- upgrade to new upstream release

- fixed a problem with public key authentication and explicitely specified SELinux role
2008-07-23 14:50:23 +00:00 · 2008-07-23 14:50:23 +00:00 · 93a4744539
parent 077dad7320
commit 93a4744539
11 changed files with 243 additions and 279 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -1 +1 @@
-openssh-5.0p1-noacss.tar.bz2
+openssh-5.1p1-noacss.tar.bz2
--- a/openssh-4.5p1-controlcleanup.patch
+++ b/openssh-4.5p1-controlcleanup.patch
@ -1,15 +0,0 @@
--- openssh-4.5p1/ssh.c~	2007-03-24 16:25:18.000000000 +0000
-+++ openssh-4.5p1/ssh.c	2007-03-24 16:31:06.000000000 +0000
-@@ -1347,7 +1347,11 @@
- 		}
- 		if (errno == ENOENT)
- 			debug("Control socket \"%.100s\" does not exist", path);
-		else {
-+		else if (errno == ECONNREFUSED) {
-+			debug("Control socket connect(%.100s): %s", path,
-+			    strerror(errno));
-+			unlink(path);
-+		} else {
- 			error("Control socket connect(%.100s): %s", path,
- 			    strerror(errno));
- 		}
--- a/openssh-4.7p1-master-race.patch
+++ b/openssh-4.7p1-master-race.patch
@ -1,85 +0,0 @@
--- openssh-4.7p1/ssh.c.masterrace	2008-03-06 13:55:11.000000000 +0000
-+++ openssh-4.7p1/ssh.c	2008-03-06 13:55:19.000000000 +0000
-@@ -1065,7 +1065,7 @@ client_global_request_reply_fwd(int type
- 	}
- }
- 
-static void
-+static int
- ssh_control_listener(void)
- {
- 	struct sockaddr_un addr;
-@@ -1073,10 +1073,11 @@ ssh_control_listener(void)
- 	int addr_len;
- 
- 	if (options.control_path == NULL ||
-	    options.control_master == SSHCTL_MASTER_NO)
-		return;
-+	    options.control_master == SSHCTL_MASTER_NO ||
-+	    control_fd != -1)
-+		return 1;
- 
-	debug("setting up multiplex master socket");
-+	debug("trying to set up multiplex master socket");
- 
- 	memset(&addr, '\0', sizeof(addr));
- 	addr.sun_family = AF_UNIX;
-@@ -1093,11 +1094,9 @@ ssh_control_listener(void)
- 	old_umask = umask(0177);
- 	if (bind(control_fd, (struct sockaddr *)&addr, addr_len) == -1) {
- 		control_fd = -1;
-		if (errno == EINVAL || errno == EADDRINUSE)
-			fatal("ControlSocket %s already exists",
-			    options.control_path);
-		else
-+		if (errno != EINVAL && errno != EADDRINUSE)
- 			fatal("%s bind(): %s", __func__, strerror(errno));
-+		return 0;
- 	}
- 	umask(old_umask);
- 
-@@ -1105,6 +1104,9 @@ ssh_control_listener(void)
- 		fatal("%s listen(): %s", __func__, strerror(errno));
- 
- 	set_nonblock(control_fd);
-+
-+	debug("control master listening on %s", options.control_path);
-+	return 1;
- }
- 
- /* request pty/x11/agent/tcpfwd/shell for channel */
-@@ -1196,7 +1198,9 @@ ssh_session2(void)
- 	ssh_init_forwarding();
- 
- 	/* Start listening for multiplex clients */
-	ssh_control_listener();
-+	if (!ssh_control_listener())
-+		fatal("control master socket %s already exists",
-+		      options.control_path);
- 
-  	/*
-  	 * If we are the control master, and if control_persist is set,
-@@ -1375,7 +1379,13 @@ control_client(const char *path)
- 	switch (options.control_master) {
- 	case SSHCTL_MASTER_AUTO:
- 	case SSHCTL_MASTER_AUTO_ASK:
-		debug("auto-mux: Trying existing master");
-+		/* see if we can create a control master socket
-+		   to avoid a race between two auto clients */
-+		if (mux_command == SSHMUX_COMMAND_OPEN &&
-+		    ssh_control_listener())
-+			return;
-+		debug("trying to connect to control master socket %s",
-+		    options.control_path);
- 		/* FALLTHROUGH */
- 	case SSHCTL_MASTER_NO:
- 		break;
-@@ -1522,6 +1532,8 @@ control_client(const char *path)
- 	signal(SIGTERM, control_client_sighandler);
- 	signal(SIGWINCH, control_client_sigrelay);
- 
-+	debug("connected to control master; waiting for exit");
-+
- 	if (tty_flag)
- 		enter_raw_mode();
- 
--- a/openssh-5.0p1-unbreakalive.patch
+++ b/openssh-5.0p1-unbreakalive.patch
@ -1,20 +0,0 @@
-Index: packet.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/packet.c,v
-retrieving revision 1.152
-diff -u -p packet.c
--- packet.c	8 May 2008 06:59:01 -0000
-+++ packet.c	19 May 2008 04:00:34 -0000
-@@ -1185,9 +1185,10 @@ packet_read_poll_seqnr(u_int32_t *seqnr_
- 	for (;;) {
- 		if (compat20) {
- 			type = packet_read_poll2(seqnr_p);
-			keep_alive_timeouts = 0;
-			if (type)
-+			if (type) {
-+				keep_alive_timeouts = 0;
- 				DBG(debug("received packet type %d", type));
-+			}
- 			switch (type) {
- 			case SSH2_MSG_IGNORE:
- 				debug3("Received SSH2_MSG_IGNORE");
--- a/openssh-5.1p1-cloexec.patch
+++ b/openssh-5.1p1-cloexec.patch
@ -1,15 +1,15 @@
-diff -up openssh-4.7p1/sshconnect2.c.cloexec openssh-4.7p1/sshconnect2.c
--- openssh-4.7p1/sshconnect2.c.cloexec	2008-03-06 15:58:03.000000000 +0100
-+++ openssh-4.7p1/sshconnect2.c	2008-05-21 09:27:06.000000000 +0200
+diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c
+--- openssh-5.1p1/sshconnect2.c.cloexec	2008-07-23 15:21:23.000000000 +0200
+++ openssh-5.1p1/sshconnect2.c	2008-07-23 15:23:19.000000000 +0200
@@ -38,6 +38,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
 +#include <fcntl.h>
- 
- #include "openbsd-compat/sys-queue.h"
- 
-@@ -1257,6 +1258,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i
+ #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
+ #include <vis.h>
+ #endif
+@@ -1267,6 +1268,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i
 		return -1;
 	}
 	if (pid == 0) {
@ -17,9 +17,9 @@ diff -up openssh-4.7p1/sshconnect2.c.cloexec openssh-4.7p1/sshconnect2.c
 		permanently_drop_suid(getuid());
 		close(from[0]);
 		if (dup2(from[1], STDOUT_FILENO) < 0)
-diff -up openssh-4.7p1/sshconnect.c.cloexec openssh-4.7p1/sshconnect.c
--- openssh-4.7p1/sshconnect.c.cloexec	2006-10-23 19:02:24.000000000 +0200
-+++ openssh-4.7p1/sshconnect.c	2008-03-06 15:58:03.000000000 +0100
+diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c
+--- openssh-5.1p1/sshconnect.c.cloexec	2008-07-02 14:34:30.000000000 +0200
+++ openssh-5.1p1/sshconnect.c	2008-07-23 15:21:23.000000000 +0200
@@ -38,6 +38,7 @@
 #include <stdlib.h>
 #include <string.h>
@ -28,7 +28,7 @@ diff -up openssh-4.7p1/sshconnect.c.cloexec openssh-4.7p1/sshconnect.c
 
