Update to 5.4p1

2010-03-09 09:37:02 +00:00 · 2010-03-09 09:37:02 +00:00 · 3101856932
commit 3101856932
parent 172266f986
12 changed files with 587 additions and 2102 deletions
--- a/openssh-4.3p2-no-v6only.patch
+++ b/openssh-4.3p2-no-v6only.patch
@ -1,11 +0,0 @@
 --- openssh-4.3p2/channels.c.no-v6only	2006-07-17 15:39:31.000000000 +0200
 +++ openssh-4.3p2/channels.c	2006-08-08 12:44:51.000000000 +0200
@@ -2794,7 +2794,7 @@
 				}
 			}
 #ifdef IPV6_V6ONLY
 -			if (ai->ai_family == AF_INET6) {
 +			if (x11_use_localhost && ai->ai_family == AF_INET6) {
 				int on = 1;
 				if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
 					error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno));
--- a/openssh-5.2p1-engine.patch
+++ b/openssh-5.2p1-engine.patch
@ -1,9 +0,0 @@
 --- openssh-5.2p1/openbsd-compat/openssl-compat.c~	2010-01-27 17:36:29.000000000 -0500
 +++ openssh-5.2p1/openbsd-compat/openssl-compat.c	2010-01-28 10:52:53.000000000 -0500
@@ -58,5 +58,6 @@
 	/* Enable use of crypto hardware */
 	ENGINE_load_builtin_engines();
 	ENGINE_register_all_complete();
 +	OPENSSL_config(NULL);
 }
 #endif
--- a/openssh-5.2p1-sesftp.patch
+++ b/openssh-5.2p1-sesftp.patch
@ -1,64 +0,0 @@
 diff -up openssh-5.2p1/openbsd-compat/port-linux.c.sesftp openssh-5.2p1/openbsd-compat/port-linux.c
 --- openssh-5.2p1/openbsd-compat/port-linux.c.sesftp	2009-08-12 00:29:37.712368892 +0200
 +++ openssh-5.2p1/openbsd-compat/port-linux.c	2009-08-12 00:29:37.732544890 +0200
@@ -469,4 +469,36 @@ ssh_selinux_setup_pty(char *pwname, cons
 		freecon(user_ctx);
 	debug3("%s: done", __func__);
 }
 +
 +void
 +ssh_selinux_change_context(const char *newname)
 +{
 +	int len, newlen;
 +	char *oldctx, *newctx, *cx;
 +
 +	if (!ssh_selinux_enabled())
 +		return;
 +
 +	if (getcon((security_context_t *)&oldctx) < 0) {
 +		logit("%s: getcon failed with %s", __func__, strerror (errno));
 +		return;
 +	}
 +	if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) == NULL) {
 +		logit ("%s: unparseable context %s", __func__, oldctx);
 +		return;
 +	}
 +
 +	newlen = strlen(oldctx) + strlen(newname) + 1;
 +	newctx = xmalloc(newlen);
 +	len = cx - oldctx + 1;
 +	memcpy(newctx, oldctx, len);
 +	strlcpy(newctx + len, newname, newlen - len);
 +	if ((cx = index(cx + 1, ':')))
 +		strlcat(newctx, cx, newlen);
 +	debug3("%s: setting context from '%s' to '%s'", __func__, oldctx, newctx);
 +	if (setcon(newctx) < 0)
 +		logit("%s: setcon failed with %s", __func__, strerror (errno));
 +	xfree(oldctx);
 +	xfree(newctx);
 +}
 #endif /* WITH_SELINUX */
 diff -up openssh-5.2p1/openbsd-compat/port-linux.h.sesftp openssh-5.2p1/openbsd-compat/port-linux.h
 --- openssh-5.2p1/openbsd-compat/port-linux.h.sesftp	2008-03-26 21:27:21.000000000 +0100
 +++ openssh-5.2p1/openbsd-compat/port-linux.h	2009-08-12 00:29:37.733388083 +0200
@@ -23,6 +23,7 @@
 int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);
 void ssh_selinux_setup_exec_context(char *);
 +void ssh_selinux_change_context(const char *);
 #endif
 #endif /* ! _PORT_LINUX_H */
 diff -up openssh-5.2p1/session.c.sesftp openssh-5.2p1/session.c
 --- openssh-5.2p1/session.c.sesftp	2009-08-12 00:29:37.659250161 +0200
 +++ openssh-5.2p1/session.c	2009-08-12 00:29:37.729578695 +0200
@@ -1798,6 +1798,9 @@ do_child(Session *s, const char *command
 		argv[i] = NULL;
 		optind = optreset = 1;
 		__progname = argv[0];
 +#ifdef WITH_SELINUX
 +		ssh_selinux_change_context("sftpd_t");
 +#endif
 		exit(sftp_server_main(i, argv, s->pw));
 	}
--- a/openssh-5.3p1-nss-keys.patch
+++ b/openssh-5.3p1-nss-keys.patch
--- a/openssh-5.4p1-fips.patch
+++ b/openssh-5.4p1-fips.patch
@ -1,15 +1,15 @@
-diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c
+diff -up openssh-5.4p1/auth2-pubkey.c.fips openssh-5.4p1/auth2-pubkey.c
--- openssh-5.3p1/auth2-pubkey.c.fips	2009-10-02 14:12:00.000000000 +0200
+--- openssh-5.4p1/auth2-pubkey.c.fips	2010-03-01 17:55:26.000000000 +0100
-+++ openssh-5.3p1/auth2-pubkey.c	2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.4p1/auth2-pubkey.c	2010-03-01 17:57:56.000000000 +0100
-@@ -33,6 +33,7 @@
+@@ -35,6 +35,7 @@
- #include <stdio.h>
+ #include <string.h>
- #include <stdarg.h>
+ #include <time.h>
 #include <unistd.h>
 +#include <openssl/fips.h>
 #include "xmalloc.h"
 #include "ssh.h"
-@@ -240,7 +241,7 @@ user_key_allowed2(struct passwd *pw, Key
+@@ -269,7 +270,7 @@ user_key_allowed2(struct passwd *pw, Key
 			found_key = 1;
 			debug("matching key found: file %s, line %lu",
 			    file, linenum);
@ -18,10 +18,10 @@ diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c
 			verbose("Found matching %s key: %s",
 			    key_type(found), fp);
 			xfree(fp);
-diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c
+diff -up openssh-5.4p1/authfile.c.fips openssh-5.4p1/authfile.c
--- openssh-5.3p1/authfile.c.fips	2006-09-01 07:38:36.000000000 +0200
+--- openssh-5.4p1/authfile.c.fips	2010-01-12 09:42:29.000000000 +0100
-+++ openssh-5.3p1/authfile.c	2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.4p1/authfile.c	2010-03-01 17:55:28.000000000 +0100
-@@ -143,8 +143,14 @@ key_save_private_rsa1(Key *key, const ch
+@@ -146,8 +146,14 @@ key_save_private_rsa1(Key *key, const ch
 	/* Allocate space for the private part of the key in the buffer. */
 	cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@ -38,7 +38,7 @@ diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c
 	cipher_crypt(&ciphercontext, cp,
 	    buffer_ptr(&buffer), buffer_len(&buffer));
 	cipher_cleanup(&ciphercontext);
-@@ -414,8 +420,14 @@ key_load_private_rsa1(int fd, const char
+@@ -421,8 +427,14 @@ key_load_private_rsa1(int fd, const char
 	cp = buffer_append_space(&decrypted, buffer_len(&buffer));
 	/* Rest of the buffer is encrypted.  Decrypt it using the passphrase. */
@ -55,9 +55,9 @@ diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c
 	cipher_crypt(&ciphercontext, cp,
 	    buffer_ptr(&buffer), buffer_len(&buffer));
 	cipher_cleanup(&ciphercontext);
-diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c
+diff -up openssh-5.4p1/cipher.c.fips openssh-5.4p1/cipher.c
--- openssh-5.3p1/cipher.c.fips	2009-10-02 13:44:03.000000000 +0200
+--- openssh-5.4p1/cipher.c.fips	2010-03-01 15:09:22.000000000 +0100
-+++ openssh-5.3p1/cipher.c	2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.4p1/cipher.c	2010-03-01 17:55:28.000000000 +0100
@@ -40,6 +40,7 @@
 #include <sys/types.h>
@ -142,9 +142,9 @@ diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c
 }
 /*
-diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c
+diff -up openssh-5.4p1/cipher-ctr.c.fips openssh-5.4p1/cipher-ctr.c
--- openssh-5.3p1/cipher-ctr.c.fips	2007-06-14 15:21:33.000000000 +0200
+--- openssh-5.4p1/cipher-ctr.c.fips	2007-06-14 15:21:33.000000000 +0200
-+++ openssh-5.3p1/cipher-ctr.c	2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.4p1/cipher-ctr.c	2010-03-01 17:55:28.000000000 +0100
@@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
 	aes_ctr.do_cipher = ssh_aes_ctr;
 #ifndef SSH_OLD_EVP
@ -155,9 +155,9 @@ diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c
 #endif
 	return (&aes_ctr);
 }
-diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h
+diff -up openssh-5.4p1/cipher.h.fips openssh-5.4p1/cipher.h
--- openssh-5.3p1/cipher.h.fips	2009-01-28 06:38:41.000000000 +0100
+--- openssh-5.4p1/cipher.h.fips	2009-01-28 06:38:41.000000000 +0100
-+++ openssh-5.3p1/cipher.h	2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.4p1/cipher.h	2010-03-01 17:55:28.000000000 +0100
@@ -78,7 +78,7 @@ void	 cipher_init(CipherContext *, Ciphe
     const u_char *, u_int, int);
 void	 cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
@ -167,9 +167,9 @@ diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h
 u_int	 cipher_blocksize(const Cipher *);
 u_int	 cipher_keylen(const Cipher *);
 u_int	 cipher_is_cbc(const Cipher *);
-diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c
+diff -up openssh-5.4p1/mac.c.fips openssh-5.4p1/mac.c
--- openssh-5.3p1/mac.c.fips	2008-06-13 02:58:50.000000000 +0200
+--- openssh-5.4p1/mac.c.fips	2008-06-13 02:58:50.000000000 +0200
-+++ openssh-5.3p1/mac.c	2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.4p1/mac.c	2010-03-01 17:55:28.000000000 +0100
@@ -28,6 +28,7 @@
 #include <sys/types.h>
@ -219,10 +219,10 @@ diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c
 	for (i = 0; macs[i].name; i++) {
 		if (strcmp(name, macs[i].name) == 0) {
-diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in
+diff -up openssh-5.4p1/Makefile.in.fips openssh-5.4p1/Makefile.in
--- openssh-5.3p1/Makefile.in.fips	2009-10-02 14:12:00.000000000 +0200
+--- openssh-5.4p1/Makefile.in.fips	2010-02-24 08:18:51.000000000 +0100
-+++ openssh-5.3p1/Makefile.in	2009-10-02 14:20:18.000000000 +0200
+++ openssh-5.4p1/Makefile.in	2010-03-01 17:55:28.000000000 +0100
-@@ -136,28 +136,28 @@ libssh.a: $(LIBSSH_OBJS)
+@@ -139,31 +139,31 @@ libssh.a: $(LIBSSH_OBJS)
 	$(RANLIB) $@
 ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@ -240,28 +240,31 @@ diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in
 -	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
- ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o
+ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
-	$(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+-	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
 -	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
- ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o
+ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
 -	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
 -	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 +	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h
+diff -up openssh-5.4p1/myproposal.h.fips openssh-5.4p1/myproposal.h
--- openssh-5.3p1/myproposal.h.fips	2009-01-28 06:33:31.000000000 +0100
+--- openssh-5.4p1/myproposal.h.fips	2010-02-26 21:55:05.000000000 +0100
-+++ openssh-5.3p1/myproposal.h	2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.4p1/myproposal.h	2010-03-01 17:55:28.000000000 +0100
-@@ -53,7 +53,12 @@
+@@ -55,7 +55,12 @@
 	"hmac-sha1-96,hmac-md5-96"
 #define	KEX_DEFAULT_COMP	"none,zlib@openssh.com,zlib"
 #define	KEX_DEFAULT_LANG	""
@ -275,23 +278,9 @@ diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h
 static char *myproposal[PROPOSAL_MAX] = {
 	KEX_DEFAULT_KEX,
-diff -up openssh-5.3p1/nsskeys.c.fips openssh-5.3p1/nsskeys.c
+diff -up openssh-5.4p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.4p1/openbsd-compat/bsd-arc4random.c
--- openssh-5.3p1/nsskeys.c.fips	2009-10-02 14:12:00.000000000 +0200
+--- openssh-5.4p1/openbsd-compat/bsd-arc4random.c.fips	2008-06-04 02:54:00.000000000 +0200
-+++ openssh-5.3p1/nsskeys.c	2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.4p1/openbsd-compat/bsd-arc4random.c	2010-03-01 17:55:28.000000000 +0100
@@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k)
 			break;
 	}
 -	p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
 -	debug("fingerprint %u %s", key_size(k), p);
 +	p = key_fingerprint(k, SSH_FP_SHA1, SSH_FP_HEX);
 +	debug("SHA1 fingerprint %u %s", key_size(k), p);
 	xfree(p);
 	return 0;
 diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbsd-compat/bsd-arc4random.c
 --- openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips	2008-06-04 02:54:00.000000000 +0200
 +++ openssh-5.3p1/openbsd-compat/bsd-arc4random.c	2009-10-02 14:12:00.000000000 +0200
@@ -39,6 +39,7 @@
 static int rc4_ready = 0;
 static RC4_KEY rc4;
@ -333,9 +322,9 @@ diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbs
 #endif /* !HAVE_ARC4RANDOM */
 #ifndef ARC4RANDOM_BUF
-diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c
+diff -up openssh-5.4p1/ssh-add.c.fips openssh-5.4p1/ssh-add.c
--- openssh-5.3p1/ssh-add.c.fips	2009-10-02 14:12:00.000000000 +0200
+--- openssh-5.4p1/ssh-add.c.fips	2010-02-26 21:55:06.000000000 +0100
-+++ openssh-5.3p1/ssh-add.c	2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.4p1/ssh-add.c	2010-03-01 17:55:28.000000000 +0100
