd_config.5 2012-09-14 20:57:55.915267256 +0200
+@@ -439,12 +439,40 @@ Specifies whether user authentication ba
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
@@ -2830,9 +2925,9 @@ diff -up openssh-5.9p1/sshd_config.5.gsskex openssh-5.9p1/sshd_config.5
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
-diff -up openssh-5.9p1/ssh-gss.h.gsskex openssh-5.9p1/ssh-gss.h
---- openssh-5.9p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
-+++ openssh-5.9p1/ssh-gss.h 2012-02-06 17:38:19.184919538 +0100
+diff -up openssh-6.1p1/ssh-gss.h.gsskex openssh-6.1p1/ssh-gss.h
+--- openssh-6.1p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
++++ openssh-6.1p1/ssh-gss.h 2012-09-14 20:57:55.918267275 +0200
@@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/*
diff --git a/openssh-5.9p1-kuserok.patch b/openssh-6.1p1-kuserok.patch
similarity index 67%
rename from openssh-5.9p1-kuserok.patch
rename to openssh-6.1p1-kuserok.patch
index 11f38a5..7b695e0 100644
--- a/openssh-5.9p1-kuserok.patch
+++ b/openssh-6.1p1-kuserok.patch
@@ -1,7 +1,7 @@
-diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
---- openssh-5.9p0/auth-krb5.c.kuserok 2011-08-30 16:37:32.651150128 +0200
-+++ openssh-5.9p0/auth-krb5.c 2011-08-30 16:37:37.549087368 +0200
-@@ -54,6 +54,20 @@
+diff -up openssh-6.1p1/auth-krb5.c.kuserok openssh-6.1p1/auth-krb5.c
+--- openssh-6.1p1/auth-krb5.c.kuserok 2012-09-14 21:08:16.941496194 +0200
++++ openssh-6.1p1/auth-krb5.c 2012-09-14 21:08:17.063496896 +0200
+@@ -55,6 +55,20 @@
extern ServerOptions options;
@@ -22,7 +22,7 @@ diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
static int
krb5_init(void *context)
{
-@@ -146,7 +160,7 @@ auth_krb5_password(Authctxt *authctxt, c
+@@ -147,7 +161,7 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
@@ -31,9 +31,9 @@ diff -up openssh-5.9p0/auth-krb5.c.kuserok openssh-5.9p0/auth-krb5.c
problem = -1;
goto out;
}
-diff -up openssh-5.9p0/gss-serv-krb5.c.kuserok openssh-5.9p0/gss-serv-krb5.c
---- openssh-5.9p0/gss-serv-krb5.c.kuserok 2011-08-30 16:37:36.988024804 +0200
-+++ openssh-5.9p0/gss-serv-krb5.c 2011-08-30 16:37:37.659088030 +0200
+diff -up openssh-6.1p1/gss-serv-krb5.c.kuserok openssh-6.1p1/gss-serv-krb5.c
+--- openssh-6.1p1/gss-serv-krb5.c.kuserok 2012-09-14 21:08:17.019496642 +0200
++++ openssh-6.1p1/gss-serv-krb5.c 2012-09-14 21:08:17.065496906 +0200
@@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
int);
@@ -51,27 +51,27 @@ diff -up openssh-5.9p0/gss-serv-krb5.c.kuserok openssh-5.9p0/gss-serv-krb5.c
retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
luser, (char *)client->displayname.value);
-diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
---- openssh-5.9p0/servconf.c.kuserok 2011-08-30 16:37:35.093073603 +0200
-+++ openssh-5.9p0/servconf.c 2011-08-30 16:41:13.568087145 +0200
-@@ -144,6 +144,7 @@ initialize_server_options(ServerOptions
- options->authorized_principals_file = NULL;
+diff -up openssh-6.1p1/servconf.c.kuserok openssh-6.1p1/servconf.c
+--- openssh-6.1p1/servconf.c.kuserok 2012-09-14 21:08:16.989496471 +0200
++++ openssh-6.1p1/servconf.c 2012-09-14 21:09:30.864868698 +0200
+@@ -152,6 +152,7 @@ initialize_server_options(ServerOptions
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
+ options->version_addendum = NULL;
+ options->use_kuserok = -1;
}
void
-@@ -291,6 +292,8 @@ fill_default_server_options(ServerOption
- options->ip_qos_bulk = IPTOS_THROUGHPUT;
+@@ -301,6 +302,8 @@ fill_default_server_options(ServerOption
+ options->version_addendum = xstrdup("");
if (options->show_patchlevel == -1)
- options->show_patchlevel = 0;
+ options->show_patchlevel = 0;
+ if (options->use_kuserok == -1)
+ options->use_kuserok = 1;
/* Turn privilege separation on by default */
if (use_privsep == -1)
-@@ -317,7 +320,7 @@ typedef enum {
+@@ -327,7 +330,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@@ -80,7 +80,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
-@@ -388,11 +391,13 @@ static struct {
+@@ -399,11 +402,13 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
@@ -94,7 +94,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1371,6 +1376,10 @@ process_server_config_line(ServerOptions
+@@ -1486,6 +1491,10 @@ process_server_config_line(ServerOptions
*activep = value;
break;
@@ -105,7 +105,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
-@@ -1580,6 +1589,7 @@ copy_set_server_options(ServerOptions *d
+@@ -1769,6 +1778,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
@@ -113,7 +113,7 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
/* See comment in servconf.h */
COPY_MATCH_STRING_OPTS();
-@@ -1816,6 +1826,7 @@ dump_config(ServerOptions *o)
+@@ -2005,6 +2015,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
@@ -121,10 +121,10 @@ diff -up openssh-5.9p0/servconf.c.kuserok openssh-5.9p0/servconf.c
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-5.9p0/servconf.h.kuserok openssh-5.9p0/servconf.h
---- openssh-5.9p0/servconf.h.kuserok 2011-08-30 16:37:35.201051957 +0200
-+++ openssh-5.9p0/servconf.h 2011-08-30 16:37:37.926087431 +0200
-@@ -166,6 +166,7 @@ typedef struct {
+diff -up openssh-6.1p1/servconf.h.kuserok openssh-6.1p1/servconf.h
+--- openssh-6.1p1/servconf.h.kuserok 2012-09-14 21:08:16.990496476 +0200
++++ openssh-6.1p1/servconf.h 2012-09-14 21:08:17.071496942 +0200
+@@ -169,6 +169,7 @@ typedef struct {
int num_permitted_opens;
@@ -132,10 +132,21 @@ diff -up openssh-5.9p0/servconf.h.kuserok openssh-5.9p0/servconf.h
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
-diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
---- openssh-5.9p0/sshd_config.5.kuserok 2011-08-30 16:37:35.979024607 +0200
-+++ openssh-5.9p0/sshd_config.5 2011-08-30 16:37:38.040087843 +0200
-@@ -603,6 +603,10 @@ Specifies whether to automatically destr
+diff -up openssh-6.1p1/sshd_config.kuserok openssh-6.1p1/sshd_config
+--- openssh-6.1p1/sshd_config.kuserok 2012-09-14 21:08:17.002496545 +0200
++++ openssh-6.1p1/sshd_config 2012-09-14 21:08:17.074496957 +0200
+@@ -79,6 +79,7 @@ ChallengeResponseAuthentication no
+ #KerberosOrLocalPasswd yes
+ #KerberosTicketCleanup yes
+ #KerberosGetAFSToken no
++#KerberosUseKuserok yes
+
+ # GSSAPI options
+ #GSSAPIAuthentication no
+diff -up openssh-6.1p1/sshd_config.5.kuserok openssh-6.1p1/sshd_config.5
+--- openssh-6.1p1/sshd_config.5.kuserok 2012-09-14 21:08:17.004496556 +0200
++++ openssh-6.1p1/sshd_config.5 2012-09-14 21:08:17.073496952 +0200
+@@ -618,6 +618,10 @@ Specifies whether to automatically destr
file on logout.
The default is
.Dq yes .
@@ -146,7 +157,7 @@ diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
-@@ -746,6 +750,7 @@ Available keywords are
+@@ -767,6 +771,7 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
@@ -154,14 +165,3 @@ diff -up openssh-5.9p0/sshd_config.5.kuserok openssh-5.9p0/sshd_config.5
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PubkeyAuthentication ,
-diff -up openssh-5.9p0/sshd_config.kuserok openssh-5.9p0/sshd_config
---- openssh-5.9p0/sshd_config.kuserok 2011-08-30 16:37:36.808026328 +0200
-+++ openssh-5.9p0/sshd_config 2011-08-30 16:37:38.148071520 +0200
-@@ -77,6 +77,7 @@ ChallengeResponseAuthentication no
- #KerberosOrLocalPasswd yes
- #KerberosTicketCleanup yes
- #KerberosGetAFSToken no
-+#KerberosUseKuserok yes
-
- # GSSAPI options
- #GSSAPIAuthentication no
diff --git a/openssh-5.9p1-log-usepam-no.patch b/openssh-6.1p1-log-usepam-no.patch
similarity index 54%
rename from openssh-5.9p1-log-usepam-no.patch
rename to openssh-6.1p1-log-usepam-no.patch
index 614d2cd..4ed52b1 100644
--- a/openssh-5.9p1-log-usepam-no.patch
+++ b/openssh-6.1p1-log-usepam-no.patch
@@ -1,10 +1,9 @@
-diff --git a/sshd.c b/sshd.c
-index 8dcfdf2..95b63ad 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -1592,6 +1592,10 @@ main(int ac, char **av)
+diff -up openssh-6.1p1/sshd.c.log-usepam-no openssh-6.1p1/sshd.c
+--- openssh-6.1p1/sshd.c.log-usepam-no 2012-09-14 20:54:58.000000000 +0200
++++ openssh-6.1p1/sshd.c 2012-09-14 20:55:42.289477749 +0200
+@@ -1617,6 +1617,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
- &cfg, NULL, NULL, NULL);
+ &cfg, NULL);
+ /* 'UsePAM no' is not supported in Fedora */
+ if (! options.use_pam)
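Review bot: The `if (! options.use_pam)` test in main() runs right after parse_server_config() and before the "Fill in default values" step shown in the next hunk, so it sees the option before defaults are applied. If use_pam starts at a -1 sentinel like the other integer options in servconf.c (its initialiser is not visible here), the test is true only for an explicit `UsePAM no`. An unset option that later defaults to off would then pass without the warning. Consider moving the check below the point where defaults are filled in, so it evaluates the effective value. The body of the `if` lies outside the hunk.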
@@ -13,11 +12,10 @@ index 8dcfdf2..95b63ad 100644
seed_rng();
/* Fill in default values for those options not explicitly set. */
-diff --git a/sshd_config b/sshd_config
-index 8c16754..9f28b04 100644
---- a/sshd_config
-+++ b/sshd_config
-@@ -92,6 +92,8 @@ GSSAPICleanupCredentials yes
+diff -up openssh-6.1p1/sshd_config.log-usepam-no openssh-6.1p1/sshd_config
+--- openssh-6.1p1/sshd_config.log-usepam-no 2012-09-14 20:54:58.514255748 +0200
++++ openssh-6.1p1/sshd_config 2012-09-14 20:54:58.551255954 +0200
+@@ -95,6 +95,8 @@ GSSAPICleanupCredentials yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
diff --git a/openssh-6.1p1-privsep-selinux.patch b/openssh-6.1p1-privsep-selinux.patch
new file mode 100644
index 0000000..b3f96c4
--- /dev/null
+++ b/openssh-6.1p1-privsep-selinux.patch
@@ -0,0 +1,39 @@
+diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
+--- openssh-6.1p1/session.c.privsep-selinux 2012-09-15 13:45:26.079476022 +0200
++++ openssh-6.1p1/session.c 2012-09-15 13:45:28.460522390 +0200
+@@ -1513,6 +1513,7 @@ do_setusercontext(struct passwd *pw)
+
+ platform_setusercontext_post_groups(pw);
+
++
+ if (options.chroot_directory != NULL &&
+ strcasecmp(options.chroot_directory, "none") != 0) {
+ tmp = tilde_expand_filename(options.chroot_directory,
+@@ -1536,6 +1537,10 @@ do_setusercontext(struct passwd *pw)
+ /* Permanently switch to the desired uid. */
+ permanently_set_uid(pw);
+ #endif
++
++#ifdef WITH_SELINUX
++ ssh_selinux_copy_context();
++#endif
+ }
+
+ if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
+diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c
+--- openssh-6.1p1/sshd.c.privsep-selinux 2012-09-15 13:45:26.062475676 +0200
++++ openssh-6.1p1/sshd.c 2012-09-15 13:45:28.467522539 +0200
+@@ -794,6 +794,13 @@ privsep_postauth(Authctxt *authctxt)
+ do_setusercontext(authctxt->pw);
+
+ skip:
++#ifdef WITH_SELINUX
++ /* switch SELinux content for root too */
++ if (authctxt->pw->pw_uid == 0) {
++ ssh_selinux_copy_context();
++ }
++#endif
++
+ /* It is safe now to apply the key state */
+ monitor_apply_keystate(pmonitor);
+
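Review bot: Neither added call to `ssh_selinux_copy_context()` checks a result, in do_setusercontext() after `permanently_set_uid(pw)` or after the `skip:` label in privsep_postauth(). The helper's definition is not part of this patch; if it can fail without aborting, the session would keep running in the daemon's SELinux context. Confirm that it aborts on failure when SELinux is enforcing, or have it return a status that both call sites check. The new comment should read `/* switch SELinux context for root too */` ("content" is a typo), and the first session.c hunk adds only a blank line, which can be dropped. Both functions continue outside the hunks.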
diff --git a/openssh-5.9p1-required-authentications.patch b/openssh-6.1p1-required-authentications.patch
similarity index 85%
rename from openssh-5.9p1-required-authentications.patch
rename to openssh-6.1p1-required-authentications.patch
index cecbffc..d10606a 100644
--- a/openssh-5.9p1-required-authentications.patch
+++ b/openssh-6.1p1-required-authentications.patch
@@ -1,6 +1,6 @@
-diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
---- openssh-5.9p1/auth.c.required-authentication 2012-07-27 12:21:41.181601972 +0200
-+++ openssh-5.9p1/auth.c 2012-07-27 12:21:41.203602020 +0200
+diff -up openssh-6.1p1/auth.c.required-authentication openssh-6.1p1/auth.c
+--- openssh-6.1p1/auth.c.required-authentication 2012-09-14 20:17:56.730488188 +0200
++++ openssh-6.1p1/auth.c 2012-09-14 20:17:56.795488498 +0200
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
}
@@ -32,7 +32,7 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
{
switch (options.permit_root_login) {
case PERMIT_YES:
-@@ -694,3 +696,57 @@ fakepw(void)
+@@ -696,3 +698,57 @@ fakepw(void)
return (&fake);
}
@@ -90,9 +90,9 @@ diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
+
+ return (ret);
+}
-diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
---- openssh-5.9p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
-+++ openssh-5.9p1/auth.h 2012-07-27 12:21:41.204602022 +0200
+diff -up openssh-6.1p1/auth.h.required-authentication openssh-6.1p1/auth.h
+--- openssh-6.1p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
++++ openssh-6.1p1/auth.h 2012-09-14 20:17:56.796488502 +0200
@@ -142,10 +142,11 @@ void disable_forwarding(void);
void do_authentication(Authctxt *);
void do_authentication2(Authctxt *);
@@ -120,9 +120,9 @@ diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
int sys_auth_passwd(Authctxt *, const char *);
-diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
---- openssh-5.9p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
-+++ openssh-5.9p1/auth1.c 2012-07-27 12:50:50.708706675 +0200
+diff -up openssh-6.1p1/auth1.c.required-authentication openssh-6.1p1/auth1.c
+--- openssh-6.1p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
++++ openssh-6.1p1/auth1.c 2012-09-14 20:17:56.798488515 +0200
@@ -98,6 +98,55 @@ static const struct AuthMethod1
return (NULL);
}
@@ -281,9 +281,9 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
packet_start(SSH_SMSG_FAILURE);
packet_send();
-diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
---- openssh-5.9p1/auth2.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2.c 2012-07-27 12:51:59.048241612 +0200
+diff -up openssh-6.1p1/auth2.c.required-authentication openssh-6.1p1/auth2.c
+--- openssh-6.1p1/auth2.c.required-authentication 2011-12-19 00:52:51.000000000 +0100
++++ openssh-6.1p1/auth2.c 2012-09-14 20:17:56.799488520 +0200
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
{
Authctxt *authctxt = ctxt;
@@ -452,9 +452,9 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
+ return (ret);
+}
+
-diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
---- openssh-5.9p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p1/auth2-gss.c 2012-07-27 12:21:41.206602026 +0200
+diff -up openssh-6.1p1/auth2-gss.c.required-authentication openssh-6.1p1/auth2-gss.c
+--- openssh-6.1p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
++++ openssh-6.1p1/auth2-gss.c 2012-09-14 20:17:56.801488528 +0200
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
}
authctxt->postponed = 0;
@@ -482,9 +482,9 @@ diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-g
}
Authmethod method_gssapi = {
-diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
---- openssh-5.9p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
-+++ openssh-5.9p1/auth2-chall.c 2012-07-27 12:21:41.206602026 +0200
+diff -up openssh-6.1p1/auth2-chall.c.required-authentication openssh-6.1p1/auth2-chall.c
+--- openssh-6.1p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
++++ openssh-6.1p1/auth2-chall.c 2012-09-14 20:17:56.802488532 +0200
@@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
auth2_challenge_start(authctxt);
}
@@ -495,9 +495,9 @@ diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2
xfree(method);
}
-diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
---- openssh-5.9p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200
-+++ openssh-5.9p1/auth2-none.c 2012-07-27 12:21:41.207602028 +0200
+diff -up openssh-6.1p1/auth2-none.c.required-authentication openssh-6.1p1/auth2-none.c
+--- openssh-6.1p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200
++++ openssh-6.1p1/auth2-none.c 2012-09-14 20:17:56.803488537 +0200
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
{
none_enabled = 0;
@@ -507,9 +507,9 @@ diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-
return (PRIVSEP(auth_password(authctxt, "")));
return (0);
}
-diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
---- openssh-5.9p1/monitor.c.required-authentication 2012-07-27 12:21:41.161601930 +0200
-+++ openssh-5.9p1/monitor.c 2012-07-27 12:51:18.884927066 +0200
+diff -up openssh-6.1p1/monitor.c.required-authentication openssh-6.1p1/monitor.c
+--- openssh-6.1p1/monitor.c.required-authentication 2012-09-14 20:17:56.685487974 +0200
++++ openssh-6.1p1/monitor.c 2012-09-14 20:17:56.806488552 +0200
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
static char *hostbased_cuser = NULL;
static char *hostbased_chost = NULL;
@@ -579,7 +579,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
}
/* Drain any buffered messages from the child */
-@@ -862,6 +878,7 @@ mm_answer_authpassword(int sock, Buffer
+@@ -860,6 +876,7 @@ mm_answer_authpassword(int sock, Buffer
auth_method = "none";
else
auth_method = "password";
@@ -587,7 +587,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
/* Causes monitor loop to terminate if authenticated */
return (authenticated);
-@@ -921,6 +938,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
+@@ -919,6 +936,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
auth_method = "bsdauth";
@@ -595,7 +595,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
return (authok != 0);
}
-@@ -970,6 +988,7 @@ mm_answer_skeyrespond(int sock, Buffer *
+@@ -968,6 +986,7 @@ mm_answer_skeyrespond(int sock, Buffer *
mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
auth_method = "skey";
@@ -603,7 +603,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
return (authok != 0);
}
-@@ -1059,7 +1078,8 @@ mm_answer_pam_query(int sock, Buffer *m)
+@@ -1057,7 +1076,8 @@ mm_answer_pam_query(int sock, Buffer *m)
xfree(prompts);
if (echo_on != NULL)
xfree(echo_on);
@@ -613,7 +613,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
return (0);
}
-@@ -1088,7 +1108,8 @@ mm_answer_pam_respond(int sock, Buffer *
+@@ -1086,7 +1106,8 @@ mm_answer_pam_respond(int sock, Buffer *
buffer_clear(m);
buffer_put_int(m, ret);
mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
@@ -623,7 +623,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
if (ret == 0)
sshpam_authok = sshpam_ctxt;
return (0);
-@@ -1102,7 +1123,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
+@@ -1100,7 +1121,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
(sshpam_device.free_ctx)(sshpam_ctxt);
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
@@ -633,7 +633,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
return (sshpam_authok == sshpam_ctxt);
}
#endif
-@@ -1138,6 +1160,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1136,6 +1158,7 @@ mm_answer_keyallowed(int sock, Buffer *m
allowed = options.pubkey_authentication &&
user_key_allowed(authctxt->pw, key);
auth_method = "publickey";
@@ -641,7 +641,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
if (options.pubkey_authentication && allowed != 1)
auth_clear_options();
break;
-@@ -1146,6 +1169,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1144,6 +1167,7 @@ mm_answer_keyallowed(int sock, Buffer *m
hostbased_key_allowed(authctxt->pw,
cuser, chost, key);
auth_method = "hostbased";
@@ -649,7 +649,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
break;
case MM_RSAHOSTKEY:
key->type = KEY_RSA1; /* XXX */
-@@ -1155,6 +1179,7 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1153,6 +1177,7 @@ mm_answer_keyallowed(int sock, Buffer *m
if (options.rhosts_rsa_authentication && allowed != 1)
auth_clear_options();
auth_method = "rsa";
@@ -657,7 +657,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
break;
default:
fatal("%s: unknown key type %d", __func__, type);
-@@ -1180,7 +1205,8 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1178,7 +1203,8 @@ mm_answer_keyallowed(int sock, Buffer *m
hostbased_chost = chost;
} else {
/* Log failed attempt */
@@ -667,7 +667,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
xfree(blob);
xfree(cuser);
xfree(chost);
-@@ -1356,6 +1382,7 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1354,6 +1380,7 @@ mm_answer_keyverify(int sock, Buffer *m)
xfree(data);
auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
@@ -675,7 +675,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
monitor_reset_key_state();
-@@ -1545,6 +1572,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
+@@ -1543,6 +1570,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
debug3("%s entering", __func__);
auth_method = "rsa";
@@ -683,7 +683,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
if (options.rsa_authentication && authctxt->valid) {
if ((client_n = BN_new()) == NULL)
fatal("%s: BN_new", __func__);
-@@ -1650,6 +1678,7 @@ mm_answer_rsa_response(int sock, Buffer
+@@ -1648,6 +1676,7 @@ mm_answer_rsa_response(int sock, Buffer
xfree(response);
auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
@@ -691,7 +691,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
/* reset state */
BN_clear_free(ssh1_challenge);
-@@ -2099,6 +2128,7 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2097,6 +2126,7 @@ mm_answer_gss_userok(int sock, Buffer *m
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
auth_method = "gssapi-with-mic";
@@ -699,7 +699,7 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
/* Monitor loop will terminate if authenticated */
return (authenticated);
-@@ -2303,6 +2333,7 @@ mm_answer_jpake_check_confirm(int sock,
+@@ -2301,6 +2331,7 @@ mm_answer_jpake_check_confirm(int sock,
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
auth_method = "jpake-01 at openssh.com";
@@ -707,10 +707,10 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
return authenticated;
}
-diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
---- openssh-5.9p1/servconf.c.required-authentication 2012-07-27 12:21:41.167601942 +0200
-+++ openssh-5.9p1/servconf.c 2012-07-27 12:21:41.209602032 +0200
-@@ -42,6 +42,8 @@
+diff -up openssh-6.1p1/servconf.c.required-authentication openssh-6.1p1/servconf.c
+--- openssh-6.1p1/servconf.c.required-authentication 2012-09-14 20:17:56.699488040 +0200
++++ openssh-6.1p1/servconf.c 2012-09-14 20:19:49.179983651 +0200
+@@ -43,6 +43,8 @@
#include "key.h"
#include "kex.h"
#include "mac.h"
@@ -719,7 +719,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
#include "match.h"
#include "channels.h"
#include "groupaccess.h"
-@@ -129,6 +131,8 @@ initialize_server_options(ServerOptions
+@@ -132,6 +134,8 @@ initialize_server_options(ServerOptions
options->num_authkeys_files = 0;
options->num_accept_env = 0;
options->permit_tun = -1;
@@ -728,7 +728,7 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
-@@ -319,6 +323,7 @@ typedef enum {
+@@ -324,6 +328,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@@ -736,16 +736,16 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -447,6 +452,8 @@ static struct {
+@@ -452,6 +457,8 @@ static struct {
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
+ { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
+ { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 }
- };
-@@ -1220,6 +1227,33 @@ process_server_config_line(ServerOptions
+@@ -1298,6 +1305,33 @@ process_server_config_line(ServerOptions
options->max_startups = options->max_startups_begin;
break;
@@ -779,9 +779,9 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
case sMaxAuthTries:
intptr = &options->max_authtries;
goto parse_int;
-diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
---- openssh-5.9p1/servconf.h.required-authentication 2011-06-23 00:30:03.000000000 +0200
-+++ openssh-5.9p1/servconf.h 2012-07-27 12:21:41.210602035 +0200
+diff -up openssh-6.1p1/servconf.h.required-authentication openssh-6.1p1/servconf.h
+--- openssh-6.1p1/servconf.h.required-authentication 2012-07-31 04:21:34.000000000 +0200
++++ openssh-6.1p1/servconf.h 2012-09-14 20:17:56.810488571 +0200
@@ -154,6 +154,9 @@ typedef struct {
u_int num_authkeys_files; /* Files containing public keys */
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
@@ -792,10 +792,10 @@ diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
-diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
---- openssh-5.9p1/sshd_config.5.required-authentication 2011-08-05 22:17:33.000000000 +0200
-+++ openssh-5.9p1/sshd_config.5 2012-07-27 12:38:47.607222070 +0200
-@@ -723,6 +723,8 @@ Available keywords are
+diff -up openssh-6.1p1/sshd_config.5.required-authentication openssh-6.1p1/sshd_config.5
+--- openssh-6.1p1/sshd_config.5.required-authentication 2012-07-02 10:53:38.000000000 +0200
++++ openssh-6.1p1/sshd_config.5 2012-09-14 20:17:56.812488582 +0200
+@@ -731,6 +731,8 @@ Available keywords are
.Cm PermitOpen ,
.Cm PermitRootLogin ,
.Cm PermitTunnel ,
@@ -804,7 +804,7 @@ diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_
.Cm PubkeyAuthentication ,
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,
-@@ -920,6 +922,21 @@ Specifies a list of revoked public keys.
+@@ -931,6 +933,21 @@ Specifies a list of revoked public keys.
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.
diff --git a/openssh-5.9p1-vendor.patch b/openssh-6.1p1-vendor.patch
similarity index 63%
rename from openssh-5.9p1-vendor.patch
rename to openssh-6.1p1-vendor.patch
index 1413fa6..9cb326d 100644
--- a/openssh-5.9p1-vendor.patch
+++ b/openssh-6.1p1-vendor.patch
@@ -1,7 +1,7 @@
-diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
---- openssh-5.9p1/configure.ac.vendor 2012-02-06 17:35:37.439855272 +0100
-+++ openssh-5.9p1/configure.ac 2012-02-06 17:35:37.510219862 +0100
-@@ -4135,6 +4135,12 @@ AC_ARG_WITH([lastlog],
+diff -up openssh-6.1p1/configure.ac.vendor openssh-6.1p1/configure.ac
+--- openssh-6.1p1/configure.ac.vendor 2012-09-14 20:36:49.153085211 +0200
++++ openssh-6.1p1/configure.ac 2012-09-14 20:36:49.559088133 +0200
+@@ -4303,6 +4303,12 @@ AC_ARG_WITH([lastlog],
fi
]
)
@@ -14,7 +14,7 @@ diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the
-@@ -4361,6 +4367,7 @@ echo " Translate v4 in v6 hack
+@@ -4529,6 +4535,7 @@ echo " Translate v4 in v6 hack
echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE"
@@ -22,10 +22,10 @@ diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
echo ""
-diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
---- openssh-5.9p1/servconf.c.vendor 2012-02-06 17:35:37.432972267 +0100
-+++ openssh-5.9p1/servconf.c 2012-02-06 17:37:58.806272833 +0100
-@@ -125,6 +125,7 @@ initialize_server_options(ServerOptions
+diff -up openssh-6.1p1/servconf.c.vendor openssh-6.1p1/servconf.c
+--- openssh-6.1p1/servconf.c.vendor 2012-09-14 20:36:49.124085002 +0200
++++ openssh-6.1p1/servconf.c 2012-09-14 20:50:34.995972516 +0200
+@@ -128,6 +128,7 @@ initialize_server_options(ServerOptions
options->max_authtries = -1;
options->max_sessions = -1;
options->banner = NULL;
@@ -33,16 +33,17 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
options->use_dns = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
-@@ -283,6 +284,8 @@ fill_default_server_options(ServerOption
- options->ip_qos_interactive = IPTOS_LOWDELAY;
- if (options->ip_qos_bulk == -1)
+@@ -289,6 +290,9 @@ fill_default_server_options(ServerOption
options->ip_qos_bulk = IPTOS_THROUGHPUT;
+ if (options->version_addendum == NULL)
+ options->version_addendum = xstrdup("");
+ if (options->show_patchlevel == -1)
-+ options->show_patchlevel = 0;
-
++ options->show_patchlevel = 0;
++
/* Turn privilege separation on by default */
if (use_privsep == -1)
-@@ -321,7 +324,7 @@ typedef enum {
+ use_privsep = PRIVSEP_NOSANDBOX;
+@@ -326,7 +330,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions,
@@ -51,7 +52,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-@@ -436,6 +439,7 @@ static struct {
+@@ -441,6 +445,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL },
@@ -59,7 +60,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
-@@ -1092,6 +1096,10 @@ process_server_config_line(ServerOptions
+@@ -1162,6 +1167,10 @@ process_server_config_line(ServerOptions
multistate_ptr = multistate_privsep;
goto parse_multistate;
@@ -70,7 +71,7 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
-@@ -1807,6 +1815,7 @@ dump_config(ServerOptions *o)
+@@ -1956,6 +1965,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
@@ -78,9 +79,9 @@ diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
-diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h
---- openssh-5.9p1/servconf.h.vendor 2012-02-06 17:35:37.434095467 +0100
-+++ openssh-5.9p1/servconf.h 2012-02-06 17:35:37.512225786 +0100
+diff -up openssh-6.1p1/servconf.h.vendor openssh-6.1p1/servconf.h
+--- openssh-6.1p1/servconf.h.vendor 2012-09-14 20:36:49.125085009 +0200
++++ openssh-6.1p1/servconf.h 2012-09-14 20:36:49.564088168 +0200
@@ -140,6 +140,7 @@ typedef struct {
int max_authtries;
int max_sessions;
@@ -89,10 +90,10 @@ diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h
int use_dns;
int client_alive_interval; /*
* poke the client this often to
-diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config
---- openssh-5.9p1/sshd_config.vendor 2012-02-06 17:35:37.499226201 +0100
-+++ openssh-5.9p1/sshd_config 2012-02-06 17:35:37.515220444 +0100
-@@ -112,6 +112,7 @@ X11Forwarding yes
+diff -up openssh-6.1p1/sshd_config.vendor openssh-6.1p1/sshd_config
+--- openssh-6.1p1/sshd_config.vendor 2012-09-14 20:36:49.507087759 +0200
++++ openssh-6.1p1/sshd_config 2012-09-14 20:36:49.565088175 +0200
+@@ -114,6 +114,7 @@ UsePrivilegeSeparation sandbox # Defaul
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
@@ -100,10 +101,10 @@ diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
-diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0
---- openssh-5.9p1/sshd_config.0.vendor 2012-02-06 17:35:37.500225787 +0100
-+++ openssh-5.9p1/sshd_config.0 2012-02-06 17:35:37.513225808 +0100
-@@ -556,6 +556,11 @@ DESCRIPTION
+diff -up openssh-6.1p1/sshd_config.0.vendor openssh-6.1p1/sshd_config.0
+--- openssh-6.1p1/sshd_config.0.vendor 2012-09-14 20:36:49.510087780 +0200
++++ openssh-6.1p1/sshd_config.0 2012-09-14 20:36:49.567088190 +0200
+@@ -558,6 +558,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 1024.
@@ -115,10 +116,10 @@ diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0
StrictModes
Specifies whether sshd(8) should check file modes and ownership
of the user's files and home directory before accepting login.
-diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5
---- openssh-5.9p1/sshd_config.5.vendor 2012-02-06 17:35:37.500225787 +0100
-+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:35:37.514220449 +0100
-@@ -982,6 +982,14 @@ This option applies to protocol version
+diff -up openssh-6.1p1/sshd_config.5.vendor openssh-6.1p1/sshd_config.5
+--- openssh-6.1p1/sshd_config.5.vendor 2012-09-14 20:36:49.512087794 +0200
++++ openssh-6.1p1/sshd_config.5 2012-09-14 20:36:49.568088198 +0200
+@@ -978,6 +978,14 @@ This option applies to protocol version
.It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024.
@@ -133,19 +134,19 @@ diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5
.It Cm StrictModes
Specifies whether
.Xr sshd 8
-diff -up openssh-5.9p1/sshd.c.vendor openssh-5.9p1/sshd.c
---- openssh-5.9p1/sshd.c.vendor 2012-02-06 17:35:37.485230832 +0100
-+++ openssh-5.9p1/sshd.c 2012-02-06 17:35:37.513225808 +0100
-@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
- minor = PROTOCOL_MINOR_1;
+diff -up openssh-6.1p1/sshd.c.vendor openssh-6.1p1/sshd.c
+--- openssh-6.1p1/sshd.c.vendor 2012-09-14 20:36:49.399086981 +0200
++++ openssh-6.1p1/sshd.c 2012-09-14 20:47:30.696088744 +0200
+@@ -433,7 +433,7 @@ sshd_exchange_identification(int sock_in
}
- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
-- SSH_VERSION, newline);
-+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
- server_version_string = xstrdup(buf);
- /* Send our protocol version identification. */
-@@ -1634,7 +1634,8 @@ main(int ac, char **av)
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+- major, minor, SSH_VERSION,
++ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
+ *options.version_addendum == '\0' ? "" : " ",
+ options.version_addendum, newline);
+
+@@ -1635,7 +1635,8 @@ main(int ac, char **av)
exit(1);
}
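Review bot: The rewritten `xasprintf` argument in sshd_exchange_identification() has no comment explaining that `SSH_VENDOR_PATCHLEVEL` ends up in the identification string, which is sent before any authentication. With ShowPatchLevel on, every connecting peer learns the exact vendor build. The default stays off (the fill_default_server_options hunk sets `show_patchlevel` to 0), so a short comment above the call would record the intent, for example `/* Vendor patch level is sent pre-auth; leave ShowPatchLevel off unless needed. */`. The changed line is also well past 80 columns and could be wrapped after `minor,`. The function body continues outside the hunk.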
diff --git a/sources b/sources
index 92cfcf9..d7edfa5 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-a7223e1a501bdd60a183bed87b6ce485 openssh-6.0p1-noacss.tar.bz2
+688b37a843ea1c9217f45b1f5c21b791 openssh-6.1p1-noacss.tar.bz2