 #include "xmalloc.h"
 #include "key.h"
-@@ -189,8 +190,11 @@ ssh_create_socket(int privileged, struct
+@@ -194,8 +195,11 @@ ssh_create_socket(int privileged, struct
 		return sock;
 	}
 	sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
--- a/openssh-5.1p1-log-in-chroot.patch
+++ b/openssh-5.1p1-log-in-chroot.patch
@ -1,7 +1,7 @@
-diff -up openssh-4.7p1/sshd.c.log-chroot openssh-4.7p1/sshd.c
--- openssh-4.7p1/sshd.c.log-chroot	2007-09-06 17:24:13.000000000 +0200
-+++ openssh-4.7p1/sshd.c	2007-09-06 17:24:13.000000000 +0200
-@@ -596,6 +596,10 @@ privsep_preauth_child(void)
+diff -up openssh-5.1p1/sshd.c.log-chroot openssh-5.1p1/sshd.c
+--- openssh-5.1p1/sshd.c.log-chroot	2008-07-23 15:18:52.000000000 +0200
+++ openssh-5.1p1/sshd.c	2008-07-23 15:18:52.000000000 +0200
+@@ -591,6 +591,10 @@ privsep_preauth_child(void)
 	/* Demote the private keys to public keys. */
 	demote_sensitive_data();
 
@ -12,9 +12,9 @@ diff -up openssh-4.7p1/sshd.c.log-chroot openssh-4.7p1/sshd.c
 	/* Change our root directory */
 	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
 		fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
-diff -up openssh-4.7p1/log.c.log-chroot openssh-4.7p1/log.c
--- openssh-4.7p1/log.c.log-chroot	2007-05-20 07:08:16.000000000 +0200
-+++ openssh-4.7p1/log.c	2007-09-06 17:29:34.000000000 +0200
+diff -up openssh-5.1p1/log.c.log-chroot openssh-5.1p1/log.c
+--- openssh-5.1p1/log.c.log-chroot	2008-06-10 15:01:51.000000000 +0200
+++ openssh-5.1p1/log.c	2008-07-23 15:18:52.000000000 +0200
@@ -56,6 +56,7 @@ static LogLevel log_level = SYSLOG_LEVEL
 static int log_on_stderr = 1;
 static int log_facility = LOG_AUTH;
@ -23,7 +23,7 @@ diff -up openssh-4.7p1/log.c.log-chroot openssh-4.7p1/log.c
 
 extern char *__progname;
 
-@@ -370,10 +371,21 @@ do_log(LogLevel level, const char *fmt, 
+@@ -392,10 +393,21 @@ do_log(LogLevel level, const char *fmt, 
 		syslog_r(pri, &sdata, "%.500s", fmtbuf);
 		closelog_r(&sdata);
 #else
@ -45,13 +45,13 @@ diff -up openssh-4.7p1/log.c.log-chroot openssh-4.7p1/log.c
 +	openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility);
 +	log_fd_keep = 1;
 +}
-diff -up openssh-4.7p1/log.h.log-chroot openssh-4.7p1/log.h
--- openssh-4.7p1/log.h.log-chroot	2006-08-18 16:32:21.000000000 +0200
-+++ openssh-4.7p1/log.h	2007-09-06 17:24:13.000000000 +0200
-@@ -62,4 +62,6 @@ void     debug3(const char *, ...) __att
+diff -up openssh-5.1p1/log.h.log-chroot openssh-5.1p1/log.h
+--- openssh-5.1p1/log.h.log-chroot	2008-06-13 02:22:54.000000000 +0200
+++ openssh-5.1p1/log.h	2008-07-23 15:20:11.000000000 +0200
+@@ -66,4 +66,6 @@ void     debug3(const char *, ...) __att
 