@@ -42,6 +42,7 @@
 #include <sys/param.h>
@ -343,8 +332,8 @@ diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c
 +#include <openssl/fips.h>
 #include "openbsd-compat/openssl-compat.h"
- #ifdef HAVE_LIBNSS
+ #include <fcntl.h>
-@@ -254,7 +255,7 @@ list_identities(AuthenticationConnection
+@@ -270,7 +271,7 @@ list_identities(AuthenticationConnection
 		    key = ssh_get_next_identity(ac, &comment, version)) {
 			had_identities = 1;
 			if (do_fp) {
@ -353,9 +342,9 @@ diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c
 				    SSH_FP_HEX);
 				printf("%d %s %s (%s)\n",
 				    key_size(key), fp, comment, key_type(key));
-diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c
+diff -up openssh-5.4p1/ssh-agent.c.fips openssh-5.4p1/ssh-agent.c
--- openssh-5.3p1/ssh-agent.c.fips	2009-10-02 14:12:00.000000000 +0200
+--- openssh-5.4p1/ssh-agent.c.fips	2010-02-26 21:55:06.000000000 +0100
-+++ openssh-5.3p1/ssh-agent.c	2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.4p1/ssh-agent.c	2010-03-01 17:55:28.000000000 +0100
@@ -51,6 +51,7 @@
 #include <openssl/evp.h>
@ -364,7 +353,7 @@ diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c
 #include "openbsd-compat/openssl-compat.h"
 #include <errno.h>
-@@ -200,9 +201,9 @@ confirm_key(Identity *id)
+@@ -199,9 +200,9 @@ confirm_key(Identity *id)
 	char *p;
 	int ret = -1;
@ -377,9 +366,9 @@ diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c
 		ret = 0;
 	xfree(p);
-diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
+diff -up openssh-5.4p1/ssh.c.fips openssh-5.4p1/ssh.c
--- openssh-5.3p1/ssh.c.fips	2009-10-02 14:12:00.000000000 +0200
+--- openssh-5.4p1/ssh.c.fips	2010-02-26 21:55:06.000000000 +0100
-+++ openssh-5.3p1/ssh.c	2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.4p1/ssh.c	2010-03-01 17:55:28.000000000 +0100
@@ -72,6 +72,8 @@
 #include <openssl/evp.h>
@ -389,7 +378,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
 #include "openbsd-compat/openssl-compat.h"
 #include "openbsd-compat/sys-queue.h"
-@@ -221,6 +223,10 @@ main(int ac, char **av)
+@@ -225,6 +227,10 @@ main(int ac, char **av)
 	sanitise_stdfd();
 	__progname = ssh_get_progname(av[0]);
@ -400,8 +389,8 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
 	init_rng();
 	/*
-@@ -281,6 +287,9 @@ main(int ac, char **av)
+@@ -285,6 +291,9 @@ main(int ac, char **av)
- 	    "ACD:F:I:KL:MNO:PR:S:TVw:XYy")) != -1) {
+ 	    "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
 		switch (opt) {
 		case '1':
 +			if (FIPS_mode()) {
@ -410,7 +399,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
 			options.protocol = SSH_PROTO_1;
 			break;
 		case '2':
-@@ -552,7 +561,6 @@ main(int ac, char **av)
+@@ -581,7 +590,6 @@ main(int ac, char **av)
 	if (!host)
 		usage();
@ -418,7 +407,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
 	ERR_load_crypto_strings();
 	/* Initialize the command to execute on remote host. */
-@@ -638,6 +646,10 @@ main(int ac, char **av)
+@@ -667,6 +675,10 @@ main(int ac, char **av)
 	seed_rng();
@ -429,7 +418,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
 	if (options.user == NULL)
 		options.user = xstrdup(pw->pw_name);
-@@ -704,6 +716,12 @@ main(int ac, char **av)
+@@ -733,6 +745,12 @@ main(int ac, char **av)
 	timeout_ms = options.connection_timeout * 1000;
@ -442,9 +431,9 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
 	/* Open a connection to the remote host. */
 	if (ssh_connect(host, &hostaddr, options.port,
 	    options.address_family, options.connection_attempts, &timeout_ms,
-diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c
+diff -up openssh-5.4p1/sshconnect2.c.fips openssh-5.4p1/sshconnect2.c
--- openssh-5.3p1/sshconnect2.c.fips	2009-10-02 14:12:00.000000000 +0200
+--- openssh-5.4p1/sshconnect2.c.fips	2010-03-01 17:55:28.000000000 +0100
-+++ openssh-5.3p1/sshconnect2.c	2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.4p1/sshconnect2.c	2010-03-01 17:55:29.000000000 +0100
@@ -44,6 +44,8 @@
 #include <vis.h>
 #endif
@ -477,7 +466,7 @@ diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c
 	if (options.hostkeyalgorithms != NULL)
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 		    options.hostkeyalgorithms;
-@@ -508,8 +518,8 @@ input_userauth_pk_ok(int type, u_int32_t
+@@ -529,8 +539,8 @@ input_userauth_pk_ok(int type, u_int32_t
 		    key->type, pktype);
 		goto done;
 	}
@ -488,19 +477,19 @@ diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c
 	xfree(fp);
 	/*
-diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
+diff -up openssh-5.4p1/sshconnect.c.fips openssh-5.4p1/sshconnect.c
--- openssh-5.3p1/sshconnect.c.fips	2009-10-02 14:12:00.000000000 +0200
+--- openssh-5.4p1/sshconnect.c.fips	2010-02-26 21:55:06.000000000 +0100
-+++ openssh-5.3p1/sshconnect.c	2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.4p1/sshconnect.c	2010-03-01 17:55:29.000000000 +0100
@@ -40,6 +40,8 @@
 #include <string.h>
 #include <unistd.h>
 #include <fcntl.h>
 +#include <openssl/fips.h>
 +
 #include "xmalloc.h"
 #include "key.h"
 #include "hostfile.h"
-@@ -763,6 +765,7 @@ check_host_key(char *hostname, struct so
+@@ -789,6 +791,7 @@ check_host_key(char *hostname, struct so
 			goto fail;
 		} else if (options.strict_host_key_checking == 2) {
 			char msg1[1024], msg2[1024];
@ -508,7 +497,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
 			if (show_other_keys(host, host_key))
 				snprintf(msg1, sizeof(msg1),
-@@ -771,8 +774,8 @@ check_host_key(char *hostname, struct so
+@@ -797,8 +800,8 @@ check_host_key(char *hostname, struct so
 			else
 				snprintf(msg1, sizeof(msg1), ".");
 			/* The default */
@ -519,7 +508,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
 			    SSH_FP_RANDOMART);
 			msg2[0] = '\0';
 			if (options.verify_host_key_dns) {
-@@ -788,10 +791,10 @@ check_host_key(char *hostname, struct so
+@@ -814,10 +817,10 @@ check_host_key(char *hostname, struct so
 			snprintf(msg, sizeof(msg),
 			    "The authenticity of host '%.200s (%s)' can't be "
 			    "established%s\n"
@ -532,7 +521,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
 			    options.visual_host_key ? "\n" : "",
 			    options.visual_host_key ? ra : "",
 			    msg2);
-@@ -1079,17 +1082,18 @@ show_key_from_file(const char *file, con
+@@ -1131,17 +1134,18 @@ show_key_from_file(const char *file, con
 	Key *found;
 	char *fp, *ra;
 	int line, ret;
@ -555,7 +544,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
 		xfree(ra);
 		xfree(fp);
 	}
-@@ -1135,8 +1139,9 @@ warn_changed_key(Key *host_key)
+@@ -1187,8 +1191,9 @@ warn_changed_key(Key *host_key)
 {
 	char *fp;
 	const char *type = key_type(host_key);
@ -566,7 +555,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
 	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
 	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
-@@ -1144,8 +1149,8 @@ warn_changed_key(Key *host_key)
+@@ -1196,8 +1201,8 @@ warn_changed_key(Key *host_key)
 	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
 	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
 	error("It is also possible that the %s host key has just been changed.", type);
@ -577,9 +566,9 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
 	error("Please contact your system administrator.");
 	xfree(fp);
-diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
+diff -up openssh-5.4p1/sshd.c.fips openssh-5.4p1/sshd.c
--- openssh-5.3p1/sshd.c.fips	2009-10-02 14:12:00.000000000 +0200
+--- openssh-5.4p1/sshd.c.fips	2010-03-01 17:55:27.000000000 +0100
-+++ openssh-5.3p1/sshd.c	2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.4p1/sshd.c	2010-03-01 17:55:29.000000000 +0100
@@ -76,6 +76,8 @@
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@ -589,7 +578,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
 #include "openbsd-compat/openssl-compat.h"
 #ifdef HAVE_SECUREWARE
-@@ -1261,6 +1263,12 @@ main(int ac, char **av)
+@@ -1298,6 +1300,12 @@ main(int ac, char **av)
 	(void)set_auth_parameters(ac, av);
 #endif
 	__progname = ssh_get_progname(av[0]);
@ -602,7 +591,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
 	init_rng();
 	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
-@@ -1413,8 +1421,6 @@ main(int ac, char **av)
+@@ -1459,8 +1467,6 @@ main(int ac, char **av)
 	else
 		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -611,7 +600,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
 	/*
 	 * Force logging to stderr until we have loaded the private host
 	 * key (unless started from inetd)
-@@ -1532,6 +1538,10 @@ main(int ac, char **av)
+@@ -1578,6 +1584,10 @@ main(int ac, char **av)
 		debug("private host key: #%d type %d %s", i, key->type,
 		    key_type(key));
 	}
@ -622,7 +611,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
 	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
 		logit("Disabling protocol version 1. Could not load host key");
 		options.protocol &= ~SSH_PROTO_1;
-@@ -1656,6 +1666,10 @@ main(int ac, char **av)
+@@ -1742,6 +1752,10 @@ main(int ac, char **av)
 	/* Initialize the random number generator. */
 	arc4random_stir();
@ -633,7 +622,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
 	/* Chdir to the root directory so that the current disk can be
 	   unmounted if desired. */
 	chdir("/");
-@@ -2183,6 +2197,9 @@ do_ssh2_kex(void)
+@@ -2274,6 +2288,9 @@ do_ssh2_kex(void)
 	if (options.ciphers != NULL) {
 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -643,7 +632,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
 	}
 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2192,6 +2209,9 @@ do_ssh2_kex(void)
+@@ -2283,6 +2300,9 @@ do_ssh2_kex(void)
 	if (options.macs != NULL) {
 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -653,9 +642,9 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
 	}
 	if (options.compression == COMP_NONE) {
 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c
+diff -up openssh-5.4p1/ssh-keygen.c.fips openssh-5.4p1/ssh-keygen.c
--- openssh-5.3p1/ssh-keygen.c.fips	2009-10-02 14:12:00.000000000 +0200
+--- openssh-5.4p1/ssh-keygen.c.fips	2010-02-26 21:55:06.000000000 +0100
-+++ openssh-5.3p1/ssh-keygen.c	2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.4p1/ssh-keygen.c	2010-03-01 17:55:29.000000000 +0100
@@ -21,6 +21,7 @@
 #include <openssl/evp.h>
@ -664,7 +653,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c
 #include "openbsd-compat/openssl-compat.h"
 #include <errno.h>
-@@ -537,7 +538,7 @@ do_fingerprint(struct passwd *pw)
+@@ -524,7 +525,7 @@ do_fingerprint(struct passwd *pw)
 	enum fp_type fptype;
 	struct stat st;
@ -673,7 +662,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c
 	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
 	if (!have_identity)
-@@ -1506,14 +1507,15 @@ passphrase_again:
+@@ -1808,14 +1809,15 @@ passphrase_again:
 	fclose(f);
 	if (!quiet) {
--- a/openssh-5.4p1-gsskex.patch
+++ b/openssh-5.4p1-gsskex.patch
@ -1,6 +1,6 @@
-diff -up openssh-5.3p1/auth2.c.gsskex openssh-5.3p1/auth2.c
+diff -up openssh-5.4p1/auth2.c.gsskex openssh-5.4p1/auth2.c
--- openssh-5.3p1/auth2.c.gsskex	2009-11-20 14:38:55.000000000 +0100
+--- openssh-5.4p1/auth2.c.gsskex	2010-03-01 18:14:24.000000000 +0100
-+++ openssh-5.3p1/auth2.c	2009-11-20 14:39:04.000000000 +0100
+++ openssh-5.4p1/auth2.c	2010-03-01 18:14:28.000000000 +0100
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
 extern Authmethod method_kbdint;
 extern Authmethod method_hostbased;
@ -35,9 +35,9 @@ diff -up openssh-5.3p1/auth2.c.gsskex openssh-5.3p1/auth2.c
 			authctxt->failures++;
 		if (authctxt->failures >= options.max_authtries) {
 #ifdef SSH_AUDIT_EVENTS
-diff -up openssh-5.3p1/auth2-gss.c.gsskex openssh-5.3p1/auth2-gss.c
+diff -up openssh-5.4p1/auth2-gss.c.gsskex openssh-5.4p1/auth2-gss.c
--- openssh-5.3p1/auth2-gss.c.gsskex	2009-11-20 14:38:55.000000000 +0100
+--- openssh-5.4p1/auth2-gss.c.gsskex	2010-03-01 18:14:24.000000000 +0100
