another audit improovements

2011-02-21 20:24:29 +01:00 · 2011-02-21 20:24:29 +01:00 · c2b0098c73
commit c2b0098c73
parent 9cefae06b0
10 changed files with 452 additions and 1260 deletions
--- a/openssh-5.8p1-audit1.patch
+++ b/openssh-5.8p1-audit1.patch
@ -1,18 +1,31 @@
 diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
 --- openssh-5.8p1/audit-linux.c.audit1	2011-01-17 11:15:30.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-16 23:26:59.000000000 +0100
-@@ -39,8 +39,8 @@
+++ openssh-5.8p1/audit-linux.c	2011-02-21 20:01:00.000000000 +0100
+@@ -35,13 +35,20 @@
 
+ #include "log.h"
+ #include "audit.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#include "servconf.h"
+ #include "canohost.h"
+ 
+extern ServerOptions options;
+extern Authctxt *the_authctxt;
+extern u_int utmp_len;
 const char* audit_username(void);
 
 -int
 -linux_audit_record_event(int uid, const char *username,
+-    const char *hostname, const char *ip, const char *ttyn, int success)
 +static void
-+linux_audit_user_login(int uid, const char *username,
-     const char *hostname, const char *ip, const char *ttyn, int success)
+linux_audit_user_logxxx(int uid, const char *username,
+    const char *hostname, const char *ip, const char *ttyn, int success, int event)
 {
 	int audit_fd, rc, saved_errno;
-@@ -49,9 +49,9 @@ linux_audit_record_event(int uid, const 
+ 
+@@ -49,11 +56,11 @@ linux_audit_record_event(int uid, const 
 	if (audit_fd < 0) {
 		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
 		    errno == EAFNOSUPPORT)
@ -22,9 +35,12 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
 -			return 0; /* Must prevent login */
 +			goto fatal_report; /* Must prevent login */
 	}
- 	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+-	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
+	rc = audit_log_acct_message(audit_fd, event,
 	    NULL, "login", username ? username : "(unknown)",
-@@ -65,7 +65,62 @@ linux_audit_record_event(int uid, const 
+ 	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
+ 	saved_errno = errno;
+@@ -65,35 +72,102 @@ linux_audit_record_event(int uid, const 
 	if ((rc == -EPERM) && (geteuid() != 0))
 		rc = 0;
 	errno = saved_errno;
@ -41,19 +57,19 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
 +{
 +	int audit_fd, rc, saved_errno;
 +	static const char *event_name[] = {
-+		"exceed maxtries",
+		"maxtries exceeded",
 +		"root denied",
 +		"success",
 +		"none",
-+		"pasword",
-+		"chalenge-response",
+		"password",
+		"challenge-response",
 +		"pubkey",
 +		"hostbased",
 +		"gssapi",
 +		"invalid user",
 +		"nologin",
-+		"connection close",
-+		"connection abandon",
+		"connection closed",
+		"connection abandoned",
 +		"unknown"
 +	};
 +
@ -87,8 +103,10 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
 +	}
 }
 
+static int user_login_count = 0;
+
 /* Below is the sshd audit API code */
-@@ -73,8 +128,8 @@ linux_audit_record_event(int uid, const 
+ 
 void
 audit_connection_from(const char *host, int port)
 {
@ -98,19 +116,41 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
 
 void
 audit_run_command(const char *command)
-@@ -85,9 +140,8 @@ audit_run_command(const char *command)
+ {
+-	/* not implemented */
+	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
+	    NULL, "ssh", 1, AUDIT_USER_START);
+	if (!user_login_count++) 
+		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
+		    NULL, "ssh", 1, AUDIT_USER_LOGIN);
+ }
+ 
 void
 audit_session_open(struct logininfo *li)
 {
 -	if (linux_audit_record_event(li->uid, NULL, li->hostname,
 -	    NULL, li->line, 1) == 0)
 -		fatal("linux_audit_write_entry failed: %s", strerror(errno));
-+	linux_audit_user_login(li->uid, NULL, li->hostname,
-+	    NULL, li->line, 1);
+	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+	    NULL, li->line, 1, AUDIT_USER_START);
+	if (!user_login_count++) 
+		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+		    NULL, li->line, 1, AUDIT_USER_LOGIN);
 }
 
 void
-@@ -101,20 +155,33 @@ audit_event(ssh_audit_event_t event)
+ audit_session_close(struct logininfo *li)
+ {
+-	/* not implemented */
+	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+	    NULL, li->line, 1, AUDIT_USER_END);
+	if (!--user_login_count) 
+		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
+		    NULL, li->line, 1, AUDIT_USER_LOGOUT);
+ }
+ 
+ void
+@@ -101,21 +175,34 @@ audit_event(ssh_audit_event_t event)
 {
 	switch(event) {
 	case SSH_AUTH_SUCCESS:
@ -124,8 +164,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
 	case SSH_LOGIN_ROOT_DENIED:
 +		linux_audit_user_auth(-1, audit_username(), NULL,
 +			get_remote_ipaddr(), "sshd", 0, event);
-+		linux_audit_user_login(-1, audit_username(), NULL,
-+			get_remote_ipaddr(), "sshd", 0);
+		linux_audit_user_logxxx(-1, audit_username(), NULL,
+			get_remote_ipaddr(), "sshd", 0, AUDIT_USER_LOGIN);
 		break;
 
 +	case SSH_LOGIN_EXCEED_MAXTRIES:
@ -143,7 +183,9 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
 +	case SSH_CONNECTION_ABANDON:
 	case SSH_INVALID_USER:
 -		linux_audit_record_event(-1, audit_username(), NULL,
-+		linux_audit_user_login(-1, audit_username(), NULL,
- 			get_remote_ipaddr(), "sshd", 0);
+-			get_remote_ipaddr(), "sshd", 0);
+		linux_audit_user_logxxx(-1, audit_username(), NULL,
+			get_remote_ipaddr(), "sshd", 0, AUDIT_USER_LOGIN);
 		break;
 
+ 	default:
--- a/openssh-5.8p1-audit1a.patch
+++ b/openssh-5.8p1-audit1a.patch
@ -1,127 +0,0 @@
-diff -up openssh-5.8p1/audit-linux.c.audit1a openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit1a	2011-02-21 18:14:37.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-21 18:17:33.000000000 +0100
-@@ -35,13 +35,20 @@
- 
- #include "log.h"
- #include "audit.h"
-+#include "key.h"
-+#include "hostfile.h"
-+#include "auth.h"
-+#include "servconf.h"
- #include "canohost.h"
- 
-+extern ServerOptions options;
-+extern Authctxt *the_authctxt;
-+extern u_int utmp_len;
- const char* audit_username(void);
- 
- static void
-linux_audit_user_login(int uid, const char *username,
-    const char *hostname, const char *ip, const char *ttyn, int success)
-+linux_audit_user_logxxx(int uid, const char *username,
-+    const char *hostname, const char *ip, const char *ttyn, int success, int event)
- {
- 	int audit_fd, rc, saved_errno;
- 
-@@ -53,7 +60,7 @@ linux_audit_user_login(int uid, const ch
- 		else
- 			goto fatal_report; /* Must prevent login */
- 	}
-	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
-+	rc = audit_log_acct_message(audit_fd, event,
- 	    NULL, "login", username ? username : "(unknown)",
- 	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
- 	saved_errno = errno;
-@@ -77,19 +84,19 @@ linux_audit_user_auth(int uid, const cha
- {
- 	int audit_fd, rc, saved_errno;
- 	static const char *event_name[] = {
-		"exceed maxtries",
-+		"maxtries exceeded",
- 		"root denied",
- 		"success",
- 		"none",
-		"pasword",
-		"chalenge-response",
-+		"password",
-+		"challenge-response",
- 		"pubkey",
- 		"hostbased",
- 		"gssapi",
- 		"invalid user",
- 		"nologin",
-		"connection close",
-		"connection abandon",
-+		"connection closed",
-+		"connection abandoned",
- 		"unknown"
- 	};
- 
-@@ -123,6 +130,8 @@ fatal_report:
- 	}
- }
- 
-+static int user_login_count = 0;
-+
- /* Below is the sshd audit API code */
- 
- void
-@@ -134,20 +143,31 @@ audit_connection_from(const char *host, 
- void
- audit_run_command(const char *command)
- {
-	/* not implemented */
-+	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
-+	    NULL, "ssh", 1, AUDIT_USER_START);
-+	if (!user_login_count++) 
-+		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
-+		    NULL, "ssh", 1, AUDIT_USER_LOGIN);
- }
- 
- void
- audit_session_open(struct logininfo *li)
- {
-	linux_audit_user_login(li->uid, NULL, li->hostname,
-	    NULL, li->line, 1);
-+	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
-+	    NULL, li->line, 1, AUDIT_USER_START);
-+	if (!user_login_count++) 
-+		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
-+		    NULL, li->line, 1, AUDIT_USER_LOGIN);
- }
- 
- void
- audit_session_close(struct logininfo *li)
- {
-	/* not implemented */
-+	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
-+	    NULL, li->line, 1, AUDIT_USER_END);
-+	if (!--user_login_count) 
-+		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
-+		    NULL, li->line, 1, AUDIT_USER_LOGOUT);
- }
- 
- void
-@@ -163,8 +183,8 @@ audit_event(ssh_audit_event_t event)
- 	case SSH_LOGIN_ROOT_DENIED:
- 		linux_audit_user_auth(-1, audit_username(), NULL,
- 			get_remote_ipaddr(), "sshd", 0, event);
-		linux_audit_user_login(-1, audit_username(), NULL,
-			get_remote_ipaddr(), "sshd", 0);
-+		linux_audit_user_logxxx(-1, audit_username(), NULL,
-+			get_remote_ipaddr(), "sshd", 0, AUDIT_USER_LOGIN);
- 		break;
- 
- 	case SSH_LOGIN_EXCEED_MAXTRIES:
-@@ -181,8 +201,8 @@ audit_event(ssh_audit_event_t event)
- 	case SSH_CONNECTION_CLOSE:
- 	case SSH_CONNECTION_ABANDON:
- 	case SSH_INVALID_USER:
-		linux_audit_user_login(-1, audit_username(), NULL,
-			get_remote_ipaddr(), "sshd", 0);
-+		linux_audit_user_logxxx(-1, audit_username(), NULL,
-+			get_remote_ipaddr(), "sshd", 0, AUDIT_USER_LOGIN);
- 		break;
- 
- 	default:
--- a/openssh-5.8p1-audit2.patch
+++ b/openssh-5.8p1-audit2.patch
@ -1,12 +1,12 @@
 diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
 --- openssh-5.8p1/audit-bsm.c.audit2	2011-01-17 11:15:29.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-02-21 18:21:20.000000000 +0100
+++ openssh-5.8p1/audit-bsm.c	2011-02-21 20:04:37.000000000 +0100
@@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li
 	/* not implemented */
 }
 
 +int
-+audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv)
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
 +{
 +	/* not implemented */
 +}
@ -16,34 +16,31 @@ diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
 {
 diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
 --- openssh-5.8p1/audit.c.audit2	2011-01-17 11:15:30.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-02-21 18:21:21.000000000 +0100
-@@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev)
+++ openssh-5.8p1/audit.c	2011-02-21 20:04:37.000000000 +0100
+@@ -36,6 +36,7 @@
+ #include "key.h"
+ #include "hostfile.h"
+ #include "auth.h"
+#include "xmalloc.h"
+ 
+ /*
+  * Care must be taken when using this since it WILL NOT be initialized when
+@@ -111,6 +112,22 @@ audit_event_lookup(ssh_audit_event_t ev)
 	return(event_lookup[i].name);
 }
 
-+int
-+audit_key(int type, int *rv, const Key *key)
+void
+audit_key(int host_user, int *rv, const Key *key)
 +{
 +	char *fp;
-+	unsigned size = 0;
-+	const char *crypto_name[] = {
-+		"ssh-rsa1",
-+		"ssh-rsa",
-+		"ssh-dsa",
-+		"unknown" };
+	const char *crypto_name;
 +
 +	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+	switch(key->type) {
-+		case KEY_RSA1:
-+		case KEY_RSA:
-+			size = RSA_size(key->rsa);
-+			break;
-+		case KEY_DSA:
-+			size = DSA_size(key->dsa);
-+			break;
-+	}
-+
-+	if (audit_keyusage(0, crypto_name[key->type], size, fp, *rv) == 0)
+	if (key->type == KEY_RSA1)
+		crypto_name = "ssh-rsa1";
+	else
+		crypto_name = key_ssh_name(key);
+	if (audit_keyusage(host_user, crypto_name, key_size(key), fp, *rv) == 0)
 +		*rv = 0;
 +	xfree(fp);
 +}
@ -51,7 +48,7 @@ diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
 # ifndef CUSTOM_SSH_AUDIT_EVENTS
 /*
  * Null implementations of audit functions.
-@@ -182,5 +209,17 @@ audit_run_command(const char *command)
+@@ -182,5 +199,17 @@ audit_run_command(const char *command)
 	debug("audit run command euid %d user %s command '%.200s'", geteuid(),
 	    audit_username(), command);
 }
@ -62,16 +59,16 @@ diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
 + * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
 + */
 +int
-+audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv)
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
 +{
 +	debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d", 
-+		host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, len, fp, rv);
+		host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, bits, fp, rv);
 +}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
 --- openssh-5.8p1/audit.h.audit2	2011-01-17 11:15:30.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-02-21 18:21:21.000000000 +0100
+++ openssh-5.8p1/audit.h	2011-02-21 20:04:37.000000000 +0100
@@ -28,6 +28,7 @@
 # define _SSH_AUDIT_H
 
@ -85,12 +82,12 @@ diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
 void	audit_run_command(const char *);
 ssh_audit_event_t audit_classify_auth(const char *);
 +int	audit_keyusage(int, const char *, unsigned, char *, int);
-+int	audit_key(int, int *, const Key *);
+void	audit_key(int, int *, const Key *);
 
 #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit2	2011-02-21 18:21:20.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-21 18:21:56.000000000 +0100
+--- openssh-5.8p1/audit-linux.c.audit2	2011-02-21 20:04:37.000000000 +0100
+++ openssh-5.8p1/audit-linux.c	2011-02-21 20:04:37.000000000 +0100
@@ -41,6 +41,8 @@
 #include "servconf.h"
 #include "canohost.h"
@ -105,7 +102,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
 }
 