 void	 do_log(LogLevel, const char *, va_list);
- void	 cleanup_exit(int) __dead;
+ void	 cleanup_exit(int) __attribute__((noreturn));
 +
 +void     open_log(void);
 #endif
--- a/openssh-5.1p1-redhat.patch
+++ b/openssh-5.1p1-redhat.patch
@ -1,6 +1,6 @@
-diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config
--- openssh-4.7p1/sshd_config.redhat	2007-03-21 10:42:25.000000000 +0100
-+++ openssh-4.7p1/sshd_config	2007-09-06 16:23:58.000000000 +0200
+diff -up openssh-5.1p1/sshd_config.redhat openssh-5.1p1/sshd_config
+--- openssh-5.1p1/sshd_config.redhat	2008-07-02 14:35:43.000000000 +0200
+++ openssh-5.1p1/sshd_config	2008-07-23 14:11:12.000000000 +0200
@@ -33,6 +33,7 @@ Protocol 2
 # Logging
 # obsoletes QuietMode and FascistLogging
@ -9,7 +9,7 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config
 #LogLevel INFO
 
 # Authentication:
-@@ -59,9 +60,11 @@ Protocol 2
+@@ -60,9 +61,11 @@ Protocol 2
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
@ -21,7 +21,7 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config
 
 # Kerberos options
 #KerberosAuthentication no
-@@ -71,7 +74,9 @@ Protocol 2
+@@ -72,7 +75,9 @@ Protocol 2
 
 # GSSAPI options
 #GSSAPIAuthentication no
@ -31,16 +31,18 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config
 
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
-@@ -83,10 +88,16 @@ Protocol 2
+@@ -84,11 +89,18 @@ Protocol 2
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
 +UsePAM yes
+
+# Accept locale-related environment variables 
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES  
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT  
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE 
 
-+# Accept locale-related environment variables
-+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
-+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
-+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no
@ -48,9 +50,9 @@ diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
-diff -up openssh-4.7p1/ssh_config.redhat openssh-4.7p1/ssh_config
--- openssh-4.7p1/ssh_config.redhat	2007-06-11 06:04:42.000000000 +0200
-+++ openssh-4.7p1/ssh_config	2007-09-06 16:21:49.000000000 +0200
+diff -up openssh-5.1p1/ssh_config.redhat openssh-5.1p1/ssh_config
+--- openssh-5.1p1/ssh_config.redhat	2007-06-11 06:04:42.000000000 +0200
+++ openssh-5.1p1/ssh_config	2008-07-23 14:07:29.000000000 +0200
@@ -43,3 +43,13 @@
 #   Tunnel no
 #   TunnelDevice any:any
@ -65,10 +67,10 @@ diff -up openssh-4.7p1/ssh_config.redhat openssh-4.7p1/ssh_config
 +	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
 +	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
 +	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
-diff -up openssh-4.7p1/sshd_config.0.redhat openssh-4.7p1/sshd_config.0
--- openssh-4.7p1/sshd_config.0.redhat	2007-09-04 08:50:11.000000000 +0200
-+++ openssh-4.7p1/sshd_config.0	2007-09-06 16:21:49.000000000 +0200
-@@ -435,9 +435,9 @@ DESCRIPTION
+diff -up openssh-5.1p1/sshd_config.0.redhat openssh-5.1p1/sshd_config.0
+--- openssh-5.1p1/sshd_config.0.redhat	2008-07-21 10:30:51.000000000 +0200
+++ openssh-5.1p1/sshd_config.0	2008-07-23 14:07:29.000000000 +0200
+@@ -490,9 +490,9 @@ DESCRIPTION
 
      SyslogFacility
              Gives the facility code that is used when logging messages from
@ -81,10 +83,10 @@ diff -up openssh-4.7p1/sshd_config.0.redhat openssh-4.7p1/sshd_config.0
 