-+++ openssh-5.3p1/auth2-gss.c	2009-11-20 14:39:04.000000000 +0100
+++ openssh-5.4p1/auth2-gss.c	2010-03-01 18:14:28.000000000 +0100
@@ -1,7 +1,7 @@
 /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
@ -137,9 +137,9 @@ diff -up openssh-5.3p1/auth2-gss.c.gsskex openssh-5.3p1/auth2-gss.c
 Authmethod method_gssapi = {
 	"gssapi-with-mic",
 	userauth_gssapi,
-diff -up openssh-5.3p1/auth.h.gsskex openssh-5.3p1/auth.h
+diff -up openssh-5.4p1/auth.h.gsskex openssh-5.4p1/auth.h
--- openssh-5.3p1/auth.h.gsskex	2009-11-20 14:38:55.000000000 +0100
+--- openssh-5.4p1/auth.h.gsskex	2010-03-01 18:14:25.000000000 +0100
-+++ openssh-5.3p1/auth.h	2009-11-20 14:39:04.000000000 +0100
+++ openssh-5.4p1/auth.h	2010-03-01 18:14:28.000000000 +0100
@@ -53,6 +53,7 @@ struct Authctxt {
 	int		 valid;		/* user exists and is allowed to login */
 	int		 attempt;
@ -148,10 +148,10 @@ diff -up openssh-5.3p1/auth.h.gsskex openssh-5.3p1/auth.h
 	int		 force_pwchange;
 	char		*user;		/* username sent by the client */
 	char		*service;
-diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
+diff -up openssh-5.4p1/auth-krb5.c.gsskex openssh-5.4p1/auth-krb5.c
--- openssh-5.3p1/auth-krb5.c.gsskex	2006-08-05 04:39:39.000000000 +0200
+--- openssh-5.4p1/auth-krb5.c.gsskex	2009-12-21 00:49:22.000000000 +0100
-+++ openssh-5.3p1/auth-krb5.c	2009-11-20 14:39:04.000000000 +0100
+++ openssh-5.4p1/auth-krb5.c	2010-03-01 18:14:28.000000000 +0100
-@@ -166,8 +166,13 @@ auth_krb5_password(Authctxt *authctxt, c
+@@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c
 	len = strlen(authctxt->krb5_ticket_file) + 6;
 	authctxt->krb5_ccname = xmalloc(len);
@ -165,7 +165,7 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
 #ifdef USE_PAM
 	if (options.use_pam)
-@@ -219,15 +224,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
+@@ -226,15 +231,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
 #ifndef HEIMDAL
 krb5_error_code
 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@ -190,7 +190,7 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
 	old_umask = umask(0177);
 	tmpfd = mkstemp(ccname + strlen("FILE:"));
 	umask(old_umask);
-@@ -242,6 +254,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
+@@ -249,6 +261,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
 		return errno;
 	}
 	close(tmpfd);
@ -198,9 +198,9 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
 	return (krb5_cc_resolve(ctx, ccname, ccache));
 }
-diff -up /dev/null openssh-5.3p1/ChangeLog.gssapi
+diff -up openssh-5.4p1/ChangeLog.gssapi.gsskex openssh-5.4p1/ChangeLog.gssapi
--- /dev/null	2009-11-13 11:29:57.672908570 +0100
+--- openssh-5.4p1/ChangeLog.gssapi.gsskex	2010-03-01 18:14:28.000000000 +0100
-+++ openssh-5.3p1/ChangeLog.gssapi	2009-11-20 14:39:04.000000000 +0100
+++ openssh-5.4p1/ChangeLog.gssapi	2010-03-01 18:14:28.000000000 +0100
@@ -0,0 +1,95 @@
 +20090615
 +  - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
@ -297,9 +297,9 @@ diff -up /dev/null openssh-5.3p1/ChangeLog.gssapi
 +    add support for GssapiTrustDns option for gssapi-with-mic
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <gssapi-with-mic support is Bugzilla #1008>
-diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c
+diff -up openssh-5.4p1/clientloop.c.gsskex openssh-5.4p1/clientloop.c
--- openssh-5.3p1/clientloop.c.gsskex	2009-08-28 03:21:07.000000000 +0200
+--- openssh-5.4p1/clientloop.c.gsskex	2010-01-30 07:28:35.000000000 +0100
-+++ openssh-5.3p1/clientloop.c	2009-11-20 14:48:53.000000000 +0100
+++ openssh-5.4p1/clientloop.c	2010-03-01 18:14:28.000000000 +0100
@@ -111,6 +111,10 @@
 #include "msg.h"
 #include "roaming.h"
@ -311,7 +311,7 @@ diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c
 /* import options */
 extern Options options;
-@@ -1430,6 +1434,13 @@ client_loop(int have_pty, int escape_cha
+@@ -1431,6 +1435,13 @@ client_loop(int have_pty, int escape_cha
 		/* Do channel operations unless rekeying in progress. */
 		if (!rekeying) {
 			channel_after_select(readset, writeset);
@ -325,9 +325,9 @@ diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c
 			if (need_rekeying || packet_need_rekeying()) {
 				debug("need rekeying");
 				xxx_kex->done = 0;
-diff -up openssh-5.3p1/configure.ac.gsskex openssh-5.3p1/configure.ac
+diff -up openssh-5.4p1/configure.ac.gsskex openssh-5.4p1/configure.ac
--- openssh-5.3p1/configure.ac.gsskex	2009-11-20 14:39:02.000000000 +0100
+--- openssh-5.4p1/configure.ac.gsskex	2010-03-01 18:14:27.000000000 +0100
-+++ openssh-5.3p1/configure.ac	2009-11-20 14:39:04.000000000 +0100
+++ openssh-5.4p1/configure.ac	2010-03-01 18:14:28.000000000 +0100
@@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary("
 	    [Use tunnel device compatibility to OpenBSD])
 	AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
@ -359,9 +359,9 @@ diff -up openssh-5.3p1/configure.ac.gsskex openssh-5.3p1/configure.ac
 	m4_pattern_allow(AU_IPv)
 	AC_CHECK_DECL(AU_IPv4, [], 
 	    AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records])
-diff -up openssh-5.3p1/gss-genr.c.gsskex openssh-5.3p1/gss-genr.c
+diff -up openssh-5.4p1/gss-genr.c.gsskex openssh-5.4p1/gss-genr.c
--- openssh-5.3p1/gss-genr.c.gsskex	2009-06-22 08:11:07.000000000 +0200
+--- openssh-5.4p1/gss-genr.c.gsskex	2009-06-22 08:11:07.000000000 +0200
-+++ openssh-5.3p1/gss-genr.c	2009-11-20 14:39:04.000000000 +0100
+++ openssh-5.4p1/gss-genr.c	2010-03-01 18:14:28.000000000 +0100
@@ -39,12 +39,167 @@
 #include "buffer.h"
 #include "log.h"
@ -700,9 +700,9 @@ diff -up openssh-5.3p1/gss-genr.c.gsskex openssh-5.3p1/gss-genr.c
 +}
 +
 #endif /* GSSAPI */
-diff -up openssh-5.3p1/gss-serv.c.gsskex openssh-5.3p1/gss-serv.c
+diff -up openssh-5.4p1/gss-serv.c.gsskex openssh-5.4p1/gss-serv.c
--- openssh-5.3p1/gss-serv.c.gsskex	2008-05-19 07:05:07.000000000 +0200
+--- openssh-5.4p1/gss-serv.c.gsskex	2008-05-19 07:05:07.000000000 +0200
-+++ openssh-5.3p1/gss-serv.c	2009-11-20 14:39:05.000000000 +0100
+++ openssh-5.4p1/gss-serv.c	2010-03-01 18:14:28.000000000 +0100
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
@ -1016,9 +1016,9 @@ diff -up openssh-5.3p1/gss-serv.c.gsskex openssh-5.3p1/gss-serv.c
 }
 #endif
-diff -up openssh-5.3p1/gss-serv-krb5.c.gsskex openssh-5.3p1/gss-serv-krb5.c
+diff -up openssh-5.4p1/gss-serv-krb5.c.gsskex openssh-5.4p1/gss-serv-krb5.c
--- openssh-5.3p1/gss-serv-krb5.c.gsskex	2006-09-01 07:38:36.000000000 +0200
+--- openssh-5.4p1/gss-serv-krb5.c.gsskex	2006-09-01 07:38:36.000000000 +0200
-+++ openssh-5.3p1/gss-serv-krb5.c	2009-11-20 14:39:04.000000000 +0100
+++ openssh-5.4p1/gss-serv-krb5.c	2010-03-01 18:14:28.000000000 +0100
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
@ -1139,12 +1139,12 @@ diff -up openssh-5.3p1/gss-serv-krb5.c.gsskex openssh-5.3p1/gss-serv-krb5.c
 };
 #endif /* KRB5 */
-diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c
+diff -up openssh-5.4p1/kex.c.gsskex openssh-5.4p1/kex.c
--- openssh-5.3p1/kex.c.gsskex	2009-06-21 10:15:25.000000000 +0200
+--- openssh-5.4p1/kex.c.gsskex	2010-01-08 06:50:41.000000000 +0100
-+++ openssh-5.3p1/kex.c	2009-11-20 14:50:11.000000000 +0100
+++ openssh-5.4p1/kex.c	2010-03-01 18:18:42.000000000 +0100
-@@ -49,6 +49,10 @@
+@@ -50,6 +50,10 @@
 #include "dispatch.h"
 #include "monitor.h"
 #include "roaming.h"
 +#ifdef GSSAPI
 +#include "ssh-gss.h"
@ -1153,7 +1153,7 @@ diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 # if defined(HAVE_EVP_SHA256)
 # define evp_ssh_sha256 EVP_sha256
-@@ -325,6 +329,20 @@ choose_kex(Kex *k, char *client, char *s
+@@ -326,6 +330,20 @@ choose_kex(Kex *k, char *client, char *s
 		k->kex_type = KEX_DH_GEX_SHA256;
 		k->evp_md = evp_ssh_sha256();
 #endif
@ -1174,9 +1174,9 @@ diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c
 	} else
 		fatal("bad kex alg %s", k->name);
 }
-diff -up /dev/null openssh-5.3p1/kexgssc.c
+diff -up openssh-5.4p1/kexgssc.c.gsskex openssh-5.4p1/kexgssc.c
--- /dev/null	2009-11-13 11:29:57.672908570 +0100
+--- openssh-5.4p1/kexgssc.c.gsskex	2010-03-01 18:14:28.000000000 +0100
-+++ openssh-5.3p1/kexgssc.c	2009-11-20 14:39:05.000000000 +0100
+++ openssh-5.4p1/kexgssc.c	2010-03-01 18:14:28.000000000 +0100
@@ -0,0 +1,334 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1512,9 +1512,9 @@ diff -up /dev/null openssh-5.3p1/kexgssc.c
 +}
 +
 +#endif /* GSSAPI */
-diff -up /dev/null openssh-5.3p1/kexgsss.c
+diff -up openssh-5.4p1/kexgsss.c.gsskex openssh-5.4p1/kexgsss.c
--- /dev/null	2009-11-13 11:29:57.672908570 +0100
+--- openssh-5.4p1/kexgsss.c.gsskex	2010-03-01 18:14:28.000000000 +0100
-+++ openssh-5.3p1/kexgsss.c	2009-11-20 14:39:05.000000000 +0100
+++ openssh-5.4p1/kexgsss.c	2010-03-01 18:14:28.000000000 +0100
@@ -0,0 +1,288 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1804,10 +1804,10 @@ diff -up /dev/null openssh-5.3p1/kexgsss.c
 +		ssh_gssapi_rekey_creds();
 +}
 +#endif /* GSSAPI */
-diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
+diff -up openssh-5.4p1/kex.h.gsskex openssh-5.4p1/kex.h
--- openssh-5.3p1/kex.h.gsskex	2009-06-21 10:15:25.000000000 +0200
+--- openssh-5.4p1/kex.h.gsskex	2010-02-26 21:55:05.000000000 +0100
-+++ openssh-5.3p1/kex.h	2009-11-20 14:39:05.000000000 +0100
+++ openssh-5.4p1/kex.h	2010-03-01 18:14:28.000000000 +0100
-@@ -66,6 +66,9 @@ enum kex_exchange {
+@@ -67,6 +67,9 @@ enum kex_exchange {
 	KEX_DH_GRP14_SHA1,
 	KEX_DH_GEX_SHA1,
 	KEX_DH_GEX_SHA256,
@ -1817,7 +1817,7 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
 	KEX_MAX
 };
-@@ -121,6 +124,12 @@ struct Kex {
+@@ -123,6 +126,12 @@ struct Kex {
 	sig_atomic_t done;
 	int	flags;
 	const EVP_MD *evp_md;
@ -1830,7 +1830,7 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
 	char	*client_version_string;
 	char	*server_version_string;
 	int	(*verify_host_key)(Key *);
-@@ -143,6 +152,11 @@ void	 kexdh_server(Kex *);
+@@ -146,6 +155,11 @@ void	 kexdh_server(Kex *);
 void	 kexgex_client(Kex *);
 void	 kexgex_server(Kex *);
@ -1842,54 +1842,58 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
 void
 kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
     BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
-diff -up openssh-5.3p1/key.c.gsskex openssh-5.3p1/key.c
+diff -up openssh-5.4p1/key.c.gsskex openssh-5.4p1/key.c
--- openssh-5.3p1/key.c.gsskex	2009-11-20 14:38:59.000000000 +0100
+--- openssh-5.4p1/key.c.gsskex	2010-02-26 21:55:05.000000000 +0100
-+++ openssh-5.3p1/key.c	2009-11-20 14:39:05.000000000 +0100
+++ openssh-5.4p1/key.c	2010-03-01 18:20:43.000000000 +0100
-@@ -825,6 +825,8 @@ key_type_from_name(char *name)
+@@ -969,6 +969,8 @@ key_type_from_name(char *name)
- 		return KEY_RSA;
+ 		return KEY_RSA_CERT;
- 	} else if (strcmp(name, "ssh-dss") == 0) {
+ 	} else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
- 		return KEY_DSA;
+ 		return KEY_DSA_CERT;
 +	} else if (strcmp(name, "null") == 0) {
 +		return KEY_NULL;
 	}
 	debug2("key_type_from_name: unknown key type '%s'", name);
 	return KEY_UNSPEC;
-diff -up openssh-5.3p1/key.h.gsskex openssh-5.3p1/key.h
+diff -up openssh-5.4p1/key.h.gsskex openssh-5.4p1/key.h
--- openssh-5.3p1/key.h.gsskex	2009-11-20 14:38:59.000000000 +0100
+--- openssh-5.4p1/key.h.gsskex	2010-02-26 21:55:05.000000000 +0100
-+++ openssh-5.3p1/key.h	2009-11-20 14:50:59.000000000 +0100
+++ openssh-5.4p1/key.h	2010-03-01 18:21:22.000000000 +0100
-@@ -40,6 +40,7 @@ enum types {
+@@ -37,6 +37,7 @@ enum types {
 	KEY_RSA,
 	KEY_DSA,
- 	KEY_NSS,
+ 	KEY_RSA_CERT,
 	KEY_DSA_CERT,
 +	KEY_NULL,
 	KEY_UNSPEC
 };
 enum fp_type {
-diff -up openssh-5.3p1/Makefile.in.gsskex openssh-5.3p1/Makefile.in
+diff -up openssh-5.4p1/Makefile.in.gsskex openssh-5.4p1/Makefile.in
--- openssh-5.3p1/Makefile.in.gsskex	2009-11-20 14:39:02.000000000 +0100
+--- openssh-5.4p1/Makefile.in.gsskex	2010-03-01 18:14:27.000000000 +0100
-+++ openssh-5.3p1/Makefile.in	2009-11-20 15:06:44.000000000 +0100
+++ openssh-5.4p1/Makefile.in	2010-03-01 18:23:31.000000000 +0100
-@@ -71,7 +71,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