 +int
-+audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv)
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
 +{
 +	char buf[AUDIT_LOG_SIZE];
 +	int audit_fd, rc, saved_errno;
@ -124,7 +121,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
 +	if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
 +		goto out;
 +	snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d",
-+			type, 8 * len, fp, get_remote_port());
+			type, bits, fp, get_remote_port());
 +	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
 +		buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
 +out:
@ -140,7 +137,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
 /* Below is the sshd audit API code */
 diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
 --- openssh-5.8p1/auth2-hostbased.c.audit2	2010-08-05 05:04:50.000000000 +0200
-+++ openssh-5.8p1/auth2-hostbased.c	2011-02-21 18:21:21.000000000 +0100
+++ openssh-5.8p1/auth2-hostbased.c	2011-02-21 20:04:37.000000000 +0100
@@ -136,6 +136,18 @@ done:
 	return authenticated;
 }
@ -162,7 +159,7 @@ diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
 diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
 --- openssh-5.8p1/auth2-pubkey.c.audit2	2010-12-01 01:50:14.000000000 +0100
-+++ openssh-5.8p1/auth2-pubkey.c	2011-02-21 18:21:21.000000000 +0100
+++ openssh-5.8p1/auth2-pubkey.c	2011-02-21 20:04:37.000000000 +0100
@@ -177,6 +177,18 @@ done:
 	return authenticated;
 }
@ -184,7 +181,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
 {
 diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
 --- openssh-5.8p1/auth.h.audit2	2010-05-10 03:58:03.000000000 +0200
-+++ openssh-5.8p1/auth.h	2011-02-21 18:21:21.000000000 +0100
+++ openssh-5.8p1/auth.h	2011-02-21 20:04:37.000000000 +0100
@@ -170,6 +170,7 @@ void	abandon_challenge_response(Authctxt
 char	*authorized_keys_file(struct passwd *);
 char	*authorized_keys_file2(struct passwd *);
@ -203,7 +200,7 @@ diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
 void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
 diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
 --- openssh-5.8p1/auth-rsa.c.audit2	2010-12-04 23:01:47.000000000 +0100
-+++ openssh-5.8p1/auth-rsa.c	2011-02-21 18:21:21.000000000 +0100
+++ openssh-5.8p1/auth-rsa.c	2011-02-21 20:04:37.000000000 +0100
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
 {
 	u_char buf[32], mdbuf[16];
@ -227,7 +224,7 @@ diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
 +
 +#ifdef SSH_AUDIT_EVENTS
 +	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+	if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa), fp, rv) == 0) {
+	if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
 +		debug("unsuccessful audit");
 +		rv = 0;
 	}
@ -242,7 +239,7 @@ diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
 /*
 diff -up openssh-5.8p1/monitor.c.audit2 openssh-5.8p1/monitor.c
 --- openssh-5.8p1/monitor.c.audit2	2010-09-10 03:23:34.000000000 +0200
-+++ openssh-5.8p1/monitor.c	2011-02-21 18:21:21.000000000 +0100
+++ openssh-5.8p1/monitor.c	2011-02-21 20:04:37.000000000 +0100
@@ -1235,7 +1235,17 @@ mm_answer_keyverify(int sock, Buffer *m)
 	if (!valid_data)
 		fatal("%s: bad signature data blob", __func__);
--- a/openssh-5.8p1-audit2a.patch
+++ b/openssh-5.8p1-audit2a.patch
@ -1,318 +0,0 @@
-diff -up openssh-5.8p1/acss.c.audit2a openssh-5.8p1/acss.c
-diff -up openssh-5.8p1/acss.h.audit2a openssh-5.8p1/acss.h
-diff -up openssh-5.8p1/addrmatch.c.audit2a openssh-5.8p1/addrmatch.c
-diff -up openssh-5.8p1/atomicio.c.audit2a openssh-5.8p1/atomicio.c
-diff -up openssh-5.8p1/atomicio.h.audit2a openssh-5.8p1/atomicio.h
-diff -up openssh-5.8p1/audit-bsm.c.audit2a openssh-5.8p1/audit-bsm.c
--- openssh-5.8p1/audit-bsm.c.audit2a	2011-02-21 16:17:09.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-02-21 16:20:57.000000000 +0100
-@@ -317,7 +317,7 @@ audit_session_close(struct logininfo *li
- }
- 
- int
-audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv)
-+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
- {
- 	/* not implemented */
- }
-diff -up openssh-5.8p1/audit.c.audit2a openssh-5.8p1/audit.c
--- openssh-5.8p1/audit.c.audit2a	2011-02-21 16:17:09.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-02-21 16:23:39.000000000 +0100
-@@ -36,6 +36,7 @@
- #include "key.h"
- #include "hostfile.h"
- #include "auth.h"
-+#include "xmalloc.h"
- 
- /*
-  * Care must be taken when using this since it WILL NOT be initialized when
-@@ -111,29 +112,18 @@ audit_event_lookup(ssh_audit_event_t ev)
- 	return(event_lookup[i].name);
- }
- 
-int
-audit_key(int type, int *rv, const Key *key)
-+void
-+audit_key(int host_user, int *rv, const Key *key)
- {
- 	char *fp;
-	unsigned size = 0;
-	const char *crypto_name[] = {
-		"ssh-rsa1",
-		"ssh-rsa",
-		"ssh-dsa",
-		"unknown" };
-+	const char *crypto_name;
- 
- 	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-	switch(key->type) {
-		case KEY_RSA1:
-		case KEY_RSA:
-			size = RSA_size(key->rsa);
-			break;
-		case KEY_DSA:
-			size = DSA_size(key->dsa);
-			break;
-	}
-
-	if (audit_keyusage(0, crypto_name[key->type], size, fp, *rv) == 0)
-+	if (key->type == KEY_RSA1)
-+		crypto_name = "ssh-rsa1";
-+	else
-+		crypto_name = key_ssh_name(key);
-+	if (audit_keyusage(host_user, crypto_name, key_size(key), fp, *rv) == 0)
- 		*rv = 0;
- 	xfree(fp);
- }
-@@ -216,10 +206,10 @@ audit_run_command(const char *command)
-  * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
-  */
- int
-audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv)
-+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
- {
- 	debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d", 
-		host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, len, fp, rv);
-+		host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, bits, fp, rv);
- }
- # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
- #endif /* SSH_AUDIT_EVENTS */
-diff -up openssh-5.8p1/audit.h.audit2a openssh-5.8p1/audit.h
--- openssh-5.8p1/audit.h.audit2a	2011-02-21 16:17:09.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-02-21 16:24:27.000000000 +0100
-@@ -55,6 +55,6 @@ void	audit_session_close(struct logininf
- void	audit_run_command(const char *);
- ssh_audit_event_t audit_classify_auth(const char *);
- int	audit_keyusage(int, const char *, unsigned, char *, int);
-int	audit_key(int, int *, const Key *);
-+void	audit_key(int, int *, const Key *);
- 
- #endif /* _SSH_AUDIT_H */
-diff -up openssh-5.8p1/audit-linux.c.audit2a openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit2a	2011-02-21 16:17:09.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-21 16:21:19.000000000 +0100
-@@ -129,7 +129,7 @@ fatal_report:
- }
- 
- int
-audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv)
-+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
- {
- 	char buf[AUDIT_LOG_SIZE];
- 	int audit_fd, rc, saved_errno;
-@@ -148,7 +148,7 @@ audit_keyusage(int host_user, const char
- 	if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
- 		goto out;
- 	snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d",
-			type, 8 * len, fp, get_remote_port());
-+			type, bits, fp, get_remote_port());
- 	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
- 		buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
- out:
-diff -up openssh-5.8p1/auth1.c.audit2a openssh-5.8p1/auth1.c
-diff -up openssh-5.8p1/auth2.c.audit2a openssh-5.8p1/auth2.c
-diff -up openssh-5.8p1/auth2-chall.c.audit2a openssh-5.8p1/auth2-chall.c
-diff -up openssh-5.8p1/auth2-gss.c.audit2a openssh-5.8p1/auth2-gss.c
-diff -up openssh-5.8p1/auth2-hostbased.c.audit2a openssh-5.8p1/auth2-hostbased.c
-diff -up openssh-5.8p1/auth2-jpake.c.audit2a openssh-5.8p1/auth2-jpake.c
-diff -up openssh-5.8p1/auth2-kbdint.c.audit2a openssh-5.8p1/auth2-kbdint.c
-diff -up openssh-5.8p1/auth2-none.c.audit2a openssh-5.8p1/auth2-none.c
-diff -up openssh-5.8p1/auth2-passwd.c.audit2a openssh-5.8p1/auth2-passwd.c
-diff -up openssh-5.8p1/auth2-pubkey.c.audit2a openssh-5.8p1/auth2-pubkey.c
-diff -up openssh-5.8p1/auth-bsdauth.c.audit2a openssh-5.8p1/auth-bsdauth.c
-diff -up openssh-5.8p1/auth.c.audit2a openssh-5.8p1/auth.c
-diff -up openssh-5.8p1/auth-chall.c.audit2a openssh-5.8p1/auth-chall.c
-diff -up openssh-5.8p1/authfd.c.audit2a openssh-5.8p1/authfd.c
-diff -up openssh-5.8p1/authfd.h.audit2a openssh-5.8p1/authfd.h
-diff -up openssh-5.8p1/authfile.c.audit2a openssh-5.8p1/authfile.c
-diff -up openssh-5.8p1/authfile.h.audit2a openssh-5.8p1/authfile.h
-diff -up openssh-5.8p1/auth.h.audit2a openssh-5.8p1/auth.h
-diff -up openssh-5.8p1/auth-krb5.c.audit2a openssh-5.8p1/auth-krb5.c
-diff -up openssh-5.8p1/auth-options.c.audit2a openssh-5.8p1/auth-options.c
-diff -up openssh-5.8p1/auth-options.h.audit2a openssh-5.8p1/auth-options.h
-diff -up openssh-5.8p1/auth-pam.c.audit2a openssh-5.8p1/auth-pam.c
-diff -up openssh-5.8p1/auth-pam.h.audit2a openssh-5.8p1/auth-pam.h
-diff -up openssh-5.8p1/auth-passwd.c.audit2a openssh-5.8p1/auth-passwd.c
-diff -up openssh-5.8p1/auth-rhosts.c.audit2a openssh-5.8p1/auth-rhosts.c
-diff -up openssh-5.8p1/auth-rh-rsa.c.audit2a openssh-5.8p1/auth-rh-rsa.c
-diff -up openssh-5.8p1/auth-rsa.c.audit2a openssh-5.8p1/auth-rsa.c
--- openssh-5.8p1/auth-rsa.c.audit2a	2011-02-21 16:17:09.000000000 +0100
-+++ openssh-5.8p1/auth-rsa.c	2011-02-21 16:25:17.000000000 +0100
-@@ -120,7 +120,7 @@ auth_rsa_verify_response(Key *key, BIGNU
- 
- #ifdef SSH_AUDIT_EVENTS
- 	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-	if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa), fp, rv) == 0) {
-+	if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
- 		debug("unsuccessful audit");
- 		rv = 0;
- 	}
-diff -up openssh-5.8p1/auth-shadow.c.audit2a openssh-5.8p1/auth-shadow.c
-diff -up openssh-5.8p1/auth-sia.c.audit2a openssh-5.8p1/auth-sia.c
-diff -up openssh-5.8p1/auth-sia.h.audit2a openssh-5.8p1/auth-sia.h
-diff -up openssh-5.8p1/auth-skey.c.audit2a openssh-5.8p1/auth-skey.c
-diff -up openssh-5.8p1/bufaux.c.audit2a openssh-5.8p1/bufaux.c
-diff -up openssh-5.8p1/bufbn.c.audit2a openssh-5.8p1/bufbn.c
-diff -up openssh-5.8p1/bufec.c.audit2a openssh-5.8p1/bufec.c
-diff -up openssh-5.8p1/buffer.c.audit2a openssh-5.8p1/buffer.c
-diff -up openssh-5.8p1/buffer.h.audit2a openssh-5.8p1/buffer.h
-diff -up openssh-5.8p1/canohost.c.audit2a openssh-5.8p1/canohost.c
-diff -up openssh-5.8p1/canohost.h.audit2a openssh-5.8p1/canohost.h
-diff -up openssh-5.8p1/channels.c.audit2a openssh-5.8p1/channels.c
-diff -up openssh-5.8p1/channels.h.audit2a openssh-5.8p1/channels.h
-diff -up openssh-5.8p1/cipher-3des1.c.audit2a openssh-5.8p1/cipher-3des1.c
-diff -up openssh-5.8p1/cipher-acss.c.audit2a openssh-5.8p1/cipher-acss.c
-diff -up openssh-5.8p1/cipher-aes.c.audit2a openssh-5.8p1/cipher-aes.c
-diff -up openssh-5.8p1/cipher-bf1.c.audit2a openssh-5.8p1/cipher-bf1.c
-diff -up openssh-5.8p1/cipher.c.audit2a openssh-5.8p1/cipher.c
-diff -up openssh-5.8p1/cipher-ctr.c.audit2a openssh-5.8p1/cipher-ctr.c
-diff -up openssh-5.8p1/cipher.h.audit2a openssh-5.8p1/cipher.h
-diff -up openssh-5.8p1/cleanup.c.audit2a openssh-5.8p1/cleanup.c
-diff -up openssh-5.8p1/clientloop.c.audit2a openssh-5.8p1/clientloop.c
-diff -up openssh-5.8p1/clientloop.h.audit2a openssh-5.8p1/clientloop.h