      TCPKeepAlive
              Specifies whether the system should send TCP keepalive messages
-diff -up openssh-4.7p1/sshd_config.5.redhat openssh-4.7p1/sshd_config.5
--- openssh-4.7p1/sshd_config.5.redhat	2007-06-11 06:07:13.000000000 +0200
-+++ openssh-4.7p1/sshd_config.5	2007-09-06 16:21:49.000000000 +0200
-@@ -748,7 +748,7 @@ Note that this option applies to protoco
+diff -up openssh-5.1p1/sshd_config.5.redhat openssh-5.1p1/sshd_config.5
+--- openssh-5.1p1/sshd_config.5.redhat	2008-07-02 14:35:43.000000000 +0200
+++ openssh-5.1p1/sshd_config.5	2008-07-23 14:07:29.000000000 +0200
+@@ -846,7 +846,7 @@ Note that this option applies to protoco
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
 .Xr sshd 8 .
--- a/openssh-5.1p1-selinux.patch
+++ b/openssh-5.1p1-selinux.patch
@ -1,7 +1,7 @@
-diff -up openssh-4.7p1/configure.ac.selinux openssh-4.7p1/configure.ac
--- openssh-4.7p1/configure.ac.selinux	2007-09-06 19:46:32.000000000 +0200
-+++ openssh-4.7p1/configure.ac	2007-09-06 19:52:23.000000000 +0200
-@@ -3211,6 +3211,7 @@ AC_ARG_WITH(selinux,
+diff -up openssh-5.1p1/configure.ac.selinux openssh-5.1p1/configure.ac
+--- openssh-5.1p1/configure.ac.selinux	2008-07-23 16:32:13.000000000 +0200
+++ openssh-5.1p1/configure.ac	2008-07-23 16:32:13.000000000 +0200
+@@ -3309,6 +3309,7 @@ AC_ARG_WITH(selinux,
 		AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
 		    AC_MSG_ERROR(SELinux support requires libselinux library))
 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
@ -9,10 +9,10 @@ diff -up openssh-4.7p1/configure.ac.selinux openssh-4.7p1/configure.ac
 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
 		LIBS="$save_LIBS"
 	fi ]
-diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c
--- openssh-4.7p1/auth1.c.selinux	2007-09-06 19:46:32.000000000 +0200
-+++ openssh-4.7p1/auth1.c	2007-09-06 19:46:32.000000000 +0200
-@@ -388,7 +388,7 @@ void
+diff -up openssh-5.1p1/auth1.c.selinux openssh-5.1p1/auth1.c
+--- openssh-5.1p1/auth1.c.selinux	2008-07-23 16:32:13.000000000 +0200
+++ openssh-5.1p1/auth1.c	2008-07-23 16:32:13.000000000 +0200
+@@ -391,7 +391,7 @@ void
 do_authentication(Authctxt *authctxt)
 {
 	u_int ulen;
@ -21,7 +21,7 @@ diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c
 
 	/* Get the name of the user that we wish to log in as. */
 	packet_read_expect(SSH_CMSG_USER);
-@@ -397,11 +397,19 @@ do_authentication(Authctxt *authctxt)
+@@ -400,11 +400,19 @@ do_authentication(Authctxt *authctxt)
 	user = packet_get_string(&ulen);
 	packet_check_eom();
 
@ -41,9 +41,28 @@ diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c
 
 	/* Verify that the user is a valid user. */
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
-diff -up openssh-4.7p1/monitor_wrap.h.selinux openssh-4.7p1/monitor_wrap.h
--- openssh-4.7p1/monitor_wrap.h.selinux	2006-08-05 04:39:40.000000000 +0200
-+++ openssh-4.7p1/monitor_wrap.h	2007-09-06 19:46:32.000000000 +0200
+diff -up openssh-5.1p1/auth2-pubkey.c.selinux openssh-5.1p1/auth2-pubkey.c
+--- openssh-5.1p1/auth2-pubkey.c.selinux	2008-07-04 04:54:25.000000000 +0200
+++ openssh-5.1p1/auth2-pubkey.c	2008-07-23 16:32:13.000000000 +0200
+@@ -117,7 +117,14 @@ userauth_pubkey(Authctxt *authctxt)
+ 		}
+ 		/* reconstruct packet */
+ 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+-		buffer_put_cstring(&b, authctxt->user);
+		if (authctxt->role) {
+			buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+			buffer_append(&b, authctxt->user, strlen(authctxt->user));
+			buffer_put_char(&b, '/');
+			buffer_append(&b, authctxt->role, strlen(authctxt->role));
+		} else {
+			buffer_put_cstring(&b, authctxt->user);
+		}
+ 		buffer_put_cstring(&b,
+ 		    datafellows & SSH_BUG_PKSERVICE ?
+ 		    "ssh-userauth" :
+diff -up openssh-5.1p1/monitor_wrap.h.selinux openssh-5.1p1/monitor_wrap.h
+--- openssh-5.1p1/monitor_wrap.h.selinux	2006-08-05 04:39:40.000000000 +0200
+++ openssh-5.1p1/monitor_wrap.h	2008-07-23 16:32:13.000000000 +0200
@@ -41,6 +41,7 @@ int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@ -52,9 +71,9 @@ diff -up openssh-4.7p1/monitor_wrap.h.selinux openssh-4.7p1/monitor_wrap.h
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
-diff -up openssh-4.7p1/monitor.h.selinux openssh-4.7p1/monitor.h
--- openssh-4.7p1/monitor.h.selinux	2006-03-26 05:30:02.000000000 +0200
-+++ openssh-4.7p1/monitor.h	2007-09-06 19:46:32.000000000 +0200
+diff -up openssh-5.1p1/monitor.h.selinux openssh-5.1p1/monitor.h
+--- openssh-5.1p1/monitor.h.selinux	2006-03-26 05:30:02.000000000 +0200
+++ openssh-5.1p1/monitor.h	2008-07-23 16:32:13.000000000 +0200
@@ -30,7 +30,7 @@
 