+@@ -74,11 +74,11 @@
 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
- 	kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
+ 	kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
-	entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o nsskeys.o
+ 	entropy.o gss-genr.o umac.o jpake.o schnorr.o \
-+	entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o nsskeys.o \
+-	ssh-pkcs11.o
-+	kexgssc.o
+	ssh-pkcs11.o kexgssc.o
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
-@@ -85,7 +86,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+-	roaming_common.o roaming_client.o
- 	auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
+	roaming_common.o roaming_client.o kexgssc.o
- 	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
+ 
- 	auth-krb5.o \
+ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
-	auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ 	sshpty.o sshlogin.o servconf.o serverloop.o \
-+ 	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
+@@ -91,7 +91,7 @@
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
- 	roaming_common.o
+-	roaming_common.o roaming_serv.o
-diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
+	roaming_common.o roaming_serv.o kexgsss.o
--- openssh-5.3p1/monitor.c.gsskex	2009-11-20 14:38:55.000000000 +0100
+ 
-+++ openssh-5.3p1/monitor.c	2009-11-20 14:39:05.000000000 +0100
+ MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
 diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c
 --- openssh-5.4p1/monitor.c.gsskex	2010-03-01 18:14:25.000000000 +0100
 +++ openssh-5.4p1/monitor.c	2010-03-01 18:14:29.000000000 +0100
@@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer 
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
@ -1956,7 +1960,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
 	kex->server = 1;
 	kex->hostkey_type = buffer_get_int(m);
 	kex->kex_type = buffer_get_int(m);
-@@ -1943,6 +1967,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
+@@ -1944,6 +1968,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
 	OM_uint32 major;
 	u_int len;
@ -1966,7 +1970,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
 	goid.elements = buffer_get_string(m, &len);
 	goid.length = len;
-@@ -1970,6 +1997,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -1971,6 +1998,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
 	OM_uint32 flags = 0; /* GSI needs this */
 	u_int len;
@ -1976,7 +1980,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
 	in.value = buffer_get_string(m, &len);
 	in.length = len;
 	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -1987,6 +2017,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -1988,6 +2018,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@ -1984,7 +1988,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
 	}
 	return (0);
 }
-@@ -1998,6 +2029,9 @@ mm_answer_gss_checkmic(int sock, Buffer 
+@@ -1999,6 +2030,9 @@ mm_answer_gss_checkmic(int sock, Buffer 
 	OM_uint32 ret;
 	u_int len;
@ -1994,7 +1998,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
 	gssbuf.value = buffer_get_string(m, &len);
 	gssbuf.length = len;
 	mic.value = buffer_get_string(m, &len);
-@@ -2024,7 +2058,11 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2025,7 +2059,11 @@ mm_answer_gss_userok(int sock, Buffer *m
 {
 	int authenticated;
@ -2007,7 +2011,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
 	buffer_clear(m);
 	buffer_put_int(m, authenticated);
-@@ -2037,6 +2075,74 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2038,6 +2076,74 @@ mm_answer_gss_userok(int sock, Buffer *m
 	/* Monitor loop will terminate if authenticated */
 	return (authenticated);
 }
@ -2082,9 +2086,9 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
 #endif /* GSSAPI */
 #ifdef JPAKE
-diff -up openssh-5.3p1/monitor.h.gsskex openssh-5.3p1/monitor.h
+diff -up openssh-5.4p1/monitor.h.gsskex openssh-5.4p1/monitor.h
--- openssh-5.3p1/monitor.h.gsskex	2009-11-20 14:38:55.000000000 +0100
+--- openssh-5.4p1/monitor.h.gsskex	2010-03-01 18:14:25.000000000 +0100
-+++ openssh-5.3p1/monitor.h	2009-11-20 14:39:05.000000000 +0100
+++ openssh-5.4p1/monitor.h	2010-03-01 18:14:29.000000000 +0100
@@ -56,6 +56,8 @@ enum monitor_reqtype {
 	MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
 	MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
@ -2094,9 +2098,9 @@ diff -up openssh-5.3p1/monitor.h.gsskex openssh-5.3p1/monitor.h
 	MONITOR_REQ_PAM_START,
 	MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
 	MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
-diff -up openssh-5.3p1/monitor_wrap.c.gsskex openssh-5.3p1/monitor_wrap.c
+diff -up openssh-5.4p1/monitor_wrap.c.gsskex openssh-5.4p1/monitor_wrap.c
--- openssh-5.3p1/monitor_wrap.c.gsskex	2009-11-20 14:38:55.000000000 +0100
+--- openssh-5.4p1/monitor_wrap.c.gsskex	2010-03-01 18:14:25.000000000 +0100
-+++ openssh-5.3p1/monitor_wrap.c	2009-11-20 14:39:05.000000000 +0100
+++ openssh-5.4p1/monitor_wrap.c	2010-03-01 18:14:29.000000000 +0100
@@ -1267,7 +1267,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
 }
@ -2158,9 +2162,9 @@ diff -up openssh-5.3p1/monitor_wrap.c.gsskex openssh-5.3p1/monitor_wrap.c
 #endif /* GSSAPI */
 #ifdef JPAKE
-diff -up openssh-5.3p1/monitor_wrap.h.gsskex openssh-5.3p1/monitor_wrap.h
+diff -up openssh-5.4p1/monitor_wrap.h.gsskex openssh-5.4p1/monitor_wrap.h
--- openssh-5.3p1/monitor_wrap.h.gsskex	2009-11-20 14:38:55.000000000 +0100
+--- openssh-5.4p1/monitor_wrap.h.gsskex	2010-03-01 18:14:25.000000000 +0100
-+++ openssh-5.3p1/monitor_wrap.h	2009-11-20 14:39:05.000000000 +0100
+++ openssh-5.4p1/monitor_wrap.h	2010-03-01 18:14:29.000000000 +0100
@@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -2173,10 +2177,10 @@ diff -up openssh-5.3p1/monitor_wrap.h.gsskex openssh-5.3p1/monitor_wrap.h
 #endif
 #ifdef USE_PAM
-diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
+diff -up openssh-5.4p1/readconf.c.gsskex openssh-5.4p1/readconf.c
--- openssh-5.3p1/readconf.c.gsskex	2009-11-20 14:38:59.000000000 +0100
+--- openssh-5.4p1/readconf.c.gsskex	2010-02-11 23:21:03.000000000 +0100
-+++ openssh-5.3p1/readconf.c	2009-11-20 14:39:06.000000000 +0100
+++ openssh-5.4p1/readconf.c	2010-03-01 18:14:29.000000000 +0100
-@@ -128,6 +128,7 @@ typedef enum {
+@@ -127,6 +127,7 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@ -2184,7 +2188,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-@@ -165,10 +166,18 @@ static struct {
+@@ -164,10 +165,18 @@ static struct {
 	{ "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
 	{ "gssapiauthentication", oGssAuthentication },
@ -2203,7 +2207,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
 #endif
 	{ "fallbacktorsh", oDeprecated },
 	{ "usersh", oDeprecated },
-@@ -462,10 +471,26 @@ parse_flag:
+@@ -456,10 +465,26 @@ parse_flag:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
@ -2230,7 +2234,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
 	case oBatchMode:
 		intptr = &options->batch_mode;
 		goto parse_flag;
-@@ -1029,7 +1054,11 @@ initialize_options(Options * options)
+@@ -1015,7 +1040,11 @@ initialize_options(Options * options)
 	options->pubkey_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->gss_authentication = -1;
@ -2242,7 +2246,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->kbd_interactive_devices = NULL;
-@@ -1123,8 +1152,14 @@ fill_default_options(Options * options)
+@@ -1107,8 +1136,14 @@ fill_default_options(Options * options)
 		options->challenge_response_authentication = 1;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
@ -2257,9 +2261,9 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-diff -up openssh-5.3p1/readconf.h.gsskex openssh-5.3p1/readconf.h
+diff -up openssh-5.4p1/readconf.h.gsskex openssh-5.4p1/readconf.h
--- openssh-5.3p1/readconf.h.gsskex	2009-11-20 14:38:59.000000000 +0100
+--- openssh-5.4p1/readconf.h.gsskex	2010-02-11 23:21:03.000000000 +0100
-+++ openssh-5.3p1/readconf.h	2009-11-20 14:39:06.000000000 +0100
+++ openssh-5.4p1/readconf.h	2010-03-01 18:14:29.000000000 +0100
@@ -44,7 +44,11 @@ typedef struct {
 	int     challenge_response_authentication;
 					/* Try S/Key or TIS, authentication. */
@ -2272,10 +2276,10 @@ diff -up openssh-5.3p1/readconf.h.gsskex openssh-5.3p1/readconf.h
 	int     password_authentication;	/* Try password
 						 * authentication. */
 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
+diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c
--- openssh-5.3p1/servconf.c.gsskex	2009-11-20 14:39:03.000000000 +0100
+--- openssh-5.4p1/servconf.c.gsskex	2010-03-01 18:14:28.000000000 +0100
-+++ openssh-5.3p1/servconf.c	2009-11-20 14:52:27.000000000 +0100
+++ openssh-5.4p1/servconf.c	2010-03-01 18:25:32.000000000 +0100
-@@ -92,7 +92,10 @@ initialize_server_options(ServerOptions 
+@@ -93,7 +93,10 @@ initialize_server_options(ServerOptions 
 	options->kerberos_ticket_cleanup = -1;
 	options->kerberos_get_afs_token = -1;
 	options->gss_authentication=-1;
@ -2286,7 +2290,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
-@@ -213,8 +216,14 @@ fill_default_server_options(ServerOption
+@@ -215,8 +218,14 @@ fill_default_server_options(ServerOption
 		options->kerberos_get_afs_token = 0;
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
@ -2301,7 +2305,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
 	if (options->password_authentication == -1)
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
-@@ -308,7 +317,9 @@ typedef enum {
+@@ -310,7 +319,9 @@ typedef enum {
 	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@ -2311,8 +2315,8 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
 +	sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
- 	sZeroKnowledgePasswordAuthentication,
+ 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -371,9 +382,15 @@ static struct {
+@@ -373,9 +384,15 @@ static struct {
 #ifdef GSSAPI
 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
 	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -2328,7 +2332,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
 #endif
 	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
 	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -906,10 +923,22 @@ process_server_config_line(ServerOptions
+@@ -935,10 +952,22 @@ process_server_config_line(ServerOptions
 		intptr = &options->gss_authentication;
 		goto parse_flag;
@ -2351,10 +2355,10 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
 	case sPasswordAuthentication:
 		intptr = &options->password_authentication;
 		goto parse_flag;
-diff -up openssh-5.3p1/servconf.h.gsskex openssh-5.3p1/servconf.h
+diff -up openssh-5.4p1/servconf.h.gsskex openssh-5.4p1/servconf.h
--- openssh-5.3p1/servconf.h.gsskex	2009-11-20 14:39:03.000000000 +0100
+--- openssh-5.4p1/servconf.h.gsskex	2010-03-01 18:14:28.000000000 +0100
-+++ openssh-5.3p1/servconf.h	2009-11-20 14:39:06.000000000 +0100
+++ openssh-5.4p1/servconf.h	2010-03-01 18:14:29.000000000 +0100
-@@ -91,7 +91,10 @@ typedef struct {
+@@ -94,7 +94,10 @@ typedef struct {
 	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
 						 * authenticated with Kerberos. */
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
@ -2365,9 +2369,9 @@ diff -up openssh-5.3p1/servconf.h.gsskex openssh-5.3p1/servconf.h
 	int     password_authentication;	/* If true, permit password
 						 * authentication. */
 	int     kbd_interactive_authentication;	/* If true, permit */
-diff -up openssh-5.3p1/ssh_config.5.gsskex openssh-5.3p1/ssh_config.5
+diff -up openssh-5.4p1/ssh_config.5.gsskex openssh-5.4p1/ssh_config.5
--- openssh-5.3p1/ssh_config.5.gsskex	2009-02-23 00:53:58.000000000 +0100
+--- openssh-5.4p1/ssh_config.5.gsskex	2010-02-11 23:26:02.000000000 +0100
-+++ openssh-5.3p1/ssh_config.5	2009-11-20 14:39:06.000000000 +0100
+++ openssh-5.4p1/ssh_config.5	2010-03-01 18:14:29.000000000 +0100
@@ -478,11 +478,38 @@ Specifies whether user authentication ba
 The default is
 .Dq no .