-diff -up openssh-5.8p1/compat.c.audit2a openssh-5.8p1/compat.c
-diff -up openssh-5.8p1/compat.h.audit2a openssh-5.8p1/compat.h
-diff -up openssh-5.8p1/compress.c.audit2a openssh-5.8p1/compress.c
-diff -up openssh-5.8p1/compress.h.audit2a openssh-5.8p1/compress.h
-diff -up openssh-5.8p1/crc32.c.audit2a openssh-5.8p1/crc32.c
-diff -up openssh-5.8p1/crc32.h.audit2a openssh-5.8p1/crc32.h
-diff -up openssh-5.8p1/deattack.c.audit2a openssh-5.8p1/deattack.c
-diff -up openssh-5.8p1/deattack.h.audit2a openssh-5.8p1/deattack.h
-diff -up openssh-5.8p1/defines.h.audit2a openssh-5.8p1/defines.h
-diff -up openssh-5.8p1/dh.c.audit2a openssh-5.8p1/dh.c
-diff -up openssh-5.8p1/dh.h.audit2a openssh-5.8p1/dh.h
-diff -up openssh-5.8p1/dispatch.c.audit2a openssh-5.8p1/dispatch.c
-diff -up openssh-5.8p1/dispatch.h.audit2a openssh-5.8p1/dispatch.h
-diff -up openssh-5.8p1/dns.c.audit2a openssh-5.8p1/dns.c
-diff -up openssh-5.8p1/dns.h.audit2a openssh-5.8p1/dns.h
-diff -up openssh-5.8p1/entropy.c.audit2a openssh-5.8p1/entropy.c
-diff -up openssh-5.8p1/entropy.h.audit2a openssh-5.8p1/entropy.h
-diff -up openssh-5.8p1/fatal.c.audit2a openssh-5.8p1/fatal.c
-diff -up openssh-5.8p1/groupaccess.c.audit2a openssh-5.8p1/groupaccess.c
-diff -up openssh-5.8p1/groupaccess.h.audit2a openssh-5.8p1/groupaccess.h
-diff -up openssh-5.8p1/gss-genr.c.audit2a openssh-5.8p1/gss-genr.c
-diff -up openssh-5.8p1/gss-serv.c.audit2a openssh-5.8p1/gss-serv.c
-diff -up openssh-5.8p1/gss-serv-krb5.c.audit2a openssh-5.8p1/gss-serv-krb5.c
-diff -up openssh-5.8p1/hostfile.c.audit2a openssh-5.8p1/hostfile.c
-diff -up openssh-5.8p1/hostfile.h.audit2a openssh-5.8p1/hostfile.h
-diff -up openssh-5.8p1/includes.h.audit2a openssh-5.8p1/includes.h
-diff -up openssh-5.8p1/jpake.c.audit2a openssh-5.8p1/jpake.c
-diff -up openssh-5.8p1/jpake.h.audit2a openssh-5.8p1/jpake.h
-diff -up openssh-5.8p1/kex.c.audit2a openssh-5.8p1/kex.c
-diff -up openssh-5.8p1/kexdh.c.audit2a openssh-5.8p1/kexdh.c
-diff -up openssh-5.8p1/kexdhc.c.audit2a openssh-5.8p1/kexdhc.c
-diff -up openssh-5.8p1/kexdhs.c.audit2a openssh-5.8p1/kexdhs.c
-diff -up openssh-5.8p1/kexecdh.c.audit2a openssh-5.8p1/kexecdh.c
-diff -up openssh-5.8p1/kexecdhc.c.audit2a openssh-5.8p1/kexecdhc.c
-diff -up openssh-5.8p1/kexecdhs.c.audit2a openssh-5.8p1/kexecdhs.c
-diff -up openssh-5.8p1/kexgex.c.audit2a openssh-5.8p1/kexgex.c
-diff -up openssh-5.8p1/kexgexc.c.audit2a openssh-5.8p1/kexgexc.c
-diff -up openssh-5.8p1/kexgexs.c.audit2a openssh-5.8p1/kexgexs.c
-diff -up openssh-5.8p1/kex.h.audit2a openssh-5.8p1/kex.h
-diff -up openssh-5.8p1/key.c.audit2a openssh-5.8p1/key.c
-diff -up openssh-5.8p1/key.h.audit2a openssh-5.8p1/key.h
-diff -up openssh-5.8p1/log.c.audit2a openssh-5.8p1/log.c
-diff -up openssh-5.8p1/log.h.audit2a openssh-5.8p1/log.h
-diff -up openssh-5.8p1/loginrec.c.audit2a openssh-5.8p1/loginrec.c
-diff -up openssh-5.8p1/loginrec.h.audit2a openssh-5.8p1/loginrec.h
-diff -up openssh-5.8p1/logintest.c.audit2a openssh-5.8p1/logintest.c
-diff -up openssh-5.8p1/mac.c.audit2a openssh-5.8p1/mac.c
-diff -up openssh-5.8p1/mac.h.audit2a openssh-5.8p1/mac.h
-diff -up openssh-5.8p1/match.c.audit2a openssh-5.8p1/match.c
-diff -up openssh-5.8p1/match.h.audit2a openssh-5.8p1/match.h
-diff -up openssh-5.8p1/md5crypt.c.audit2a openssh-5.8p1/md5crypt.c
-diff -up openssh-5.8p1/md5crypt.h.audit2a openssh-5.8p1/md5crypt.h
-diff -up openssh-5.8p1/md-sha256.c.audit2a openssh-5.8p1/md-sha256.c
-diff -up openssh-5.8p1/misc.c.audit2a openssh-5.8p1/misc.c
-diff -up openssh-5.8p1/misc.h.audit2a openssh-5.8p1/misc.h
-diff -up openssh-5.8p1/moduli.c.audit2a openssh-5.8p1/moduli.c
-diff -up openssh-5.8p1/monitor.c.audit2a openssh-5.8p1/monitor.c
-diff -up openssh-5.8p1/monitor_fdpass.c.audit2a openssh-5.8p1/monitor_fdpass.c
-diff -up openssh-5.8p1/monitor_fdpass.h.audit2a openssh-5.8p1/monitor_fdpass.h
-diff -up openssh-5.8p1/monitor.h.audit2a openssh-5.8p1/monitor.h
-diff -up openssh-5.8p1/monitor_mm.c.audit2a openssh-5.8p1/monitor_mm.c
-diff -up openssh-5.8p1/monitor_mm.h.audit2a openssh-5.8p1/monitor_mm.h
-diff -up openssh-5.8p1/monitor_wrap.c.audit2a openssh-5.8p1/monitor_wrap.c
-diff -up openssh-5.8p1/monitor_wrap.h.audit2a openssh-5.8p1/monitor_wrap.h
-diff -up openssh-5.8p1/msg.c.audit2a openssh-5.8p1/msg.c
-diff -up openssh-5.8p1/msg.h.audit2a openssh-5.8p1/msg.h
-diff -up openssh-5.8p1/mux.c.audit2a openssh-5.8p1/mux.c
-diff -up openssh-5.8p1/myproposal.h.audit2a openssh-5.8p1/myproposal.h
-diff -up openssh-5.8p1/nchan.c.audit2a openssh-5.8p1/nchan.c
-diff -up openssh-5.8p1/packet.c.audit2a openssh-5.8p1/packet.c
-diff -up openssh-5.8p1/packet.h.audit2a openssh-5.8p1/packet.h
-diff -up openssh-5.8p1/pathnames.h.audit2a openssh-5.8p1/pathnames.h
-diff -up openssh-5.8p1/pkcs11.h.audit2a openssh-5.8p1/pkcs11.h
-diff -up openssh-5.8p1/platform.c.audit2a openssh-5.8p1/platform.c
-diff -up openssh-5.8p1/platform.h.audit2a openssh-5.8p1/platform.h
-diff -up openssh-5.8p1/progressmeter.c.audit2a openssh-5.8p1/progressmeter.c
-diff -up openssh-5.8p1/progressmeter.h.audit2a openssh-5.8p1/progressmeter.h
-diff -up openssh-5.8p1/readconf.c.audit2a openssh-5.8p1/readconf.c
-diff -up openssh-5.8p1/readconf.h.audit2a openssh-5.8p1/readconf.h
-diff -up openssh-5.8p1/readpass.c.audit2a openssh-5.8p1/readpass.c
-diff -up openssh-5.8p1/rijndael.c.audit2a openssh-5.8p1/rijndael.c
-diff -up openssh-5.8p1/rijndael.h.audit2a openssh-5.8p1/rijndael.h
-diff -up openssh-5.8p1/roaming_client.c.audit2a openssh-5.8p1/roaming_client.c
-diff -up openssh-5.8p1/roaming_common.c.audit2a openssh-5.8p1/roaming_common.c
-diff -up openssh-5.8p1/roaming_dummy.c.audit2a openssh-5.8p1/roaming_dummy.c
-diff -up openssh-5.8p1/roaming.h.audit2a openssh-5.8p1/roaming.h
-diff -up openssh-5.8p1/roaming_serv.c.audit2a openssh-5.8p1/roaming_serv.c
-diff -up openssh-5.8p1/rsa.c.audit2a openssh-5.8p1/rsa.c
-diff -up openssh-5.8p1/rsa.h.audit2a openssh-5.8p1/rsa.h
-diff -up openssh-5.8p1/schnorr.c.audit2a openssh-5.8p1/schnorr.c
-diff -up openssh-5.8p1/schnorr.h.audit2a openssh-5.8p1/schnorr.h
-diff -up openssh-5.8p1/scp.c.audit2a openssh-5.8p1/scp.c
-diff -up openssh-5.8p1/servconf.c.audit2a openssh-5.8p1/servconf.c
-diff -up openssh-5.8p1/servconf.h.audit2a openssh-5.8p1/servconf.h
-diff -up openssh-5.8p1/serverloop.c.audit2a openssh-5.8p1/serverloop.c
-diff -up openssh-5.8p1/serverloop.h.audit2a openssh-5.8p1/serverloop.h
-diff -up openssh-5.8p1/session.c.audit2a openssh-5.8p1/session.c
-diff -up openssh-5.8p1/session.h.audit2a openssh-5.8p1/session.h
-diff -up openssh-5.8p1/sftp.c.audit2a openssh-5.8p1/sftp.c
-diff -up openssh-5.8p1/sftp-client.c.audit2a openssh-5.8p1/sftp-client.c
-diff -up openssh-5.8p1/sftp-client.h.audit2a openssh-5.8p1/sftp-client.h
-diff -up openssh-5.8p1/sftp-common.c.audit2a openssh-5.8p1/sftp-common.c
-diff -up openssh-5.8p1/sftp-common.h.audit2a openssh-5.8p1/sftp-common.h
-diff -up openssh-5.8p1/sftp-glob.c.audit2a openssh-5.8p1/sftp-glob.c
-diff -up openssh-5.8p1/sftp.h.audit2a openssh-5.8p1/sftp.h
-diff -up openssh-5.8p1/sftp-server.c.audit2a openssh-5.8p1/sftp-server.c
-diff -up openssh-5.8p1/sftp-server-main.c.audit2a openssh-5.8p1/sftp-server-main.c
-diff -up openssh-5.8p1/ssh1.h.audit2a openssh-5.8p1/ssh1.h
-diff -up openssh-5.8p1/ssh2.h.audit2a openssh-5.8p1/ssh2.h
-diff -up openssh-5.8p1/ssh-add.c.audit2a openssh-5.8p1/ssh-add.c
-diff -up openssh-5.8p1/ssh-agent.c.audit2a openssh-5.8p1/ssh-agent.c
-diff -up openssh-5.8p1/ssh.c.audit2a openssh-5.8p1/ssh.c
-diff -up openssh-5.8p1/sshconnect1.c.audit2a openssh-5.8p1/sshconnect1.c
-diff -up openssh-5.8p1/sshconnect2.c.audit2a openssh-5.8p1/sshconnect2.c
-diff -up openssh-5.8p1/sshconnect.c.audit2a openssh-5.8p1/sshconnect.c
-diff -up openssh-5.8p1/sshconnect.h.audit2a openssh-5.8p1/sshconnect.h
-diff -up openssh-5.8p1/sshd.c.audit2a openssh-5.8p1/sshd.c
-diff -up openssh-5.8p1/ssh-dss.c.audit2a openssh-5.8p1/ssh-dss.c
-diff -up openssh-5.8p1/ssh-ecdsa.c.audit2a openssh-5.8p1/ssh-ecdsa.c
-diff -up openssh-5.8p1/ssh-gss.h.audit2a openssh-5.8p1/ssh-gss.h
-diff -up openssh-5.8p1/ssh.h.audit2a openssh-5.8p1/ssh.h
-diff -up openssh-5.8p1/ssh-keygen.c.audit2a openssh-5.8p1/ssh-keygen.c
-diff -up openssh-5.8p1/ssh-keyscan.c.audit2a openssh-5.8p1/ssh-keyscan.c
-diff -up openssh-5.8p1/ssh-keysign.c.audit2a openssh-5.8p1/ssh-keysign.c
-diff -up openssh-5.8p1/sshlogin.c.audit2a openssh-5.8p1/sshlogin.c
-diff -up openssh-5.8p1/sshlogin.h.audit2a openssh-5.8p1/sshlogin.h
-diff -up openssh-5.8p1/ssh-pkcs11.c.audit2a openssh-5.8p1/ssh-pkcs11.c
-diff -up openssh-5.8p1/ssh-pkcs11-client.c.audit2a openssh-5.8p1/ssh-pkcs11-client.c
-diff -up openssh-5.8p1/ssh-pkcs11.h.audit2a openssh-5.8p1/ssh-pkcs11.h
-diff -up openssh-5.8p1/ssh-pkcs11-helper.c.audit2a openssh-5.8p1/ssh-pkcs11-helper.c
-diff -up openssh-5.8p1/sshpty.c.audit2a openssh-5.8p1/sshpty.c
-diff -up openssh-5.8p1/sshpty.h.audit2a openssh-5.8p1/sshpty.h
-diff -up openssh-5.8p1/ssh-rand-helper.c.audit2a openssh-5.8p1/ssh-rand-helper.c
-diff -up openssh-5.8p1/ssh-rsa.c.audit2a openssh-5.8p1/ssh-rsa.c
-diff -up openssh-5.8p1/sshtty.c.audit2a openssh-5.8p1/sshtty.c
-diff -up openssh-5.8p1/ttymodes.c.audit2a openssh-5.8p1/ttymodes.c
-diff -up openssh-5.8p1/ttymodes.h.audit2a openssh-5.8p1/ttymodes.h
-diff -up openssh-5.8p1/uidswap.c.audit2a openssh-5.8p1/uidswap.c
-diff -up openssh-5.8p1/uidswap.h.audit2a openssh-5.8p1/uidswap.h
-diff -up openssh-5.8p1/umac.c.audit2a openssh-5.8p1/umac.c
-diff -up openssh-5.8p1/umac.h.audit2a openssh-5.8p1/umac.h
-diff -up openssh-5.8p1/uuencode.c.audit2a openssh-5.8p1/uuencode.c
-diff -up openssh-5.8p1/uuencode.h.audit2a openssh-5.8p1/uuencode.h
-diff -up openssh-5.8p1/version.h.audit2a openssh-5.8p1/version.h
-diff -up openssh-5.8p1/xmalloc.c.audit2a openssh-5.8p1/xmalloc.c
-diff -up openssh-5.8p1/xmalloc.h.audit2a openssh-5.8p1/xmalloc.h
--- a/openssh-5.8p1-audit3.patch
+++ b/openssh-5.8p1-audit3.patch
@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/audit-bsm.c.audit3 openssh-5.8p1/audit-bsm.c
--- openssh-5.8p1/audit-bsm.c.audit3	2011-02-21 18:28:25.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-02-21 18:28:25.000000000 +0100
+--- openssh-5.8p1/audit-bsm.c.audit3	2011-02-21 20:09:33.000000000 +0100
+++ openssh-5.8p1/audit-bsm.c	2011-02-21 20:09:33.000000000 +0100
@@ -383,4 +383,16 @@ audit_event(ssh_audit_event_t event)
 		debug("%s: unhandled event %d", __func__, event);
 	}
@ -13,15 +13,23 @@ diff -up openssh-5.8p1/audit-bsm.c.audit3 openssh-5.8p1/audit-bsm.c
 +}
 +
 +void
-+audit_kex_body(int ctos, char *enc, char *mac, char *compress)
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid, uid_t uid)
 +{
 +	/* not implemented */
 +}
 #endif /* BSM */
 diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
--- openssh-5.8p1/audit.c.audit3	2011-02-21 18:28:25.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-02-21 18:28:25.000000000 +0100
-@@ -36,6 +36,8 @@
+--- openssh-5.8p1/audit.c.audit3	2011-02-21 20:09:33.000000000 +0100
+++ openssh-5.8p1/audit.c	2011-02-21 20:09:33.000000000 +0100
+@@ -28,6 +28,7 @@
+ 
+ #include <stdarg.h>
+ #include <string.h>
+#include <unistd.h>
+ 
+ #ifdef SSH_AUDIT_EVENTS
+ 
+@@ -36,6 +37,8 @@
 #include "key.h"
 #include "hostfile.h"
 #include "auth.h"
@ -30,7 +38,7 @@ diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
 #include "xmalloc.h"
 
