improve audit of logins and auths

openssh-5.8p1-audit0a.patch

@@ -0,0 +1,17 @@
+Don't audit SSH_INVALID_USER twice.
+
+PRIVSEP(getpwnamallow()) a few lines above already did this.
+
+diff -ur openssh/auth2.c openssh-5.8p1/auth2.c
+--- openssh/auth2.c	2011-03-02 02:32:52.383773622 +0100
++++ openssh-5.8p1/auth2.c	2011-03-02 03:32:34.585110911 +0100
+@@ -250,9 +250,6 @@
+ 		} else {
+ 			logit("input_userauth_request: invalid user %s", user);
+ 			authctxt->pw = fakepw();
+-#ifdef SSH_AUDIT_EVENTS
+-			PRIVSEP(audit_event(SSH_INVALID_USER));
+-#endif
+ 		}
+ #ifdef USE_PAM
+ 		if (options.use_pam)

openssh-5.8p1-audit1a.patch

@@ -0,0 +1,429 @@
+diff -up openssh-5.8p1/audit-bsm.c.audit1a openssh-5.8p1/audit-bsm.c
+--- openssh-5.8p1/audit-bsm.c.audit1a	2011-03-02 09:37:14.000000000 +0100
++++ openssh-5.8p1/audit-bsm.c	2011-03-02 09:37:14.000000000 +0100
+@@ -298,19 +298,26 @@ audit_connection_from(const char *host, 
+ #endif
+ }
+ 
+-void
++int
+ audit_run_command(const char *command)
+ {
+ 	/* not implemented */
++	return 0;
+ }
+ 
+ void
+-audit_end_command(const char *command)
++audit_end_command(int handle, const char *command)
+ {
+ 	/* not implemented */
+ }
+ 
+ void
++audit_count_session_open(void)
++{
++	/* not necessary */
++}
++
++void
+ audit_session_open(struct logininfo *li)
+ {
+ 	/* not implemented */
+diff -up openssh-5.8p1/audit.c.audit1a openssh-5.8p1/audit.c
+--- openssh-5.8p1/audit.c.audit1a	2011-03-02 09:37:14.000000000 +0100
++++ openssh-5.8p1/audit.c	2011-03-02 09:37:14.000000000 +0100
+@@ -140,6 +140,17 @@ audit_event(ssh_audit_event_t event)
+ }
+ 
+ /*
++ * Called when a child process has called, or will soon call,
++ * audit_session_open.
++ */
++void
++audit_count_session_open(void)
++{
++	debug("audit count session open euid %d user %s", geteuid(),
++	      audit_username());
++}
++
++/*
+  * Called when a user session is started.  Argument is the tty allocated to
+  * the session, or NULL if no tty was allocated.
+  *
+@@ -174,22 +185,25 @@ audit_session_close(struct logininfo *li
+ /*
+  * This will be called when a user runs a non-interactive command.  Note that
+  * it may be called multiple times for a single connection since SSH2 allows
+- * multiple sessions within a single connection.
++ * multiple sessions within a single connection.  Returns a "handle" for
++ * audit_end_command.
+  */
+-void
++int
+ audit_run_command(const char *command)
+ {
+ 	debug("audit run command euid %d user %s command '%.200s'", geteuid(),
+ 	    audit_username(), command);
++	return 0;
+ }
+ 
+ /*
+  * This will be called when the non-interactive command finishes.  Note that
+  * it may be called multiple times for a single connection since SSH2 allows
+- * multiple sessions within a single connection.
++ * multiple sessions within a single connection.  "handle" should come from
++ * the corresponding audit_run_command.