@ -2408,9 +2412,9 @@ diff -up openssh-5.3p1/ssh_config.5.gsskex openssh-5.3p1/ssh_config.5
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
-diff -up openssh-5.3p1/ssh_config.gsskex openssh-5.3p1/ssh_config
+diff -up openssh-5.4p1/ssh_config.gsskex openssh-5.4p1/ssh_config
--- openssh-5.3p1/ssh_config.gsskex	2009-11-20 14:38:53.000000000 +0100
+--- openssh-5.4p1/ssh_config.gsskex	2010-03-01 18:14:24.000000000 +0100
-+++ openssh-5.3p1/ssh_config	2009-11-20 14:39:06.000000000 +0100
+++ openssh-5.4p1/ssh_config	2010-03-01 18:14:29.000000000 +0100
@@ -26,6 +26,8 @@
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
@ -2420,9 +2424,9 @@ diff -up openssh-5.3p1/ssh_config.gsskex openssh-5.3p1/ssh_config
 #   BatchMode no
 #   CheckHostIP yes
 #   AddressFamily any
-diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
+diff -up openssh-5.4p1/sshconnect2.c.gsskex openssh-5.4p1/sshconnect2.c
--- openssh-5.3p1/sshconnect2.c.gsskex	2009-11-20 14:39:01.000000000 +0100
+--- openssh-5.4p1/sshconnect2.c.gsskex	2010-03-01 18:14:27.000000000 +0100
-+++ openssh-5.3p1/sshconnect2.c	2009-11-20 15:05:03.000000000 +0100
+++ openssh-5.4p1/sshconnect2.c	2010-03-01 18:14:29.000000000 +0100
@@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho
 {
 	Kex *kex;
@ -2503,7 +2507,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
 	xxx_kex = kex;
 	dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
-@@ -247,6 +299,7 @@ void	input_gssapi_token(int type, u_int3
+@@ -253,6 +305,7 @@ void	input_gssapi_token(int type, u_int3
 void	input_gssapi_hash(int type, u_int32_t, void *);
 void	input_gssapi_error(int, u_int32_t, void *);
 void	input_gssapi_errtok(int, u_int32_t, void *);
@ -2511,7 +2515,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
 #endif
 void	userauth(Authctxt *, char *);
-@@ -262,6 +315,10 @@ static char *authmethods_get(void);
+@@ -268,6 +321,10 @@ static char *authmethods_get(void);
 Authmethod authmethods[] = {
 #ifdef GSSAPI
@ -2522,7 +2526,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
 	{"gssapi-with-mic",
 		userauth_gssapi,
 		NULL,
-@@ -555,23 +612,35 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -576,23 +633,35 @@ userauth_gssapi(Authctxt *authctxt)
 	int ok = 0;
 	char* remotehost = NULL;
 	const char* canonicalhost = get_canonical_hostname(1);
@ -2560,7 +2564,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
 			ok = 1; /* Mechanism works */
 		} else {
 			mech++;
-@@ -668,8 +737,8 @@ input_gssapi_response(int type, u_int32_
+@@ -689,8 +758,8 @@ input_gssapi_response(int type, u_int32_
 {
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
@ -2571,7 +2575,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
 	if (authctxt == NULL)
 		fatal("input_gssapi_response: no authentication context");
-@@ -779,6 +848,48 @@ input_gssapi_error(int type, u_int32_t p
+@@ -800,6 +869,48 @@ input_gssapi_error(int type, u_int32_t p
 	xfree(msg);
 	xfree(lang);
 }
@ -2620,9 +2624,9 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
 #endif /* GSSAPI */
 int
-diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
+diff -up openssh-5.4p1/sshd.c.gsskex openssh-5.4p1/sshd.c
--- openssh-5.3p1/sshd.c.gsskex	2009-11-20 14:39:01.000000000 +0100
+--- openssh-5.4p1/sshd.c.gsskex	2010-03-01 18:14:27.000000000 +0100
-+++ openssh-5.3p1/sshd.c	2009-11-20 14:53:31.000000000 +0100
+++ openssh-5.4p1/sshd.c	2010-03-01 18:14:29.000000000 +0100
@@ -129,6 +129,10 @@ int allow_severity;
 int deny_severity;
 #endif /* LIBWRAP */
@ -2634,7 +2638,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
 #ifndef O_NOCTTY
 #define O_NOCTTY	0
 #endif
-@@ -1546,10 +1550,13 @@ main(int ac, char **av)
+@@ -1592,10 +1596,13 @@ main(int ac, char **av)
 		logit("Disabling protocol version 1. Could not load host key");
 		options.protocol &= ~SSH_PROTO_1;
 	}
@ -2648,7 +2652,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
 	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
 		logit("sshd: no hostkeys available -- exiting.");
 		exit(1);
-@@ -1837,6 +1844,60 @@ main(int ac, char **av)
+@@ -1928,6 +1935,60 @@ main(int ac, char **av)
 	/* Log the connection. */
 	verbose("Connection from %.500s port %d", remote_ip, remote_port);
@ -2709,7 +2713,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
 	/*
 	 * We don't want to listen forever unless the other side
 	 * successfully authenticates itself.  So we set up an alarm which is
-@@ -2223,12 +2284,61 @@ do_ssh2_kex(void)
+@@ -2314,12 +2375,61 @@ do_ssh2_kex(void)
 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
@ -2771,9 +2775,9 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
 	kex->server = 1;
 	kex->client_version_string=client_version_string;
 	kex->server_version_string=server_version_string;
-diff -up openssh-5.3p1/sshd_config.5.gsskex openssh-5.3p1/sshd_config.5
+diff -up openssh-5.4p1/sshd_config.5.gsskex openssh-5.4p1/sshd_config.5
--- openssh-5.3p1/sshd_config.5.gsskex	2009-11-20 14:39:03.000000000 +0100
+--- openssh-5.4p1/sshd_config.5.gsskex	2010-03-01 18:14:28.000000000 +0100
-+++ openssh-5.3p1/sshd_config.5	2009-11-20 14:39:06.000000000 +0100
+++ openssh-5.4p1/sshd_config.5	2010-03-01 18:14:29.000000000 +0100
@@ -379,12 +379,40 @@ Specifies whether user authentication ba
 The default is
 .Dq no .
@ -2815,10 +2819,10 @@ diff -up openssh-5.3p1/sshd_config.5.gsskex openssh-5.3p1/sshd_config.5
 .It Cm HostbasedAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful public key client host authentication is allowed
-diff -up openssh-5.3p1/sshd_config.gsskex openssh-5.3p1/sshd_config
+diff -up openssh-5.4p1/sshd_config.gsskex openssh-5.4p1/sshd_config
--- openssh-5.3p1/sshd_config.gsskex	2009-11-20 14:39:04.000000000 +0100
+--- openssh-5.4p1/sshd_config.gsskex	2010-03-01 18:14:28.000000000 +0100
-+++ openssh-5.3p1/sshd_config	2009-11-20 14:54:30.000000000 +0100
+++ openssh-5.4p1/sshd_config	2010-03-01 18:14:29.000000000 +0100
-@@ -80,6 +80,8 @@ ChallengeResponseAuthentication no
+@@ -78,6 +78,8 @@ ChallengeResponseAuthentication no
 GSSAPIAuthentication yes
 #GSSAPICleanupCredentials yes
 GSSAPICleanupCredentials yes
@ -2827,9 +2831,9 @@ diff -up openssh-5.3p1/sshd_config.gsskex openssh-5.3p1/sshd_config
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
-diff -up openssh-5.3p1/ssh-gss.h.gsskex openssh-5.3p1/ssh-gss.h
+diff -up openssh-5.4p1/ssh-gss.h.gsskex openssh-5.4p1/ssh-gss.h
--- openssh-5.3p1/ssh-gss.h.gsskex	2007-06-12 15:40:39.000000000 +0200
+--- openssh-5.4p1/ssh-gss.h.gsskex	2007-06-12 15:40:39.000000000 +0200
-+++ openssh-5.3p1/ssh-gss.h	2009-11-20 14:39:06.000000000 +0100
+++ openssh-5.4p1/ssh-gss.h	2010-03-01 18:14:30.000000000 +0100
@@ -1,6 +1,6 @@
 /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
 /*
--- a/openssh-5.4p1-mls.patch
+++ b/openssh-5.4p1-mls.patch
@ -1,7 +1,7 @@
-diff -up openssh-5.3p1/configure.ac.mls openssh-5.3p1/configure.ac
+diff -up openssh-5.4p1/configure.ac.mls openssh-5.4p1/configure.ac
--- openssh-5.3p1/configure.ac.mls	2009-10-02 14:04:31.000000000 +0200
+--- openssh-5.4p1/configure.ac.mls	2010-03-01 15:24:27.000000000 +0100
-+++ openssh-5.3p1/configure.ac	2009-10-02 14:04:31.000000000 +0200
+++ openssh-5.4p1/configure.ac	2010-03-01 15:24:28.000000000 +0100
-@@ -3404,6 +3404,7 @@ AC_ARG_WITH(selinux,
+@@ -3360,6 +3360,7 @@ AC_ARG_WITH(selinux,
 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
 		LIBS="$LIBS $LIBSELINUX"
 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
@ -9,9 +9,9 @@ diff -up openssh-5.3p1/configure.ac.mls openssh-5.3p1/configure.ac
 		LIBS="$save_LIBS"
 	fi ]
 )
-diff -up openssh-5.3p1/misc.c.mls openssh-5.3p1/misc.c
+diff -up openssh-5.4p1/misc.c.mls openssh-5.4p1/misc.c
--- openssh-5.3p1/misc.c.mls	2009-02-21 22:47:02.000000000 +0100
+--- openssh-5.4p1/misc.c.mls	2010-01-10 00:31:12.000000000 +0100
-+++ openssh-5.3p1/misc.c	2009-10-02 14:04:31.000000000 +0200
+++ openssh-5.4p1/misc.c	2010-03-01 15:24:28.000000000 +0100
@@ -423,6 +423,7 @@ char *
 colon(char *cp)
 {
@ -36,15 +36,16 @@ diff -up openssh-5.3p1/misc.c.mls openssh-5.3p1/misc.c
 	}
 	return (0);
 }
-diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-compat/port-linux.c
+diff -up openssh-5.4p1/openbsd-compat/port-linux.c.mls openssh-5.4p1/openbsd-compat/port-linux.c
--- openssh-5.3p1/openbsd-compat/port-linux.c.mls	2009-10-02 14:04:31.000000000 +0200
+--- openssh-5.4p1/openbsd-compat/port-linux.c.mls	2010-03-01 15:24:27.000000000 +0100
-+++ openssh-5.3p1/openbsd-compat/port-linux.c	2009-10-02 14:04:31.000000000 +0200
+++ openssh-5.4p1/openbsd-compat/port-linux.c	2010-03-01 15:25:50.000000000 +0100
-@@ -33,12 +33,23 @@
+@@ -35,13 +35,24 @@
 #include "key.h"
 #include "hostfile.h"
 #include "auth.h"
 +#include "xmalloc.h"
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
 #include <selinux/flask.h>
 +#include <selinux/context.h>
@ -63,7 +64,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
 /* Wrapper around is_selinux_enabled() to log its return value once only */
 int
-@@ -54,17 +65,173 @@ ssh_selinux_enabled(void)
+@@ -57,17 +68,173 @@ ssh_selinux_enabled(void)
 	return (enabled);
 }
@ -243,7 +244,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
 #ifdef HAVE_GETSEUSERBYNAME
 	if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
 		sename = NULL;
-@@ -72,38 +239,63 @@ ssh_selinux_getctxbyname(char *pwname)
+@@ -75,38 +242,63 @@ ssh_selinux_getctxbyname(char *pwname)
 	}
 #else
 	sename = pwname;
@ -329,7 +330,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
 #ifdef HAVE_GETSEUSERBYNAME
 	if (sename != NULL)
-@@ -111,14 +303,20 @@ ssh_selinux_getctxbyname(char *pwname)
+@@ -114,14 +306,20 @@ ssh_selinux_getctxbyname(char *pwname)
 	if (lvl != NULL)
 		xfree(lvl);
 #endif
@ -351,7 +352,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
 	security_context_t user_ctx = NULL;
 	if (!ssh_selinux_enabled())
-@@ -126,22 +324,45 @@ ssh_selinux_setup_exec_context(char *pwn
+@@ -129,22 +327,45 @@ ssh_selinux_setup_exec_context(char *pwn
 	debug3("%s: setting execution context", __func__);
@ -404,7 +405,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
 	debug3("%s: done", __func__);
 }
-@@ -159,7 +380,10 @@ ssh_selinux_setup_pty(char *pwname, cons
+@@ -162,7 +383,10 @@ ssh_selinux_setup_pty(char *pwname, cons
 	debug3("%s: setting TTY context on %s", __func__, tty);
@ -416,10 +417,10 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
 	/* XXX: should these calls fatal() upon failure in enforcing mode? */
-diff -up openssh-5.3p1/session.c.mls openssh-5.3p1/session.c
+diff -up openssh-5.4p1/session.c.mls openssh-5.4p1/session.c
--- openssh-5.3p1/session.c.mls	2009-08-20 08:20:50.000000000 +0200
+--- openssh-5.4p1/session.c.mls	2010-01-12 09:51:48.000000000 +0100
-+++ openssh-5.3p1/session.c	2009-10-02 14:06:12.000000000 +0200
+++ openssh-5.4p1/session.c	2010-03-01 15:24:28.000000000 +0100
-@@ -1550,10 +1550,6 @@ do_setusercontext(struct passwd *pw)
+@@ -1559,10 +1559,6 @@ do_setusercontext(struct passwd *pw)
 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
@ -430,10 +431,10 @@ diff -up openssh-5.3p1/session.c.mls openssh-5.3p1/session.c
 }
 static void
-diff -up openssh-5.3p1/sshd.c.mls openssh-5.3p1/sshd.c
+diff -up openssh-5.4p1/sshd.c.mls openssh-5.4p1/sshd.c
--- openssh-5.3p1/sshd.c.mls	2009-10-02 14:04:31.000000000 +0200
+--- openssh-5.4p1/sshd.c.mls	2010-03-01 15:24:27.000000000 +0100
-+++ openssh-5.3p1/sshd.c	2009-10-02 14:04:31.000000000 +0200
+++ openssh-5.4p1/sshd.c	2010-03-01 15:24:28.000000000 +0100
-@@ -1896,6 +1896,9 @@ main(int ac, char **av)
+@@ -1987,6 +1987,9 @@ main(int ac, char **av)
 		restore_uid();
 	}
 #endif
--- a/openssh-5.4p1-pam_selinux.patch
+++ b/openssh-5.4p1-pam_selinux.patch
@ -0,0 +1,156 @@
 diff -up openssh-5.4p1/auth-pam.c.pam_selinux openssh-5.4p1/auth-pam.c
 --- openssh-5.4p1/auth-pam.c.pam_selinux	2009-07-12 14:07:21.000000000 +0200
 +++ openssh-5.4p1/auth-pam.c	2010-03-01 15:27:23.000000000 +0100
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
  * during the ssh authentication process.
