openssh/openssh-6.6p1-redhat.patch

diff --git a/ssh_config b/ssh_config
index 49a4f6c..3f83c40 100644
--- a/ssh_config
+++ b/ssh_config
@@ -50,3 +50,15 @@
 # Uncomment this if you want to use .local domain
 # Host *.local
 #   CheckHostIP no
+
+Host *
+	GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+	ForwardX11Trusted yes
+# Send locale-related environment variables
+	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+	SendEnv XMODIFIERS
diff --git a/sshd_config b/sshd_config
index c735429..e68ddee 100644
--- a/sshd_config
+++ b/sshd_config
@@ -10,6 +10,10 @@
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
@@ -21,10 +25,10 @@
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
 
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
@@ -36,6 +40,7 @@
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
+SyslogFacility AUTHPRIV
 #LogLevel INFO
 
 # Authentication:
@@ -71,9 +76,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
+PasswordAuthentication yes
 
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
 
 # Kerberos options
 #KerberosAuthentication no
@@ -82,8 +89,8 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #KerberosGetAFSToken no
 
 # GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
@@ -94,12 +101,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+UsePAM yes
 
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
@@ -122,6 +129,12 @@ UsePrivilegeSeparation sandbox		# Default for new installations.
 # no default banner path
 #Banner none
 
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server
 
diff --git a/sshd_config.0 b/sshd_config.0
index 413c260..87e7ee7 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -675,9 +675,9 @@ DESCRIPTION
 
      SyslogFacility
              Gives the facility code that is used when logging messages from
-             sshd(8).  The possible values are: DAEMON, USER, AUTH, LOCAL0,
-             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The
-             default is AUTH.
+             sshd(8).  The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+             The default is AUTH.
 
      TCPKeepAlive
              Specifies whether the system should send TCP keepalive messages
diff --git a/sshd_config.5 b/sshd_config.5
index ce71efe..12465c2 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1131,7 +1131,7 @@ Note that this option applies to protocol version 2 only.
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
 .Xr sshd 8 .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
 .It Cm TCPKeepAlive
rebase to openssh-6.6p1 2014-06-03 14:51:07 +00:00			`diff --git a/ssh_config b/ssh_config`
the .local domain example should be in ssh_config, not in sshd_config 2014-12-03 17:08:20 +00:00			`index 49a4f6c..3f83c40 100644`
rebase to openssh-6.6p1 2014-06-03 14:51:07 +00:00			`--- a/ssh_config`
			`+++ b/ssh_config`
the .local domain example should be in ssh_config, not in sshd_config 2014-12-03 17:08:20 +00:00			`@@ -50,3 +50,15 @@`
			`# Uncomment this if you want to use .local domain`
			`# Host *.local`
			`# CheckHostIP no`
			`+`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`+Host *`
			`+ GSSAPIAuthentication yes`
			`+# If this option is set to yes then remote X11 clients will have full access`
			`+# to the original X11 display. As virtually no X11 client supports the untrusted`
			`+# mode correctly we set this to yes.`
			`+ ForwardX11Trusted yes`
			`+# Send locale-related environment variables`
rebase for openssh-6.3p1, remove unused patches (#1007769) 2013-10-14 13:54:41 +00:00			`+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES`
			`+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE`
			`+ SendEnv XMODIFIERS`
rebase to openssh-6.6p1 2014-06-03 14:51:07 +00:00			`diff --git a/sshd_config b/sshd_config`
			`index c735429..e68ddee 100644`
			`--- a/sshd_config`
			`+++ b/sshd_config`
add SELinux comment to /etc/ssh/sshd_config about SELinux command to modify port (#861400) 2012-10-26 14:34:55 +00:00			`@@ -10,6 +10,10 @@`
			`# possible, but leave them commented. Uncommented options override the`
			`# default value.`

			`+# If you want to change the port on a SELinux system, you have to tell`
			`+# SELinux about this change.`
			`+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER`
			`+#`
			`#Port 22`
			`#AddressFamily any`
			`#ListenAddress 0.0.0.0`
rebase to openssh-6.6p1 2014-06-03 14:51:07 +00:00			`@@ -21,10 +25,10 @@`
use only rsa and ecdsa host keys by default 2013-12-09 16:30:18 +00:00			`# HostKey for protocol version 1`
			`#HostKey /etc/ssh/ssh_host_key`
			`# HostKeys for protocol version 2`
			`-#HostKey /etc/ssh/ssh_host_rsa_key`
			`+HostKey /etc/ssh/ssh_host_rsa_key`
			`#HostKey /etc/ssh/ssh_host_dsa_key`
			`-#HostKey /etc/ssh/ssh_host_ecdsa_key`
rebase to openssh-6.6p1 2014-06-03 14:51:07 +00:00			`-#HostKey /etc/ssh/ssh_host_ed25519_key`
use only rsa and ecdsa host keys by default 2013-12-09 16:30:18 +00:00			`+HostKey /etc/ssh/ssh_host_ecdsa_key`
rebase to openssh-6.6p1 2014-06-03 14:51:07 +00:00			`+HostKey /etc/ssh/ssh_host_ed25519_key`
use only rsa and ecdsa host keys by default 2013-12-09 16:30:18 +00:00
			`# Lifetime and size of ephemeral version 1 server key`
			`#KeyRegenerationInterval 1h`
rebase to openssh-6.6p1 2014-06-03 14:51:07 +00:00			`@@ -36,6 +40,7 @@`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`# Logging`
			`# obsoletes QuietMode and FascistLogging`
			`#SyslogFacility AUTH`
			`+SyslogFacility AUTHPRIV`
			`#LogLevel INFO`