+  */
+ void
+-audit_end_command(const char *command)
++audit_end_command(int handle, const char *command)
+ {
+ 	debug("audit end nopty exec  euid %d user %s command '%.200s'", geteuid(),
+ 	    audit_username(), command);
+diff -up openssh-5.8p1/audit.h.audit1a openssh-5.8p1/audit.h
+--- openssh-5.8p1/audit.h.audit1a	2011-03-02 09:37:14.000000000 +0100
++++ openssh-5.8p1/audit.h	2011-03-02 09:37:14.000000000 +0100
+@@ -49,10 +49,11 @@ typedef enum ssh_audit_event_type ssh_au
+ 
+ void	audit_connection_from(const char *, int);
+ void	audit_event(ssh_audit_event_t);
++void	audit_count_session_open(void);
+ void	audit_session_open(struct logininfo *);
+ void	audit_session_close(struct logininfo *);
+-void	audit_run_command(const char *);
+-void 	audit_end_command(const char *);
++int	audit_run_command(const char *);
++void 	audit_end_command(int, const char *);
+ ssh_audit_event_t audit_classify_auth(const char *);
+ 
+ #endif /* _SSH_AUDIT_H */
+diff -up openssh-5.8p1/audit-linux.c.audit1a openssh-5.8p1/audit-linux.c
+--- openssh-5.8p1/audit-linux.c.audit1a	2011-03-02 09:37:14.000000000 +0100
++++ openssh-5.8p1/audit-linux.c	2011-03-02 09:37:14.000000000 +0100
+@@ -140,7 +140,7 @@ audit_connection_from(const char *host, 
+ 	/* not implemented */
+ }
+ 
+-void
++int
+ audit_run_command(const char *command)
+ {
+ 	if (!user_login_count++) 
+@@ -148,10 +148,11 @@ audit_run_command(const char *command)
+ 		    NULL, "ssh", 1, AUDIT_USER_LOGIN);
+ 	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
+ 	    NULL, "ssh", 1, AUDIT_USER_START);
++	return 0;
+ }
+ 
+ void
+-audit_end_command(const char *command)
++audit_end_command(int handle, const char *command)
+ {
+ 	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
+ 	    NULL, "ssh", 1, AUDIT_USER_END);
+@@ -161,6 +162,12 @@ audit_end_command(const char *command)
+ }
+ 
+ void
++audit_count_session_open(void)
++{
++	user_login_count++;
++}
++
++void
+ audit_session_open(struct logininfo *li)
+ {
+ 	if (!user_login_count++) 
+diff -up openssh-5.8p1/monitor.c.audit1a openssh-5.8p1/monitor.c
+--- openssh-5.8p1/monitor.c.audit1a	2011-03-02 09:37:14.000000000 +0100
++++ openssh-5.8p1/monitor.c	2011-03-02 09:37:14.000000000 +0100
+@@ -1291,6 +1291,12 @@ mm_session_close(Session *s)
+ 		debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
+ 		session_pty_cleanup2(s);
+ 	}
++#ifdef SSH_AUDIT_EVENTS
++	if (s->command != NULL) {
++		debug3("%s: command %d", __func__, s->command_handle);
++		session_end_command2(s);
++	}
++#endif
+ 	session_unused(s->self);
+ }
+ 
+@@ -1613,25 +1619,44 @@ mm_answer_audit_command(int socket, Buff
+ {
+ 	u_int len;
+ 	char *cmd;
++	Session *s;
+ 
+ 	debug3("%s entering", __func__);
+ 	cmd = buffer_get_string(m, &len);
++
+ 	/* sanity check command, if so how? */
+-	audit_run_command(cmd);
+-	xfree(cmd);
++	s = session_new();
++	if (s == NULL)
++		fatal("%s: error allocating a session", __func__);
++	s->command = cmd;
++	s->command_handle = audit_run_command(cmd);
++
++	buffer_clear(m);
++	buffer_put_int(m, s->self);
++
++	mm_request_send(socket, MONITOR_ANS_AUDIT_COMMAND, m);
++
+ 	return (0);
+ }
+ 
+ int
+ mm_answer_audit_end_command(int socket, Buffer *m)
+ {
++	int handle;
+ 	u_int len;
+ 	char *cmd;
++	Session *s;
+ 
+ 	debug3("%s entering", __func__);
++	handle = buffer_get_int(m);
+ 	cmd = buffer_get_string(m, &len);