 enum monitor_reqtype {
@ -64,10 +83,29 @@ diff -up openssh-4.7p1/monitor.h.selinux openssh-4.7p1/monitor.h
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
-diff -up openssh-4.7p1/monitor_wrap.c.selinux openssh-4.7p1/monitor_wrap.c
--- openssh-4.7p1/monitor_wrap.c.selinux	2007-06-11 06:01:42.000000000 +0200
-+++ openssh-4.7p1/monitor_wrap.c	2007-09-06 19:46:32.000000000 +0200
-@@ -294,6 +294,23 @@ mm_inform_authserv(char *service, char *
+diff -up openssh-5.1p1/auth2-hostbased.c.selinux openssh-5.1p1/auth2-hostbased.c
+--- openssh-5.1p1/auth2-hostbased.c.selinux	2008-07-17 10:57:19.000000000 +0200
+++ openssh-5.1p1/auth2-hostbased.c	2008-07-23 16:32:13.000000000 +0200
+@@ -106,7 +106,14 @@ userauth_hostbased(Authctxt *authctxt)
+ 	buffer_put_string(&b, session_id2, session_id2_len);
+ 	/* reconstruct packet */
+ 	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
+-	buffer_put_cstring(&b, authctxt->user);
+	if (authctxt->role) {
+		buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+		buffer_append(&b, authctxt->user, strlen(authctxt->user));
+		buffer_put_char(&b, '/');
+		buffer_append(&b, authctxt->role, strlen(authctxt->role));
+	} else {
+		buffer_put_cstring(&b, authctxt->user);
+	}
+ 	buffer_put_cstring(&b, service);
+ 	buffer_put_cstring(&b, "hostbased");
+ 	buffer_put_string(&b, pkalg, alen);
+diff -up openssh-5.1p1/monitor_wrap.c.selinux openssh-5.1p1/monitor_wrap.c
+--- openssh-5.1p1/monitor_wrap.c.selinux	2008-07-11 09:36:48.000000000 +0200
+++ openssh-5.1p1/monitor_wrap.c	2008-07-23 16:32:13.000000000 +0200
+@@ -296,6 +296,23 @@ mm_inform_authserv(char *service, char *
 	buffer_free(&m);
 }
 
@ -91,9 +129,9 @@ diff -up openssh-4.7p1/monitor_wrap.c.selinux openssh-4.7p1/monitor_wrap.c
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
-diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd-compat/port-linux.c
--- openssh-4.7p1/openbsd-compat/port-linux.c.selinux	2007-06-28 00:48:03.000000000 +0200
-+++ openssh-4.7p1/openbsd-compat/port-linux.c	2007-09-06 19:46:32.000000000 +0200
+diff -up openssh-5.1p1/openbsd-compat/port-linux.c.selinux openssh-5.1p1/openbsd-compat/port-linux.c
+--- openssh-5.1p1/openbsd-compat/port-linux.c.selinux	2008-03-26 21:27:21.000000000 +0100
+++ openssh-5.1p1/openbsd-compat/port-linux.c	2008-07-23 16:32:13.000000000 +0200
@@ -30,11 +30,16 @@
 #ifdef WITH_SELINUX
 #include "log.h"
@ -109,7 +147,7 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd
 +extern Authctxt *the_authctxt;
 +
 /* Wrapper around is_selinux_enabled() to log its return value once only */
- static int
+ int
 ssh_selinux_enabled(void)
@@ -53,23 +58,36 @@ ssh_selinux_enabled(void)
 static security_context_t
@ -155,9 +193,9 @@ diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd
 
 	if (r != 0) {
 		switch (security_getenforce()) {
-diff -up openssh-4.7p1/auth.h.selinux openssh-4.7p1/auth.h
--- openssh-4.7p1/auth.h.selinux	2006-08-18 16:32:46.000000000 +0200
-+++ openssh-4.7p1/auth.h	2007-09-06 19:46:32.000000000 +0200
+diff -up openssh-5.1p1/auth.h.selinux openssh-5.1p1/auth.h
+--- openssh-5.1p1/auth.h.selinux	2008-07-02 14:37:30.000000000 +0200
+++ openssh-5.1p1/auth.h	2008-07-23 16:32:13.000000000 +0200
@@ -58,6 +58,7 @@ struct Authctxt {
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
@ -166,10 +204,10 @@ diff -up openssh-4.7p1/auth.h.selinux openssh-4.7p1/auth.h
 	void		*kbdintctxt;
 #ifdef BSD_AUTH
 	auth_session_t	*as;
-diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c
--- openssh-4.7p1/auth2.c.selinux	2007-05-20 06:58:41.000000000 +0200
-+++ openssh-4.7p1/auth2.c	2007-09-06 19:46:32.000000000 +0200
-@@ -141,7 +141,7 @@ input_userauth_request(int type, u_int32
+diff -up openssh-5.1p1/auth2.c.selinux openssh-5.1p1/auth2.c
+--- openssh-5.1p1/auth2.c.selinux	2008-07-05 01:44:53.000000000 +0200
+++ openssh-5.1p1/auth2.c	2008-07-23 16:32:13.000000000 +0200
+@@ -209,7 +209,7 @@ input_userauth_request(int type, u_int32
 {
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
@ -178,7 +216,7 @@ diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c
 	int authenticated = 0;
 
 	if (authctxt == NULL)
-@@ -153,6 +153,9 @@ input_userauth_request(int type, u_int32
+@@ -221,6 +221,9 @@ input_userauth_request(int type, u_int32
 	debug("userauth-request for user %s service %s method %s", user, service, method);
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
@ -188,7 +226,7 @@ diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = 0;
 