  */
 int
 -do_pam_putenv(char *name, char *value)
 +do_pam_putenv(char *name, const char *value)
 {
 	int ret = 1;
 #ifdef HAVE_PAM_PUTENV
 diff -up openssh-5.4p1/auth-pam.h.pam_selinux openssh-5.4p1/auth-pam.h
 --- openssh-5.4p1/auth-pam.h.pam_selinux	2004-09-11 14:17:26.000000000 +0200
 +++ openssh-5.4p1/auth-pam.h	2010-03-01 15:27:23.000000000 +0100
@@ -38,7 +38,7 @@ void do_pam_session(void);
 void do_pam_set_tty(const char *);
 void do_pam_setcred(int );
 void do_pam_chauthtok(void);
 -int do_pam_putenv(char *, char *);
 +int do_pam_putenv(char *, const char *);
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);
 diff -up openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.4p1/openbsd-compat/port-linux.c
 --- openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux	2010-03-01 15:27:22.000000000 +0100
 +++ openssh-5.4p1/openbsd-compat/port-linux.c	2010-03-01 15:27:53.000000000 +0100
@@ -36,6 +36,7 @@
 #include "hostfile.h"
 #include "auth.h"
 #include "xmalloc.h"
 +#include "servconf.h"
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
@@ -50,6 +51,7 @@
 #include <unistd.h>
 #endif
 +extern ServerOptions options;
 extern Authctxt *the_authctxt;
 extern int inetd_flag;
 extern int rexeced_flag;
@@ -211,29 +213,38 @@ get_user_context(const char *sename, con
         return -1;
 }
 +static void
 +ssh_selinux_get_role_level(char **role, const char **level)
 +{
 +	*role = NULL;
 +	*level = NULL;
 +	if (the_authctxt) {
 +		if (the_authctxt->role != NULL) {
 +			char *slash;
 +			*role = xstrdup(the_authctxt->role);
 +			if ((slash = strchr(*role, '/')) != NULL) {
 +				*slash = '\0';
 +				*level = slash + 1;
 +			}
 +		}
 +	}
 +}
 +
 /* Return the default security context for the given username */
 static int
 ssh_selinux_getctxbyname(char *pwname,
 	security_context_t *default_sc, security_context_t *user_sc)
 {
 	char *sename, *lvl;
 -	const char *reqlvl = NULL;
 -	char *role = NULL;
 +	const char *reqlvl;
 +	char *role;
 	int r = -1;
 	context_t con = NULL;
 	*default_sc = NULL;
 	*user_sc = NULL;
 -	if (the_authctxt) {
 -		if (the_authctxt->role != NULL) {
 -			char *slash;
 -			role = xstrdup(the_authctxt->role);
 -			if ((slash = strchr(role, '/')) != NULL) {
 -				*slash = '\0';
 -				reqlvl = slash + 1;
 -			}
 -		}
 -	}
 +
 +	ssh_selinux_get_role_level(&role, &reqlvl);
 #ifdef HAVE_GETSEUSERBYNAME
 	if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
@@ -314,6 +325,36 @@ ssh_selinux_getctxbyname(char *pwname,
 	return (r);
 }
 +/* Setup environment variables for pam_selinux */
 +static int
 +ssh_selinux_setup_pam_variables(void)
 +{
 +	const char *reqlvl;
 +	char *role;
 +	char *use_current;
 +	int rv;
 +
 +	debug3("%s: setting execution context", __func__);
 +
 +	ssh_selinux_get_role_level(&role, &reqlvl);
 +
 +	rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
 +	
 +	if (inetd_flag && !rexeced_flag) {
 +		use_current = "1";
 +	} else {
 +		use_current = "";
 +		rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
 +	}
 +
 +	rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
 +
 +	if (role != NULL)
 +		xfree(role);
 +	
 +	return rv;
 +}
 +
 /* Set the execution context to the default for the specified user */
 void
 ssh_selinux_setup_exec_context(char *pwname)
@@ -325,6 +366,24 @@ ssh_selinux_setup_exec_context(char *pwn
 	if (!ssh_selinux_enabled())
 		return;
 +	if (options.use_pam) {
 +		/* do not compute context, just setup environment for pam_selinux */
 +		if (ssh_selinux_setup_pam_variables()) {
 +			switch (security_getenforce()) {
 +			case -1:
 +				fatal("%s: security_getenforce() failed", __func__);
 +			case 0:
 +				error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
 +				    __func__);
 +			break;
 +			default:
 +				fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
 +				    __func__);
 +			}
 +		}
 +		return;
 +	}
 +
 	debug3("%s: setting execution context", __func__);
 	r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
--- a/openssh-5.4p1-pka.patch
+++ b/openssh-5.4p1-pka.patch
@ -1,7 +1,7 @@
-diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
+diff -up openssh-5.4p1/auth2-pubkey.c.pka openssh-5.4p1/auth2-pubkey.c
--- openssh-5.3p1/auth2-pubkey.c.pka	2009-03-08 01:40:28.000000000 +0100
+--- openssh-5.4p1/auth2-pubkey.c.pka	2010-03-09 08:01:05.000000000 +0100
-+++ openssh-5.3p1/auth2-pubkey.c	2010-01-04 16:07:53.000000000 +0100
+++ openssh-5.4p1/auth2-pubkey.c	2010-03-09 08:07:15.000000000 +0100
-@@ -175,26 +175,14 @@ done:
+@@ -187,27 +187,15 @@ done:
 /* return 1 if user allows given key */
 static int
@ -9,6 +9,7 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
 +user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
 {
 	char line[SSH_MAX_PUBKEY_BYTES];
 	const char *reason;
 	int found_key = 0;
 -	FILE *f;
 	u_long linenum = 0;
@ -27,9 +28,9 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
 -	}
 -
 	found_key = 0;
- 	found = key_new(key->type);
+ 	found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
-@@ -239,21 +227,160 @@ user_key_allowed2(struct passwd *pw, Key
+@@ -278,8 +266,6 @@ user_key_allowed2(struct passwd *pw, Key
 			break;
 		}
 	}
@ -38,11 +39,11 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
 	key_free(found);
 	if (!found_key)
 		debug2("key not found");
- 	return found_key;
+@@ -327,13 +313,153 @@ user_cert_trusted_ca(struct passwd *pw, 
 	return ret;
 }
 -/* check whether given key is in .ssh/authorized_keys* */
 +
 +/* return 1 if user allows given key */
 +static int
 +user_key_allowed2(struct passwd *pw, Key *key, char *file)
@ -190,66 +191,13 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
 +		return success;
 +#endif
 +
- 	file = authorized_keys_file(pw);
+ 	if (auth_key_is_revoked(key))
- 	success = user_key_allowed2(pw, key, file);
+ 		return 0;
- 	xfree(file);
+ 	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
-diff -up openssh-5.3p1/configure.pka openssh-5.3p1/configure
+diff -up openssh-5.4p1/configure.ac.pka openssh-5.4p1/configure.ac
--- openssh-5.3p1/configure.pka	2009-10-13 19:27:51.000000000 +0200
+--- openssh-5.4p1/configure.ac.pka	2010-03-09 08:01:04.000000000 +0100
-+++ openssh-5.3p1/configure	2009-10-15 06:26:33.000000000 +0200
+++ openssh-5.4p1/configure.ac	2010-03-09 08:01:05.000000000 +0100
-@@ -769,6 +769,7 @@ with_skey
+@@ -1323,6 +1323,18 @@ AC_ARG_WITH(audit,
 with_tcp_wrappers
 with_libedit
 with_audit
 +with_pka
 with_ssl_dir
 with_openssl_header_check
 with_ssl_engine
@@ -1473,6 +1474,7 @@ Optional Packages:
   --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
   --with-libedit[=PATH]   Enable libedit support for sftp
   --with-audit=module     Enable EXPERIMENTAL audit support (modules=debug,bsm)
 +  --with-pka      Enable pubkey agent support
   --with-ssl-dir=PATH     Specify path to OpenSSL installation
   --without-openssl-header-check Disable OpenSSL version consistency check
   --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support
@@ -13443,6 +13445,25 @@ $as_echo "$as_me: error: Unknown audit m
 fi
 +# Check whether user wants pubkey agent support
 +PKA_MSG="no"
 +
 +# Check whether --with-pka was given.