			`# Authentication:`
rebase to openssh-6.6p1 2014-06-03 14:51:07 +00:00			`@@ -71,9 +76,11 @@ AuthorizedKeysFile .ssh/authorized_keys`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`# To disable tunneled clear text passwords, change to no here!`
			`#PasswordAuthentication yes`
			`#PermitEmptyPasswords no`
			`+PasswordAuthentication yes`

			`# Change to no to disable s/key passwords`
			`#ChallengeResponseAuthentication yes`
			`+ChallengeResponseAuthentication no`

			`# Kerberos options`
			`#KerberosAuthentication no`
rebase to openssh-6.6p1 2014-06-03 14:51:07 +00:00			`@@ -82,8 +89,8 @@ AuthorizedKeysFile .ssh/authorized_keys`
			`#KerberosGetAFSToken no`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00
			`# GSSAPI options`
rebase to openssh-6.6p1 2014-06-03 14:51:07 +00:00			`-#GSSAPIAuthentication no`
			`-#GSSAPICleanupCredentials yes`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`+GSSAPIAuthentication yes`
don't clean up gssapi credentials by default (#1055016) 2014-02-26 16:08:07 +00:00			`+GSSAPICleanupCredentials no`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00
rebase to openssh-6.6p1 2014-06-03 14:51:07 +00:00			`# Set this to 'yes' to enable PAM authentication, account processing,`
			`# and session processing. If this is enabled, PAM authentication will`
			`@@ -94,12 +101,12 @@ AuthorizedKeysFile .ssh/authorized_keys`
			`# If you just want the PAM account and session checks to run without`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`# PAM authentication, then enable this but set PasswordAuthentication`
			`# and ChallengeResponseAuthentication to 'no'.`
rebase to openssh-6.6p1 2014-06-03 14:51:07 +00:00			`-#UsePAM no`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`+UsePAM yes`

replace TwoFactorAuth with RequiredAuthentications[12] https://bugzilla.mindrot.org/show_bug.cgi?id=983 2012-02-06 21:15:10 +00:00			`#AllowAgentForwarding yes`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`#AllowTcpForwarding yes`
			`#GatewayPorts no`
rebase to openssh-6.6p1 2014-06-03 14:51:07 +00:00			`-#X11Forwarding no`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`+X11Forwarding yes`
			`#X11DisplayOffset 10`
			`#X11UseLocalhost yes`
rebase to openssh-6.6p1 2014-06-03 14:51:07 +00:00			`#PermitTTY yes`
			`@@ -122,6 +129,12 @@ UsePrivilegeSeparation sandbox # Default for new installations.`
ignore SIGPIPE in ssh keyscan 2011-09-07 13:12:54 +00:00			`# no default banner path`
			`#Banner none`

			`+# Accept locale-related environment variables`
			`+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES`
			`+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT`
			`+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE`
			`+AcceptEnv XMODIFIERS`
			`+`
			`# override default of no subsystems`
			`Subsystem sftp /usr/libexec/sftp-server`

rebase to openssh-6.6p1 2014-06-03 14:51:07 +00:00			`diff --git a/sshd_config.0 b/sshd_config.0`
			`index 413c260..87e7ee7 100644`
			`--- a/sshd_config.0`
			`+++ b/sshd_config.0`
			`@@ -675,9 +675,9 @@ DESCRIPTION`

			`SyslogFacility`
			`Gives the facility code that is used when logging messages from`
			`- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,`
			`- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The`
			`- default is AUTH.`
			`+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,`
			`+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.`
			`+ The default is AUTH.`

			`TCPKeepAlive`
			`Specifies whether the system should send TCP keepalive messages`
			`diff --git a/sshd_config.5 b/sshd_config.5`
			`index ce71efe..12465c2 100644`
			`--- a/sshd_config.5`
			`+++ b/sshd_config.5`
			`@@ -1131,7 +1131,7 @@ Note that this option applies to protocol version 2 only.`
			`.It Cm SyslogFacility`
			`Gives the facility code that is used when logging messages from`
			`.Xr sshd 8 .`
			`-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,`
			`+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,`
			`LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.`
			`The default is AUTH.`
			`.It Cm TCPKeepAlive`