-@@ -178,8 +181,11 @@ input_userauth_request(int type, u_int32
+@@ -246,8 +249,11 @@ input_userauth_request(int type, u_int32
 		    use_privsep ? " [net]" : "");
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
@ -198,13 +236,13 @@ diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c
 			mm_inform_authserv(service, style);
 +			mm_inform_authrole(role);
 +		}
+ 		userauth_banner();
 	} else if (strcmp(user, authctxt->user) != 0 ||
 	    strcmp(service, authctxt->service) != 0) {
- 		packet_disconnect("Change of username or service not allowed: "
-diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c
--- openssh-4.7p1/monitor.c.selinux	2007-05-20 07:10:16.000000000 +0200
-+++ openssh-4.7p1/monitor.c	2007-09-06 19:46:32.000000000 +0200
-@@ -133,6 +133,7 @@ int mm_answer_sign(int, Buffer *);
+diff -up openssh-5.1p1/monitor.c.selinux openssh-5.1p1/monitor.c
+--- openssh-5.1p1/monitor.c.selinux	2008-07-11 09:36:48.000000000 +0200
+++ openssh-5.1p1/monitor.c	2008-07-23 16:36:10.000000000 +0200
+@@ -134,6 +134,7 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
@ -212,7 +250,7 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[] 
+@@ -205,6 +206,7 @@ struct mon_table mon_dispatch_proto20[] 
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -220,7 +258,7 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
-@@ -657,6 +659,7 @@ mm_answer_pwnamallow(int sock, Buffer *m
+@@ -658,6 +660,7 @@ mm_answer_pwnamallow(int sock, Buffer *m
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -228,7 +266,7 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 
-@@ -702,6 +705,23 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -703,6 +706,23 @@ mm_answer_authserv(int sock, Buffer *m)
 }
 
 int
@ -252,3 +290,39 @@ diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c
 mm_answer_authpassword(int sock, Buffer *m)
 {
 	static int call_count;
+@@ -1080,7 +1100,7 @@ static int
+ monitor_valid_userblob(u_char *data, u_int datalen)
+ {
+ 	Buffer b;
+-	char *p;
+	char *p, *r;
+ 	u_int len;
+ 	int fail = 0;
+ 
+@@ -1106,6 +1126,8 @@ monitor_valid_userblob(u_char *data, u_i
+ 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
+ 		fail++;
+ 	p = buffer_get_string(&b, NULL);
+	if ((r = strchr(p, '/')) != NULL)
+		*r = '\0';
+ 	if (strcmp(authctxt->user, p) != 0) {
+ 		logit("wrong user name passed to monitor: expected %s != %.100s",
+ 		    authctxt->user, p);
+@@ -1137,7 +1159,7 @@ monitor_valid_hostbasedblob(u_char *data
+     char *chost)
+ {
+ 	Buffer b;
+-	char *p;
+	char *p, *r;
+ 	u_int len;
+ 	int fail = 0;
+ 
+@@ -1154,6 +1176,8 @@ monitor_valid_hostbasedblob(u_char *data
+ 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
+ 		fail++;
+ 	p = buffer_get_string(&b, NULL);
+	if ((r = strchr(p, '/')) != NULL)
+		*r = '\0';
+ 	if (strcmp(authctxt->user, p) != 0) {
+ 		logit("wrong user name passed to monitor: expected %s != %.100s",
+ 		    authctxt->user, p);
--- a/openssh-5.1p1-vendor.patch
+++ b/openssh-5.1p1-vendor.patch
@ -1,7 +1,7 @@
-diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac
--- openssh-4.7p1/configure.ac.vendor	2007-09-06 16:27:47.000000000 +0200
-+++ openssh-4.7p1/configure.ac	2007-09-06 16:27:47.000000000 +0200
-@@ -3792,6 +3792,12 @@ AC_ARG_WITH(lastlog,
+diff -up openssh-5.1p1/configure.ac.vendor openssh-5.1p1/configure.ac
+--- openssh-5.1p1/configure.ac.vendor	2008-07-23 14:13:22.000000000 +0200
+++ openssh-5.1p1/configure.ac	2008-07-23 14:13:22.000000000 +0200
+@@ -3890,6 +3890,12 @@ AC_ARG_WITH(lastlog,
 		fi
 	]
 )
@ -14,7 +14,7 @@ diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac
 
 dnl lastlog, [uw]tmpx? detection
 dnl  NOTE: set the paths in the platform section to avoid the
-@@ -4041,6 +4047,7 @@ echo "       IP address in \$DISPLAY hac
+@@ -4146,6 +4152,7 @@ echo "       IP address in \$DISPLAY hac
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
@ -22,47 +22,47 @@ diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac
 if test ! -z "$USE_RAND_HELPER" ; then
 echo "     ssh-rand-helper collects from: $RAND_HELPER_MSG"
 fi
-diff -up openssh-4.7p1/sshd_config.5.vendor openssh-4.7p1/sshd_config.5
--- openssh-4.7p1/sshd_config.5.vendor	2007-09-06 16:27:47.000000000 +0200
-+++ openssh-4.7p1/sshd_config.5	2007-09-06 16:27:47.000000000 +0200
-@@ -725,6 +725,14 @@ This option applies to protocol version 
+diff -up openssh-5.1p1/sshd_config.5.vendor openssh-5.1p1/sshd_config.5
+--- openssh-5.1p1/sshd_config.5.vendor	2008-07-23 14:13:22.000000000 +0200
+++ openssh-5.1p1/sshd_config.5	2008-07-23 14:19:23.000000000 +0200
+@@ -812,6 +812,14 @@ This option applies to protocol version 
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
- The minimum value is 512, and the default is 768.
-+.It Cm ShowPatchLevel
-+Specifies whether
-+.Nm sshd
-+will display the patch level of the binary in the identification string.
-+The patch level is set at compile-time.
-+The default is
-+.Dq no .
-+This option applies to protocol version 1 only.
+ The minimum value is 512, and the default is 1024.
+.It Cm ShowPatchLevel 
+Specifies whether 
+.Nm sshd 
+will display the patch level of the binary in the identification string. 
+The patch level is set at compile-time. 
+The default is 
+.Dq no . 
+This option applies to protocol version 1 only. 
 .It Cm StrictModes
 Specifies whether
 .Xr sshd 8
-diff -up openssh-4.7p1/servconf.h.vendor openssh-4.7p1/servconf.h
--- openssh-4.7p1/servconf.h.vendor	2007-02-19 12:25:38.000000000 +0100
-+++ openssh-4.7p1/servconf.h	2007-09-06 16:27:47.000000000 +0200
-@@ -120,6 +120,7 @@ typedef struct {
- 	int	max_startups;
+diff -up openssh-5.1p1/servconf.h.vendor openssh-5.1p1/servconf.h
+--- openssh-5.1p1/servconf.h.vendor	2008-06-10 15:01:51.000000000 +0200
+++ openssh-5.1p1/servconf.h	2008-07-23 14:13:22.000000000 +0200
+@@ -126,6 +126,7 @@ typedef struct {
 	int	max_authtries;
+ 	int	max_sessions;
 	char   *banner;			/* SSH-2 banner message */
 +	int	show_patchlevel;	/* Show vendor patch level to clients */
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
-diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c
--- openssh-4.7p1/servconf.c.vendor	2007-05-20 07:03:16.000000000 +0200
-+++ openssh-4.7p1/servconf.c	2007-09-06 16:29:11.000000000 +0200
-@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions 
- 	options->max_startups = -1;
+diff -up openssh-5.1p1/servconf.c.vendor openssh-5.1p1/servconf.c
+--- openssh-5.1p1/servconf.c.vendor	2008-07-04 05:51:12.000000000 +0200
+++ openssh-5.1p1/servconf.c	2008-07-23 14:32:27.000000000 +0200
+@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions 
 	options->max_authtries = -1;
+ 	options->max_sessions = -1;
 	options->banner = NULL;
 +	options->show_patchlevel = -1;
 	options->use_dns = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
-@@ -250,6 +251,9 @@ fill_default_server_options(ServerOption
+@@ -259,6 +260,9 @@ fill_default_server_options(ServerOption
 	if (options->permit_tun == -1)
 		options->permit_tun = SSH_TUNMODE_NO;
 