 +if test "${with_pka+set}" = set; then
 +  withval=$with_pka;
 +		if test "x$withval" != "xno" ; then
 +
 +cat >>confdefs.h <<\_ACEOF
 +#define WITH_PUBKEY_AGENT 1
 +_ACEOF
 +
 +			PKA_MSG="yes"
 +		fi
 +
 +
 +fi
 +
 +
@@ -32772,6 +32793,7 @@ echo "               Linux audit support
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
 +echo "                       PKA support: $PKA_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac
 --- openssh-5.3p1/configure.ac.pka	2009-09-11 06:56:08.000000000 +0200
 +++ openssh-5.3p1/configure.ac	2010-01-04 16:07:53.000000000 +0100
@@ -1319,6 +1319,18 @@ AC_ARG_WITH(audit,
 	esac ]
 )
@ -268,7 +216,7 @@ diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS( \
 	arc4random \
-@@ -4229,6 +4241,7 @@ echo "                   SELinux support
+@@ -4206,6 +4218,7 @@ echo "               Linux audit support
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
@ -276,30 +224,30 @@ diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
-diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
+diff -up openssh-5.4p1/servconf.c.pka openssh-5.4p1/servconf.c
--- openssh-5.3p1/servconf.c.pka	2009-06-21 12:26:17.000000000 +0200
+--- openssh-5.4p1/servconf.c.pka	2010-03-09 08:01:04.000000000 +0100
-+++ openssh-5.3p1/servconf.c	2010-01-04 16:07:53.000000000 +0100
+++ openssh-5.4p1/servconf.c	2010-03-09 09:04:57.000000000 +0100
-@@ -127,6 +127,8 @@ initialize_server_options(ServerOptions 
+@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions 
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 	options->chroot_directory = NULL;
 +	options->pubkey_agent = NULL;
 +	options->pubkey_agent_runas = NULL;
 	options->zero_knowledge_password_authentication = -1;
- }
+ 	options->revoked_keys_file = NULL;
- 
+ 	options->trusted_user_ca_keys = NULL;
-@@ -306,6 +308,7 @@ typedef enum {
+@@ -315,6 +317,7 @@ typedef enum {
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
- 	sZeroKnowledgePasswordAuthentication,
+ 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
 	sRevokedKeys, sTrustedUserCAKeys,
 +	sPubkeyAgent, sPubkeyAgentRunAs,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
-@@ -424,6 +427,13 @@ static struct {
+@@ -437,6 +440,13 @@ static struct {
- 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
+ 	{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
- 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
+ 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
- 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
+ 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
 +#ifdef WITH_PUBKEY_AGENT
 +	{ "pubkeyagent", sPubkeyAgent, SSHCFG_ALL },
 +	{ "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL },
@ -310,9 +258,9 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
 	{ NULL, sBadOption, 0 }
 };
-@@ -1294,6 +1304,20 @@ process_server_config_line(ServerOptions
+@@ -1345,6 +1355,20 @@ process_server_config_line(ServerOptions
- 			*charptr = xstrdup(arg);
+ 		charptr = &options->revoked_keys_file;
- 		break;
+ 		goto parse_filename;
 +	case sPubkeyAgent:
 +		len = strspn(cp, WHITESPACE);
@ -331,7 +279,7 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
-@@ -1387,6 +1411,8 @@ copy_set_server_options(ServerOptions *d
+@@ -1438,6 +1462,8 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(gss_authentication);
 	M_CP_INTOPT(rsa_authentication);
 	M_CP_INTOPT(pubkey_authentication);
@ -340,51 +288,43 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
 	M_CP_INTOPT(kbd_interactive_authentication);
-@@ -1626,6 +1652,10 @@ dump_config(ServerOptions *o)
+@@ -1683,6 +1709,8 @@ dump_config(ServerOptions *o)
- 	dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
+ 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
- 	dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
+ 	dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
- 	dump_cfg_string(sForceCommand, o->adm_forced_command);
+ 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
 +#ifdef WITH_PUBKEY_AGENT
 +	dump_cfg_string(sPubkeyAgent, o->pubkey_agent);
 +	dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas);
 +#endif
 	/* string arguments requiring a lookup */
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
-diff -up openssh-5.3p1/servconf.h.pka openssh-5.3p1/servconf.h
+diff -up openssh-5.4p1/servconf.h.pka openssh-5.4p1/servconf.h
--- openssh-5.3p1/servconf.h.pka	2009-01-28 06:31:23.000000000 +0100
+--- openssh-5.4p1/servconf.h.pka	2010-03-09 08:01:04.000000000 +0100
-+++ openssh-5.3p1/servconf.h	2010-01-04 16:07:53.000000000 +0100
+++ openssh-5.4p1/servconf.h	2010-03-09 09:05:29.000000000 +0100
-@@ -151,6 +151,8 @@ typedef struct {
+@@ -157,6 +157,8 @@ typedef struct {
 	int	num_permitted_opens;
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
 +	char   *pubkey_agent;
 +	char   *pubkey_agent_runas;
 }       ServerOptions;
 void	 initialize_server_options(ServerOptions *);
-diff -up openssh-5.3p1/sshd_config.0.pka openssh-5.3p1/sshd_config.0
+diff -up openssh-5.4p1/sshd_config.0.pka openssh-5.4p1/sshd_config.0
--- openssh-5.3p1/sshd_config.0.pka	2009-09-26 08:31:16.000000000 +0200
+--- openssh-5.4p1/sshd_config.0.pka	2010-03-09 08:01:04.000000000 +0100
-+++ openssh-5.3p1/sshd_config.0	2010-01-04 16:07:53.000000000 +0100
+++ openssh-5.4p1/sshd_config.0	2010-03-09 09:07:35.000000000 +0100
-@@ -344,10 +344,11 @@ DESCRIPTION
+@@ -352,7 +352,8 @@ DESCRIPTION
              AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand,
              GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
              KbdInteractiveAuthentication, KerberosAuthentication,
-             MaxAuthTries, MaxSessions, PasswordAuthentication,
+              MaxAuthTries, MaxSessions, PasswordAuthentication,
-             PermitEmptyPasswords, PermitOpen, PermitRootLogin,
+              PermitEmptyPasswords, PermitOpen, PermitRootLogin,
-             RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
+-             PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
-             X11Forwarding and X11UseLocalHost.
+             PubkeyAuthentication, PubkeyAgent, PubkeyAgentRunAs,
-+             MaxAuthTries, MaxSessions, PubkeyAuthentication, PubkeyAgent,
+             RhostsRSAAuthentication, RSAAuthentication,
-+             PubkeyAgentRunAs, PasswordAuthentication, PermitEmptyPasswords,
+              X11DisplayOffset, X11Forwarding and X11UseLocalHost.
 +             PermitOpen, PermitRootLogin, RhostsRSAAuthentication,
 +             RSAAuthentication, X11DisplayOffset, X11Forwarding and
 +             X11UseLocalHost.
      MaxAuthTries
-              Specifies the maximum number of authentication attempts permitted
+@@ -467,6 +468,17 @@ DESCRIPTION
-@@ -455,6 +456,17 @@ DESCRIPTION
+              this file is not readable, then public key authentication will be
-              fault is ``yes''.  Note that this option applies to protocol ver-
+              refused for all users.
              sion 2 only.
 +     PubkeyAgent
 +             Specifies which agent is used for lookup of the user's public
@ -400,22 +340,10 @@ diff -up openssh-5.3p1/sshd_config.0.pka openssh-5.3p1/sshd_config.0
      RhostsRSAAuthentication
              Specifies whether rhosts or /etc/hosts.equiv authentication to-
              gether with successful RSA host authentication is allowed.  The
-diff -up openssh-5.3p1/sshd_config.pka openssh-5.3p1/sshd_config
+diff -up openssh-5.4p1/sshd_config.5.pka openssh-5.4p1/sshd_config.5
--- openssh-5.3p1/sshd_config.pka	2008-07-02 14:35:43.000000000 +0200
+--- openssh-5.4p1/sshd_config.5.pka	2010-03-09 08:01:04.000000000 +0100
-+++ openssh-5.3p1/sshd_config	2010-01-04 16:07:53.000000000 +0100
+++ openssh-5.4p1/sshd_config.5	2010-03-09 09:06:40.000000000 +0100
-@@ -46,6 +46,8 @@ Protocol 2
+@@ -618,6 +618,9 @@ Available keywords are
 #RSAAuthentication yes
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	.ssh/authorized_keys
 +#PubkeyAgent none
 +#PubkeyAgentRunAs nobody
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5
 --- openssh-5.3p1/sshd_config.5.pka	2009-08-28 02:27:08.000000000 +0200
 +++ openssh-5.3p1/sshd_config.5	2010-01-04 16:07:53.000000000 +0100
@@ -610,6 +610,9 @@ Available keywords are
 .Cm KerberosAuthentication ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
@ -425,20 +353,32 @@ diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5
 .Cm PasswordAuthentication ,
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
-@@ -805,6 +808,16 @@ Specifies whether public key authenticat
+@@ -819,6 +822,16 @@ Specifies a list of revoked public keys.
- The default is
+ Keys listed in this file will be refused for public key authentication.
- .Dq yes .
+ Note that if this file is not readable, then public key authentication will
- Note that this option applies to protocol version 2 only.
+ be refused for all users.
-+.It Cm PubkeyAgent
++.It Cm PubkeyAgent
-+Specifies which agent is used for lookup of the user's public
++Specifies which agent is used for lookup of the user's public
-+keys. Empty string means to use the authorized_keys file.
++keys. Empty string means to use the authorized_keys file.
-+By default there is no PubkeyAgent set.
++By default there is no PubkeyAgent set.
-+Note that this option has an effect only with PubkeyAuthentication
++Note that this option has an effect only with PubkeyAuthentication
-+switched on.
++switched on.
-+.It Cm PubkeyAgentRunAs
++.It Cm PubkeyAgentRunAs
-+Specifies the user under whose account the PubkeyAgent is run. Empty
++Specifies the user under whose account the PubkeyAgent is run. Empty
-+string (the default value) means the user being authorized is used.
++string (the default value) means the user being authorized is used.
-+.Dq 
++.Dq 
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.
 diff -up openssh-5.4p1/sshd_config.pka openssh-5.4p1/sshd_config
 --- openssh-5.4p1/sshd_config.pka	2010-03-09 08:01:04.000000000 +0100
 +++ openssh-5.4p1/sshd_config	2010-03-09 08:01:06.000000000 +0100
@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV
 #RSAAuthentication yes
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	.ssh/authorized_keys
 +#PubkeyAgent none
 +#PubkeyAgentRunAs nobody
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
--- a/openssh-5.4p1-redhat.patch
+++ b/openssh-5.4p1-redhat.patch
@ -1,10 +1,10 @@
-diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config
+diff -up openssh-5.4p1/ssh_config.redhat openssh-5.4p1/ssh_config
--- openssh-5.2p1/ssh_config.redhat	2009-02-21 02:45:02.000000000 +0100
+--- openssh-5.4p1/ssh_config.redhat	2010-01-12 09:40:27.000000000 +0100
-+++ openssh-5.2p1/ssh_config	2009-08-09 08:45:11.302092427 +0200
+++ openssh-5.4p1/ssh_config	2010-03-01 15:15:51.000000000 +0100
-@@ -44,3 +44,14 @@
+@@ -45,3 +45,14 @@
 #   TunnelDevice any:any
 #   PermitLocalCommand no
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 +Host *
 +	GSSAPIAuthentication yes
 +# If this option is set to yes then remote X11 clients will have full access
@ -16,10 +16,10 @@ diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config
 +	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
 +	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 +	SendEnv XMODIFIERS
-diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0
+diff -up openssh-5.4p1/sshd_config.0.redhat openssh-5.4p1/sshd_config.0
--- openssh-5.2p1/sshd_config.0.redhat	2009-02-23 01:18:15.000000000 +0100
+--- openssh-5.4p1/sshd_config.0.redhat	2010-03-01 14:30:04.000000000 +0100
-+++ openssh-5.2p1/sshd_config.0	2009-08-09 08:45:11.276555108 +0200
+++ openssh-5.4p1/sshd_config.0	2010-03-01 15:14:13.000000000 +0100
-@@ -491,9 +491,9 @@ DESCRIPTION
+@@ -501,9 +501,9 @@ DESCRIPTION
      SyslogFacility
              Gives the facility code that is used when logging messages from
@ -32,10 +32,10 @@ diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0
      TCPKeepAlive
              Specifies whether the system should send TCP keepalive messages
-diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5
+diff -up openssh-5.4p1/sshd_config.5.redhat openssh-5.4p1/sshd_config.5
--- openssh-5.2p1/sshd_config.5.redhat	2009-02-23 01:00:24.000000000 +0100
+--- openssh-5.4p1/sshd_config.5.redhat	2010-02-26 21:55:06.000000000 +0100
-+++ openssh-5.2p1/sshd_config.5	2009-08-09 08:45:11.278927203 +0200
+++ openssh-5.4p1/sshd_config.5	2010-03-01 15:14:14.000000000 +0100
-@@ -848,7 +848,7 @@ Note that this option applies to protoco
+@@ -865,7 +865,7 @@ Note that this option applies to protoco
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
 .Xr sshd 8 .