 /*
-@@ -128,6 +130,18 @@ audit_key(int host_user, int *rv, const 
+@@ -128,6 +131,18 @@ audit_key(int host_user, int *rv, const 
 	xfree(fp);
 }
 
@ -43,13 +51,13 @@ diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
 +void
 +audit_kex(int ctos, char *enc, char *mac, char *comp)
 +{
-+	PRIVSEP(audit_kex_body(ctos, enc, mac, comp));
+	PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
 +}
 +
 # ifndef CUSTOM_SSH_AUDIT_EVENTS
 /*
  * Null implementations of audit functions.
-@@ -211,5 +225,24 @@ audit_keyusage(int host_user, const char
+@@ -211,5 +226,26 @@ audit_keyusage(int host_user, const char
 	debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d", 
 		host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, bits, fp, rv);
 }
@ -67,16 +75,18 @@ diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
 + * This will be called on succesfull protocol negotiation.
 + */
 +void
-+audit_kex_body(int ctos, char *enc, char *mac, char *compress)
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
+	       uid_t uid)
 +{
-+	debug("audit procol negotiation euid %d direction %d cipher %s mac %s compresion %s",
-+		geteuid(), ctos, enc, mac, compress);
+	debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s from pid %ld uid %u",
+		(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
+	        (unsigned)uid);
 +}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/audit.h.audit3 openssh-5.8p1/audit.h
--- openssh-5.8p1/audit.h.audit3	2011-02-21 18:28:25.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-02-21 18:28:25.000000000 +0100
+--- openssh-5.8p1/audit.h.audit3	2011-02-21 20:09:33.000000000 +0100
+++ openssh-5.8p1/audit.h	2011-02-21 20:09:33.000000000 +0100
@@ -56,5 +56,9 @@ void	audit_run_command(const char *);
 ssh_audit_event_t audit_classify_auth(const char *);
 int	audit_keyusage(int, const char *, unsigned, char *, int);
@ -84,12 +94,12 @@ diff -up openssh-5.8p1/audit.h.audit3 openssh-5.8p1/audit.h
 +void	audit_unsupported(int);
 +void	audit_kex(int, char *, char *, char *);
 +void	audit_unsupported_body(int);
-+void	audit_kex_body(int, char *, char *, char *);
+void	audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
 
 #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit3	2011-02-21 18:28:25.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-21 18:28:59.000000000 +0100
+--- openssh-5.8p1/audit-linux.c.audit3	2011-02-21 20:09:33.000000000 +0100
+++ openssh-5.8p1/audit-linux.c	2011-02-21 20:09:33.000000000 +0100
@@ -40,6 +40,8 @@
 #include "auth.h"
 #include "servconf.h"
@ -99,7 +109,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
 
 #define AUDIT_LOG_SIZE 128
 
-@@ -243,4 +245,54 @@ audit_event(ssh_audit_event_t event)
+@@ -243,4 +245,56 @@ audit_event(ssh_audit_event_t event)
 	}
 }
 
@ -125,7 +135,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
 +}
 +
 +void
-+audit_kex_body(int ctos, char *enc, char *mac, char *compress)
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
+	       uid_t uid)
 +{
 +#ifdef AUDIT_CRYPTO_SESSION
 +	char buf[AUDIT_LOG_SIZE];
@ -133,8 +144,9 @@ diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
 +	const static char *direction[] = { "from-server", "from-client", "both" };
 +	Cipher *cipher = cipher_by_name(enc);
 +
-+	snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d rport=%d laddr=%s lport=%d",
+	snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d spid=%jd suid=%jd rport=%d laddr=%s lport=%d",
 +		direction[ctos], enc, cipher ? 8 * cipher->key_len : 0,
+		(intmax_t)pid, (intmax_t)uid,
 +		get_remote_port(), get_local_ipaddr(packet_get_connection_in()), get_local_port());
 +	audit_fd = audit_open();
 +	if (audit_fd < 0) {
@ -155,8 +167,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
 +
 #endif /* USE_LINUX_AUDIT */
 diff -up openssh-5.8p1/auditstub.c.audit3 openssh-5.8p1/auditstub.c
--- openssh-5.8p1/auditstub.c.audit3	2011-02-21 18:28:25.000000000 +0100
-+++ openssh-5.8p1/auditstub.c	2011-02-21 18:28:25.000000000 +0100
+--- openssh-5.8p1/auditstub.c.audit3	2011-02-21 20:09:33.000000000 +0100
+++ openssh-5.8p1/auditstub.c	2011-02-21 20:09:33.000000000 +0100
@@ -0,0 +1,39 @@
 +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
 +
@ -199,7 +211,7 @@ diff -up openssh-5.8p1/auditstub.c.audit3 openssh-5.8p1/auditstub.c
 +
 diff -up openssh-5.8p1/cipher.c.audit3 openssh-5.8p1/cipher.c
 --- openssh-5.8p1/cipher.c.audit3	2011-02-09 15:24:23.000000000 +0100
-+++ openssh-5.8p1/cipher.c	2011-02-21 18:28:25.000000000 +0100
+++ openssh-5.8p1/cipher.c	2011-02-21 20:09:33.000000000 +0100
@@ -59,15 +59,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX 
 extern const EVP_CIPHER *evp_aes_128_ctr(void);
 extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
@ -219,7 +231,7 @@ diff -up openssh-5.8p1/cipher.c.audit3 openssh-5.8p1/cipher.c
 	{ "3des",		SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
 diff -up openssh-5.8p1/cipher.h.audit3 openssh-5.8p1/cipher.h
 --- openssh-5.8p1/cipher.h.audit3	2009-01-28 06:38:41.000000000 +0100
-+++ openssh-5.8p1/cipher.h	2011-02-21 18:28:25.000000000 +0100
+++ openssh-5.8p1/cipher.h	2011-02-21 20:09:33.000000000 +0100
@@ -61,7 +61,16 @@
 typedef struct Cipher Cipher;
 typedef struct CipherContext CipherContext;
@ -240,7 +252,7 @@ diff -up openssh-5.8p1/cipher.h.audit3 openssh-5.8p1/cipher.h
 	EVP_CIPHER_CTX evp;
 diff -up openssh-5.8p1/kex.c.audit3 openssh-5.8p1/kex.c
 --- openssh-5.8p1/kex.c.audit3	2010-09-24 14:11:14.000000000 +0200
-+++ openssh-5.8p1/kex.c	2011-02-21 18:28:25.000000000 +0100
+++ openssh-5.8p1/kex.c	2011-02-21 20:09:33.000000000 +0100
@@ -49,6 +49,7 @@
 #include "dispatch.h"
 #include "monitor.h"
@ -305,7 +317,7 @@ diff -up openssh-5.8p1/kex.c.audit3 openssh-5.8p1/kex.c
 	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
 diff -up openssh-5.8p1/Makefile.in.audit3 openssh-5.8p1/Makefile.in
 --- openssh-5.8p1/Makefile.in.audit3	2011-02-04 01:42:13.000000000 +0100
-+++ openssh-5.8p1/Makefile.in	2011-02-21 18:28:25.000000000 +0100
+++ openssh-5.8p1/Makefile.in	2011-02-21 20:09:33.000000000 +0100
@@ -76,7 +76,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
 	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
@ -316,8 +328,8 @@ diff -up openssh-5.8p1/Makefile.in.audit3 openssh-5.8p1/Makefile.in
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
 diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
--- openssh-5.8p1/monitor.c.audit3	2011-02-21 18:28:25.000000000 +0100
-+++ openssh-5.8p1/monitor.c	2011-02-21 18:28:25.000000000 +0100
+--- openssh-5.8p1/monitor.c.audit3	2011-02-21 20:09:33.000000000 +0100
+++ openssh-5.8p1/monitor.c	2011-02-21 20:09:33.000000000 +0100
@@ -89,6 +89,7 @@
 #include "ssh2.h"
 #include "jpake.h"
@ -371,7 +383,7 @@ diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
 #endif
     {0, 0, NULL}
 };
-@@ -2206,3 +2217,40 @@ mm_answer_jpake_check_confirm(int sock, 
+@@ -2206,3 +2217,44 @@ mm_answer_jpake_check_confirm(int sock, 
 }
 
 #endif /* JPAKE */
@ -397,13 +409,17 @@ diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
 +{
 +	int ctos, len;
 +	char *cipher, *mac, *compress;
+	pid_t pid;
+	uid_t uid;
 +
 +	ctos = buffer_get_int(m);
 +	cipher = buffer_get_string(m, &len);
 +	mac = buffer_get_string(m, &len);
 +	compress = buffer_get_string(m, &len);
+	pid = buffer_get_int64(m);
+	uid = buffer_get_int64(m);
 +
-+	audit_kex_body(ctos, cipher, mac, compress);
+	audit_kex_body(ctos, cipher, mac, compress, pid, uid);
 +
 +	buffer_clear(m);
 +
@ -414,7 +430,7 @@ diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
 +#endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor.h.audit3 openssh-5.8p1/monitor.h
 --- openssh-5.8p1/monitor.h.audit3	2008-11-05 06:20:46.000000000 +0100
-+++ openssh-5.8p1/monitor.h	2011-02-21 18:28:25.000000000 +0100
+++ openssh-5.8p1/monitor.h	2011-02-21 20:09:33.000000000 +0100
@@ -66,6 +66,8 @@ enum monitor_reqtype {
 	MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
 	MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
@ -426,8 +442,8 @@ diff -up openssh-5.8p1/monitor.h.audit3 openssh-5.8p1/monitor.h
 struct mm_master;
 diff -up openssh-5.8p1/monitor_wrap.c.audit3 openssh-5.8p1/monitor_wrap.c
 --- openssh-5.8p1/monitor_wrap.c.audit3	2010-08-31 14:41:14.000000000 +0200
-+++ openssh-5.8p1/monitor_wrap.c	2011-02-21 18:28:25.000000000 +0100
-@@ -1412,3 +1412,38 @@ mm_jpake_check_confirm(const BIGNUM *k,
+++ openssh-5.8p1/monitor_wrap.c	2011-02-21 20:09:33.000000000 +0100
+@@ -1412,3 +1412,41 @@ mm_jpake_check_confirm(const BIGNUM *k,
 	return success;
 }
 #endif /* JPAKE */
@ -449,7 +465,8 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit3 openssh-5.8p1/monitor_wrap.c
 +}
 +
 +void
-+mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress)
+mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, pid_t pid,
+		  uid_t uid)
 +{
 +	Buffer m;
 +
@ -458,6 +475,8 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit3 openssh-5.8p1/monitor_wrap.c
 +	buffer_put_cstring(&m, cipher);
 +	buffer_put_cstring(&m, mac);
 +	buffer_put_cstring(&m, compress);
+	buffer_put_int64(&m, pid);
+	buffer_put_int64(&m, uid);
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m);
 +	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
@ -468,19 +487,19 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit3 openssh-5.8p1/monitor_wrap.c
 +#endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor_wrap.h.audit3 openssh-5.8p1/monitor_wrap.h
 --- openssh-5.8p1/monitor_wrap.h.audit3	2009-03-05 14:58:22.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.h	2011-02-21 18:28:25.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.h	2011-02-21 20:09:33.000000000 +0100
@@ -74,6 +74,8 @@ void mm_sshpam_free_ctx(void *);
 #include "audit.h"
 void mm_audit_event(ssh_audit_event_t);
 void mm_audit_run_command(const char *);
 +void mm_audit_unsupported_body(int);
-+void mm_audit_kex_body(int, char *, char *, char *);
+void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
 #endif
 