@ -72,23 +72,24 @@ diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
 		use_privsep = 1;
-@@ -293,6 +297,7 @@ typedef enum {
+@@ -296,7 +300,7 @@ typedef enum {
+ 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
+ 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
+ 	sMaxStartups, sMaxAuthTries, sMaxSessions,
+-	sBanner, sUseDNS, sHostbasedAuthentication,
+	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
+ 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
+ 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
- 	sMatch, sPermitOpen, sForceCommand,
- 	sUsePrivilegeSeparation,
-+	sShowPatchLevel,
- 	sDeprecated, sUnsupported
- } ServerOpCodes;
- 
-@@ -390,6 +395,7 @@ static struct {
- 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
- 	{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
+@@ -401,6 +405,7 @@ static struct {
+ 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
+ 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
 	{ "banner", sBanner, SSHCFG_ALL },
 +	{ "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
-@@ -1005,6 +1011,10 @@ parse_flag:
+@@ -1020,6 +1025,10 @@ process_server_config_line(ServerOptions
 		intptr = &use_privsep;
 		goto parse_flag;
 
@ -99,12 +100,20 @@ diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c
 	case sAllowUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
 			if (options->num_allow_users >= MAX_ALLOW_USERS)
-diff -up openssh-4.7p1/sshd_config.0.vendor openssh-4.7p1/sshd_config.0
--- openssh-4.7p1/sshd_config.0.vendor	2007-09-06 16:27:47.000000000 +0200
-+++ openssh-4.7p1/sshd_config.0	2007-09-06 16:27:47.000000000 +0200
-@@ -418,6 +418,11 @@ DESCRIPTION
+@@ -1584,6 +1593,7 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_fmtint(sUseLogin, o->use_login);
+ 	dump_cfg_fmtint(sCompression, o->compression);
+ 	dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
+	dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
+ 	dump_cfg_fmtint(sUseDNS, o->use_dns);
+ 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+ 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+diff -up openssh-5.1p1/sshd_config.0.vendor openssh-5.1p1/sshd_config.0
+--- openssh-5.1p1/sshd_config.0.vendor	2008-07-23 14:13:22.000000000 +0200
+++ openssh-5.1p1/sshd_config.0	2008-07-23 14:13:22.000000000 +0200
+@@ -466,6 +466,11 @@ DESCRIPTION
              Defines the number of bits in the ephemeral protocol version 1
-              server key.  The minimum value is 512, and the default is 768.
+              server key.  The minimum value is 512, and the default is 1024.
 
