diff --git a/openssh-5.8p1-audit1a.patch b/openssh-5.8p1-audit1a.patch
index e69de29..dce297a 100644
--- a/openssh-5.8p1-audit1a.patch
+++ b/openssh-5.8p1-audit1a.patch
@@ -0,0 +1,21 @@
+diff -up openssh-5.8p1/audit-linux.c.audit1a openssh-5.8p1/audit-linux.c
+--- openssh-5.8p1/audit-linux.c.audit1a 2011-02-28 14:45:40.000000000 +0100
++++ openssh-5.8p1/audit-linux.c 2011-02-28 14:46:50.000000000 +0100
+@@ -155,7 +155,7 @@ audit_end_command(const char *command)
+ {
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_END);
+- if (!--user_login_count)
++ if (user_login_count && !--user_login_count)
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
+ NULL, "ssh", 1, AUDIT_USER_LOGOUT);
+ }
+@@ -175,7 +175,7 @@ audit_session_close(struct logininfo *li
+ {
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_END);
+- if (!--user_login_count)
++ if (user_login_count && !--user_login_count)
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+ NULL, li->line, 1, AUDIT_USER_LOGOUT);
+ }
diff --git a/openssh.spec b/openssh.spec
index 1d2e5b9..03c5f8f 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -71,7 +71,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.8p1 -%define openssh_rel 10 +%define openssh_rel 11 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 30
@@ -92,6 +92,7 @@ Source2: sshd.pam Source3: sshd.init Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2 Source5: pam_ssh_agent-rmheaders +Source6: ssh-keycat.pam Patch99: openssh-5.8p1-wIm.patch Patch0: openssh-5.6p1-redhat.patch
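Review bot: In audit_end_command the new guard `user_login_count && !--user_login_count` stops the decrement once the counter is zero, but the AUDIT_USER_END record just above is still written unconditionally and the zero case passes silently; the second nested hunk, in audit_session_close, has the same shape. An end event with no counted login means the login/logout pairing in the audit trail is already out of balance, so it is worth recording rather than hiding, for example `if (user_login_count == 0) debug("%s: end event with no counted login", __func__);` ahead of the guard. The declaration of user_login_count is outside the hunk, so whether the old code wrapped or went negative cannot be confirmed from here; a one-line comment such as `/* never decrement below zero: LOGOUT is emitted only for the last counted session */` would record the intent. Since the guard is now duplicated, a small static helper shared by both functions would keep the two from drifting apart.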
@@ -149,6 +150,8 @@ Patch54: openssh-4.3p2-askpass-grab-info.patch Patch56: openssh-5.2p1-edns.patch #? Patch57: openssh-5.1p1-scp-manpage.patch +#? +Patch58: openssh-5.8p1-keycat.patch #http://www.sxw.org.uk/computing/patches/openssh.html Patch60: openssh-5.8p1-gsskex.patch #?
@@ -229,6 +232,11 @@ Requires: openssh = %{version}-%{release} Group: System Environment/Daemons %endif +%package keycat +Summary: A mls keycat backend for openssh +Requires: openssh = %{version}-%{release} +Group: System Environment/Daemons + %package askpass Summary: A passphrase dialog for OpenSSH and X Group: Applications/Internet
@@ -274,6 +282,10 @@ OpenSSH LDAP backend is a way how to distribute the authorized tokens among the servers in the network. %endif +%description keycat +OpenSSH mls keycat is backend for using the authorized keys in the +openssh in the mls mode. + %description askpass OpenSSH is a free version of SSH (Secure SHell), a program for logging into and executing commands on a remote machine. This package contains
@@ -334,6 +346,7 @@ popd %patch54 -p1 -b .grab-info %patch56 -p1 -b .edns %patch57 -p1 -b .manpage +%patch58 -p1 -b .keycat %patch60 -p1 -b .gsskex %patch61 -p1 -b .canohost
@@ -473,6 +486,7 @@ install -d $RPM_BUILD_ROOT/etc/rc.d/init.d install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd +install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
@@ -605,6 +619,11 @@ fi %attr(0644,root,root) %{_mandir}/man5/ssh-ldap.conf.5* %endif +%files keycat +%defattr(-,root,root) +%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat +%attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh-keycat + %if ! %{no_gnome_askpass} %files askpass %defattr(-,root,root)
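Review bot: `Patch58: openssh-5.8p1-keycat.patch` and `%patch58 -p1 -b .keycat` are added here, but no openssh-5.8p1-keycat.patch appears among the files in this diff as shown, and conversely openssh-5.8p1-audit1a.patch gains content without any `Patch`/`%patch` line for it in the visible hunks. Both may already be wired up outside the visible context, but it should be confirmed that the keycat patch is committed and that the audit fix is actually applied at build time. The `#?` above Patch58 is also worth replacing with a short origin note, as the entry above Patch60 does with its URL, since this patch introduces a new helper under libexec together with its own PAM stack.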
@@ -622,6 +641,9 @@ fi %endif %changelog +* Mon Feb 28 2011 Jan F. Chadima - 5.8p1-11 + 0.9.2-30 +- add ssk-keycat + * Fri Feb 25 2011 Jan F. Chadima - 5.8p1-10 + 0.9.2-30 - reenable auth-keys ldap backend
diff --git a/ssh-keycat.pam b/ssh-keycat.pam
new file mode 100644
index 0000000..528177a
--- /dev/null
+++ b/ssh-keycat.pam
@@ -0,0 +1,9 @@
+#%PAM-1.0
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the
+user context
+session required pam_selinux.so open env_params
+session required pam_namespace.so
+
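Review bot: In the new ssh-keycat.pam the line `user context` is added without a leading `#`, so it is not part of the wrapped comment above it and PAM will read it as a rule whose type field is `user`. The hunk's count of nine added lines confirms it is a separate line rather than a rendering artefact. As far as I know Linux-PAM reports an illegal module type for such an entry and may treat it as a failing rule, so session setup for ssh-keycat should be tested with this file as committed. The fix is to keep the comment on one line, `# pam_selinux.so open should only be followed by sessions to be executed in the user context`, or to prefix the second line with `# `.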