 struct Session;
 diff -up openssh-5.8p1/sshd.c.audit3 openssh-5.8p1/sshd.c
 --- openssh-5.8p1/sshd.c.audit3	2011-01-11 07:20:31.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-02-21 18:28:25.000000000 +0100
+++ openssh-5.8p1/sshd.c	2011-02-21 20:09:33.000000000 +0100
@@ -118,6 +118,7 @@
 #endif
 #include "monitor_wrap.h"
--- a/openssh-5.8p1-audit3a.patch
+++ b/openssh-5.8p1-audit3a.patch
@ -1,139 +0,0 @@
-diff -up openssh-5.8p1/audit-bsm.c.audit3a openssh-5.8p1/audit-bsm.c
--- openssh-5.8p1/audit-bsm.c.audit3a	2011-02-21 18:29:45.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-02-21 18:29:45.000000000 +0100
-@@ -391,7 +391,7 @@ audit_unsupported_body(int what)
- }
- 
- void
-audit_kex_body(int ctos, char *enc, char *mac, char *compress)
-+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid, uid_t uid)
- {
- 	/* not implemented */
- }
-diff -up openssh-5.8p1/audit.c.audit3a openssh-5.8p1/audit.c
--- openssh-5.8p1/audit.c.audit3a	2011-02-21 18:29:45.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-02-21 18:29:45.000000000 +0100
-@@ -28,6 +28,7 @@
- 
- #include <stdarg.h>
- #include <string.h>
-+#include <unistd.h>
- 
- #ifdef SSH_AUDIT_EVENTS
- 
-@@ -139,7 +140,7 @@ audit_unsupported(int what)
- void
- audit_kex(int ctos, char *enc, char *mac, char *comp)
- {
-	PRIVSEP(audit_kex_body(ctos, enc, mac, comp));
-+	PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
- }
- 
- # ifndef CUSTOM_SSH_AUDIT_EVENTS
-@@ -239,10 +240,12 @@ audit_unsupported_body(int what)
-  * This will be called on succesfull protocol negotiation.
-  */
- void
-audit_kex_body(int ctos, char *enc, char *mac, char *compress)
-+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
-+	       uid_t uid)
- {
-	debug("audit procol negotiation euid %d direction %d cipher %s mac %s compresion %s",
-		geteuid(), ctos, enc, mac, compress);
-+	debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s from pid %ld uid %u",
-+		(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
-+	        (unsigned)uid);
- }
- # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
- #endif /* SSH_AUDIT_EVENTS */
-diff -up openssh-5.8p1/audit.h.audit3a openssh-5.8p1/audit.h
--- openssh-5.8p1/audit.h.audit3a	2011-02-21 18:29:45.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-02-21 18:29:45.000000000 +0100
-@@ -59,6 +59,6 @@ void	audit_key(int, int *, const Key *);
- void	audit_unsupported(int);
- void	audit_kex(int, char *, char *, char *);
- void	audit_unsupported_body(int);
-void	audit_kex_body(int, char *, char *, char *);
-+void	audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
- 
- #endif /* _SSH_AUDIT_H */
-diff -up openssh-5.8p1/audit-linux.c.audit3a openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit3a	2011-02-21 18:29:45.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-21 18:29:45.000000000 +0100
-@@ -267,7 +267,8 @@ audit_unsupported_body(int what)
- }
- 
- void
-audit_kex_body(int ctos, char *enc, char *mac, char *compress)
-+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
-+	       uid_t uid)
- {
- #ifdef AUDIT_CRYPTO_SESSION
- 	char buf[AUDIT_LOG_SIZE];
-@@ -275,8 +276,9 @@ audit_kex_body(int ctos, char *enc, char
- 	const static char *direction[] = { "from-server", "from-client", "both" };
- 	Cipher *cipher = cipher_by_name(enc);
- 
-	snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d rport=%d laddr=%s lport=%d",
-+	snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d spid=%jd suid=%jd rport=%d laddr=%s lport=%d",
- 		direction[ctos], enc, cipher ? 8 * cipher->key_len : 0,
-+		(intmax_t)pid, (intmax_t)uid,
- 		get_remote_port(), get_local_ipaddr(packet_get_connection_in()), get_local_port());
- 	audit_fd = audit_open();
- 	if (audit_fd < 0) {
-diff -up openssh-5.8p1/monitor.c.audit3a openssh-5.8p1/monitor.c
--- openssh-5.8p1/monitor.c.audit3a	2011-02-21 18:29:45.000000000 +0100
-+++ openssh-5.8p1/monitor.c	2011-02-21 18:29:45.000000000 +0100
-@@ -2239,13 +2239,17 @@ mm_answer_audit_kex_body(int sock, Buffe
- {
- 	int ctos, len;
- 	char *cipher, *mac, *compress;
-+	pid_t pid;
-+	uid_t uid;
- 
- 	ctos = buffer_get_int(m);
- 	cipher = buffer_get_string(m, &len);
- 	mac = buffer_get_string(m, &len);
- 	compress = buffer_get_string(m, &len);
-+	pid = buffer_get_int64(m);
-+	uid = buffer_get_int64(m);
- 
-	audit_kex_body(ctos, cipher, mac, compress);
-+	audit_kex_body(ctos, cipher, mac, compress, pid, uid);
- 
- 	buffer_clear(m);
- 
-diff -up openssh-5.8p1/monitor_wrap.c.audit3a openssh-5.8p1/monitor_wrap.c
--- openssh-5.8p1/monitor_wrap.c.audit3a	2011-02-21 18:29:45.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.c	2011-02-21 18:29:45.000000000 +0100
-@@ -1430,7 +1430,8 @@ mm_audit_unsupported_body(int what)
- }
- 
- void
-mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress)
-+mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, pid_t pid,
-+		  uid_t uid)
- {
- 	Buffer m;
- 
-@@ -1439,6 +1440,8 @@ mm_audit_kex_body(int ctos, char *cipher
- 	buffer_put_cstring(&m, cipher);
- 	buffer_put_cstring(&m, mac);
- 	buffer_put_cstring(&m, compress);
-+	buffer_put_int64(&m, pid);
-+	buffer_put_int64(&m, uid);
- 
- 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m);
- 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
-diff -up openssh-5.8p1/monitor_wrap.h.audit3a openssh-5.8p1/monitor_wrap.h
--- openssh-5.8p1/monitor_wrap.h.audit3a	2011-02-21 18:33:57.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.h	2011-02-21 18:34:18.000000000 +0100
-@@ -75,7 +75,7 @@ void mm_sshpam_free_ctx(void *);
- void mm_audit_event(ssh_audit_event_t);
- void mm_audit_run_command(const char *);
- void mm_audit_unsupported_body(int);
-void mm_audit_kex_body(int, char *, char *, char *);
-+void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
- #endif
- 
- struct Session;
--- a/openssh-5.8p1-audit4.patch
+++ b/openssh-5.8p1-audit4.patch
@ -1,20 +1,20 @@
 diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c
--- openssh-5.8p1/audit-bsm.c.audit4	2011-02-21 18:38:45.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-02-21 18:38:45.000000000 +0100
+--- openssh-5.8p1/audit-bsm.c.audit4	2011-02-21 20:14:09.000000000 +0100
+++ openssh-5.8p1/audit-bsm.c	2011-02-21 20:14:10.000000000 +0100
@@ -395,4 +395,10 @@ audit_kex_body(int ctos, char *enc, char
 {
 	/* not implemented */
 }
 +
 +void
-+audit_session_key_free_body(int ctos)
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
 +{
 +	/* not implemented */
 +}
 #endif /* BSM */
 diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
--- openssh-5.8p1/audit.c.audit4	2011-02-21 18:38:45.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-02-21 18:38:45.000000000 +0100
+--- openssh-5.8p1/audit.c.audit4	2011-02-21 20:14:09.000000000 +0100
+++ openssh-5.8p1/audit.c	2011-02-21 20:14:10.000000000 +0100
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
 	PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
 }
@ -22,13 +22,13 @@ diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
 +void
 +audit_session_key_free(int ctos)
 +{
-+	PRIVSEP(audit_session_key_free_body(ctos));
+	PRIVSEP(audit_session_key_free_body(ctos, getpid(), getuid()));
 +}
 +
 # ifndef CUSTOM_SSH_AUDIT_EVENTS
 /*
  * Null implementations of audit functions.
-@@ -247,5 +253,14 @@ audit_kex_body(int ctos, char *enc, char
+@@ -247,5 +253,15 @@ audit_kex_body(int ctos, char *enc, char
 		(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
 	        (unsigned)uid);
 }
@ -37,26 +37,27 @@ diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
 + * This will be called on succesfull session key discard
 + */
 +void
-+audit_session_key_free_body(int ctos)
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
 +{
-+	debug("audit session key discard euid %d direction %d", geteuid(), ctos);
+	debug("audit session key discard euid %u direction %d from pid %ld uid %u",
+		(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
 +}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/audit.h.audit4 openssh-5.8p1/audit.h
--- openssh-5.8p1/audit.h.audit4	2011-02-21 18:38:45.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-02-21 18:38:45.000000000 +0100
+--- openssh-5.8p1/audit.h.audit4	2011-02-21 20:14:09.000000000 +0100
+++ openssh-5.8p1/audit.h	2011-02-21 20:14:10.000000000 +0100
@@ -60,5 +60,7 @@ void	audit_unsupported(int);
 void	audit_kex(int, char *, char *, char *);
 void	audit_unsupported_body(int);
 void	audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
 +void	audit_session_key_free(int ctos);
-+void	audit_session_key_free_body(int ctos);
+void	audit_session_key_free_body(int ctos, pid_t, uid_t);
 
 #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit4	2011-02-21 18:38:45.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-21 18:38:45.000000000 +0100
+--- openssh-5.8p1/audit-linux.c.audit4	2011-02-21 20:14:09.000000000 +0100
+++ openssh-5.8p1/audit-linux.c	2011-02-21 20:14:10.000000000 +0100
@@ -266,6 +266,8 @@ audit_unsupported_body(int what)
 #endif
 }
@ -74,18 +75,19 @@ diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
 	Cipher *cipher = cipher_by_name(enc);
 
 	snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d spid=%jd suid=%jd rport=%d laddr=%s lport=%d",
-@@ -297,4 +298,29 @@ audit_kex_body(int ctos, char *enc, char
+@@ -297,4 +298,30 @@ audit_kex_body(int ctos, char *enc, char
 #endif
 }
 
 +void
-+audit_session_key_free_body(int ctos)
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
 +{
 +	char buf[AUDIT_LOG_SIZE];
 +	int audit_fd, audit_ok;
 +
-+	snprintf(buf, sizeof(buf), "op=destroy kind=session direction=%s rport=%d laddr=%s lport=%d",
-+		 direction[ctos], get_remote_port(),
+	snprintf(buf, sizeof(buf), "op=destroy kind=session fp=? direction=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d",
+		 direction[ctos], (intmax_t)pid, (intmax_t)uid,
+		 get_remote_port(),
 +		 get_local_ipaddr(packet_get_connection_in()),
 +		 get_local_port());
 +	audit_fd = audit_open();
@ -105,8 +107,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
 +
 #endif /* USE_LINUX_AUDIT */
 diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c
--- openssh-5.8p1/auditstub.c.audit4	2011-02-21 18:38:45.000000000 +0100
-+++ openssh-5.8p1/auditstub.c	2011-02-21 18:38:45.000000000 +0100
+--- openssh-5.8p1/auditstub.c.audit4	2011-02-21 20:14:09.000000000 +0100
+++ openssh-5.8p1/auditstub.c	2011-02-21 20:14:10.000000000 +0100
@@ -37,3 +37,7 @@ audit_kex(int ctos, char *enc, char *mac
 {
 }
@ -116,8 +118,8 @@ diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c
 +{
 +}
 diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c
--- openssh-5.8p1/kex.c.audit4	2011-02-21 18:38:45.000000000 +0100
-+++ openssh-5.8p1/kex.c	2011-02-21 18:38:45.000000000 +0100
+--- openssh-5.8p1/kex.c.audit4	2011-02-21 20:14:09.000000000 +0100
+++ openssh-5.8p1/kex.c	2011-02-21 20:14:10.000000000 +0100
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
 	fprintf(stderr, "\n");
 }
@ -155,7 +157,7 @@ diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c
 +
 diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h
 --- openssh-5.8p1/kex.h.audit4	2010-09-24 14:11:14.000000000 +0200
-+++ openssh-5.8p1/kex.h	2011-02-21 18:38:45.000000000 +0100
+++ openssh-5.8p1/kex.h	2011-02-21 20:14:10.000000000 +0100
@@ -156,6 +156,8 @@ void	 kexgex_server(Kex *);
 void	 kexecdh_client(Kex *);
 void	 kexecdh_server(Kex *);
@ -167,7 +169,7 @@ diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h
     BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
 diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c
 --- openssh-5.8p1/mac.c.audit4	2008-06-13 02:58:50.000000000 +0200
-+++ openssh-5.8p1/mac.c	2011-02-21 18:38:45.000000000 +0100
+++ openssh-5.8p1/mac.c	2011-02-21 20:14:10.000000000 +0100
@@ -162,6 +162,20 @@ mac_clear(Mac *mac)
 	mac->umac_ctx = NULL;
 }
@ -191,15 +193,15 @@ diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c
 int
 diff -up openssh-5.8p1/mac.h.audit4 openssh-5.8p1/mac.h
 --- openssh-5.8p1/mac.h.audit4	2007-06-11 06:01:42.000000000 +0200
-+++ openssh-5.8p1/mac.h	2011-02-21 18:38:45.000000000 +0100
+++ openssh-5.8p1/mac.h	2011-02-21 20:14:10.000000000 +0100
@@ -28,3 +28,4 @@ int	 mac_setup(Mac *, char *);
 int	 mac_init(Mac *);
 u_char	*mac_compute(Mac *, u_int32_t, u_char *, int);
 void	 mac_clear(Mac *);
 +void	 mac_destroy(Mac *);
 diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
--- openssh-5.8p1/monitor.c.audit4	2011-02-21 18:38:45.000000000 +0100
-+++ openssh-5.8p1/monitor.c	2011-02-21 18:38:45.000000000 +0100
+--- openssh-5.8p1/monitor.c.audit4	2011-02-21 20:14:09.000000000 +0100
+++ openssh-5.8p1/monitor.c	2011-02-21 20:14:10.000000000 +0100
@@ -180,6 +180,7 @@ int mm_answer_audit_event(int, Buffer *)
 int mm_answer_audit_command(int, Buffer *);
 int mm_answer_audit_unsupported_body(int, Buffer *);
@ -240,7 +242,7 @@ diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
 #endif
     {0, 0, NULL}
 };
-@@ -2257,4 +2262,18 @@ mm_answer_audit_kex_body(int sock, Buffe
+@@ -2257,4 +2262,22 @@ mm_answer_audit_kex_body(int sock, Buffe
 	return 0;
 }
 