 +     ShowPatchLevel
 +	     Specifies whether sshd will display the specific patch level of
@ -114,10 +123,10 @@ diff -up openssh-4.7p1/sshd_config.0.vendor openssh-4.7p1/sshd_config.0
      StrictModes
              Specifies whether sshd(8) should check file modes and ownership
              of the user's files and home directory before accepting login.
-diff -up openssh-4.7p1/sshd_config.vendor openssh-4.7p1/sshd_config
--- openssh-4.7p1/sshd_config.vendor	2007-09-06 16:27:47.000000000 +0200
-+++ openssh-4.7p1/sshd_config	2007-09-06 16:27:47.000000000 +0200
-@@ -109,6 +109,7 @@ X11Forwarding yes
+diff -up openssh-5.1p1/sshd_config.vendor openssh-5.1p1/sshd_config
+--- openssh-5.1p1/sshd_config.vendor	2008-07-23 14:13:22.000000000 +0200
+++ openssh-5.1p1/sshd_config	2008-07-23 14:13:22.000000000 +0200
+@@ -112,6 +112,7 @@ X11Forwarding yes
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
@ -125,20 +134,19 @@ diff -up openssh-4.7p1/sshd_config.vendor openssh-4.7p1/sshd_config
 #UseDNS yes
 #PidFile /var/run/sshd.pid
 #MaxStartups 10
-diff -up openssh-4.7p1/sshd.c.vendor openssh-4.7p1/sshd.c
--- openssh-4.7p1/sshd.c.vendor	2007-06-05 10:22:32.000000000 +0200
-+++ openssh-4.7p1/sshd.c	2007-09-06 16:27:47.000000000 +0200
-@@ -419,7 +419,8 @@ sshd_exchange_identification(int sock_in
- 		major = PROTOCOL_MAJOR_1;
+diff -up openssh-5.1p1/sshd.c.vendor openssh-5.1p1/sshd.c
+--- openssh-5.1p1/sshd.c.vendor	2008-07-11 09:36:49.000000000 +0200
+++ openssh-5.1p1/sshd.c	2008-07-23 14:35:43.000000000 +0200
+@@ -416,7 +416,7 @@ sshd_exchange_identification(int sock_in
 		minor = PROTOCOL_MINOR_1;
 	}
-	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
-+	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor,
-+		 (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION);
+ 	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
+-	    SSH_VERSION, newline);
+	   (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
 	server_version_string = xstrdup(buf);
 
 	/* Send our protocol version identification. */
-@@ -1434,7 +1435,8 @@ main(int ac, char **av)
+@@ -1484,7 +1484,8 @@ main(int ac, char **av)
 		exit(1);
 	}
 
--- a/openssh.spec
+++ b/openssh.spec
@ -62,8 +62,8 @@

 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
-Version: 5.0p1
-Release: 3%{?dist}%{?rescue_rel}
+Version: 5.1p1
+Release: 1%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -74,17 +74,17 @@ Source0: openssh-%{version}-noacss.tar.bz2
 Source1: openssh-nukeacss.sh
 Source2: sshd.pam
 Source3: sshd.init
-Patch0: openssh-4.7p1-redhat.patch
+Patch0: openssh-5.1p1-redhat.patch
 Patch2: openssh-3.8.1p1-skip-initial.patch
 Patch3: openssh-3.8.1p1-krb5-config.patch
-Patch4: openssh-4.7p1-vendor.patch
-Patch12: openssh-4.7p1-selinux.patch
+Patch4: openssh-5.1p1-vendor.patch
+Patch12: openssh-5.1p1-selinux.patch
 Patch13: openssh-4.7p1-mls.patch
 Patch16: openssh-4.7p1-audit.patch
 Patch17: openssh-4.3p2-cve-2007-3102.patch
 Patch22: openssh-3.9p1-askpass-keep-above.patch
 Patch24: openssh-4.3p1-fromto-remote.patch
-Patch27: openssh-4.7p1-log-in-chroot.patch
+Patch27: openssh-5.1p1-log-in-chroot.patch
 Patch30: openssh-4.0p1-exit-deadlock.patch
 Patch35: openssh-4.2p1-askpass-progress.patch
 Patch38: openssh-4.3p2-askpass-grab-info.patch
@ -93,11 +93,8 @@ Patch44: openssh-4.3p2-allow-ip-opts.patch
 Patch49: openssh-4.3p2-gssapi-canohost.patch
 Patch51: openssh-4.7p1-nss-keys.patch
 Patch54: openssh-4.7p1-gssapi-role.patch
-Patch55: openssh-4.7p1-cloexec.patch
-Patch58: openssh-4.5p1-controlcleanup.patch
-Patch59: openssh-4.7p1-master-race.patch
+Patch55: openssh-5.1p1-cloexec.patch
 Patch60: openssh-5.0p1-pam_selinux.patch
-Patch61: openssh-5.0p1-unbreakalive.patch
 Patch62: openssh-3.9p1-scp-manpage.patch

 License: BSD
@ -229,10 +226,7 @@ an X11 passphrase dialog for OpenSSH.
 %patch51 -p1 -b .nss-keys
 %patch54 -p0 -b .gssapi-role
 %patch55 -p1 -b .cloexec
-%patch58 -p1 -b .controlcleanup
-%patch59 -p1 -b .master-race
 %patch60 -p1 -b .pam_selinux
-%patch61 -p0 -b .unbreakalive
 %patch62 -p0 -b .manpage

 autoreconf
@ -423,7 +417,7 @@ fi

 %files
 %defattr(-,root,root)
-%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* RFC* TODO WARNING*
+%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW PROTOCOL* README* TODO WARNING*
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
 %if ! %{rescue}
@ -468,6 +462,7 @@ fi
 %attr(0755,root,root) %{_sbindir}/sshd
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
+%attr(0644,root,root) %{_mandir}/man5/moduli.5*
 %attr(0644,root,root) %{_mandir}/man8/sshd.8*
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
@ -484,6 +479,11 @@ fi
 %endif

 %changelog
+* Wed Jul 23 2008 Tomas Mraz <tmraz@redhat.com> - 5.1p1-1
+- upgrade to new upstream release
+- fixed a problem with public key authentication and explicitely
+  specified SELinux role
+
 * Wed May 21 2008 Tomas Mraz <tmraz@redhat.com> - 5.0p1-3
 - pass the connection socket to ssh-keysign (#447680)

--- a/2
+++ b/2
@ -1 +1 @@
-e39c15a5fb9036bd64256c78a6fbf394  openssh-5.0p1-noacss.tar.bz2
+5273579190b10f53baaf87f3c6eb0d73  openssh-5.1p1-noacss.tar.bz2