@ -44,10 +44,10 @@ diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
 .It Cm TCPKeepAlive
-diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
+diff -up openssh-5.4p1/sshd_config.redhat openssh-5.4p1/sshd_config
--- openssh-5.2p1/sshd_config.redhat	2008-07-02 14:35:43.000000000 +0200
+--- openssh-5.4p1/sshd_config.redhat	2009-10-11 12:51:09.000000000 +0200
-+++ openssh-5.2p1/sshd_config	2009-08-09 08:47:40.850857227 +0200
+++ openssh-5.4p1/sshd_config	2010-03-01 15:14:14.000000000 +0100
-@@ -33,6 +33,7 @@ Protocol 2
+@@ -31,6 +31,7 @@
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
@ -55,7 +55,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
 #LogLevel INFO
 # Authentication:
-@@ -60,9 +61,11 @@ Protocol 2
+@@ -58,9 +59,11 @@
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
@ -67,7 +67,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
 # Kerberos options
 #KerberosAuthentication no
-@@ -72,7 +75,9 @@ Protocol 2
+@@ -70,7 +73,9 @@
 # GSSAPI options
 #GSSAPIAuthentication no
@ -77,7 +77,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
-@@ -84,11 +89,19 @@ Protocol 2
+@@ -82,11 +87,19 @@
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
--- a/openssh-5.4p1-selinux.patch
+++ b/openssh-5.4p1-selinux.patch
@ -1,7 +1,7 @@
-diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c
+diff -up openssh-5.4p1/auth1.c.selinux openssh-5.4p1/auth1.c
--- openssh-5.2p1/auth1.c.selinux	2008-07-09 12:54:05.000000000 +0200
+--- openssh-5.4p1/auth1.c.selinux	2010-03-01 15:19:56.000000000 +0100
-+++ openssh-5.2p1/auth1.c	2009-08-11 22:43:07.918183730 +0200
+++ openssh-5.4p1/auth1.c	2010-03-01 15:19:57.000000000 +0100
-@@ -392,6 +392,9 @@ do_authentication(Authctxt *authctxt)
+@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
 {
 	u_int ulen;
 	char *user, *style = NULL;
@ -11,7 +11,7 @@ diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c
 	/* Get the name of the user that we wish to log in as. */
 	packet_read_expect(SSH_CMSG_USER);
-@@ -400,11 +403,25 @@ do_authentication(Authctxt *authctxt)
+@@ -392,11 +395,25 @@ do_authentication(Authctxt *authctxt)
 	user = packet_get_string(&ulen);
 	packet_check_eom();
@ -37,9 +37,9 @@ diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c
 	/* Verify that the user is a valid user. */
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
-diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c
+diff -up openssh-5.4p1/auth2.c.selinux openssh-5.4p1/auth2.c
--- openssh-5.2p1/auth2.c.selinux	2008-11-05 06:20:46.000000000 +0100
+--- openssh-5.4p1/auth2.c.selinux	2009-06-22 08:11:07.000000000 +0200
-+++ openssh-5.2p1/auth2.c	2009-08-11 22:43:07.919756192 +0200
+++ openssh-5.4p1/auth2.c	2010-03-01 15:19:57.000000000 +0100
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
@ -79,9 +79,9 @@ diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c
 		userauth_banner();
 	} else if (strcmp(user, authctxt->user) != 0 ||
 	    strcmp(service, authctxt->service) != 0) {
-diff -up openssh-5.2p1/auth2-gss.c.selinux openssh-5.2p1/auth2-gss.c
+diff -up openssh-5.4p1/auth2-gss.c.selinux openssh-5.4p1/auth2-gss.c
--- openssh-5.2p1/auth2-gss.c.selinux	2007-12-02 12:59:45.000000000 +0100
+--- openssh-5.4p1/auth2-gss.c.selinux	2007-12-02 12:59:45.000000000 +0100
-+++ openssh-5.2p1/auth2-gss.c	2009-08-11 22:43:07.921723295 +0200
+++ openssh-5.4p1/auth2-gss.c	2010-03-01 15:19:57.000000000 +0100
@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
@ -114,9 +114,9 @@ diff -up openssh-5.2p1/auth2-gss.c.selinux openssh-5.2p1/auth2-gss.c
 	xfree(mic.value);
 	authctxt->postponed = 0;
-diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c
+diff -up openssh-5.4p1/auth2-hostbased.c.selinux openssh-5.4p1/auth2-hostbased.c
--- openssh-5.2p1/auth2-hostbased.c.selinux	2008-07-17 10:57:19.000000000 +0200
+--- openssh-5.4p1/auth2-hostbased.c.selinux	2008-07-17 10:57:19.000000000 +0200
-+++ openssh-5.2p1/auth2-hostbased.c	2009-08-11 22:43:07.923721059 +0200
+++ openssh-5.4p1/auth2-hostbased.c	2010-03-01 15:19:57.000000000 +0100
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
 	buffer_put_string(&b, session_id2, session_id2_len);
 	/* reconstruct packet */
@ -134,10 +134,10 @@ diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c
 	buffer_put_cstring(&b, service);
 	buffer_put_cstring(&b, "hostbased");
 	buffer_put_string(&b, pkalg, alen);
-diff -up openssh-5.2p1/auth2-pubkey.c.selinux openssh-5.2p1/auth2-pubkey.c
+diff -up openssh-5.4p1/auth2-pubkey.c.selinux openssh-5.4p1/auth2-pubkey.c
--- openssh-5.2p1/auth2-pubkey.c.selinux	2008-07-04 04:54:25.000000000 +0200
+--- openssh-5.4p1/auth2-pubkey.c.selinux	2010-02-26 21:55:05.000000000 +0100
-+++ openssh-5.2p1/auth2-pubkey.c	2009-08-11 22:43:07.925704588 +0200
+++ openssh-5.4p1/auth2-pubkey.c	2010-03-01 15:19:57.000000000 +0100
-@@ -117,7 +117,15 @@ userauth_pubkey(Authctxt *authctxt)
+@@ -119,7 +119,15 @@ userauth_pubkey(Authctxt *authctxt)
 		}
 		/* reconstruct packet */
 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
@ -154,9 +154,9 @@ diff -up openssh-5.2p1/auth2-pubkey.c.selinux openssh-5.2p1/auth2-pubkey.c
 		buffer_put_cstring(&b,
 		    datafellows & SSH_BUG_PKSERVICE ?
 		    "ssh-userauth" :
-diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h
+diff -up openssh-5.4p1/auth.h.selinux openssh-5.4p1/auth.h
--- openssh-5.2p1/auth.h.selinux	2008-11-05 06:20:46.000000000 +0100
+--- openssh-5.4p1/auth.h.selinux	2010-02-26 21:55:05.000000000 +0100
-+++ openssh-5.2p1/auth.h	2009-08-11 22:43:07.927199901 +0200
+++ openssh-5.4p1/auth.h	2010-03-01 15:19:57.000000000 +0100
@@ -58,6 +58,9 @@ struct Authctxt {
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
@ -167,21 +167,21 @@ diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h
 	void		*kbdintctxt;
 	void		*jpake_ctx;
 #ifdef BSD_AUTH
-diff -up openssh-5.2p1/configure.ac.selinux openssh-5.2p1/configure.ac
+diff -up openssh-5.4p1/configure.ac.selinux openssh-5.4p1/configure.ac
--- openssh-5.2p1/configure.ac.selinux	2009-02-16 05:37:03.000000000 +0100
+--- openssh-5.4p1/configure.ac.selinux	2010-03-01 15:19:57.000000000 +0100
-+++ openssh-5.2p1/configure.ac	2009-08-11 22:43:07.930259052 +0200
+++ openssh-5.4p1/configure.ac	2010-03-01 15:21:12.000000000 +0100
-@@ -3335,6 +3335,7 @@ AC_ARG_WITH(selinux,
+@@ -3358,6 +3358,7 @@ AC_ARG_WITH(selinux,
- 		AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
+ 			],
- 		    AC_MSG_ERROR(SELinux support requires libselinux library))
+ 			AC_MSG_ERROR(SELinux support requires libselinux library))
 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
 +		LIBS="$LIBS $LIBSELINUX"
 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
 		LIBS="$save_LIBS"
 	fi ]
-diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
+diff -up openssh-5.4p1/monitor.c.selinux openssh-5.4p1/monitor.c
--- openssh-5.2p1/monitor.c.selinux	2009-02-14 06:33:31.000000000 +0100
+--- openssh-5.4p1/monitor.c.selinux	2010-02-26 21:55:05.000000000 +0100
-+++ openssh-5.2p1/monitor.c	2009-08-11 22:43:07.933623092 +0200
+++ openssh-5.4p1/monitor.c	2010-03-01 15:19:57.000000000 +0100
-@@ -135,6 +135,9 @@ int mm_answer_sign(int, Buffer *);
+@@ -137,6 +137,9 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
@ -191,7 +191,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -211,6 +214,9 @@ struct mon_table mon_dispatch_proto20[] 
+@@ -213,6 +216,9 @@ struct mon_table mon_dispatch_proto20[] 
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -201,7 +201,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
-@@ -680,6 +686,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
+@@ -682,6 +688,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -211,7 +211,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
-@@ -724,6 +733,25 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -726,6 +735,25 @@ mm_answer_authserv(int sock, Buffer *m)
 	return (0);
 }
@ -237,7 +237,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
 int
 mm_answer_authpassword(int sock, Buffer *m)
 {
-@@ -1102,7 +1130,7 @@ static int
+@@ -1104,7 +1132,7 @@ static int
 monitor_valid_userblob(u_char *data, u_int datalen)
 {
 	Buffer b;
@ -246,7 +246,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
 	u_int len;
 	int fail = 0;
-@@ -1128,6 +1156,8 @@ monitor_valid_userblob(u_char *data, u_i
+@@ -1130,6 +1158,8 @@ monitor_valid_userblob(u_char *data, u_i
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
 	p = buffer_get_string(&b, NULL);
@ -255,7 +255,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
 	if (strcmp(authctxt->user, p) != 0) {
 		logit("wrong user name passed to monitor: expected %s != %.100s",
 		    authctxt->user, p);
-@@ -1159,7 +1189,7 @@ monitor_valid_hostbasedblob(u_char *data
+@@ -1161,7 +1191,7 @@ monitor_valid_hostbasedblob(u_char *data
     char *chost)
 {
 	Buffer b;
@ -264,7 +264,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
 	u_int len;
 	int fail = 0;
-@@ -1176,6 +1206,8 @@ monitor_valid_hostbasedblob(u_char *data
+@@ -1178,6 +1208,8 @@ monitor_valid_hostbasedblob(u_char *data
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
 	p = buffer_get_string(&b, NULL);
@ -273,9 +273,9 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
 	if (strcmp(authctxt->user, p) != 0) {
 		logit("wrong user name passed to monitor: expected %s != %.100s",
 		    authctxt->user, p);
-diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h
+diff -up openssh-5.4p1/monitor.h.selinux openssh-5.4p1/monitor.h
--- openssh-5.2p1/monitor.h.selinux	2008-11-05 06:20:46.000000000 +0100
+--- openssh-5.4p1/monitor.h.selinux	2008-11-05 06:20:46.000000000 +0100
-+++ openssh-5.2p1/monitor.h	2009-08-11 22:43:07.935612930 +0200
+++ openssh-5.4p1/monitor.h	2010-03-01 15:19:57.000000000 +0100
@@ -31,6 +31,9 @@
 enum monitor_reqtype {
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
@ -286,9 +286,9 @@ diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
-diff -up openssh-5.2p1/monitor_wrap.c.selinux openssh-5.2p1/monitor_wrap.c
+diff -up openssh-5.4p1/monitor_wrap.c.selinux openssh-5.4p1/monitor_wrap.c
--- openssh-5.2p1/monitor_wrap.c.selinux	2008-11-05 06:20:47.000000000 +0100
+--- openssh-5.4p1/monitor_wrap.c.selinux	2009-06-22 08:11:07.000000000 +0200
-+++ openssh-5.2p1/monitor_wrap.c	2009-08-11 22:43:07.937212340 +0200
+++ openssh-5.4p1/monitor_wrap.c	2010-03-01 15:19:57.000000000 +0100
@@ -297,6 +297,25 @@ mm_inform_authserv(char *service, char *
 	buffer_free(&m);
 }
@ -315,9 +315,9 @@ diff -up openssh-5.2p1/monitor_wrap.c.selinux openssh-5.2p1/monitor_wrap.c
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
-diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h
+diff -up openssh-5.4p1/monitor_wrap.h.selinux openssh-5.4p1/monitor_wrap.h
--- openssh-5.2p1/monitor_wrap.h.selinux	2008-11-05 06:20:47.000000000 +0100
+--- openssh-5.4p1/monitor_wrap.h.selinux	2009-03-05 14:58:22.000000000 +0100
-+++ openssh-5.2p1/monitor_wrap.h	2009-08-11 22:43:07.938268752 +0200
+++ openssh-5.4p1/monitor_wrap.h	2010-03-01 15:19:57.000000000 +0100
@@ -41,6 +41,9 @@ int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@ -328,17 +328,18 @@ diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
-diff -up openssh-5.2p1/openbsd-compat/port-linux.c.selinux openssh-5.2p1/openbsd-compat/port-linux.c
+diff -up openssh-5.4p1/openbsd-compat/port-linux.c.selinux openssh-5.4p1/openbsd-compat/port-linux.c
--- openssh-5.2p1/openbsd-compat/port-linux.c.selinux	2008-03-26 21:27:21.000000000 +0100
+--- openssh-5.4p1/openbsd-compat/port-linux.c.selinux	2010-03-01 05:52:50.000000000 +0100
-+++ openssh-5.2p1/openbsd-compat/port-linux.c	2009-08-11 22:44:14.529196220 +0200
+++ openssh-5.4p1/openbsd-compat/port-linux.c	2010-03-01 15:22:19.000000000 +0100
-@@ -30,11 +30,16 @@
+@@ -32,12 +32,17 @@
 #ifdef WITH_SELINUX
 #include "log.h"
 #include "xmalloc.h"
 #include "port-linux.h"
 +#include "key.h"
 +#include "hostfile.h"
 +#include "auth.h"
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
 #include <selinux/flask.h>
 #include <selinux/get_context_list.h>
@ -348,7 +349,7 @@ diff -up openssh-5.2p1/openbsd-compat/port-linux.c.selinux openssh-5.2p1/openbsd
 /* Wrapper around is_selinux_enabled() to log its return value once only */
 int
 ssh_selinux_enabled(void)
-@@ -53,23 +58,36 @@ ssh_selinux_enabled(void)
+@@ -56,23 +61,36 @@ ssh_selinux_enabled(void)
 static security_context_t
 ssh_selinux_getctxbyname(char *pwname)
 {
--- a/openssh.spec
+++ b/openssh.spec
@ -185,7 +185,7 @@ Provides: openssh-askpass-gnome
 Summary: PAM module for authentication with ssh-agent
 Group: System Environment/Base
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh-rel}{?dist}%{?rescue_rel}
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}{?dist}%{?rescue_rel}
 License: BSD
 %description