@ -248,10 +250,14 @@ diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
 +mm_answer_audit_session_key_free_body(int sock, Buffer *m)
 +{
 +	int ctos;
+	pid_t pid;
+	uid_t uid;
 +
 +	ctos = buffer_get_int(m);
+	pid = buffer_get_int64(m);
+	uid = buffer_get_int64(m);
 +
-+	audit_session_key_free_body(ctos);
+	audit_session_key_free_body(ctos, pid, uid);
 +
 +	buffer_clear(m);
 +
@ -260,8 +266,8 @@ diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
 +}
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h
--- openssh-5.8p1/monitor.h.audit4	2011-02-21 18:38:45.000000000 +0100
-+++ openssh-5.8p1/monitor.h	2011-02-21 18:38:45.000000000 +0100
+--- openssh-5.8p1/monitor.h.audit4	2011-02-21 20:14:09.000000000 +0100
+++ openssh-5.8p1/monitor.h	2011-02-21 20:14:10.000000000 +0100
@@ -68,6 +68,7 @@ enum monitor_reqtype {
 	MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
 	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
@ -271,20 +277,22 @@ diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h
 
 struct mm_master;
 diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
--- openssh-5.8p1/monitor_wrap.c.audit4	2011-02-21 18:38:45.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.c	2011-02-21 18:38:45.000000000 +0100
-@@ -1449,4 +1449,17 @@ mm_audit_kex_body(int ctos, char *cipher
+--- openssh-5.8p1/monitor_wrap.c.audit4	2011-02-21 20:14:09.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.c	2011-02-21 20:14:10.000000000 +0100
+@@ -1449,4 +1449,19 @@ mm_audit_kex_body(int ctos, char *cipher
 
 	buffer_free(&m);
 }
 +
 +void
-+mm_audit_session_key_free_body(int ctos)
+mm_audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
 +{
 +	Buffer m;
 +
 +	buffer_init(&m);
 +	buffer_put_int(&m, ctos);
+	buffer_put_int64(&m, pid);
+	buffer_put_int64(&m, uid);
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, &m);
 +	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
 +				  &m);
@ -292,19 +300,19 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
 +}
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor_wrap.h.audit4 openssh-5.8p1/monitor_wrap.h
--- openssh-5.8p1/monitor_wrap.h.audit4	2011-02-21 18:38:45.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.h	2011-02-21 18:39:26.000000000 +0100
+--- openssh-5.8p1/monitor_wrap.h.audit4	2011-02-21 20:14:09.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.h	2011-02-21 20:14:10.000000000 +0100
@@ -76,6 +76,7 @@ void mm_audit_event(ssh_audit_event_t);
 void mm_audit_run_command(const char *);
 void mm_audit_unsupported_body(int);
 void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
-+void mm_audit_session_key_free_body(int);
+void mm_audit_session_key_free_body(int, pid_t, uid_t);
 #endif
 
 struct Session;
 diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
 --- openssh-5.8p1/packet.c.audit4	2010-11-24 00:46:37.000000000 +0100
-+++ openssh-5.8p1/packet.c	2011-02-21 18:38:45.000000000 +0100
+++ openssh-5.8p1/packet.c	2011-02-21 20:14:10.000000000 +0100
@@ -497,6 +497,7 @@ packet_close(void)
 	}
 	cipher_cleanup(&active_state->send_context);
@ -399,7 +407,7 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
 +
 diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h
 --- openssh-5.8p1/packet.h.audit4	2010-11-20 05:19:38.000000000 +0100
-+++ openssh-5.8p1/packet.h	2011-02-21 18:38:45.000000000 +0100
+++ openssh-5.8p1/packet.h	2011-02-21 20:14:10.000000000 +0100
@@ -125,4 +125,5 @@ void	 packet_restore_state(void);
 void	*packet_get_input(void);
 void	*packet_get_output(void);
@ -407,8 +415,8 @@ diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h
 +void	 packet_destroy_all(void);
 #endif				/* PACKET_H */
 diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c
--- openssh-5.8p1/sshd.c.audit4	2011-02-21 18:38:45.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-02-21 18:38:45.000000000 +0100
+--- openssh-5.8p1/sshd.c.audit4	2011-02-21 20:14:09.000000000 +0100
+++ openssh-5.8p1/sshd.c	2011-02-21 20:14:10.000000000 +0100
@@ -663,6 +663,8 @@ privsep_preauth(Authctxt *authctxt)
 	return (0);
 }
@ -425,7 +433,7 @@ diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c
 + 		newkeys_destroy(current_keys[MODE_OUT]);
 +		newkeys_destroy(current_keys[MODE_IN]);
 +		packet_destroy_all();
-+		audit_session_key_free_body(2);
+		audit_session_key_free_body(2, getpid(), getuid());
 		monitor_child_postauth(pmonitor);
 
 		/* NEVERREACHED */
--- a/openssh-5.8p1-audit4a.patch
+++ b/openssh-5.8p1-audit4a.patch
@ -1,131 +0,0 @@
-diff -up openssh-5.8p1/audit-bsm.c.audit4a openssh-5.8p1/audit-bsm.c
--- openssh-5.8p1/audit-bsm.c.audit4a	2011-02-21 18:42:14.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-02-21 18:42:14.000000000 +0100
-@@ -397,7 +397,7 @@ audit_kex_body(int ctos, char *enc, char
- }
- 
- void
-audit_session_key_free_body(int ctos)
-+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
- {
- 	/* not implemented */
- }
-diff -up openssh-5.8p1/audit.c.audit4a openssh-5.8p1/audit.c
--- openssh-5.8p1/audit.c.audit4a	2011-02-21 18:42:14.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-02-21 18:42:14.000000000 +0100
-@@ -146,7 +146,7 @@ audit_kex(int ctos, char *enc, char *mac
- void
- audit_session_key_free(int ctos)
- {
-	PRIVSEP(audit_session_key_free_body(ctos));
-+	PRIVSEP(audit_session_key_free_body(ctos, getpid(), getuid()));
- }
- 
- # ifndef CUSTOM_SSH_AUDIT_EVENTS
-@@ -258,9 +258,10 @@ audit_kex_body(int ctos, char *enc, char
-  * This will be called on succesfull session key discard
-  */
- void
-audit_session_key_free_body(int ctos)
-+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
- {
-	debug("audit session key discard euid %d direction %d", geteuid(), ctos);
-+	debug("audit session key discard euid %u direction %d from pid %ld uid %u",
-+		(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
- }
- # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
- #endif /* SSH_AUDIT_EVENTS */
-diff -up openssh-5.8p1/audit.h.audit4a openssh-5.8p1/audit.h
--- openssh-5.8p1/audit.h.audit4a	2011-02-21 18:42:14.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-02-21 18:42:14.000000000 +0100
-@@ -61,6 +61,6 @@ void	audit_kex(int, char *, char *, char
- void	audit_unsupported_body(int);
- void	audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
- void	audit_session_key_free(int ctos);
-void	audit_session_key_free_body(int ctos);
-+void	audit_session_key_free_body(int ctos, pid_t, uid_t);
- 
- #endif /* _SSH_AUDIT_H */
-diff -up openssh-5.8p1/audit-linux.c.audit4a openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit4a	2011-02-21 18:42:14.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-21 18:42:14.000000000 +0100
-@@ -299,13 +299,14 @@ audit_kex_body(int ctos, char *enc, char
- }
- 
- void
-audit_session_key_free_body(int ctos)
-+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
- {
- 	char buf[AUDIT_LOG_SIZE];
- 	int audit_fd, audit_ok;
- 
-	snprintf(buf, sizeof(buf), "op=destroy kind=session direction=%s rport=%d laddr=%s lport=%d",
-		 direction[ctos], get_remote_port(),
-+	snprintf(buf, sizeof(buf), "op=destroy kind=session fp=? direction=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d",
-+		 direction[ctos], (intmax_t)pid, (intmax_t)uid,
-+		 get_remote_port(),
- 		 get_local_ipaddr(packet_get_connection_in()),
- 		 get_local_port());
- 	audit_fd = audit_open();
-diff -up openssh-5.8p1/monitor.c.audit4a openssh-5.8p1/monitor.c
--- openssh-5.8p1/monitor.c.audit4a	2011-02-21 18:42:14.000000000 +0100
-+++ openssh-5.8p1/monitor.c	2011-02-21 18:42:14.000000000 +0100
-@@ -2266,10 +2266,14 @@ int
- mm_answer_audit_session_key_free_body(int sock, Buffer *m)
- {
- 	int ctos;
-+	pid_t pid;
-+	uid_t uid;
- 
- 	ctos = buffer_get_int(m);
-+	pid = buffer_get_int64(m);
-+	uid = buffer_get_int64(m);
- 
-	audit_session_key_free_body(ctos);
-+	audit_session_key_free_body(ctos, pid, uid);
- 
- 	buffer_clear(m);
- 
-diff -up openssh-5.8p1/monitor_wrap.c.audit4a openssh-5.8p1/monitor_wrap.c
--- openssh-5.8p1/monitor_wrap.c.audit4a	2011-02-21 18:42:14.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.c	2011-02-21 18:42:14.000000000 +0100
-@@ -1451,12 +1451,14 @@ mm_audit_kex_body(int ctos, char *cipher
- }
- 
- void
-mm_audit_session_key_free_body(int ctos)
-+mm_audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
- {
- 	Buffer m;
- 
- 	buffer_init(&m);
- 	buffer_put_int(&m, ctos);
-+	buffer_put_int64(&m, pid);
-+	buffer_put_int64(&m, uid);
- 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, &m);
- 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
- 				  &m);
-diff -up openssh-5.8p1/monitor_wrap.h.audit4a openssh-5.8p1/monitor_wrap.h
--- openssh-5.8p1/monitor_wrap.h.audit4a	2011-02-21 18:42:14.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.h	2011-02-21 18:42:14.000000000 +0100
-@@ -76,7 +76,7 @@ void mm_audit_event(ssh_audit_event_t);
- void mm_audit_run_command(const char *);
- void mm_audit_unsupported_body(int);
- void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
-void mm_audit_session_key_free_body(int);
-+void mm_audit_session_key_free_body(int, pid_t, uid_t);
- #endif
- 
- struct Session;
-diff -up openssh-5.8p1/sshd.c.audit4a openssh-5.8p1/sshd.c
--- openssh-5.8p1/sshd.c.audit4a	2011-02-21 18:48:30.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-02-21 18:48:41.000000000 +0100
-@@ -693,7 +693,7 @@ privsep_postauth(Authctxt *authctxt)
-  		newkeys_destroy(current_keys[MODE_OUT]);
- 		newkeys_destroy(current_keys[MODE_IN]);
- 		packet_destroy_all();
-		audit_session_key_free_body(2);
-+		audit_session_key_free_body(2, getpid(), getuid());
- 		monitor_child_postauth(pmonitor);
- 
- 		/* NEVERREACHED */
--- a/openssh-5.8p1-audit5.patch
+++ b/openssh-5.8p1-audit5.patch
@ -1,7 +1,7 @@
 diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c
--- openssh-5.8p1/audit-bsm.c.audit5	2011-02-21 18:54:03.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-02-21 18:54:03.000000000 +0100
-@@ -401,4 +401,10 @@ audit_session_key_free_body(int ctos, pi
+--- openssh-5.8p1/audit-bsm.c.audit5	2011-02-21 20:16:34.000000000 +0100
+++ openssh-5.8p1/audit-bsm.c	2011-02-21 20:16:34.000000000 +0100
+@@ -401,4 +401,22 @@ audit_session_key_free_body(int ctos, pi
 {
 	/* not implemented */
 }
@ -10,12 +10,24 @@ diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c
 +audit_destroy_sensitive_data(const char *fp)
 +{
 +	/* not implemented */
+}
+
+void
+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
+{
+	/* not implemented */
+}
+
+void
+audit_generate_ephemeral_server_key(const char *fp)
+{
+	/* not implemented */
 +}
 #endif /* BSM */
 diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c
--- openssh-5.8p1/audit.c.audit5	2011-02-21 18:54:03.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-02-21 18:54:03.000000000 +0100
-@@ -263,5 +263,14 @@ audit_session_key_free_body(int ctos, pi
+--- openssh-5.8p1/audit.c.audit5	2011-02-21 20:16:34.000000000 +0100
+++ openssh-5.8p1/audit.c	2011-02-21 20:16:34.000000000 +0100
+@@ -263,5 +263,24 @@ audit_session_key_free_body(int ctos, pi
 	debug("audit session key discard euid %u direction %d from pid %ld uid %u",
 		(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
 }
@ -24,36 +36,66 @@ diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c
 + * This will be called on destroy private part of the server key
 + */
 +void
-+audit_destroy_sensitive_data(const char *fp)
+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
 +{
-+	debug("audit destroy sensitive data euid %d fingerprint %s", geteuid(), fp);
+	debug("audit destroy sensitive data euid %d fingerprint %s from pid %ld uid %u",
+		geteuid(), fp, (long)pid, (unsigned)uid);
+}
+
+/*
+ * This will be called on generation of the ephemeral server key
+ */
+void
+audit_generate_ephemeral_server_key(const char *)
+{
+	debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
 +}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h
--- openssh-5.8p1/audit.h.audit5	2011-02-21 18:54:03.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-02-21 18:54:03.000000000 +0100
-@@ -62,5 +62,6 @@ void	audit_unsupported_body(int);
+--- openssh-5.8p1/audit.h.audit5	2011-02-21 20:16:34.000000000 +0100
+++ openssh-5.8p1/audit.h	2011-02-21 20:16:34.000000000 +0100
+@@ -48,6 +48,8 @@ enum ssh_audit_event_type {
+ };
+ typedef enum ssh_audit_event_type ssh_audit_event_t;
+ 
+int	listening_for_clients(void);
+
+ void	audit_connection_from(const char *, int);
+ void	audit_event(ssh_audit_event_t);
+ void	audit_session_open(struct logininfo *);
+@@ -62,5 +64,7 @@ void	audit_unsupported_body(int);
 void	audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
 void	audit_session_key_free(int ctos);
 void	audit_session_key_free_body(int ctos, pid_t, uid_t);
-+void	audit_destroy_sensitive_data(const char *);
+void	audit_destroy_sensitive_data(const char *, pid_t, uid_t);
+void	audit_generate_ephemeral_server_key(const char *);
 
