diff --git a/SOURCES/openssh-5.8p1-glob.patch b/SOURCES/openssh-5.8p1-glob.patch
index cb45cd1..4b1d8a7 100644
--- a/SOURCES/openssh-5.8p1-glob.patch
+++ b/SOURCES/openssh-5.8p1-glob.patch
@@ -8,3 +8,18 @@ diff -up openssh-5.8p1/sftp-glob.c.glob openssh-5.8p1/sftp-glob.c
 -	return(glob(pattern, flags | GLOB_ALTDIRFUNC, errfunc, pglob));
 +	return(glob(pattern, flags | GLOB_LIMIT | GLOB_ALTDIRFUNC, errfunc, pglob));
  }
+diff --git a/openbsd-compat/glob.c b/openbsd-compat/glob.c
+index 742b4b9..acae399 100644
+--- a/openbsd-compat/glob.c
++++ b/openbsd-compat/glob.c
+@@ -130,8 +130,8 @@ typedef char Char;
+ #define	M_CLASS		META(':')
+ #define	ismeta(c)	(((c)&M_QUOTE) != 0)
+ 
+-#define	GLOB_LIMIT_MALLOC	65536
+-#define	GLOB_LIMIT_STAT		128
++#define	GLOB_LIMIT_MALLOC	65536*64
++#define	GLOB_LIMIT_STAT		128*64
+ #define	GLOB_LIMIT_READDIR	16384
+ 
+ /* Limit of recursion during matching attempts. */
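Review bot: The two new definitions at the `++#define GLOB_LIMIT_MALLOC` and `++#define GLOB_LIMIT_STAT` lines expand to unparenthesized products, `65536*64` and `128*64`, so a use such as `x * GLOB_LIMIT_STAT` or `-GLOB_LIMIT_MALLOC` binds unexpectedly; write them as `#define GLOB_LIMIT_MALLOC (65536*64)` and `#define GLOB_LIMIT_STAT (128*64)`. These constants bound the memory and stat() work a single glob() call may do when GLOB_LIMIT is passed (which sftp-glob.c now does, per the first lines of this hunk), so a 64-fold increase weakens that bound and deserves a comment next to the definitions giving the reason for the factor (the workload or report that hit the old limit). The remaining glob.c limit definitions are outside this hunk.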
diff --git a/SOURCES/openssh-6.6p1-allowGroups-documentation.patch b/SOURCES/openssh-6.6p1-allowGroups-documentation.patch
new file mode 100644
index 0000000..9da6a1d
--- /dev/null
+++ b/SOURCES/openssh-6.6p1-allowGroups-documentation.patch
@@ -0,0 +1,40 @@
+diff --git a/sshd_config.5 b/sshd_config.5
+index 2320128..6244e68 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -120,6 +120,8 @@ The allow/deny directives are processed in the following order:
+ .Cm DenyGroups ,
+ and finally
+ .Cm AllowGroups .
++All of the specified user and group tests must succeed, before user
++is allowed to log in.
+ .Pp
+ See PATTERNS in
+ .Xr ssh_config 5
+@@ -160,6 +162,8 @@ The allow/deny directives are processed in the following order:
+ .Cm DenyGroups ,
+ and finally
+ .Cm AllowGroups .
++All of the specified user and group tests must succeed, before user
++is allowed to log in.
+ .Pp
+ See PATTERNS in
+ .Xr ssh_config 5
+@@ -430,6 +434,8 @@ The allow/deny directives are processed in the following order:
+ .Cm DenyGroups ,
+ and finally
+ .Cm AllowGroups .
++All of the specified user and group tests must succeed, before user
++is allowed to log in.
+ .Pp
+ See PATTERNS in
+ .Xr ssh_config 5
+@@ -449,6 +455,8 @@ The allow/deny directives are processed in the following order:
+ .Cm DenyGroups ,
+ and finally
+ .Cm AllowGroups .
++All of the specified user and group tests must succeed, before user
++is allowed to log in.
+ .Pp
+ See PATTERNS in
+ .Xr ssh_config 5
diff --git a/SOURCES/openssh-6.6p1-audit.patch b/SOURCES/openssh-6.6p1-audit.patch
index f7720c4..dd0c06e 100644
--- a/SOURCES/openssh-6.6p1-audit.patch
+++ b/SOURCES/openssh-6.6p1-audit.patch
@@ -1040,7 +1040,7 @@ index bce2ab8..bc3e53e 100644
  	}
  	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
  	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
-@@ -702,3 +718,34 @@ dump_digest(char *msg, u_char *digest, int len)
+@@ -702,3 +718,53 @@ dump_digest(char *msg, u_char *digest, int len)
  	fprintf(stderr, "\n");
  }
  #endif
@@ -1070,20 +1070,40 @@ index bce2ab8..bc3e53e 100644
 +	if (newkeys == NULL)
 +		return;
 +
++	free(newkeys->enc.name);
 +	enc_destroy(&newkeys->enc);
-+	mac_destroy(&newkeys->mac);
++
++	if (newkeys->mac.enabled) {
++		mac_clear(&newkeys->mac);
++		free(newkeys->mac.name);
++		mac_destroy(&newkeys->mac);
++	}
++
++	free(newkeys->comp.name);
++
 +	memset(&newkeys->comp, 0, sizeof(newkeys->comp));
 +}
 +
++void
++newkeys_destroy_and_free(Newkeys *newkeys)
++{
++	if (newkeys == NULL)
++		return;
++
++	newkeys_destroy(newkeys);
++	free(newkeys);
++}
++
 diff --git a/kex.h b/kex.h
 index 313bb51..c643250 100644
 --- a/kex.h
 +++ b/kex.h
-@@ -182,6 +182,8 @@ void	 kexgss_client(Kex *);
+@@ -182,6 +182,9 @@ void	 kexgss_client(Kex *);
  void	 kexgss_server(Kex *);
  #endif
  
 +void	newkeys_destroy(Newkeys *newkeys);
++void	newkeys_destroy_and_free(Newkeys *newkeys);
 +
  void
  kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
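Review bot: newkeys_destroy() now frees `enc.name`, `mac.name` and `comp.name` but leaves the pointers dangling, so a second call on the same Newkeys would double-free; since the sshd.c hunk later in this patch calls `newkeys_destroy(current_keys[MODE_OUT])` on keys that packet.c may still reference, null each pointer after freeing it, `free(newkeys->enc.name); newkeys->enc.name = NULL;` and likewise for `mac.name` and `comp.name`, so the function is idempotent in the way the `newkeys == NULL` guard suggests. `mac.name` is released only when `mac.enabled` is set; if a name can be allocated for a MAC that is never enabled it leaks here, which is worth confirming against mac_setup. newkeys_destroy's signature and opening lines are outside this hunk.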
@@ -1394,7 +1414,7 @@ index 8b18086..5a65114 100644
  }
  
  
-@@ -2277,3 +2374,85 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
+@@ -2277,3 +2374,84 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
  
  #endif /* GSSAPI */
  
@@ -1476,7 +1496,6 @@ index 8b18086..5a65114 100644
 +	free(fp);
 +	buffer_clear(m);
 +
-+	mm_request_send(sock, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, m);
 +	return 0;
 +}
 +#endif /* SSH_AUDIT_EVENTS */
@@ -1495,7 +1514,7 @@ index ff79fbb..6dfb234 100644
 +	MONITOR_REQ_AUDIT_UNSUPPORTED = 118, MONITOR_ANS_AUDIT_UNSUPPORTED = 119,
 +	MONITOR_REQ_AUDIT_KEX = 120, MONITOR_ANS_AUDIT_KEX = 121,
 +	MONITOR_REQ_AUDIT_SESSION_KEY_FREE = 122, MONITOR_ANS_AUDIT_SESSION_KEY_FREE = 123,
-+	MONITOR_REQ_AUDIT_SERVER_KEY_FREE = 124, MONITOR_ANS_AUDIT_SERVER_KEY_FREE = 125
++	MONITOR_REQ_AUDIT_SERVER_KEY_FREE = 124
  
  };
  
@@ -1595,7 +1614,7 @@ index d1e1caa..6df236a 100644
  	buffer_free(&m);
  }
  #endif /* SSH_AUDIT_EVENTS */
-@@ -1354,3 +1391,71 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
+@@ -1354,3 +1391,69 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
  
  #endif /* GSSAPI */
  
@@ -1662,8 +1681,6 @@ index d1e1caa..6df236a 100644
 +	buffer_put_int64(&m, uid);
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
-+	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SERVER_KEY_FREE,
-+				  &m);
 +	buffer_free(&m);
 +}
 +#endif /* SSH_AUDIT_EVENTS */
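Review bot: With the `mm_request_receive_expect` call for MONITOR_ANS_AUDIT_SERVER_KEY_FREE removed here, and the answer's send and enum value removed in the two earlier hunks of this file, mm_audit_server_key_free() becomes a one-way request, so the privileged monitor may still be processing the audit event after the child has moved on or exited. If that is intended, say so above the send, e.g. `/* one-way request: no answer is expected, the monitor logs the event asynchronously */`, and check that the monitor dispatch-table entry for MONITOR_REQ_AUDIT_SERVER_KEY_FREE (outside this hunk) no longer expects a reply to be sent. mm_audit_server_key_free's opening lines are outside this hunk.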
@@ -1756,32 +1773,6 @@ index 660a9fc..f5b122b 100644
  }
  
  /* Sets remote side protocol flags. */
-@@ -736,6 +747,25 @@ packet_send1(void)
- 	 */
- }
- 
-+static void
-+newkeys_destroy_and_free(Newkeys *newkeys)
-+{
-+	if (newkeys == NULL)
-+		return;
-+
-+	free(newkeys->enc.name);
-+
-+	if (newkeys->mac.enabled) {
-+		mac_clear(&newkeys->mac);
-+		free(newkeys->mac.name);
-+	}
-+
-+	free(newkeys->comp.name);
-+
-+	newkeys_destroy(newkeys);
-+	free(newkeys);
-+}
-+
- void
- set_newkeys(int mode)
- {
 @@ -761,6 +791,7 @@ set_newkeys(int mode)
  	}
  	if (active_state->newkeys[mode] != NULL) {
@@ -1934,7 +1925,7 @@ index df43592..b186ca1 100644
 -		PRIVSEP(audit_run_command(shell));
 +		s->command = xstrdup(shell);
  	}
-+	if (s->command != NULL)
++	if (s->command != NULL && s->ptyfd == -1)
 +		s->command_handle = PRIVSEP(audit_run_command(s->command));
  #endif
  	if (s->ttyfd != -1)
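Review bot: The new condition `s->command != NULL && s->ptyfd == -1` skips `audit_run_command` for sessions that have a pty, leaving `s->command_handle` at its -1 sentinel, which the session_end_command and session_end_command2 hunks later in this file now guard against. Nothing in the hunk says why pty sessions are excluded, so a comment such as `/* only non-pty commands are audited here; command_handle stays -1 so session_end_command skips audit_end_command */` would keep the two sides of the change in sync. The -1 sentinel is now relied on in three places and would read better as a named constant. The enclosing function starts and ends outside this hunk.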
@@ -1979,7 +1970,7 @@ index df43592..b186ca1 100644
  session_by_tty(char *tty)
  {
  	int i;
-@@ -2531,6 +2560,30 @@ session_exit_message(Session *s, int status)
+@@ -2531,6 +2560,32 @@ session_exit_message(Session *s, int status)
  		chan_write_failed(c);
  }
  
@@ -1988,7 +1979,8 @@ index df43592..b186ca1 100644
 +session_end_command2(Session *s)
 +{
 +	if (s->command != NULL) {
-+		audit_end_command(s->command_handle, s->command);
++		if (s->command_handle != -1)
++			audit_end_command(s->command_handle, s->command);
 +		free(s->command);
 +		s->command = NULL;
 +		s->command_handle = -1;
@@ -1999,7 +1991,8 @@ index df43592..b186ca1 100644
 +session_end_command(Session *s)
 +{
 +	if (s->command != NULL) {
-+		PRIVSEP(audit_end_command(s->command_handle, s->command));
++		if (s->command_handle != -1)
++			PRIVSEP(audit_end_command(s->command_handle, s->command));
 +		free(s->command);
 +		s->command = NULL;
 +		s->command_handle = -1;
@@ -2215,7 +2208,7 @@ index 8a0740a..2813aa2 100644
  	else if (pmonitor->m_pid != 0) {
  		verbose("User child is on pid %ld", (long)pmonitor->m_pid);
  		buffer_clear(&loginmsg);
-+ 		newkeys_destroy(current_keys[MODE_OUT]);
++		newkeys_destroy(current_keys[MODE_OUT]);
 +		newkeys_destroy(current_keys[MODE_IN]);
 +		audit_session_key_free_body(2, getpid(), getuid());
 +		packet_destroy_all(0, 0);
diff --git a/SOURCES/openssh-6.6p1-authentication-limits-bypass.patch b/SOURCES/openssh-6.6p1-authentication-limits-bypass.patch
new file mode 100644
index 0000000..10bde94
--- /dev/null
+++ b/SOURCES/openssh-6.6p1-authentication-limits-bypass.patch
@@ -0,0 +1,47 @@
+From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sat, 18 Jul 2015 07:57:14 +0000
+Subject: upstream commit
+
+only query each keyboard-interactive device once per
+ authentication request regardless of how many times it is listed; ok markus@
+
+Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
+---
+ auth2-chall.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/auth2-chall.c b/auth2-chall.c
+index ddabe1a..4aff09d 100644
+--- a/auth2-chall.c
++++ b/auth2-chall.c
+@@ -83,6 +83,7 @@ struct KbdintAuthctxt
+ 	void *ctxt;
+ 	KbdintDevice *device;
+ 	u_int nreq;
++	u_int devices_done;
+ };
+ 
+ #ifdef USE_PAM
+@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
+ 		if (len == 0)
+ 			break;
+ 		for (i = 0; devices[i]; i++) {
+-			if (!auth2_method_allowed(authctxt,
++			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
++			    !auth2_method_allowed(authctxt,
+ 			    "keyboard-interactive", devices[i]->name))
+ 				continue;
+-			if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
++			if (strncmp(kbdintctxt->devices, devices[i]->name,
++			    len) == 0) {
+ 				kbdintctxt->device = devices[i];
++				kbdintctxt->devices_done |= 1 << i;
++			}
+ 		}
+ 		t = kbdintctxt->devices;
+ 		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
+-- 
+cgit v0.11.2
+
+
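Review bot: `devices_done` is a `u_int` bitmask indexed with `1 << i`, so it can track at most 32 entries of `devices[]`, and for i of 31 or more the shift of the signed constant 1 is undefined; a comment on the new struct member, `u_int devices_done; /* bitmask of devices[] already queried in this request; assumes fewer than 32 devices */`, records the assumption, and `1u << i` in both new uses avoids the signed shift. The device list in practice is tiny, so this is a documentation and hygiene point rather than a live defect, but the limit should be visible where the field is declared. The rest of kbdint_next_device is outside this hunk.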
diff --git a/SOURCES/openssh-6.6p1-document-TERM-env.patch b/SOURCES/openssh-6.6p1-document-TERM-env.patch
new file mode 100644
index 0000000..66445d9
--- /dev/null
+++ b/SOURCES/openssh-6.6p1-document-TERM-env.patch
@@ -0,0 +1,32 @@
+diff --git a/ssh_config.5 b/ssh_config.5
+index e7accd6..c95fda6 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -1253,6 +1253,10 @@ should be sent to the server.
+ Note that environment passing is only supported for protocol 2.
+ The server must also support it, and the server must be configured to
+ accept these environment variables.
++Note that the
++.Ev TERM
++environment variable is always sent whenever a
++pseudo-terminal is requested as it is required by the protocol.
+ Refer to
+ .Cm AcceptEnv
+ in
+diff --git a/sshd_config.5 b/sshd_config.5
+index aa9525d..2320128 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -70,7 +70,11 @@ See
+ in
+ .Xr ssh_config 5
+ for how to configure the client.
+-Note that environment passing is only supported for protocol 2.
++Note that environment passing is only supported for protocol 2, and
++that the
++.Ev TERM
++environment variable is always sent whenever the client
++requests a pseudo-terminal as it is required by the protocol.
+ Variables are specified by name, which may contain the wildcard characters
+ .Ql *
+ and
diff --git a/SOURCES/openssh-6.6p1-fips.patch b/SOURCES/openssh-6.6p1-fips.patch
index 9227b37..77760db 100644
--- a/SOURCES/openssh-6.6p1-fips.patch
+++ b/SOURCES/openssh-6.6p1-fips.patch
@@ -1,7 +1,6 @@
-diff --git a/Makefile.in b/Makefile.in
-index 3bb7f00..294bef5 100644
---- a/Makefile.in
-+++ b/Makefile.in
+diff -up openssh-6.6p1/Makefile.in.fips openssh-6.6p1/Makefile.in
+--- openssh-6.6p1/Makefile.in.fips	2015-08-13 15:09:43.343350136 +0200
++++ openssh-6.6p1/Makefile.in	2015-08-13 15:09:43.356350114 +0200
 @@ -154,25 +154,25 @@ libssh.a: $(LIBSSH_OBJS)
  	$(RANLIB) $@
  
@@ -34,7 +33,7 @@ index 3bb7f00..294bef5 100644
  
  ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
  	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-@@ -187,7 +187,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+@@ -187,7 +187,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libs
  	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
  
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
@@ -43,11 +42,10 @@ index 3bb7f00..294bef5 100644
  
  sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
  	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-diff --git a/auth-rsa.c b/auth-rsa.c
-index f225b0b..8bafcd6 100644
---- a/auth-rsa.c
-+++ b/auth-rsa.c
-@@ -244,7 +244,7 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
+diff -up openssh-6.6p1/auth-rsa.c.fips openssh-6.6p1/auth-rsa.c
+--- openssh-6.6p1/auth-rsa.c.fips	2015-08-13 15:09:43.344350134 +0200
++++ openssh-6.6p1/auth-rsa.c	2015-08-13 15:09:43.354350118 +0200
+@@ -244,7 +244,7 @@ rsa_key_allowed_in_file(struct passwd *p
  			    "actual %d vs. announced %d.",
  			    file, linenum, BN_num_bits(key->rsa->n), bits);
  
@@ -56,11 +54,10 @@ index f225b0b..8bafcd6 100644
  		debug("matching key found: file %s, line %lu %s %s",
  		    file, linenum, key_type(key), fp);
  		free(fp);
-diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index 6d1c872..3808ec8 100644
---- a/auth2-pubkey.c
-+++ b/auth2-pubkey.c
-@@ -214,8 +214,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
+diff -up openssh-6.6p1/auth2-pubkey.c.fips openssh-6.6p1/auth2-pubkey.c
+--- openssh-6.6p1/auth2-pubkey.c.fips	2015-08-13 15:09:43.345350133 +0200
++++ openssh-6.6p1/auth2-pubkey.c	2015-08-13 15:09:43.353350119 +0200
+@@ -214,8 +214,7 @@ pubkey_auth_info(Authctxt *authctxt, con
  	}
  
  	if (key_is_cert(key)) {
@@ -70,7 +67,7 @@ index 6d1c872..3808ec8 100644
  		auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", 
  		    key_type(key), key->cert->key_id,
  		    (unsigned long long)key->cert->serial,
-@@ -223,7 +222,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
+@@ -223,7 +222,7 @@ pubkey_auth_info(Authctxt *authctxt, con
  		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
  		free(fp);
  	} else {
@@ -79,10 +76,9 @@ index 6d1c872..3808ec8 100644
  		auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
  		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
  		free(fp);
-diff --git a/authfile.c b/authfile.c
-index ec4f4ff..2b3d650 100644
---- a/authfile.c
-+++ b/authfile.c
+diff -up openssh-6.6p1/authfile.c.fips openssh-6.6p1/authfile.c
+--- openssh-6.6p1/authfile.c.fips	2015-08-13 15:09:43.213350355 +0200
++++ openssh-6.6p1/authfile.c	2015-08-13 15:09:43.354350118 +0200
 @@ -46,6 +46,7 @@
  #include <openssl/err.h>
  #include <openssl/evp.h>
@@ -91,7 +87,19 @@ index ec4f4ff..2b3d650 100644
  
  /* compatibility with old or broken OpenSSL versions */
  #include "openbsd-compat/openssl-compat.h"
-@@ -1068,7 +1069,7 @@ Key *
+@@ -1008,7 +1009,10 @@ key_parse_private_type(Buffer *blob, int
+ 
+ 	switch (type) {
+ 	case KEY_RSA1:
+-		return key_parse_private_rsa1(blob, passphrase, commentp);
++		if (! FIPS_mode())
++			return key_parse_private_rsa1(blob, passphrase, commentp);
++		error("%s: cannot parse rsa1 key in FIPS mode", __func__);
++		break;
+ 	case KEY_DSA:
+ 	case KEY_ECDSA:
+ 	case KEY_RSA:
+@@ -1068,7 +1072,7 @@ Key *
  key_parse_private(Buffer *buffer, const char *filename,
      const char *passphrase, char **commentp)
  {
@@ -100,7 +108,7 @@ index ec4f4ff..2b3d650 100644
  
  	/* it's a SSH v1 key if the public key part is readable */
  	pub = key_parse_public_rsa1(buffer, commentp);
-@@ -1080,9 +1081,10 @@ key_parse_private(Buffer *buffer, const char *filename,
+@@ -1080,9 +1084,10 @@ key_parse_private(Buffer *buffer, const
  			*commentp = xstrdup(filename);
  	} else {
  		key_free(pub);
@@ -114,10 +122,9 @@ index ec4f4ff..2b3d650 100644
  	}
  	return prv;
  }
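Review bot: In the new KEY_RSA1 branch of key_parse_private_type, the FIPS-mode path calls `error()` and then `break`s out of the switch, so the value the caller receives depends on the code after the switch, which is outside this hunk; if that path does not return NULL, the refusal is silently turned into whatever is returned there. An explicit `return NULL;` in place of `break;`, or a comment noting that the post-switch return is the NULL path, makes the refusal self-contained. Style nit: `if (! FIPS_mode())` has a space after `!`, which OpenSSH's KNF style writes as `!FIPS_mode()`.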
-diff --git a/cipher-ctr.c b/cipher-ctr.c
-index 73e9c7c..40ee395 100644
---- a/cipher-ctr.c
-+++ b/cipher-ctr.c
+diff -up openssh-6.6p1/cipher-ctr.c.fips openssh-6.6p1/cipher-ctr.c
+--- openssh-6.6p1/cipher-ctr.c.fips	2015-08-13 15:09:43.254350286 +0200
++++ openssh-6.6p1/cipher-ctr.c	2015-08-13 15:09:43.354350118 +0200
 @@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
  	aes_ctr.do_cipher = ssh_aes_ctr;
  #ifndef SSH_OLD_EVP
@@ -128,10 +135,9 @@ index 73e9c7c..40ee395 100644
  #endif
  	return (&aes_ctr);
  }
-diff --git a/cipher.c b/cipher.c
-index 226e56d..b19443c 100644
---- a/cipher.c
-+++ b/cipher.c
+diff -up openssh-6.6p1/cipher.c.fips openssh-6.6p1/cipher.c
+--- openssh-6.6p1/cipher.c.fips	2015-08-13 15:09:43.345350133 +0200
++++ openssh-6.6p1/cipher.c	2015-08-13 15:09:43.354350118 +0200
 @@ -39,6 +39,8 @@
  
  #include <sys/types.h>
@@ -203,10 +209,9 @@ index 226e56d..b19443c 100644
  		if (strcasecmp(c->name, name) == 0)
  			return c->number;
  	return -1;
-diff --git a/dh.h b/dh.h
-index 48f7b68..9ff39f4 100644
---- a/dh.h
-+++ b/dh.h
+diff -up openssh-6.6p1/dh.h.fips openssh-6.6p1/dh.h
+--- openssh-6.6p1/dh.h.fips	2013-10-10 01:32:40.000000000 +0200
++++ openssh-6.6p1/dh.h	2015-08-13 15:09:43.354350118 +0200
 @@ -45,6 +45,7 @@ int	 dh_estimate(int);
  
  /* Min and max values from RFC4419. */
@@ -215,10 +220,9 @@ index 48f7b68..9ff39f4 100644
  #define DH_GRP_MAX	8192
  
  /*
-diff --git a/entropy.c b/entropy.c
-index b361a04..5616643 100644
---- a/entropy.c
-+++ b/entropy.c
+diff -up openssh-6.6p1/entropy.c.fips openssh-6.6p1/entropy.c
+--- openssh-6.6p1/entropy.c.fips	2015-08-13 15:09:43.238350313 +0200
++++ openssh-6.6p1/entropy.c	2015-08-13 15:09:43.355350116 +0200
 @@ -222,6 +222,9 @@ seed_rng(void)
  		fatal("OpenSSL version mismatch. Built against %lx, you "
  		    "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
@@ -229,10 +233,9 @@ index b361a04..5616643 100644
  #ifndef OPENSSL_PRNG_ONLY
  	if (RAND_status() == 1) {
  		debug3("RNG is ready, skipping seeding");
-diff --git a/kex.c b/kex.c
-index bc3e53e..ede7b67 100644
---- a/kex.c
-+++ b/kex.c
+diff -up openssh-6.6p1/kex.c.fips openssh-6.6p1/kex.c
+--- openssh-6.6p1/kex.c.fips	2015-08-13 15:09:43.350350124 +0200
++++ openssh-6.6p1/kex.c	2015-08-13 15:09:43.355350116 +0200
 @@ -34,6 +34,7 @@
  #include <string.h>
  
@@ -288,10 +291,9 @@ index bc3e53e..ede7b67 100644
  			free(s);
  			return 0;
  		}
-diff --git a/kexecdhc.c b/kexecdhc.c
-index 2f7629c..20c9946 100644
---- a/kexecdhc.c
-+++ b/kexecdhc.c
+diff -up openssh-6.6p1/kexecdhc.c.fips openssh-6.6p1/kexecdhc.c
+--- openssh-6.6p1/kexecdhc.c.fips	2014-02-04 01:20:15.000000000 +0100
++++ openssh-6.6p1/kexecdhc.c	2015-08-13 15:09:43.355350116 +0200
 @@ -154,6 +154,7 @@ kexecdh_client(Kex *kex)
  
  	kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
@@ -300,10 +302,9 @@ index 2f7629c..20c9946 100644
  	kex_finish(kex);
  }
  #else /* OPENSSL_HAS_ECC */
-diff --git a/kexecdhs.c b/kexecdhs.c
-index 2700b72..0820894 100644
---- a/kexecdhs.c
-+++ b/kexecdhs.c
+diff -up openssh-6.6p1/kexecdhs.c.fips openssh-6.6p1/kexecdhs.c
+--- openssh-6.6p1/kexecdhs.c.fips	2014-02-04 01:20:15.000000000 +0100
++++ openssh-6.6p1/kexecdhs.c	2015-08-13 15:09:43.355350116 +0200
 @@ -150,6 +150,7 @@ kexecdh_server(Kex *kex)
  
  	kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
@@ -312,10 +313,9 @@ index 2700b72..0820894 100644
  	kex_finish(kex);
  }
  #else /* OPENSSL_HAS_ECC */
-diff --git a/kexgexc.c b/kexgexc.c
-index 355b7ba..427e11f 100644
---- a/kexgexc.c
-+++ b/kexgexc.c
+diff -up openssh-6.6p1/kexgexc.c.fips openssh-6.6p1/kexgexc.c
+--- openssh-6.6p1/kexgexc.c.fips	2014-02-04 01:20:15.000000000 +0100
++++ openssh-6.6p1/kexgexc.c	2015-08-13 15:09:43.355350116 +0200
 @@ -26,6 +26,8 @@
  
  #include "includes.h"
@@ -341,10 +341,9 @@ index 355b7ba..427e11f 100644
  		max = DH_GRP_MAX;
  		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
  		packet_put_int(min);
-diff --git a/kexgexs.c b/kexgexs.c
-index 770ad28..9d4fc6d 100644
---- a/kexgexs.c
-+++ b/kexgexs.c
+diff -up openssh-6.6p1/kexgexs.c.fips openssh-6.6p1/kexgexs.c
+--- openssh-6.6p1/kexgexs.c.fips	2014-02-04 01:20:15.000000000 +0100
++++ openssh-6.6p1/kexgexs.c	2015-08-13 15:09:43.355350116 +0200
 @@ -76,16 +76,16 @@ kexgex_server(Kex *kex)
  		omin = min = packet_get_int();
  		onbits = nbits = packet_get_int();
@@ -365,10 +364,9 @@ index 770ad28..9d4fc6d 100644
  		omax = max = DH_GRP_MAX;
  		break;
  	default:
-diff --git a/key.c b/key.c
-index 62f3edb..a2050f6 100644
---- a/key.c
-+++ b/key.c
+diff -up openssh-6.6p1/key.c.fips openssh-6.6p1/key.c
+--- openssh-6.6p1/key.c.fips	2015-08-13 15:09:43.345350133 +0200
++++ openssh-6.6p1/key.c	2015-08-13 15:09:43.356350114 +0200
 @@ -42,6 +42,7 @@
  #include "crypto_api.h"
  
@@ -407,10 +405,9 @@ index 62f3edb..a2050f6 100644
  	BN_free(f4);
  	return private;
  }
-diff --git a/mac.c b/mac.c
-index 9388af4..cd7b034 100644
---- a/mac.c
-+++ b/mac.c
+diff -up openssh-6.6p1/mac.c.fips openssh-6.6p1/mac.c
+--- openssh-6.6p1/mac.c.fips	2015-08-13 15:09:43.346350131 +0200
++++ openssh-6.6p1/mac.c	2015-08-13 15:09:43.356350114 +0200
 @@ -27,6 +27,8 @@
  
  #include <sys/types.h>
@@ -472,10 +469,9 @@ index 9388af4..cd7b034 100644
  		if (strcmp(name, m->name) != 0)
  			continue;
  		if (mac != NULL) {
-diff --git a/myproposal.h b/myproposal.h
-index 3a0f5ae..4f35a44 100644
---- a/myproposal.h
-+++ b/myproposal.h
+diff -up openssh-6.6p1/myproposal.h.fips openssh-6.6p1/myproposal.h
+--- openssh-6.6p1/myproposal.h.fips	2013-12-07 01:24:02.000000000 +0100
++++ openssh-6.6p1/myproposal.h	2015-08-13 15:10:30.288271102 +0200
 @@ -88,6 +88,12 @@
  	"diffie-hellman-group14-sha1," \
  	"diffie-hellman-group1-sha1"
@@ -512,11 +508,10 @@ index 3a0f5ae..4f35a44 100644
  
  static char *myproposal[PROPOSAL_MAX] = {
  	KEX_DEFAULT_KEX,
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 66198e6..ccf22c8 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -195,6 +195,12 @@ type_bits_valid(int type, u_int32_t *bitsp)
+diff -up openssh-6.6p1/ssh-keygen.c.fips openssh-6.6p1/ssh-keygen.c
+--- openssh-6.6p1/ssh-keygen.c.fips	2015-08-13 15:09:43.296350215 +0200
++++ openssh-6.6p1/ssh-keygen.c	2015-08-13 15:09:43.360350107 +0200
+@@ -195,6 +195,12 @@ type_bits_valid(int type, u_int32_t *bit
  		fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
  		exit(1);
  	}
@@ -548,10 +543,9 @@ index 66198e6..ccf22c8 100644
  			printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
  			    fp, key_type(keys[i]));
  			if (log_level >= SYSLOG_LEVEL_VERBOSE)
-diff --git a/ssh.c b/ssh.c
-index 1e6cb90..ea9193f 100644
---- a/ssh.c
-+++ b/ssh.c
+diff -up openssh-6.6p1/ssh.c.fips openssh-6.6p1/ssh.c
+--- openssh-6.6p1/ssh.c.fips	2014-02-27 00:17:13.000000000 +0100
++++ openssh-6.6p1/ssh.c	2015-08-13 15:09:43.357350112 +0200
 @@ -73,6 +73,8 @@
  
  #include <openssl/evp.h>
@@ -617,11 +611,10 @@ index 1e6cb90..ea9193f 100644
  	/* Open a connection to the remote host. */
  	if (ssh_connect(host, addrs, &hostaddr, options.port,
  	    options.address_family, options.connection_attempts,
-diff --git a/sshconnect2.c b/sshconnect2.c
-index b00658b..6a1562c 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -44,6 +44,8 @@
+diff -up openssh-6.6p1/sshconnect2.c.fips openssh-6.6p1/sshconnect2.c
+--- openssh-6.6p1/sshconnect2.c.fips	2015-08-13 15:09:43.342350138 +0200
++++ openssh-6.6p1/sshconnect2.c	2015-08-13 15:09:43.357350112 +0200
+@@ -46,6 +46,8 @@
  #include <vis.h>
  #endif
  
@@ -630,7 +623,7 @@ index b00658b..6a1562c 100644
  #include "openbsd-compat/sys-queue.h"
  
  #include "xmalloc.h"
-@@ -168,20 +170,25 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -170,21 +172,26 @@ ssh_kex2(char *host, struct sockaddr *ho
  
  #ifdef GSSAPI
  	if (options.gss_keyex) {
@@ -643,7 +636,8 @@ index b00658b..6a1562c 100644
 -		else
 -			gss_host = host;
 -
--		gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
+-		gss = ssh_gssapi_client_mechanisms(gss_host,
+-		    options.gss_client_identity, options.gss_kex_algorithms);
 -		if (gss) {
 -			debug("Offering GSSAPI proposal: %s", gss);
 -			xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
@@ -652,7 +646,7 @@ index b00658b..6a1562c 100644
 +			logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
 +			options.gss_keyex = 0;
 +		} else {
-+			/* Add the GSSAPI mechanisms currently supported on this
++			/* Add the GSSAPI mechanisms currently supported on this 
 +			 * client to the key exchange algorithm proposal */
 +			orig = myproposal[PROPOSAL_KEX_ALGS];
 +
@@ -661,7 +655,8 @@ index b00658b..6a1562c 100644
 +			else
 +				gss_host = host;
 +
-+			gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
++			gss = ssh_gssapi_client_mechanisms(gss_host,
++			    options.gss_client_identity, options.gss_kex_algorithms);
 +			if (gss) {
 +				debug("Offering GSSAPI proposal: %s", gss);
 +				xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
@@ -670,7 +665,7 @@ index b00658b..6a1562c 100644
  		}
  	}
  #endif
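Review bot: The re-flowed comment line `/* Add the GSSAPI mechanisms currently supported on this ` now ends in a trailing space, which the line it replaces in this hunk did not have, so the refresh reintroduces whitespace noise into the patch; drop the trailing space. The rest of the hunk only re-wraps the `ssh_gssapi_client_mechanisms` call to pass `options.gss_kex_algorithms`, which matches the three-argument prototype introduced by the gssKexAlgorithms patch added in this commit. ssh_kex2 starts and ends outside this hunk.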
-@@ -193,6 +200,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -196,6 +203,10 @@ ssh_kex2(char *host, struct sockaddr *ho
  	if (options.ciphers != NULL) {
  		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -681,7 +676,7 @@ index b00658b..6a1562c 100644
  	}
  	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -208,7 +219,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -211,7 +222,11 @@ ssh_kex2(char *host, struct sockaddr *ho
  	if (options.macs != NULL) {
  		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
  		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@@ -693,7 +688,7 @@ index b00658b..6a1562c 100644
  	if (options.hostkeyalgorithms != NULL)
  		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
  		    compat_pkalg_proposal(options.hostkeyalgorithms);
-@@ -220,9 +235,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -223,9 +238,11 @@ ssh_kex2(char *host, struct sockaddr *ho
  	}
  	if (options.kex_algorithms != NULL)
  		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@@ -706,10 +701,9 @@ index b00658b..6a1562c 100644
  #ifdef GSSAPI
  	/* If we've got GSSAPI algorithms, then we also support the
  	 * 'null' hostkey, as a last resort */
-diff --git a/sshd.c b/sshd.c
-index b561ec8..e977de3 100644
---- a/sshd.c
-+++ b/sshd.c
+diff -up openssh-6.6p1/sshd.c.fips openssh-6.6p1/sshd.c
+--- openssh-6.6p1/sshd.c.fips	2015-08-13 15:09:43.352350121 +0200
++++ openssh-6.6p1/sshd.c	2015-08-13 15:09:43.359350109 +0200
 @@ -75,6 +75,8 @@
  #include <openssl/dh.h>
  #include <openssl/bn.h>
@@ -719,7 +713,7 @@ index b561ec8..e977de3 100644
  #include "openbsd-compat/openssl-compat.h"
  
  #ifdef HAVE_SECUREWARE
-@@ -1468,6 +1470,18 @@ main(int ac, char **av)
+@@ -1473,6 +1475,18 @@ main(int ac, char **av)
  #endif
  	__progname = ssh_get_progname(av[0]);
  
@@ -738,7 +732,7 @@ index b561ec8..e977de3 100644
  	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
  	saved_argc = ac;
  	rexec_argc = ac;
-@@ -1619,8 +1633,6 @@ main(int ac, char **av)
+@@ -1624,8 +1638,6 @@ main(int ac, char **av)
  	else
  		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
  
@@ -747,7 +741,7 @@ index b561ec8..e977de3 100644
  	/* If requested, redirect the logs to the specified logfile. */
  	if (logfile != NULL) {
  		log_redirect_stderr_to(logfile);
-@@ -1798,6 +1810,10 @@ main(int ac, char **av)
+@@ -1803,6 +1815,10 @@ main(int ac, char **av)
  		debug("private host key: #%d type %d %s", i, keytype,
  		    key_type(key ? key : pubkey));
  	}
@@ -758,7 +752,7 @@ index b561ec8..e977de3 100644
  	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
  		logit("Disabling protocol version 1. Could not load host key");
  		options.protocol &= ~SSH_PROTO_1;
-@@ -1961,6 +1977,10 @@ main(int ac, char **av)
+@@ -1966,6 +1982,10 @@ main(int ac, char **av)
  	/* Reinitialize the log (because of the fork above). */
  	log_init(__progname, options.log_level, options.log_facility, log_stderr);
  
@@ -769,7 +763,7 @@ index b561ec8..e977de3 100644
  	/* Chdir to the root directory so that the current disk can be
  	   unmounted if desired. */
  	if (chdir("/") == -1)
-@@ -2530,6 +2550,9 @@ do_ssh2_kex(void)
+@@ -2537,6 +2557,9 @@ do_ssh2_kex(void)
  	if (options.ciphers != NULL) {
  		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -779,7 +773,7 @@ index b561ec8..e977de3 100644
  	}
  	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2539,6 +2562,9 @@ do_ssh2_kex(void)
+@@ -2546,6 +2569,9 @@ do_ssh2_kex(void)
  	if (options.macs != NULL) {
  		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
  		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@@ -789,7 +783,7 @@ index b561ec8..e977de3 100644
  	}
  	if (options.compression == COMP_NONE) {
  		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-@@ -2549,6 +2575,8 @@ do_ssh2_kex(void)
+@@ -2556,6 +2582,8 @@ do_ssh2_kex(void)
  	}
  	if (options.kex_algorithms != NULL)
  		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@@ -798,7 +792,7 @@ index b561ec8..e977de3 100644
  
  	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
  	    myproposal[PROPOSAL_KEX_ALGS]);
-@@ -2575,10 +2603,14 @@ do_ssh2_kex(void)
+@@ -2582,10 +2610,14 @@ do_ssh2_kex(void)
  	if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
  		orig = NULL;
  
diff --git a/SOURCES/openssh-6.6p1-fix-ssh-copy-id-on-non-sh-shell.patch b/SOURCES/openssh-6.6p1-fix-ssh-copy-id-on-non-sh-shell.patch
new file mode 100644
index 0000000..358986b
--- /dev/null
+++ b/SOURCES/openssh-6.6p1-fix-ssh-copy-id-on-non-sh-shell.patch
@@ -0,0 +1,15 @@
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 8e1091c..4bba5d6 100644
+--- a/contrib/ssh-copy-id
++++ b/contrib/ssh-copy-id
+@@ -274,9 +274,7 @@ case "$REMOTE_VERSION" in
+       populate_new_ids 0
+     fi
+     [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
+-		umask 077 ;
++		exec sh -c 'umask 077; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1; if type restorecon >/dev/null 2>&1; then restorecon -F .ssh .ssh/authorized_keys; fi'" \
+-		mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
+-		if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \
+       || exit 1
+     ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
+     ;;
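Review bot: The new remote command wraps the whole key-installation script in `exec sh -c '…'`, presumably so it is parsed by a POSIX sh regardless of the remote user's login shell, but nothing near the line says so; a comment on the line above, `# run the script via sh -c so a non-sh remote login shell need not parse it`, would explain why the multi-line form was replaced. The body still relies on `umask 077` for the permissions of a freshly created `.ssh` directory and `authorized_keys` file, unchanged from the removed lines, so the behaviour on first use is preserved. The enclosing case arm starts outside this hunk.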
diff --git a/SOURCES/openssh-6.6p1-gssKexAlgorithms.patch b/SOURCES/openssh-6.6p1-gssKexAlgorithms.patch
new file mode 100644
index 0000000..fec7e7f
--- /dev/null
+++ b/SOURCES/openssh-6.6p1-gssKexAlgorithms.patch
@@ -0,0 +1,398 @@
+diff -up openssh-6.6p1/gss-genr.c.gsskexalg openssh-6.6p1/gss-genr.c
+--- openssh-6.6p1/gss-genr.c.gsskexalg	2015-08-14 16:07:33.271343064 +0200
++++ openssh-6.6p1/gss-genr.c	2015-08-14 16:07:33.338342936 +0200
+@@ -76,7 +76,8 @@ ssh_gssapi_oid_table_ok() {
+  */
+ 
+ char *
+-ssh_gssapi_client_mechanisms(const char *host, const char *client) {
++ssh_gssapi_client_mechanisms(const char *host, const char *client,
++    const char *kex) {
+ 	gss_OID_set gss_supported;
+ 	OM_uint32 min_status;
+ 
+@@ -84,12 +85,12 @@ ssh_gssapi_client_mechanisms(const char
+ 		return NULL;
+ 
+ 	return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
+-	    host, client));
++	    host, client, kex));
+ }
+ 
+ char *
+ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
+-    const char *host, const char *client) {
++    const char *host, const char *client, const char *kex) {
+ 	Buffer buf;
+ 	size_t i;
+ 	int oidpos, enclen;
+@@ -98,6 +99,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+ 	char deroid[2];
+ 	const EVP_MD *evp_md = EVP_md5();
+ 	EVP_MD_CTX md;
++	char *s, *cp, *p;
+ 
+ 	if (gss_enc2oid != NULL) {
+ 		for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
+@@ -111,6 +113,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+ 	buffer_init(&buf);
+ 
+ 	oidpos = 0;
++	s = cp = xstrdup(kex);
+ 	for (i = 0; i < gss_supported->count; i++) {
+ 		if (gss_supported->elements[i].length < 128 &&
+ 		    (*check)(NULL, &(gss_supported->elements[i]), host, client)) {
+@@ -129,26 +132,22 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+ 			enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
+ 			    encoded, EVP_MD_size(evp_md) * 2);
+ 
+-			if (oidpos != 0)
+-				buffer_put_char(&buf, ',');
+-
+-			buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
+-			    sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
+-			buffer_append(&buf, encoded, enclen);
+-			buffer_put_char(&buf, ',');
+-			buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 
+-			    sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
+-			buffer_append(&buf, encoded, enclen);
+-			buffer_put_char(&buf, ',');
+-			buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
+-			    sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
+-			buffer_append(&buf, encoded, enclen);
++			cp = strncpy(s, kex, strlen(kex));
++			for ((p = strsep(&cp, ",")); p && *p != '\0';
++				(p = strsep(&cp, ","))) {
++				if (buffer_len(&buf) != 0)
++					buffer_put_char(&buf, ',');
++				buffer_append(&buf, p,
++				    strlen(p));
++				buffer_append(&buf, encoded, enclen);
++			}
+ 
+ 			gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
+ 			gss_enc2oid[oidpos].encoded = encoded;
+ 			oidpos++;
+ 		}
+ 	}
++	free(s);
+ 	gss_enc2oid[oidpos].oid = NULL;
+ 	gss_enc2oid[oidpos].encoded = NULL;
+ 
+diff -up openssh-6.6p1/gss-serv.c.gsskexalg openssh-6.6p1/gss-serv.c
+--- openssh-6.6p1/gss-serv.c.gsskexalg	2015-08-14 16:07:33.296343016 +0200
++++ openssh-6.6p1/gss-serv.c	2015-08-14 16:07:33.338342936 +0200
+@@ -151,7 +151,7 @@ ssh_gssapi_server_mechanisms() {
+ 
+ 	ssh_gssapi_supported_oids(&supported);
+ 	return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,
+-	    NULL, NULL));
++	    NULL, NULL, options.gss_kex_algorithms));
+ }
+ 
+ /* Unprivileged */
+diff -up openssh-6.6p1/kex.c.gsskexalg openssh-6.6p1/kex.c
+--- openssh-6.6p1/kex.c.gsskexalg	2015-08-14 16:07:33.271343064 +0200
++++ openssh-6.6p1/kex.c	2015-08-14 16:07:33.339342935 +0200
+@@ -160,6 +160,29 @@ kex_names_valid(const char *names)
+ 	return 1;
+ }
+ 
++/* Validate GSS KEX method name list */
++int
++gss_kex_names_valid(const char *names)
++{
++	char *s, *cp, *p;
++
++	if (names == NULL || *names == '\0')
++		return 0;
++	s = cp = xstrdup(names);
++	for ((p = strsep(&cp, ",")); p && *p != '\0';
++	    (p = strsep(&cp, ","))) {
++		if (strncmp(p, "gss-", 4) != 0
++		  || kex_alg_by_name(p) == NULL) {
++			error("Unsupported KEX algorithm \"%.100s\"", p);
++			free(s);
++			return 0;
++		}
++	}
++	debug3("gss kex names ok: [%s]", names);
++	free(s);
++	return 1;
++}
++
+ /* put algorithm proposal into buffer */
+ static void
+ kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])
+diff -up openssh-6.6p1/readconf.c.gsskexalg openssh-6.6p1/readconf.c
+--- openssh-6.6p1/readconf.c.gsskexalg	2015-08-14 16:07:33.274343058 +0200
++++ openssh-6.6p1/readconf.c	2015-08-14 16:14:17.600574919 +0200
+@@ -55,6 +55,7 @@
+ #include "kex.h"
+ #include "mac.h"
+ #include "uidswap.h"
++#include "ssh-gss.h"
+ 
+ /* Format of the configuration file:
+ 
+@@ -142,7 +143,7 @@ typedef enum {
+ 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ 	oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
+-	oGssServerIdentity, 
++	oGssServerIdentity, oGssKexAlgorithms,
+ 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
+ 	oHashKnownHosts,
+@@ -191,6 +192,7 @@ static struct {
+ 	{ "gssapiclientidentity", oGssClientIdentity },
+ 	{ "gssapiserveridentity", oGssServerIdentity },
+ 	{ "gssapirenewalforcesrekey", oGssRenewalRekey },
++	{ "gssapikexalgorithms", oGssKexAlgorithms },
+ #else
+ 	{ "gssapiauthentication", oUnsupported },
+ 	{ "gssapikeyexchange", oUnsupported },
+@@ -198,6 +200,7 @@ static struct {
+ 	{ "gssapitrustdns", oUnsupported },
+ 	{ "gssapiclientidentity", oUnsupported },
+ 	{ "gssapirenewalforcesrekey", oUnsupported },
++	{ "gssapikexalgorithms", oUnsupported },
+ #endif
+ 	{ "fallbacktorsh", oDeprecated },
+ 	{ "usersh", oDeprecated },
+@@ -876,6 +879,18 @@ parse_time:
+ 		intptr = &options->gss_renewal_rekey;
+ 		goto parse_flag;
+ 
++	case oGssKexAlgorithms:
++		arg = strdelim(&s);
++		if (!arg || *arg == '\0')
++			fatal("%.200s line %d: Missing argument.",
++			    filename, linenum);
++		if (!gss_kex_names_valid(arg))
++			fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
++			    filename, linenum, arg ? arg : "<NONE>");
++		if (*activep && options->gss_kex_algorithms == NULL)
++			options->gss_kex_algorithms = xstrdup(arg);
++		break;
++
+ 	case oBatchMode:
+ 		intptr = &options->batch_mode;
+ 		goto parse_flag;
+@@ -1534,6 +1549,7 @@ initialize_options(Options * options)
+ 	options->gss_renewal_rekey = -1;
+ 	options->gss_client_identity = NULL;
+ 	options->gss_server_identity = NULL;
++	options->gss_kex_algorithms = NULL;
+ 	options->password_authentication = -1;
+ 	options->kbd_interactive_authentication = -1;
+ 	options->kbd_interactive_devices = NULL;
+@@ -1660,6 +1676,8 @@ fill_default_options(Options * options)
+ 		options->gss_trust_dns = 0;
+ 	if (options->gss_renewal_rekey == -1)
+ 		options->gss_renewal_rekey = 0;
++	if (options->gss_kex_algorithms == NULL)
++		options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+ 	if (options->password_authentication == -1)
+ 		options->password_authentication = 1;
+ 	if (options->kbd_interactive_authentication == -1)
+diff -up openssh-6.6p1/readconf.h.gsskexalg openssh-6.6p1/readconf.h
+--- openssh-6.6p1/readconf.h.gsskexalg	2015-08-14 16:07:33.274343058 +0200
++++ openssh-6.6p1/readconf.h	2015-08-14 16:07:33.339342935 +0200
+@@ -60,6 +60,7 @@ typedef struct {
+ 	int	gss_renewal_rekey;	/* Credential renewal forces rekey */
+ 	char    *gss_client_identity;   /* Principal to initiate GSSAPI with */
+ 	char    *gss_server_identity;   /* GSSAPI target principal */
++	char   *gss_kex_algorithms;	/* GSSAPI kex methods to be offered by client. */
+ 	int     password_authentication;	/* Try password
+ 						 * authentication. */
+ 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+diff -up openssh-6.6p1/servconf.c.gsskexalg openssh-6.6p1/servconf.c
+--- openssh-6.6p1/servconf.c.gsskexalg	2015-08-14 16:07:45.704319443 +0200
++++ openssh-6.6p1/servconf.c	2015-08-14 16:14:15.306579277 +0200
+@@ -54,6 +54,7 @@
+ #include "packet.h"
+ #include "hostfile.h"
+ #include "auth.h"
++#include "ssh-gss.h"
+ 
+ static void add_listen_addr(ServerOptions *, char *, int);
+ static void add_one_listen_addr(ServerOptions *, char *, int);
+@@ -112,6 +113,7 @@ initialize_server_options(ServerOptions
+ 	options->gss_cleanup_creds = -1;
+ 	options->gss_strict_acceptor = -1;
+ 	options->gss_store_rekey = -1;
++	options->gss_kex_algorithms = NULL;
+ 	options->password_authentication = -1;
+ 	options->kbd_interactive_authentication = -1;
+ 	options->challenge_response_authentication = -1;
+@@ -258,6 +260,8 @@ fill_default_server_options(ServerOption
+ 		options->gss_strict_acceptor = 1;
+ 	if (options->gss_store_rekey == -1)
+ 		options->gss_store_rekey = 0;
++	if (options->gss_kex_algorithms == NULL)
++		options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+ 	if (options->password_authentication == -1)
+ 		options->password_authentication = 1;
+ 	if (options->kbd_interactive_authentication == -1)
+@@ -360,7 +364,7 @@ typedef enum {
+ 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
+ 	sClientAliveCountMax, sAuthorizedKeysFile,
+ 	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
+-	sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
++	sGssKeyEx, sGssStoreRekey, sGssKexAlgorithms, sAcceptEnv, sPermitTunnel,
+ 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+ 	sUsePrivilegeSeparation, sAllowAgentForwarding,
+ 	sHostCertificate,
+@@ -434,6 +438,7 @@ static struct {
+ 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ 	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+ 	{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
++	{ "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
+ #else
+ 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+@@ -442,6 +447,7 @@ static struct {
+ 	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
++	{ "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
+ #endif
+ 	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
+@@ -1137,6 +1143,18 @@ process_server_config_line(ServerOptions
+ 		intptr = &options->gss_store_rekey;
+ 		goto parse_flag;
+ 
++	case sGssKexAlgorithms:
++		arg = strdelim(&cp);
++		if (!arg || *arg == '\0')
++			fatal("%.200s line %d: Missing argument.",
++			    filename, linenum);
++		if (!gss_kex_names_valid(arg))
++			fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
++			    filename, linenum, arg ? arg : "<NONE>");
++		if (*activep && options->gss_kex_algorithms == NULL)
++			options->gss_kex_algorithms = xstrdup(arg);
++		break;
++
+ 	case sPasswordAuthentication:
+ 		intptr = &options->password_authentication;
+ 		goto parse_flag;
+@@ -2068,6 +2086,7 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+ 	dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ 	dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
++	dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
+ #endif
+ 	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
+ 	dump_cfg_fmtint(sKbdInteractiveAuthentication,
+diff -up openssh-6.6p1/servconf.h.gsskexalg openssh-6.6p1/servconf.h
+--- openssh-6.6p1/servconf.h.gsskexalg	2015-08-14 16:07:48.160314777 +0200
++++ openssh-6.6p1/servconf.h	2015-08-14 16:09:34.447112854 +0200
+@@ -116,6 +116,7 @@ typedef struct {
+ 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
+ 	int 	gss_strict_acceptor;	/* If true, restrict the GSSAPI acceptor name */
+ 	int 	gss_store_rekey;
++	char   *gss_kex_algorithms;	/* GSSAPI kex methods to be offered by client. */
+ 	int     password_authentication;	/* If true, permit password
+ 						 * authentication. */
+ 	int     kbd_interactive_authentication;	/* If true, permit */
+diff -up openssh-6.6p1/sshconnect2.c.gsskexalg openssh-6.6p1/sshconnect2.c
+--- openssh-6.6p1/sshconnect2.c.gsskexalg	2015-08-14 16:07:33.304343001 +0200
++++ openssh-6.6p1/sshconnect2.c	2015-08-14 16:07:33.339342935 +0200
+@@ -179,7 +179,8 @@ ssh_kex2(char *host, struct sockaddr *ho
+ 		else
+ 			gss_host = host;
+ 
+-		gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
++		gss = ssh_gssapi_client_mechanisms(gss_host,
++		    options.gss_client_identity, options.gss_kex_algorithms);
+ 		if (gss) {
+ 			debug("Offering GSSAPI proposal: %s", gss);
+ 			xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
+diff -up openssh-6.6p1/ssh-gss.h.gsskexalg openssh-6.6p1/ssh-gss.h
+--- openssh-6.6p1/ssh-gss.h.gsskexalg	2015-08-14 16:07:33.278343050 +0200
++++ openssh-6.6p1/ssh-gss.h	2015-08-14 16:07:33.340342932 +0200
+@@ -76,6 +76,11 @@ extern char **k5users_allowed_cmds;
+ #define KEX_GSS_GRP14_SHA1_ID				"gss-group14-sha1-"
+ #define KEX_GSS_GEX_SHA1_ID				"gss-gex-sha1-"
+ 
++#define        GSS_KEX_DEFAULT_KEX \
++	KEX_GSS_GEX_SHA1_ID "," \
++	KEX_GSS_GRP1_SHA1_ID "," \
++	KEX_GSS_GRP14_SHA1_ID
++
+ typedef struct {
+ 	char *filename;
+ 	char *envvar;
+@@ -147,9 +152,9 @@ int ssh_gssapi_credentials_updated(Gssct
+ /* In the server */
+ typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *, 
+     const char *);
+-char *ssh_gssapi_client_mechanisms(const char *, const char *);
++char *ssh_gssapi_client_mechanisms(const char *, const char *, const char *);
+ char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
+-    const char *);
++    const char *, const char *);
+ gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
+ int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *, 
+     const char *);
+diff --git a/ssh.1 b/ssh.1
+index 4a7d1cd..c795c40 100644
+--- a/ssh.1
++++ b/ssh.1
+@@ -449,6 +449,7 @@ For full details of the options listed below, and their possible values, see
+ .It GSSAPIDelegateCredentials
+ .It GSSAPIRenewalForcesRekey
+ .It GSSAPITrustDns
++.It GSSAPIKexAlgorithms
+ .It HashKnownHosts
+ .It Host
+ .It HostbasedAuthentication
+diff --git a/ssh_config.5 b/ssh_config.5
+index c95fda6..a2af9c4 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -719,6 +719,18 @@ command line will be passed untouched to the GSSAPI library.
+ The default is
+ .Dq no .
+ This option only applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPIKexAlgorithms
++The list of key exchange algorithms that are offered for GSSAPI
++key exchange. Possible values are
++.Bd -literal -offset 3n
++gss-gex-sha1-,
++gss-group1-sha1-,
++gss-group14-sha1-
++.Ed
++.Pp
++The default is
++.Dq gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1- .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+diff --git a/sshd_config.5 b/sshd_config.5
+index 5e8c6c6..4c670aa 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -545,6 +545,18 @@ Controls whether the user's GSSAPI credentials should be updated following a
+ successful connection rekeying. This option can be used to accepted renewed 
+ or updated credentials from a compatible client. The default is
+ .Dq no .
++.It Cm GSSAPIKexAlgorithms
++The list of key exchange algorithms that are accepted by GSSAPI
++key exchange. Possible values are
++.Bd -literal -offset 3n
++gss-gex-sha1-,
++gss-group1-sha1-,
++gss-group14-sha1-
++.Ed
++.Pp
++The default is
++.Dq gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1- .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HostbasedAuthentication
+ Specifies whether rhosts or /etc/hosts.equiv authentication together
+ with successful public key client host authentication is allowed
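Review bot: In ssh_gssapi_kex_mechs() (gss-genr.c), `cp = strncpy(s, kex, strlen(kex));` re-fills the buffer that the previous iteration's strsep() cut into pieces, but it copies no terminator and only works because the NUL written by the earlier `xstrdup(kex)` is never overwritten; `memcpy(s, kex, strlen(kex) + 1); cp = s;` with a comment `/* restore the separators strsep() turned into NULs */` states the intent and does not depend on that. The defaults in readconf.c and servconf.c are set with an unchecked `strdup(GSS_KEX_DEFAULT_KEX)` while the option-parsing path in the same files uses xstrdup(); use xstrdup() for both. In both fatal() calls, `arg ? arg : "<NONE>"` is dead code since a NULL arg was already rejected two lines earlier. The servconf.h field comment `/* GSSAPI kex methods to be offered by client. */` was copied from readconf.h; on the server side it should read `/* GSSAPI kex methods accepted by the server. */`.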
diff --git a/SOURCES/openssh-6.6p1-ldap.patch b/SOURCES/openssh-6.6p1-ldap.patch
index 961cdf5..fb8dd2b 100644
--- a/SOURCES/openssh-6.6p1-ldap.patch
+++ b/SOURCES/openssh-6.6p1-ldap.patch
@@ -3,7 +3,7 @@ new file mode 100644
 index 0000000..dd5f5cc
 --- /dev/null
 +++ b/HOWTO.ldap-keys
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,125 @@
 +
 +HOW TO START
 +
@@ -51,6 +51,9 @@ index 0000000..dd5f5cc
 +  * There are some debug options
 +  * Example
 +	/usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
++7) Configure SELinux boolean which allows ldap-helper to bind ldap server
++  Run this command
++  # setsebool -P authlogin_nsswitch_use_ldap on
 +
 +HOW TO MIGRATE FROM LPK
 +
@@ -66,6 +69,20 @@ index 0000000..dd5f5cc
 +  * ssh-ldap-helper -d -d -d -d -s <username>
 +3) use tcpdump ... other ldap client etc.
 +
++HOW TO CONFIGURE SSH FOR OTHER LDAP CONFIGURATION / SERVER /SCHEMA
++
++You can adjust search format string in /etc/ldap.conf using
++ 1) SSH_Filter option to limit results for only specified users
++    (this appends search condition after original query)
++ 2) Account_Class option to define own user class name
++    (default is posixAccount)
++ 3) Search_Format option to define your own search string using expansion
++    characters %u for username and %f for above mentioned filter and
++    %c for above mentioned object class.
++
++Example:
++Search_Format (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)
++
 +ADVANTAGES
 +
 +1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
@@ -619,7 +636,7 @@ new file mode 100644
 index 0000000..3029108
 --- /dev/null
 +++ b/ldapbody.c
-@@ -0,0 +1,494 @@
+@@ -0,0 +1,493 @@
 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
@@ -653,8 +670,9 @@ index 0000000..3029108
 +#include "ldapbody.h"
 +#include <stdio.h>
 +#include <unistd.h>
++#include "misc.h"
 +
-+#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)"
++#define LDAPSEARCH_FORMAT "(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)"
 +#define PUBKEYATTR "sshPublicKey"
 +#define LDAP_LOGFILE	"%s/ldap.%d"
 +
@@ -1041,8 +1059,8 @@ index 0000000..3029108
 +process_user (const char *user, FILE *output)
 +{
 +	LDAPMessage *res, *e;
-+	char *buffer;
-+	int bufflen, rc, i;
++	char *buffer, *format;
++	int rc, i;
 +	struct timeval timeout;
 +
 +	debug ("LDAP process user");
@@ -1055,12 +1073,10 @@ index 0000000..3029108
 +	}
 +
 +	/* build  filter for LDAP request */
-+	bufflen = strlen (LDAPSEARCH_FORMAT) + strlen(options.account_class) + strlen (user);
-+	if (options.ssh_filter != NULL)
-+	    bufflen += strlen (options.ssh_filter);
-+	buffer = xmalloc (bufflen);
-+	snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
-+	buffer[bufflen - 1] = 0;
++	format = LDAPSEARCH_FORMAT;
++	if (options.search_format != NULL)
++		format = options.search_format;
++	buffer = percent_expand(format, "c", options.account_class, "u", user, "f", options.ssh_filter, (char *)NULL);
 +
 +	debug3 ("LDAP search scope = %d %s", options.scope, buffer);
 +
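Review bot: The new `percent_expand(format, ..., "f", options.ssh_filter, ...)` call passes options.ssh_filter, which is NULL when SSH_Filter is not configured (ldapconf.c initializes it to NULL and the manpage says the default is no filter); as far as I recall percent_expand() in misc.c rejects a NULL replacement with fatal(), so unless code outside this hunk fills in an empty default, the helper would abort for every user on a default configuration. Substitute an empty string instead: `"f", options.ssh_filter != NULL ? options.ssh_filter : "",`. Separately, `user` is interpolated into the LDAP filter unescaped; it arrives as a username from the caller, but escaping the RFC 4515 special characters (`*`, `(`, `)`, `\`, NUL) before expansion would keep an unexpected value from changing the shape of the query. process_user() starts and ends outside the hunk.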
@@ -1162,7 +1178,7 @@ new file mode 100644
 index 0000000..525060a
 --- /dev/null
 +++ b/ldapconf.c
-@@ -0,0 +1,720 @@
+@@ -0,0 +1,729 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
@@ -1206,7 +1222,7 @@ index 0000000..525060a
 +	lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
 +	lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
 +	lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
-+	lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
++	lTLS_RandFile, lLogDir, lDebug, lSSH_Filter, lSearch_Format,
 +	lAccountClass, lDeprecated, lUnsupported
 +} OpCodes;
 +
@@ -1259,6 +1275,7 @@ index 0000000..525060a
 +	{ "LogDir", lLogDir },
 +	{ "Debug", lDebug },
 +	{ "SSH_Filter", lSSH_Filter },
++	{ "Search_Format", lSearch_Format },
 +	{ "AccountClass", lAccountClass },
 +	{ NULL, lBadOption }
 +};
@@ -1479,6 +1496,7 @@ index 0000000..525060a
 +		else
 +			fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
 +		if (*intptr == -1)
++			*intptr = value;
 +		break;
 +
 +	case lSSLPath:
@@ -1543,6 +1561,7 @@ index 0000000..525060a
 +		else
 +			fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
 +		if (*intptr == -1)
++			*intptr = value;
 +		break;
 +
 +	case lTLS_CaCertFile:
@@ -1581,6 +1600,10 @@ index 0000000..525060a
 +		xstringptr = &options.ssh_filter;
 +		goto parse_xstring;
 +
++	case lSearch_Format:
++		charptr = &options.search_format;
++		goto parse_string;
++
 +	case lAccountClass:
 +		charptr = &options.account_class;
 +		goto parse_string;
@@ -1688,6 +1711,7 @@ index 0000000..525060a
 +	options.logdir = NULL;
 +	options.debug = -1;
 +	options.ssh_filter = NULL;
++	options.search_format = NULL;
 +	options.account_class = NULL;
 +}
 +
@@ -1880,6 +1904,7 @@ index 0000000..525060a
 +	dump_cfg_string(lLogDir, options.logdir);
 +	dump_cfg_int(lDebug, options.debug);
 +	dump_cfg_string(lSSH_Filter, options.ssh_filter);
++	dump_cfg_string(lSearch_Format, options.search_format);
 +	dump_cfg_string(lAccountClass, options.logdir);
 +}
 +
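Review bot: The unchanged line right below the added one, `dump_cfg_string(lAccountClass, options.logdir);`, prints the log directory under the AccountClass label; it should be `dump_cfg_string(lAccountClass, options.account_class);`. The added Search_Format dump line itself is consistent with the others. The enclosing dump function starts outside the hunk.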
@@ -1888,7 +1913,7 @@ new file mode 100644
 index 0000000..2cb550c
 --- /dev/null
 +++ b/ldapconf.h
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,73 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
@@ -1950,6 +1975,7 @@ index 0000000..2cb550c
 +	char *logdir;
 +	int debug;
 +	char *ssh_filter;
++	char *search_format;
 +	char *account_class;
 +}       Options;
 +
@@ -2649,8 +2675,14 @@ index 0000000..f7081b8
 +Specifies the debug level used for logging by the LDAP client library.
 +There is no default.
 +.It Cm SSH_Filter
-+Specifies the user filter applied on the LDAP serch.
++Specifies the user filter applied on the LDAP search.
 +The default is no filter.
++.It Cm search_format
++Specifies the user format of search string in LDAP substituting %u for user name
++and %f for additional ssh filter
++.Cm SSH_Filter
++(optional).
++The default value is (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%u)%f)
 +.It Cm AccountClass
 +Specifies the LDAP class used to find user accounts.
 +The default is posixAccount.
@@ -2670,3 +2702,51 @@ index 0000000..f7081b8
 +OpenSSH 5.5 + PKA-LDAP .
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchadima@redhat.com
+diff --git a/openssh-lpk-openldap.ldif b/openssh-lpk-openldap.ldif
+new file mode 100644
+index 0000000..9adf4b8
+--- /dev/null
++++ b/openssh-lpk-openldap.ldif
+@@ -0,0 +1,19 @@
++#
++# LDAP Public Key Patch schema for use with openssh-ldappubkey
++#                              useful with PKA-LDAP also
++#
++# Author: Eric AUGE <eau@phear.org>
++#
++# LDIF for openLDAP Directory Server.
++# Based on the original schema, modified by Jakub Jelen.
++#
++
++dn: cn=openssh-lpk,cn=schema,cn=config
++objectClass: olcSchemaConfig
++cn: openssh-lpk
++olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13
++  NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key'
++  EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
++olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0
++  NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass'
++  SUP top AUXILIARY MUST ( sshPublicKey $ uid ) )
+diff --git a/openssh-lpk-sun.ldif b/openssh-lpk-sun.ldif
+new file mode 100644
+index 0000000..9adf4b8
+--- /dev/null
++++ b/openssh-lpk-sun.ldif
+@@ -0,0 +1,17 @@
++#
++# LDAP Public Key Patch schema for use with openssh-ldappubkey
++#                              useful with PKA-LDAP also
++#
++# Author: Eric AUGE <eau@phear.org>
++#
++# LDIF for Sun Directory Server.
++# Based on the original schema, modified by Jakub Jelen.
++#
++
++dn: cn=schema
++attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13
++  NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key'
++  EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
++objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0
++  NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass'
++  SUP top AUXILIARY MUST ( sshPublicKey $ uid ) )
diff --git a/SOURCES/openssh-6.6p1-memory-problems.patch b/SOURCES/openssh-6.6p1-memory-problems.patch
new file mode 100644
index 0000000..f359193
--- /dev/null
+++ b/SOURCES/openssh-6.6p1-memory-problems.patch
@@ -0,0 +1,43 @@
+diff --git a/servconf.c b/servconf.c
+index ad5869b..0255ed3 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -1910,6 +1910,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+ 		dst->n = src->n; \
+ } while (0)
+ 
++	u_int i;
++
+ 	M_CP_INTOPT(password_authentication);
+ 	M_CP_INTOPT(gss_authentication);
+ 	M_CP_INTOPT(rsa_authentication);
+@@ -1947,8 +1949,10 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+ } while(0)
+ #define M_CP_STRARRAYOPT(n, num_n) do {\
+ 	if (src->num_n != 0) { \
++		for (i = 0; i < dst->num_n; i++) \
++			free(dst->n[i]); \
+ 		for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
+-			dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
++			dst->n[dst->num_n] = src->n[dst->num_n]; \
+ 	} \
+ } while(0)
+ 
+diff --git a/sshd.c b/sshd.c
+index 7e43153..f2a08f6 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2160,10 +2160,12 @@ main(int ac, char **av)
+ 	}
+ #endif /* LIBWRAP */
+ 
++	char *addr = get_local_ipaddr(sock_in);
+ 	/* Log the connection. */
+ 	verbose("Connection from %s port %d on %s port %d",
+ 	    remote_ip, remote_port,
+-	    get_local_ipaddr(sock_in), get_local_port());
++	    addr, get_local_port());
++	free(addr);
+ 
+ 	/*
+ 	 * We don't want to listen forever unless the other side
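Review bot: The rewritten M_CP_STRARRAYOPT in servconf.c stops duplicating the strings (`dst->n[dst->num_n] = src->n[dst->num_n];`), so after the copy dst and src hold the same pointers while the new loop above frees whatever dst held before; if src is ever freed after copy_set_server_options(), or the macro runs again with a dst that aliases an already-freed src, that is a use-after-free or double free. Either keep the xstrdup() (the added free loop then fixes the leak on its own) or make the ownership transfer explicit, e.g. `/* dst takes over src's strings; src must not be freed or reused after this */` on the macro and `src->n[i] = NULL` after each handover. Whether any caller frees src after the copy is outside this hunk. In sshd.c, `char *addr = get_local_ipaddr(sock_in);` is a declaration placed after statements mid-block; OpenSSH style keeps it with the other declarations at the top of main(), which starts outside the hunk.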
diff --git a/SOURCES/openssh-6.6p1-security-7.0.patch b/SOURCES/openssh-6.6p1-security-7.0.patch
new file mode 100644
index 0000000..1e6963d
--- /dev/null
+++ b/SOURCES/openssh-6.6p1-security-7.0.patch
@@ -0,0 +1,44 @@
+diff --git a/monitor.c b/monitor.c
+index b410965..f1b873d 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+-
+ 	debug3("%s", __func__);
+-	authctxt->user = buffer_get_string(m, NULL);
+ 	sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+ 	sshpam_authok = NULL;
+ 	buffer_clear(m);
+@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
++	int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+ 
+ 	debug3("%s", __func__);
+ 	(sshpam_device.free_ctx)(sshpam_ctxt);
++	sshpam_ctxt = sshpam_authok = NULL;
+ 	buffer_clear(m);
+ 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ 	auth_method = "keyboard-interactive";
+ 	auth_submethod = "pam";
+-	return (sshpam_authok == sshpam_ctxt);
++	return r;
+ }
+ #endif
+ 
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index e6217b3..eac421b 100644
+--- a/monitor_wrap.c
++++ b/monitor_wrap.c
+@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+ 
+ 	debug3("%s", __func__);
+ 	buffer_init(&m);
+-	buffer_put_cstring(&m, authctxt->user);
+ 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ 	debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
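Review bot: In mm_answer_pam_free_ctx(), `int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;` is deliberately evaluated before free_ctx() and before both pointers are reset, but nothing says so; a comment such as `/* decide before free_ctx() invalidates the pointers being compared */` keeps a later cleanup from moving it back after the free. Likewise, removing `authctxt->user = buffer_get_string(m, NULL);` from mm_answer_pam_init_ctx() means the monitor now uses the user name it already holds in its own authctxt rather than one supplied by the unprivileged process; a one-line comment there, `/* use the monitor's own authctxt->user; never take a name from the child */`, records that trust boundary for the next reader.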
diff --git a/SOURCES/openssh-6.6p1-sftp-force-permission.patch b/SOURCES/openssh-6.6p1-sftp-force-permission.patch
new file mode 100644
index 0000000..2853bdd
--- /dev/null
+++ b/SOURCES/openssh-6.6p1-sftp-force-permission.patch
@@ -0,0 +1,81 @@
+diff -up openssh-6.6p1/sftp-server.8.sftp-force-mode openssh-6.6p1/sftp-server.8
+--- openssh-6.6p1/sftp-server.8.sftp-force-mode	2013-10-15 03:07:05.000000000 +0200
++++ openssh-6.6p1/sftp-server.8	2015-04-20 14:04:47.427562510 +0200
+@@ -38,6 +38,7 @@
+ .Op Fl P Ar blacklisted_requests
+ .Op Fl p Ar whitelisted_requests
+ .Op Fl u Ar umask
++.Op Fl m Ar force_file_perms
+ .Ek
+ .Nm
+ .Fl Q Ar protocol_feature
+@@ -138,6 +139,10 @@ Sets an explicit
+ .Xr umask 2
+ to be applied to newly-created files and directories, instead of the
+ user's default mask.
++.It Fl m Ar force_file_perms
++Sets explicit file permissions to be applied to newly-created files instead
++of the default or client requested mode.  Numeric values include:
++777, 755, 750, 666, 644, 640, etc.  Option -u is ineffective if -m is set.
+ .El
+ .Pp
+ For logging to work,
+diff -up openssh-6.6p1/sftp-server.c.sftp-force-mode openssh-6.6p1/sftp-server.c
+--- openssh-6.6p1/sftp-server.c.sftp-force-mode	2015-04-20 14:04:47.420562526 +0200
++++ openssh-6.6p1/sftp-server.c	2015-04-20 14:07:13.799231025 +0200
+@@ -71,6 +71,10 @@ static Buffer oqueue;
+ /* Version of client */
+ static u_int version;
+ 
++/* Force file permissions */
++int permforce = 0;
++long permforcemode;
++
+ /* SSH2_FXP_INIT received */
+ static int init_done;
+ 
+@@ -675,6 +679,10 @@ process_open(u_int32_t id)
+ 	a = get_attrib();
+ 	flags = flags_from_portable(pflags);
+ 	mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666;
++	if (permforce == 1) {   /* Force perm if -m is set */
++		mode = permforcemode;
++		(void)umask(0); /* so umask does not interfere		 */
++	}	
+ 	logit("open \"%s\" flags %s mode 0%o",
+ 	    name, string_from_portable(pflags), mode);
+ 	if (readonly &&
+@@ -1430,7 +1438,7 @@ sftp_server_usage(void)
+ 	fprintf(stderr,
+ 	    "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
+ 	    "[-l log_level]\n\t[-P blacklisted_requests] "
+-	    "[-p whitelisted_requests] [-u umask]\n"
++	    "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n"
+ 	    "       %s -Q protocol_feature\n",
+ 	    __progname, __progname);
+ 	exit(1);
+@@ -1455,7 +1463,7 @@ sftp_server_main(int argc, char **argv,
+ 	pw = pwcopy(user_pw);
+ 
+ 	while (!skipargs && (ch = getopt(argc, argv,
+-	    "d:f:l:P:p:Q:u:cehR")) != -1) {
++	    "d:f:l:P:p:Q:u:m:cehR")) != -1) {
+ 		switch (ch) {
+ 		case 'Q':
+ 			if (strcasecmp(optarg, "requests") != 0) {
+@@ -1515,6 +1523,15 @@ sftp_server_main(int argc, char **argv,
+ 				fatal("Invalid umask \"%s\"", optarg);
+ 			(void)umask((mode_t)mask);
+ 			break;
++		case 'm':
++			/* Force permissions on file received via sftp */
++			permforce = 1;
++			permforcemode = strtol(optarg, &cp, 8);
++			if (permforcemode < 0 || permforcemode > 0777 ||
++			    *cp != '\0' || (permforcemode == 0 &&
++			    errno != 0))
++				fatal("Invalid file mode \"%s\"", optarg);
++			break;
+ 		case 'h':
+ 		default:
+ 			sftp_server_usage();
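Review bot: The new `case 'm':` in sftp_server_main() calls strtol() without clearing errno first, so `(permforcemode == 0 && errno != 0)` tests whatever errno an earlier call left behind, and it never checks `cp == optarg`, so `-m ""` is accepted as mode 0; add `errno = 0;` before the strtol() call and `cp == optarg ||` to the condition (the `-u` case just above probably already does both, its head is outside the hunk). `int permforce` and `long permforcemode` are file-scope but not `static`, unlike the neighbouring `static u_int version;`. The `(void)umask(0)` in process_open() runs on every open; it could be done once when `-m` is parsed, with a comment that `-m` therefore overrides `-u` as the manpage states. sftp_server_main() starts and ends outside the hunk.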
diff --git a/SOURCES/openssh-6.6p1-ssh-agent-and-xsecurity-bypass.patch b/SOURCES/openssh-6.6p1-ssh-agent-and-xsecurity-bypass.patch
new file mode 100644
index 0000000..3435cf2
--- /dev/null
+++ b/SOURCES/openssh-6.6p1-ssh-agent-and-xsecurity-bypass.patch
@@ -0,0 +1,214 @@
+diff -up openssh-6.6p1/channels.c.security openssh-6.6p1/channels.c
+--- openssh-6.6p1/channels.c.security	2015-07-01 19:27:08.521162690 +0200
++++ openssh-6.6p1/channels.c	2015-07-01 19:27:08.597162521 +0200
+@@ -151,6 +151,9 @@ static char *x11_saved_proto = NULL;
+ static char *x11_saved_data = NULL;
+ static u_int x11_saved_data_len = 0;
+ 
++/* Deadline after which all X11 connections are refused */
++static u_int x11_refuse_time;
++
+ /*
+  * Fake X11 authentication data.  This is what the server will be sending us;
+  * we should replace any occurrences of this by the real data.
+@@ -894,6 +897,13 @@ x11_open_helper(Buffer *b)
+ 	u_char *ucp;
+ 	u_int proto_len, data_len;
+ 
++	/* Is this being called after the refusal deadline? */
++	if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
++		verbose("Rejected X11 connection after ForwardX11Timeout "
++		    "expired");
++		return -1;
++	}
++
+ 	/* Check if the fixed size part of the packet is in buffer. */
+ 	if (buffer_len(b) < 12)
+ 		return 0;
+@@ -1457,6 +1467,12 @@ channel_set_reuseaddr(int fd)
+ 		error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
+ }
+ 
++void
++channel_set_x11_refuse_time(u_int refuse_time)
++{
++	x11_refuse_time = refuse_time;
++}
++
+ /*
+  * This socket is listening for connections to a forwarded TCP/IP port.
+  */
+diff -up openssh-6.6p1/channels.h.security openssh-6.6p1/channels.h
+--- openssh-6.6p1/channels.h.security	2015-07-01 19:27:08.597162521 +0200
++++ openssh-6.6p1/channels.h	2015-07-01 19:43:32.900950560 +0200
+@@ -279,6 +279,7 @@ int	 permitopen_port(const char *);
+ 
+ /* x11 forwarding */
+ 
++void	 channel_set_x11_refuse_time(u_int);
+ int	 x11_connect_display(void);
+ int	 x11_create_display_inet(int, int, int, u_int *, int **);
+ void     x11_input_open(int, u_int32_t, void *);
+diff -up openssh-6.6p1/clientloop.c.security openssh-6.6p1/clientloop.c
+--- openssh-6.6p1/clientloop.c.security	2015-07-01 19:27:08.540162648 +0200
++++ openssh-6.6p1/clientloop.c	2015-07-01 19:44:51.139761508 +0200
+@@ -164,7 +164,7 @@ static int connection_in;	/* Connection
+ static int connection_out;	/* Connection to server (output). */
+ static int need_rekeying;	/* Set to non-zero if rekeying is requested. */
+ static int session_closed;	/* In SSH2: login session closed. */
+-static int x11_refuse_time;	/* If >0, refuse x11 opens after this time. */
++static u_int x11_refuse_time;	/* If >0, refuse x11 opens after this time. */
+ 
+ static void client_init_dispatch(void);
+ int	session_ident = -1;
+@@ -302,7 +302,8 @@ client_x11_display_valid(const char *dis
+ 	return 1;
+ }
+ 
+-#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
++#define SSH_X11_PROTO		"MIT-MAGIC-COOKIE-1"
++#define X11_TIMEOUT_SLACK	60
+ void
+ client_x11_get_proto(const char *display, const char *xauth_path,
+     u_int trusted, u_int timeout, char **_proto, char **_data)
+@@ -315,7 +316,7 @@ client_x11_get_proto(const char *display
+ 	int got_data = 0, generated = 0, do_unlink = 0, i;
+ 	char *xauthdir, *xauthfile;
+ 	struct stat st;
+-	u_int now;
++	u_int now, x11_timeout_real;
+ 
+ 	xauthdir = xauthfile = NULL;
+ 	*_proto = proto;
+@@ -348,6 +349,15 @@ client_x11_get_proto(const char *display
+ 			xauthdir = xmalloc(MAXPATHLEN);
+ 			xauthfile = xmalloc(MAXPATHLEN);
+ 			mktemp_proto(xauthdir, MAXPATHLEN);
++			/*
++			 * The authentication cookie should briefly outlive
++			 * ssh's willingness to forward X11 connections to
++			 * avoid nasty fail-open behaviour in the X server.
++			 */
++			if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
++				x11_timeout_real = UINT_MAX;
++			else
++				x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
+ 			if (mkdtemp(xauthdir) != NULL) {
+ 				do_unlink = 1;
+ 				snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
+@@ -355,17 +365,20 @@ client_x11_get_proto(const char *display
+ 				snprintf(cmd, sizeof(cmd),
+ 				    "%s -f %s generate %s " SSH_X11_PROTO
+ 				    " untrusted timeout %u 2>" _PATH_DEVNULL,
+-				    xauth_path, xauthfile, display, timeout);
++				    xauth_path, xauthfile, display,
++				    x11_timeout_real);
+ 				debug2("x11_get_proto: %s", cmd);
+-				if (system(cmd) == 0)
+-					generated = 1;
+ 				if (x11_refuse_time == 0) {
+ 					now = monotime() + 1;
+ 					if (UINT_MAX - timeout < now)
+ 						x11_refuse_time = UINT_MAX;
+ 					else
+ 						x11_refuse_time = now + timeout;
++					channel_set_x11_refuse_time(
++					    x11_refuse_time);
+ 				}
++				if (system(cmd) == 0)
++					generated = 1;
+ 			}
+ 		}
+ 
+@@ -1884,7 +1897,7 @@ client_request_x11(const char *request_t
+ 		    "malicious server.");
+ 		return NULL;
+ 	}
+-	if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) {
++	if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
+ 		verbose("Rejected X11 connection after ForwardX11Timeout "
+ 		    "expired");
+ 		return NULL;
+diff -up openssh-6.6p1/ssh-agent.c.security openssh-6.6p1/ssh-agent.c
+--- openssh-6.6p1/ssh-agent.c.security	2015-07-01 19:27:08.597162521 +0200
++++ openssh-6.6p1/ssh-agent.c	2015-07-01 19:42:35.691088800 +0200
+@@ -64,6 +64,9 @@
+ #include <time.h>
+ #include <string.h>
+ #include <unistd.h>
++#ifdef HAVE_UTIL_H
++#include <util.h>
++#endif
+ 
+ #include "xmalloc.h"
+ #include "ssh.h"
+@@ -129,8 +130,12 @@ char socket_name[MAXPATHLEN];
+ char socket_dir[MAXPATHLEN];
+ 
+ /* locking */
++#define LOCK_SIZE	32
++#define LOCK_SALT_SIZE	16
++#define LOCK_ROUNDS	1
+ int locked = 0;
+-char *lock_passwd = NULL;
++char lock_passwd[LOCK_SIZE];
++char lock_salt[LOCK_SALT_SIZE];
+ 
+ extern char *__progname;
+ 
+@@ -548,22 +553,45 @@ send:
+ static void
+ process_lock_agent(SocketEntry *e, int lock)
+ {
+-	int success = 0;
+-	char *passwd;
++	int success = 0, delay;
++	char *passwd, passwdhash[LOCK_SIZE];
++	static u_int fail_count = 0;
++	size_t pwlen;
+ 
+ 	passwd = buffer_get_string(&e->request, NULL);
+-	if (locked && !lock && strcmp(passwd, lock_passwd) == 0) {
+-		locked = 0;
+-		explicit_bzero(lock_passwd, strlen(lock_passwd));
+-		free(lock_passwd);
+-		lock_passwd = NULL;
+-		success = 1;
++	pwlen = strlen(passwd);
++	if (pwlen == 0) {
++		debug("empty password not supported");
++	} else if (locked && !lock) {
++		if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt),
++		    passwdhash, sizeof(passwdhash), LOCK_ROUNDS) < 0)
++			fatal("bcrypt_pbkdf");
++		if (timingsafe_bcmp(passwdhash, lock_passwd, LOCK_SIZE) == 0) {
++			debug("agent unlocked");
++			locked = 0;
++			fail_count = 0;
++			explicit_bzero(lock_passwd, sizeof(lock_passwd));
++			success = 1;
++		} else {
++			/* delay in 0.1s increments up to 10s */
++			if (fail_count < 100)
++				fail_count++;
++			delay = 100000 * fail_count;
++			debug("unlock failed, delaying %0.1lf seconds",
++			    (double)delay/1000000);
++			usleep(delay);
++		}
++		explicit_bzero(passwdhash, sizeof(passwdhash));
+ 	} else if (!locked && lock) {
++		debug("agent locked");
+ 		locked = 1;
+-		lock_passwd = xstrdup(passwd);
++		arc4random_buf(lock_salt, sizeof(lock_salt));
++		if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt),
++		    lock_passwd, sizeof(lock_passwd), LOCK_ROUNDS) < 0)
++			fatal("bcrypt_pbkdf");
+ 		success = 1;
+ 	}
+-	explicit_bzero(passwd, strlen(passwd));
++	explicit_bzero(passwd, pwlen);
+ 	free(passwd);
+ 
+ 	buffer_put_int(&e->output, 1);
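Review bot: The failed-unlock delay in process_lock_agent sleeps inside the agent process itself, so while `usleep(delay);` runs every other client of the same agent socket is stalled for up to 10 s, and nothing at the call site says so; a comment such as `/* Sleeps the whole agent: every other client waits with us */` above the `usleep(delay);` line would make that trade-off explicit. `delay` is declared `int` while `usleep` takes `useconds_t`, and POSIX leaves arguments of one second or more implementation-defined (glibc accepts them); writing `useconds_t delay` and noting the glibc assumption next to it would be safer for other targets. The body of process_lock_agent continues past the end of this hunk.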
diff --git a/SOURCES/openssh-6.6p1-test-mode-all-values.patch b/SOURCES/openssh-6.6p1-test-mode-all-values.patch
new file mode 100644
index 0000000..05f83a0
--- /dev/null
+++ b/SOURCES/openssh-6.6p1-test-mode-all-values.patch
@@ -0,0 +1,73 @@
+diff --git a/servconf.c b/servconf.c
+index ad5869b..1171c33 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -1990,6 +1990,8 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
+ {
+ 	u_int i;
+ 
++	if (count <= 0)
++		return;
+ 	printf("%s", lookup_opcode_name(code));
+ 	for (i = 0; i < count; i++)
+ 		printf(" %s",  vals[i]);
+@@ -2028,7 +2030,7 @@ dump_config(ServerOptions *o)
+ 
+ 	/* integer arguments */
+ #ifdef USE_PAM
+-	dump_cfg_int(sUsePAM, o->use_pam);
++	dump_cfg_fmtint(sUsePAM, o->use_pam);
+ #endif
+ 	dump_cfg_int(sServerKeyBits, o->server_key_bits);
+ 	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
+@@ -2084,6 +2086,7 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
+ 	dump_cfg_fmtint(sUseDNS, o->use_dns);
+ 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
++	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
+ 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+ 	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
+ 	dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
+@@ -2094,14 +2097,15 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
+ 	    cipher_alg_list(',', 0));
+ 	dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(','));
+-	dump_cfg_string(sBanner, o->banner);
++	dump_cfg_string(sBanner, o->banner == NULL ? "none" : o->banner);
+ 	dump_cfg_string(sForceCommand, o->adm_forced_command);
+ 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
+ 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
+ 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
+ 	dump_cfg_string(sAuthorizedPrincipalsFile,
+ 	    o->authorized_principals_file);
+-	dump_cfg_string(sVersionAddendum, o->version_addendum);
++	dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0' ?
++	    "none" : o->version_addendum);
+ 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
+ 	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
+ 	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
+@@ -2117,7 +2121,7 @@ dump_config(ServerOptions *o)
+ 	    o->authorized_keys_files);
+ 	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
+ 	     o->host_key_files);
+-	dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
++	dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
+ 	     o->host_cert_files);
+ 	dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
+ 	dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
+diff --git a/ssh.1 b/ssh.1
+index f65e42f..4a7d1cd 100644
+--- a/ssh.1
++++ b/ssh.1
+@@ -444,7 +444,11 @@ For full details of the options listed below, and their possible values, see
+ .It GatewayPorts
+ .It GlobalKnownHostsFile
+ .It GSSAPIAuthentication
++.It GSSAPIKeyExchange
++.It GSSAPIClientIdentity
+ .It GSSAPIDelegateCredentials
++.It GSSAPIRenewalForcesRekey
++.It GSSAPITrustDns
+ .It HashKnownHosts
+ .It Host
+ .It HostbasedAuthentication
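Review bot: `if (count <= 0)` in dump_cfg_strarray_oneline compares a `u_int` against zero with `<=`, which is the same test as `== 0` and draws a -Wtype-limits warning; `if (count == 0)` states the intent. The new `*o->version_addendum == '\0'` test in dump_config dereferences the pointer unconditionally, unlike the neighbouring `o->banner == NULL` guard — presumably version_addendum is always filled with a default string before dump_config runs, but a short comment saying so would save the next reader the check. Both enclosing functions extend beyond their hunks.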
diff --git a/SOURCES/sshd.pam b/SOURCES/sshd.pam
index a80e450..0f5c061 100644
--- a/SOURCES/sshd.pam
+++ b/SOURCES/sshd.pam
@@ -2,6 +2,8 @@
 auth	   required	pam_sepermit.so
 auth       substack     password-auth
 auth       include      postlogin
+# Used with polkit to reauthorize users in remote sessions
+-auth      optional     pam_reauthorize.so prepare
 account    required     pam_nologin.so
 account    include      password-auth
 password   include      password-auth
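Review bot: The leading `-` in `-auth optional pam_reauthorize.so prepare` is the Linux-PAM marker that suppresses the "module missing" log when pam_reauthorize.so is not installed, and the comment above it only says what the module is for; extending it to `# Used with polkit to reauthorize users in remote sessions; the leading '-' skips this line quietly if the module is not installed` documents that the entry is intentionally optional. The same applies to the `-session` line in the second hunk of this file. That hunk also adds `session required pam_namespace.so` without a comment although, being `required`, a failure in it fails the whole session stack; a one-line note on why it is required rather than optional would help.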
@@ -10,6 +12,9 @@ session    required     pam_selinux.so close
 session    required     pam_loginuid.so
 # pam_selinux.so open should only be followed by sessions to be executed in the user context
 session    required     pam_selinux.so open env_params
+session    required     pam_namespace.so
 session    optional     pam_keyinit.so force revoke
 session    include      password-auth
 session    include      postlogin
+# Used with polkit to reauthorize users in remote sessions
+-session   optional     pam_reauthorize.so prepare
diff --git a/SOURCES/sshd.service b/SOURCES/sshd.service
index 4e3ea9b..eb87d32 100644
--- a/SOURCES/sshd.service
+++ b/SOURCES/sshd.service
@@ -1,5 +1,6 @@
 [Unit]
 Description=OpenSSH server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
 After=network.target sshd-keygen.service
 Wants=sshd-keygen.service
 
diff --git a/SOURCES/sshd.socket b/SOURCES/sshd.socket
index 94b9533..caa50c4 100644
--- a/SOURCES/sshd.socket
+++ b/SOURCES/sshd.socket
@@ -1,5 +1,6 @@
 [Unit]
 Description=OpenSSH Server Socket
+Documentation=man:sshd(8) man:sshd_config(5)
 Conflicts=sshd.service
 
 [Socket]
diff --git a/SOURCES/sshd@.service b/SOURCES/sshd@.service
index 0189d71..9fed0db 100644
--- a/SOURCES/sshd@.service
+++ b/SOURCES/sshd@.service
@@ -1,5 +1,6 @@
 [Unit]
 Description=OpenSSH per-connection server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
 Wants=sshd-keygen.service
 After=sshd-keygen.service
 
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index c4abf71..22c77f1 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -64,7 +64,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 6.6.1p1
-%define openssh_rel 12
+%define openssh_rel 22
 %define pam_ssh_agent_ver 0.9.3
 %define pam_ssh_agent_rel 9
 
@@ -219,6 +219,31 @@ Patch916: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
 Patch918: openssh-6.6.1p1-log-in-chroot.patch
 # MLS labeling according to chosen sensitivity (#1202843)
 Patch919: openssh-6.6.1p1-mls-fix-labeling.patch
+# sshd test mode show all config values (#1187597)
+Patch920: openssh-6.6p1-test-mode-all-values.patch
+# Add sftp option to force mode of created files (#1191055)
+Patch921: openssh-6.6p1-sftp-force-permission.patch
+# TERM env variable is always accepted by sshd, regardless the empty AcceptEnv setting (#1162683)
+Patch922: openssh-6.6p1-document-TERM-env.patch
+# fix ssh-copy-id on non-sh remote shells (#1201758)
+Patch923: openssh-6.6p1-fix-ssh-copy-id-on-non-sh-shell.patch
+# fix memory problem (#1223218)
+Patch924: openssh-6.6p1-memory-problems.patch
+# Enhance AllowGroups documentation in man page (#1150007)
+Patch925: openssh-6.6p1-allowGroups-documentation.patch
+# authentication limits (MaxAuthTries) bypass [security] (#1246521)
+Patch926: openssh-6.6p1-authentication-limits-bypass.patch
+# CVE-2015-5352: Security fixes backported from openssh-6.9 (#1247864)
+# XSECURITY restrictions bypass under certain conditions in ssh(1) (#1238231)
+# weakness of agent locking (ssh-add -x) to password guessing (#1238238)
+Patch927: openssh-6.6p1-ssh-agent-and-xsecurity-bypass.patch
+# provide option GssKexAlgorithms to disable vulnerable groun1 kex
+Patch928: openssh-6.6p1-gssKexAlgorithms.patch
+# Vulnerabilities published with openssh-7.0 (#1265807):
+#  Privilege separation weakness related to PAM support
+#  Use-after-free bug related to PAM support
+Patch929: openssh-6.6p1-security-7.0.patch
+
 
 License: BSD
 Group: Applications/Internet
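Review bot: The comment above Patch928 reads `vulnerable groun1 kex`; it should read `group1` (presumably the group1 GSSAPI key exchange the new option is meant to disable). The bug reference on Patch921, `(#1191055)`, does not match the changelog entry for the same feature added in this commit, which cites `(#1197989)`; one of the two is presumably wrong and worth reconciling. The remaining comments describe the security patches adequately.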
@@ -442,6 +467,16 @@ popd
 %patch918 -p1 -b .log-in-chroot
 %patch919 -p1 -b .mls-labels
 %patch802 -p1 -b .GSSAPIEnablek5users
+%patch920 -p1 -b .sshd-t
+%patch921 -p1 -b .sftp-force-mode
+%patch922 -p1 -b .term
+%patch923 -p1 -b .ssh-copy-id
+%patch924 -p1 -b .memory-problems
+%patch925 -p1 -b .allowGroups
+%patch926 -p1 -b .kbd
+%patch927 -p1 -b .xsecurity
+%patch928 -p1 -b .gsskexalg
+%patch929 -p1 -b .security7
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-fps
@@ -735,6 +770,7 @@ getent passwd sshd >/dev/null || \
 %files ldap
 %defattr(-,root,root)
 %doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf
+%doc openssh-lpk-openldap.ldif openssh-lpk-sun.ldif
 %attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
 %attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper
 %attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8*
@@ -765,6 +801,57 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Fri Sep 25 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-22 + 0.9.3-9
+- Use the correct constant for glob limits (#1160377)
+
+* Thu Sep 24 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-21 + 0.9.3-9
+- Extend memory limit for remote glob in sftp acc. to stat limit (#1160377)
+
+* Thu Sep 24 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-20 + 0.9.3-9
+- Fix vulnerabilities published with openssh-7.0 (#1265807)
+ - Privilege separation weakness related to PAM support
+ - Use-after-free bug related to PAM support
+
+* Thu Sep 24 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-19 + 0.9.3-9
+- Increase limit of files for glob match in sftp to 8192 (#1160377)
+
+* Tue Aug 18 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-18 + 0.9.3-9
+- Add GSSAPIKexAlgorithms option for server and client application (#1253062)
+
+* Wed Jul 29 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-17 + 0.9.3-9
+- Security fixes released with openssh-6.9 (CVE-2015-5352) (#1247864)
+ - XSECURITY restrictions bypass under certain conditions in ssh(1) (#1238231)
+ - weakness of agent locking (ssh-add -x) to password guessing (#1238238)
+
+* Mon Jul 27 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-16 + 0.9.3-9
+- only query each keyboard-interactive device once (CVE-2015-5600) (#1245971)
+
+* Wed Jul 15 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-15 + 0.9.3-9
+- One more typo in manual page documenting TERM variable (#1162683)
+- Fix race condition with auditing messages answers (#1240613)
+
+* Mon Jun 15 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-14 + 0.9.3-9
+- Fix ldif schema to have correct spacing on newlines (#1184938)
+- Add missing values for sshd test mode (#1187597)
+- ssh-copy-id: tcsh doesnt work with multiline strings (#1201758)
+- Fix memory problems with newkeys and array transfers (#1223218)
+- Enhance AllowGroups documentation in man page (#1150007)
+
+* Mon May 11 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-13 + 0.9.3-9
+- Increase limit of files for glob match in sftp (#1160377)
+- Add pam_reauthorize.so to /etc/pam.d/sshd (#1204233)
+- Show all config values in sshd test mode (#1187597)
+- Document required selinux boolean for working ssh-ldap-helper (#1178116)
+- Consistent usage of pam_namespace in sshd (#1125110)
+- Fix auditing when using combination of ForcedCommand and PTY (#1199112)
+- Add sftp option to force mode of created files (#1197989)
+- Ability to specify an arbitrary LDAP filter in ldap.conf for ssh-ldap-helper (#1201753)
+- Provide documentation line for systemd service and socket (#1181591)
+- Provide LDIF version of LPK schema (#1184938)
+- Document TERM environment variable (#1162683)
+- Fix ssh-copy-id on non-sh remote shells (#1201758)
+- Do not read RSA1 hostkeys for HostBased authentication in FIPS (#1197666)
+
 * Thu Mar 19 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-12 + 0.9.3-9
 - Fix labeling in MLS according to selected sensitivity (#1202843)