 #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit5	2011-02-21 18:54:03.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-21 18:54:03.000000000 +0100
-@@ -324,4 +324,26 @@ audit_session_key_free_body(int ctos, pi
- 		error("cannot write into audit");
- }
- 
+--- openssh-5.8p1/audit-linux.c.audit5	2011-02-21 20:16:34.000000000 +0100
+++ openssh-5.8p1/audit-linux.c	2011-02-21 20:16:34.000000000 +0100
+@@ -317,6 +317,31 @@ audit_session_key_free_body(int ctos, pi
+ 		return;
+ 	}
+ 	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
+			buf, NULL,
+			listening_for_clients() ? NULL : get_remote_ipaddr(),
+			NULL, 1);
+	audit_close(audit_fd);
+	/* do not abort if the error is EPERM and sshd is run as non root user */
+	if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
+		error("cannot write into audit");
+}
+
 +void
-+audit_destroy_sensitive_data(const char *fp)
+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
 +{
 +	char buf[AUDIT_LOG_SIZE];
 +	int audit_fd, audit_ok;
 +
-+	snprintf(buf, sizeof(buf), "op=destroy kind=server fp=%s direction=?", fp);
+	snprintf(buf, sizeof(buf), "op=destroy kind=server fp=%s direction=? spid=%jd suid=%jd",
+		fp, (intmax_t)pid, (intmax_t)uid);
 +	audit_fd = audit_open();
 +	if (audit_fd < 0) {
 +		if (errno != EINVAL && errno != EPROTONOSUPPORT &&
@ -62,17 +104,83 @@ diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
 +		return;
 +	}
 +	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
-+			buf, NULL, get_remote_ipaddr(), NULL, 1);
+ 			buf, NULL, get_remote_ipaddr(), NULL, 1);
+ 	audit_close(audit_fd);
+ 	/* do not abort if the error is EPERM and sshd is run as non root user */
+@@ -324,4 +349,25 @@ audit_session_key_free_body(int ctos, pi
+ 		error("cannot write into audit");
+ }
+ 
+void
+audit_generate_ephemeral_server_key(const char *fp)
+{
+	char buf[AUDIT_LOG_SIZE];
+	int audit_fd, audit_ok;
+
+	snprintf(buf, sizeof(buf), "op=create kind=server fp=%s direction=?", fp);
+	audit_fd = audit_open();
+	if (audit_fd < 0) {
+		if (errno != EINVAL && errno != EPROTONOSUPPORT &&
+					 errno != EAFNOSUPPORT)
+			error("cannot open audit");
+		return;
+	}
+	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
+			buf, NULL, 0, NULL, 1);
 +	audit_close(audit_fd);
 +	/* do not abort if the error is EPERM and sshd is run as non root user */
 +	if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
 +		error("cannot write into audit");
 +}
-+
 #endif /* USE_LINUX_AUDIT */
+diff -up openssh-5.8p1/key.c.audit5 openssh-5.8p1/key.c
+--- openssh-5.8p1/key.c.audit5	2011-02-04 01:48:34.000000000 +0100
+++ openssh-5.8p1/key.c	2011-02-21 20:16:34.000000000 +0100
+@@ -1769,6 +1769,30 @@ key_demote(const Key *k)
+ }
+ 
+ int
+key_is_private(const Key *k)
+{
+	switch (k->type) {
+	case KEY_RSA_CERT_V00:
+	case KEY_RSA_CERT:
+	case KEY_RSA1:
+	case KEY_RSA:
+		return k->rsa->d != NULL;
+	case KEY_DSA_CERT_V00:
+	case KEY_DSA_CERT:
+	case KEY_DSA:
+		return k->dsa->priv_key != NULL;
+#ifdef OPENSSL_HAS_ECC
+	case KEY_ECDSA_CERT:
+	case KEY_ECDSA:
+		return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+#endif
+	default:
+		fatal("key_is_private: bad key type %d", k->type);
+		return 1;
+	}
+}
+
+int
+ key_is_cert(const Key *k)
+ {
+ 	if (k == NULL)
+diff -up openssh-5.8p1/key.h.audit5 openssh-5.8p1/key.h
+--- openssh-5.8p1/key.h.audit5	2010-11-05 00:19:49.000000000 +0100
+++ openssh-5.8p1/key.h	2011-02-21 20:16:34.000000000 +0100
+@@ -106,6 +106,7 @@ Key	*key_generate(int, u_int);
+ Key	*key_from_private(const Key *);
+ int	 key_type_from_name(char *);
+ int	 key_is_cert(const Key *);
+int	 key_is_private(const Key *k);
+ int	 key_type_plain(int);
+ int	 key_to_certified(Key *, int);
+ int	 key_drop_cert(Key *);
 diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
--- openssh-5.8p1/monitor.c.audit5	2011-02-21 18:54:03.000000000 +0100
-+++ openssh-5.8p1/monitor.c	2011-02-21 18:54:03.000000000 +0100
+--- openssh-5.8p1/monitor.c.audit5	2011-02-21 20:16:34.000000000 +0100
+++ openssh-5.8p1/monitor.c	2011-02-21 20:16:34.000000000 +0100
@@ -181,6 +181,7 @@ int mm_answer_audit_command(int, Buffer 
 int mm_answer_audit_unsupported_body(int, Buffer *);
 int mm_answer_audit_kex_body(int, Buffer *);
@ -113,7 +221,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
 #endif
     {0, 0, NULL}
 };
-@@ -2280,4 +2285,20 @@ mm_answer_audit_session_key_free_body(in
+@@ -2280,4 +2285,24 @@ mm_answer_audit_session_key_free_body(in
 	mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
 	return 0;
 }
@ -123,10 +231,14 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
 +{
 +	int len;
 +	char *fp;
+	pid_t pid;
+	uid_t uid;
 +
 +	fp = buffer_get_string(m, &len);
+	pid = buffer_get_int64(m);
+	uid = buffer_get_int64(m);
 +
-+	audit_destroy_sensitive_data(fp);
+	audit_destroy_sensitive_data(fp, pid, uid);
 +
 +	buffer_clear(m);
 +
@ -135,8 +247,8 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
 +}
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h
--- openssh-5.8p1/monitor.h.audit5	2011-02-21 18:54:03.000000000 +0100
-+++ openssh-5.8p1/monitor.h	2011-02-21 18:54:03.000000000 +0100
+--- openssh-5.8p1/monitor.h.audit5	2011-02-21 20:16:34.000000000 +0100
+++ openssh-5.8p1/monitor.h	2011-02-21 20:16:34.000000000 +0100
@@ -69,6 +69,7 @@ enum monitor_reqtype {
 	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
 	MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
@ -146,20 +258,22 @@ diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h
 
 struct mm_master;
 diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c
--- openssh-5.8p1/monitor_wrap.c.audit5	2011-02-21 18:54:03.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.c	2011-02-21 18:54:03.000000000 +0100
-@@ -1464,4 +1464,18 @@ mm_audit_session_key_free_body(int ctos,
+--- openssh-5.8p1/monitor_wrap.c.audit5	2011-02-21 20:16:34.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.c	2011-02-21 20:16:34.000000000 +0100
+@@ -1464,4 +1464,20 @@ mm_audit_session_key_free_body(int ctos,
 				  &m);
 	buffer_free(&m);
 }
 +
 +void
-+mm_audit_destroy_sensitive_data(const char *fp)
+mm_audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
 +{
 +	Buffer m;
 +
 +	buffer_init(&m);
 +	buffer_put_cstring(&m, fp);
+	buffer_put_int64(&m, pid);
+	buffer_put_int64(&m, uid);
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
 +	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SERVER_KEY_FREE,
@ -168,19 +282,19 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c
 +}
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor_wrap.h.audit5 openssh-5.8p1/monitor_wrap.h
--- openssh-5.8p1/monitor_wrap.h.audit5	2011-02-21 18:54:03.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.h	2011-02-21 18:54:56.000000000 +0100
+--- openssh-5.8p1/monitor_wrap.h.audit5	2011-02-21 20:16:34.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.h	2011-02-21 20:16:34.000000000 +0100
@@ -77,6 +77,7 @@ void mm_audit_run_command(const char *);
 void mm_audit_unsupported_body(int);
 void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
 void mm_audit_session_key_free_body(int, pid_t, uid_t);
-+void mm_audit_destroy_sensitive_data(const char *);
+void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
 #endif
 
 struct Session;
 diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
 --- openssh-5.8p1/session.c.audit5	2010-12-01 02:02:59.000000000 +0100
-+++ openssh-5.8p1/session.c	2011-02-21 18:54:03.000000000 +0100
+++ openssh-5.8p1/session.c	2011-02-21 20:16:34.000000000 +0100
@@ -132,7 +132,7 @@ extern int log_stderr;
 extern int debug_flag;
 extern u_int utmp_len;
@ -200,8 +314,8 @@ diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
 	/* Force a password change */
 	if (s->authctxt->force_pwchange) {
 diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
--- openssh-5.8p1/sshd.c.audit5	2011-02-21 18:54:03.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-02-21 18:54:03.000000000 +0100
+--- openssh-5.8p1/sshd.c.audit5	2011-02-21 20:16:34.000000000 +0100
+++ openssh-5.8p1/sshd.c	2011-02-21 20:16:34.000000000 +0100
@@ -253,7 +253,7 @@ Buffer loginmsg;
 struct passwd *privsep_pw = NULL;
 
@ -211,51 +325,119 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
 void demote_sensitive_data(void);
 
 static void do_ssh1_kex(void);
-@@ -534,7 +534,7 @@ sshd_exchange_identification(int sock_in
+@@ -272,6 +272,15 @@ close_listen_socks(void)
+ 	num_listen_socks = -1;
+ }
 
- /* Destroy the host and server keys.  They will no longer be needed. */
+/*
+ * Is this process listening for clients (i.e. not specific to any specific
+ * client connection?)
+ */
+int listening_for_clients(void)
+{
+	return num_listen_socks > 0;
+}
+
+ static void
+ close_startup_pipes(void)
+ {
+@@ -532,22 +541,47 @@ sshd_exchange_identification(int sock_in
+ 	}
+ }
+ 
+-/* Destroy the host and server keys.  They will no longer be needed. */
+/*
+ * Destroy the host and server keys.  They will no longer be needed.  Careful,
+ * this can be called from cleanup_exit() - i.e. from just about anywhere.
+ */
 void
 -destroy_sensitive_data(void)
 +destroy_sensitive_data(int privsep)
 {
 	int i;
+	pid_t pid;
+	uid_t uid;
 
-@@ -544,8 +544,16 @@ destroy_sensitive_data(void)
+ 	if (sensitive_data.server_key) {
+ 		key_free(sensitive_data.server_key);
+ 		sensitive_data.server_key = NULL;
 	}
+	pid = getpid();
+	uid = getuid();
 	for (i = 0; i < options.num_host_key_files; i++) {
 		if (sensitive_data.host_keys[i]) {
 +			char *fp;
 +
-+			fp = key_fingerprint(sensitive_data.host_keys[i],
-+					     FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
+			if (key_is_private(sensitive_data.host_keys[i]))
+				fp = key_fingerprint(sensitive_data.host_keys[i],
+					FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
+					SSH_FP_HEX);
+			else
+				fp = NULL;
 			key_free(sensitive_data.host_keys[i]);
 			sensitive_data.host_keys[i] = NULL;
-+			if (privsep)
-+				PRIVSEP(audit_destroy_sensitive_data(fp));
-+			else
-+				audit_destroy_sensitive_data(fp);
+			if (fp != NULL) {
+				if (privsep)
+					PRIVSEP(audit_destroy_sensitive_data(fp,
+						pid, uid));
+				else
+					audit_destroy_sensitive_data(fp,
+						pid, uid);
+				xfree(fp);
+			}
 		}
- 		if (sensitive_data.host_certificates[i]) {
+-		if (sensitive_data.host_certificates[i]) {
+		if (sensitive_data.host_certificates
+		    && sensitive_data.host_certificates[i]) {
 			key_free(sensitive_data.host_certificates[i]);
-@@ -571,11 +579,17 @@ demote_sensitive_data(void)
+ 			sensitive_data.host_certificates[i] = NULL;
+ 		}
+@@ -561,6 +595,8 @@ void
+ demote_sensitive_data(void)
+ {
+ 	Key *tmp;
+	pid_t pid;
+	uid_t uid;
+ 	int i;
 
+ 	if (sensitive_data.server_key) {
+@@ -569,13 +605,27 @@ demote_sensitive_data(void)
+ 		sensitive_data.server_key = tmp;
+ 	}
+ 
+	pid = getpid();
+	uid = getuid();
 	for (i = 0; i < options.num_host_key_files; i++) {
 		if (sensitive_data.host_keys[i]) {
 +			char *fp;
 +
-+			fp = key_fingerprint(sensitive_data.host_keys[i],
-+					     FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
+			if (key_is_private(sensitive_data.host_keys[i]))
+				fp = key_fingerprint(sensitive_data.host_keys[i],
+					FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
+					SSH_FP_HEX);
+			else
+				fp = NULL;
 			tmp = key_demote(sensitive_data.host_keys[i]);
 			key_free(sensitive_data.host_keys[i]);
 			sensitive_data.host_keys[i] = tmp;
 			if (tmp->type == KEY_RSA1)
 				sensitive_data.ssh1_host_key = tmp;
-+			audit_destroy_sensitive_data(fp);
-+			xfree(fp);
+			if (fp != NULL) {
+				audit_destroy_sensitive_data(fp, pid, uid);
+				xfree(fp);
+			}
 		}
 		/* Certs do not need demotion */
 	}
-@@ -2024,7 +2038,7 @@ main(int ac, char **av)
+@@ -1120,6 +1170,7 @@ server_accept_loop(int *sock_in, int *so
+ 		if (received_sigterm) {
+ 			logit("Received signal %d; terminating.",
+ 			    (int) received_sigterm);
+			destroy_sensitive_data(0);
+ 			close_listen_socks();
+ 			unlink(options.pid_file);
+ 			exit(255);
+@@ -2024,7 +2075,7 @@ main(int ac, char **av)
 		privsep_postauth(authctxt);
 		/* the monitor process [priv] will not return */
 		if (!compat20)
@ -264,7 +446,7 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
 	}
 
 	packet_set_timeout(options.client_alive_interval,
-@@ -2264,7 +2278,7 @@ do_ssh1_kex(void)
+@@ -2264,7 +2315,7 @@ do_ssh1_kex(void)
 			session_id[i] = session_key[i] ^ session_key[i + 16];
 	}
 	/* Destroy the private and public keys. No longer. */
@ -273,3 +455,13 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
 
 	if (use_privsep)
 		mm_ssh1_session_id(session_id);
+@@ -2356,6 +2407,9 @@ cleanup_exit(int i)
+ {
+ 	if (the_authctxt)
+ 		do_cleanup(the_authctxt);
+	if (sensitive_data.host_keys != NULL)
+		destroy_sensitive_data(use_privsep && pmonitor != NULL &&
+				!mm_is_monitor());
+ #ifdef SSH_AUDIT_EVENTS
+ 	/* done after do_cleanup so it can cancel the PAM auth 'thread' */
+ 	if (!use_privsep || mm_is_monitor())
--- a/openssh-5.8p1-audit5a.patch
+++ b/openssh-5.8p1-audit5a.patch
@ -1,351 +0,0 @@
-diff -up openssh-5.8p1/audit-bsm.c.audit5a openssh-5.8p1/audit-bsm.c
--- openssh-5.8p1/audit-bsm.c.audit5a	2011-02-21 19:11:32.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-02-21 19:11:32.000000000 +0100
-@@ -407,4 +407,16 @@ audit_destroy_sensitive_data(const char 
- {
- 	/* not implemented */
- }
-+
-+void
-+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
-+{
-+	/* not implemented */
-+}
-+
-+void
-+audit_generate_ephemeral_server_key(const char *fp)
-+{
-+	/* not implemented */
-+}
- #endif /* BSM */
-diff -up openssh-5.8p1/audit.c.audit5a openssh-5.8p1/audit.c
--- openssh-5.8p1/audit.c.audit5a	2011-02-21 19:11:32.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-02-21 19:11:32.000000000 +0100
-@@ -268,9 +268,19 @@ audit_session_key_free_body(int ctos, pi
-  * This will be called on destroy private part of the server key
-  */
- void
-audit_destroy_sensitive_data(const char *fp)
-+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
- {
-	debug("audit destroy sensitive data euid %d fingerprint %s", geteuid(), fp);
-+	debug("audit destroy sensitive data euid %d fingerprint %s from pid %ld uid %u",
-+		geteuid(), fp, (long)pid, (unsigned)uid);
-+}
-+
-+/*
-+ * This will be called on generation of the ephemeral server key
-+ */
-+void
-+audit_generate_ephemeral_server_key(const char *)
-+{
-+	debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
- }
- # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
- #endif /* SSH_AUDIT_EVENTS */
-diff -up openssh-5.8p1/audit.h.audit5a openssh-5.8p1/audit.h
--- openssh-5.8p1/audit.h.audit5a	2011-02-21 19:11:32.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-02-21 19:11:32.000000000 +0100
-@@ -48,6 +48,8 @@ enum ssh_audit_event_type {
- };
- typedef enum ssh_audit_event_type ssh_audit_event_t;
- 
-+int	listening_for_clients(void);
-+
- void	audit_connection_from(const char *, int);
- void	audit_event(ssh_audit_event_t);
- void	audit_session_open(struct logininfo *);
-@@ -62,6 +64,7 @@ void	audit_unsupported_body(int);
- void	audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
- void	audit_session_key_free(int ctos);
- void	audit_session_key_free_body(int ctos, pid_t, uid_t);
-void	audit_destroy_sensitive_data(const char *);
-+void	audit_destroy_sensitive_data(const char *, pid_t, uid_t);
-+void	audit_generate_ephemeral_server_key(const char *);
- 
- #endif /* _SSH_AUDIT_H */
-diff -up openssh-5.8p1/audit-linux.c.audit5a openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit5a	2011-02-21 19:11:32.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-21 19:11:32.000000000 +0100
-@@ -317,7 +317,9 @@ audit_session_key_free_body(int ctos, pi
- 		return;
- 	}
- 	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
-			buf, NULL, get_remote_ipaddr(), NULL, 1);
-+			buf, NULL,
-+			listening_for_clients() ? NULL : get_remote_ipaddr(),
-+			NULL, 1);
- 	audit_close(audit_fd);
- 	/* do not abort if the error is EPERM and sshd is run as non root user */
- 	if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
-@@ -325,12 +327,13 @@ audit_session_key_free_body(int ctos, pi
- }
- 
- void
-audit_destroy_sensitive_data(const char *fp)
-+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
- {
- 	char buf[AUDIT_LOG_SIZE];
- 	int audit_fd, audit_ok;
- 
-	snprintf(buf, sizeof(buf), "op=destroy kind=server fp=%s direction=?", fp);
-+	snprintf(buf, sizeof(buf), "op=destroy kind=server fp=%s direction=? spid=%jd suid=%jd",
-+		fp, (intmax_t)pid, (intmax_t)uid);
- 	audit_fd = audit_open();
- 	if (audit_fd < 0) {
- 		if (errno != EINVAL && errno != EPROTONOSUPPORT &&
-@@ -346,4 +349,25 @@ audit_destroy_sensitive_data(const char 
- 		error("cannot write into audit");
- }
- 
-+void
-+audit_generate_ephemeral_server_key(const char *fp)
-+{
-+	char buf[AUDIT_LOG_SIZE];
-+	int audit_fd, audit_ok;
-+
-+	snprintf(buf, sizeof(buf), "op=create kind=server fp=%s direction=?", fp);
-+	audit_fd = audit_open();
-+	if (audit_fd < 0) {
-+		if (errno != EINVAL && errno != EPROTONOSUPPORT &&
-+					 errno != EAFNOSUPPORT)
-+			error("cannot open audit");
-+		return;
-+	}
-+	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
-+			buf, NULL, 0, NULL, 1);
-+	audit_close(audit_fd);
-+	/* do not abort if the error is EPERM and sshd is run as non root user */
-+	if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
-+		error("cannot write into audit");
-+}
- #endif /* USE_LINUX_AUDIT */
-diff -up openssh-5.8p1/key.c.audit5a openssh-5.8p1/key.c
--- openssh-5.8p1/key.c.audit5a	2011-02-04 01:48:34.000000000 +0100
-+++ openssh-5.8p1/key.c	2011-02-21 19:15:28.000000000 +0100
-@@ -1769,6 +1769,30 @@ key_demote(const Key *k)
- }
- 
- int
-+key_is_private(const Key *k)
-+{
-+	switch (k->type) {
-+	case KEY_RSA_CERT_V00:
-+	case KEY_RSA_CERT:
-+	case KEY_RSA1:
-+	case KEY_RSA:
-+		return k->rsa->d != NULL;
-+	case KEY_DSA_CERT_V00:
-+	case KEY_DSA_CERT:
-+	case KEY_DSA:
-+		return k->dsa->priv_key != NULL;
-+#ifdef OPENSSL_HAS_ECC
-+	case KEY_ECDSA_CERT:
-+	case KEY_ECDSA:
-+		return EC_KEY_get0_private_key(k->ecdsa) != NULL;
-+#endif
-+	default:
-+		fatal("key_is_private: bad key type %d", k->type);
-+		return 1;
-+	}
-+}
-+
-+int
- key_is_cert(const Key *k)
- {
- 	if (k == NULL)
-diff -up openssh-5.8p1/key.h.audit5a openssh-5.8p1/key.h
--- openssh-5.8p1/key.h.audit5a	2010-11-05 00:19:49.000000000 +0100
-+++ openssh-5.8p1/key.h	2011-02-21 19:15:34.000000000 +0100
-@@ -106,6 +106,7 @@ Key	*key_generate(int, u_int);
- Key	*key_from_private(const Key *);
- int	 key_type_from_name(char *);
- int	 key_is_cert(const Key *);
-+int	 key_is_private(const Key *k);
- int	 key_type_plain(int);
- int	 key_to_certified(Key *, int);
- int	 key_drop_cert(Key *);
-diff -up openssh-5.8p1/monitor.c.audit5a openssh-5.8p1/monitor.c
--- openssh-5.8p1/monitor.c.audit5a	2011-02-21 19:11:32.000000000 +0100
-+++ openssh-5.8p1/monitor.c	2011-02-21 19:11:32.000000000 +0100
-@@ -2291,10 +2291,14 @@ mm_answer_audit_server_key_free(int sock
- {
- 	int len;
- 	char *fp;
-+	pid_t pid;
-+	uid_t uid;
- 
- 	fp = buffer_get_string(m, &len);
-+	pid = buffer_get_int64(m);
-+	uid = buffer_get_int64(m);
- 
-	audit_destroy_sensitive_data(fp);
-+	audit_destroy_sensitive_data(fp, pid, uid);
- 
- 	buffer_clear(m);
- 
-diff -up openssh-5.8p1/monitor_wrap.c.audit5a openssh-5.8p1/monitor_wrap.c
--- openssh-5.8p1/monitor_wrap.c.audit5a	2011-02-21 19:11:32.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.c	2011-02-21 19:11:32.000000000 +0100
-@@ -1466,12 +1466,14 @@ mm_audit_session_key_free_body(int ctos,
- }
- 
- void
-mm_audit_destroy_sensitive_data(const char *fp)
-+mm_audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
- {
- 	Buffer m;
- 
- 	buffer_init(&m);
- 	buffer_put_cstring(&m, fp);
-+	buffer_put_int64(&m, pid);
-+	buffer_put_int64(&m, uid);
- 
- 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
- 	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SERVER_KEY_FREE,
-diff -up openssh-5.8p1/monitor_wrap.h.audit5a openssh-5.8p1/monitor_wrap.h
--- openssh-5.8p1/monitor_wrap.h.audit5a	2011-02-21 19:11:32.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.h	2011-02-21 19:11:32.000000000 +0100
-@@ -77,7 +77,7 @@ void mm_audit_run_command(const char *);
- void mm_audit_unsupported_body(int);
- void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
- void mm_audit_session_key_free_body(int, pid_t, uid_t);
-void mm_audit_destroy_sensitive_data(const char *);
-+void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
- #endif
- 
- struct Session;
-diff -up openssh-5.8p1/sshd.c.audit5a openssh-5.8p1/sshd.c
--- openssh-5.8p1/sshd.c.audit5a	2011-02-21 19:11:32.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-02-21 19:11:32.000000000 +0100
-@@ -272,6 +272,15 @@ close_listen_socks(void)
- 	num_listen_socks = -1;
- }
- 
-+/*
-+ * Is this process listening for clients (i.e. not specific to any specific
-+ * client connection?)
-+ */
-+int listening_for_clients(void)
-+{
-+	return num_listen_socks > 0;
-+}
-+
- static void
- close_startup_pipes(void)
- {
-@@ -532,30 +541,47 @@ sshd_exchange_identification(int sock_in
- 	}
- }
- 
-/* Destroy the host and server keys.  They will no longer be needed. */
-+/*
-+ * Destroy the host and server keys.  They will no longer be needed.  Careful,
-+ * this can be called from cleanup_exit() - i.e. from just about anywhere.
-+ */
- void
- destroy_sensitive_data(int privsep)
- {
- 	int i;
-+	pid_t pid;
-+	uid_t uid;
- 
- 	if (sensitive_data.server_key) {
- 		key_free(sensitive_data.server_key);
- 		sensitive_data.server_key = NULL;
- 	}
-+	pid = getpid();
-+	uid = getuid();
- 	for (i = 0; i < options.num_host_key_files; i++) {
- 		if (sensitive_data.host_keys[i]) {
- 			char *fp;
- 
-			fp = key_fingerprint(sensitive_data.host_keys[i],
-					     FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
-+			if (key_is_private(sensitive_data.host_keys[i]))
-+				fp = key_fingerprint(sensitive_data.host_keys[i],
-+					FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
-+					SSH_FP_HEX);
-+			else
-+				fp = NULL;
- 			key_free(sensitive_data.host_keys[i]);
- 			sensitive_data.host_keys[i] = NULL;
-			if (privsep)
-				PRIVSEP(audit_destroy_sensitive_data(fp));
-			else
-				audit_destroy_sensitive_data(fp);
-+			if (fp != NULL) {
-+				if (privsep)
-+					PRIVSEP(audit_destroy_sensitive_data(fp,
-+						pid, uid));
-+				else
-+					audit_destroy_sensitive_data(fp,
-+						pid, uid);
-+				xfree(fp);
-+			}
- 		}
-		if (sensitive_data.host_certificates[i]) {
-+		if (sensitive_data.host_certificates
-+		    && sensitive_data.host_certificates[i]) {
- 			key_free(sensitive_data.host_certificates[i]);
- 			sensitive_data.host_certificates[i] = NULL;
- 		}
-@@ -569,6 +595,8 @@ void
- demote_sensitive_data(void)
- {
- 	Key *tmp;
-+	pid_t pid;
-+	uid_t uid;
- 	int i;
- 
- 	if (sensitive_data.server_key) {
-@@ -577,19 +605,27 @@ demote_sensitive_data(void)
- 		sensitive_data.server_key = tmp;
- 	}
- 
-+	pid = getpid();
-+	uid = getuid();
- 	for (i = 0; i < options.num_host_key_files; i++) {
- 		if (sensitive_data.host_keys[i]) {
- 			char *fp;
- 
-			fp = key_fingerprint(sensitive_data.host_keys[i],
-					     FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
-+			if (key_is_private(sensitive_data.host_keys[i]))
-+				fp = key_fingerprint(sensitive_data.host_keys[i],
-+					FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
-+					SSH_FP_HEX);
-+			else
-+				fp = NULL;
- 			tmp = key_demote(sensitive_data.host_keys[i]);
- 			key_free(sensitive_data.host_keys[i]);
- 			sensitive_data.host_keys[i] = tmp;
- 			if (tmp->type == KEY_RSA1)
- 				sensitive_data.ssh1_host_key = tmp;
-			audit_destroy_sensitive_data(fp);
-			xfree(fp);
-+			if (fp != NULL) {
-+				audit_destroy_sensitive_data(fp, pid, uid);
-+				xfree(fp);
-+			}
- 		}
- 		/* Certs do not need demotion */
- 	}
-@@ -1134,6 +1170,7 @@ server_accept_loop(int *sock_in, int *so
- 		if (received_sigterm) {
- 			logit("Received signal %d; terminating.",
- 			    (int) received_sigterm);
-+			destroy_sensitive_data(0);
- 			close_listen_socks();
- 			unlink(options.pid_file);
- 			exit(255);
-@@ -2370,6 +2407,9 @@ cleanup_exit(int i)
- {
- 	if (the_authctxt)
- 		do_cleanup(the_authctxt);
-+	if (sensitive_data.host_keys != NULL)
-+		destroy_sensitive_data(use_privsep && pmonitor != NULL &&
-+				!mm_is_monitor());
- #ifdef SSH_AUDIT_EVENTS
- 	/* done after do_cleanup so it can cancel the PAM auth 'thread' */
- 	if (!use_privsep || mm_is_monitor())