+-	/* sanity check command, if so how? */
+-	audit_end_command(cmd);
++
++	s = session_by_id(handle);
++	if (s == NULL || s->ttyfd != -1 || s->command == NULL ||
++	    strcmp(s->command, cmd) != 0)
++		fatal("%s: invalid handle", __func__);
++	mm_session_close(s);
++
+ 	xfree(cmd);
+ 	return (0);
+ }
+diff -up openssh-5.8p1/monitor.h.audit1a openssh-5.8p1/monitor.h
+--- openssh-5.8p1/monitor.h.audit1a	2011-03-02 09:37:14.000000000 +0100
++++ openssh-5.8p1/monitor.h	2011-03-02 09:37:15.000000000 +0100
+@@ -60,7 +60,7 @@ enum monitor_reqtype {
+ 	MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
+ 	MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
+ 	MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
+-	MONITOR_REQ_AUDIT_END_COMMAND,
++	MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
+ 	MONITOR_REQ_TERM,
+ 	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
+ 	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
+diff -up openssh-5.8p1/monitor_wrap.c.audit1a openssh-5.8p1/monitor_wrap.c
+--- openssh-5.8p1/monitor_wrap.c.audit1a	2011-03-02 09:37:14.000000000 +0100
++++ openssh-5.8p1/monitor_wrap.c	2011-03-02 09:37:15.000000000 +0100
+@@ -1150,10 +1150,11 @@ mm_audit_event(ssh_audit_event_t event)
+ 	buffer_free(&m);
+ }
+ 
+-void
++int
+ mm_audit_run_command(const char *command)
+ {
+ 	Buffer m;
++	int handle;
+ 
+ 	debug3("%s entering command %s", __func__, command);
+ 
+@@ -1161,17 +1162,23 @@ mm_audit_run_command(const char *command
+ 	buffer_put_cstring(&m, command);
+ 
+ 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
++	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, &m);
++
++	handle = buffer_get_int(&m);
+ 	buffer_free(&m);
++
++	return (handle);
+ }
+ 
+ void
+-mm_audit_end_command(const char *command)
++mm_audit_end_command(int handle, const char *command)
+ {
+ 	Buffer m;
+ 
+ 	debug3("%s entering command %s", __func__, command);
+ 
+ 	buffer_init(&m);
++	buffer_put_int(&m, handle);
+ 	buffer_put_cstring(&m, command);
+ 
+ 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, &m);
+diff -up openssh-5.8p1/monitor_wrap.h.audit1a openssh-5.8p1/monitor_wrap.h
+--- openssh-5.8p1/monitor_wrap.h.audit1a	2011-03-02 09:41:17.000000000 +0100
++++ openssh-5.8p1/monitor_wrap.h	2011-03-02 09:44:35.000000000 +0100
+@@ -73,8 +73,8 @@ void mm_sshpam_free_ctx(void *);
+ #ifdef SSH_AUDIT_EVENTS
+ #include "audit.h"
+ void mm_audit_event(ssh_audit_event_t);
+-void mm_audit_run_command(const char *);
+-void mm_audit_end_command(const char *);
++int mm_audit_run_command(const char *);
++void mm_audit_end_command(int, const char *);
+ #endif
+ 
+ struct Session;
+diff -up openssh-5.8p1/session.c.audit1a openssh-5.8p1/session.c
+--- openssh-5.8p1/session.c.audit1a	2011-03-02 09:37:14.000000000 +0100
++++ openssh-5.8p1/session.c	2011-03-02 09:37:15.000000000 +0100
+@@ -738,6 +738,14 @@ do_exec_pty(Session *s, const char *comm
+ 	/* Parent.  Close the slave side of the pseudo tty. */
+ 	close(ttyfd);
+ 
++#ifndef HAVE_OSF_SIA
++	/* do_login in the child did not affect state in this process,
++	   compensate.  From an architectural standpoint, this is extremely
++	   ugly. */
++	if (!(options.use_login && command == NULL))
++		audit_count_session_open();
++#endif
++
+ 	/* Enter interactive session. */
+ 	s->ptymaster = ptymaster;
+ 	packet_set_interactive(1, 
+@@ -809,17 +817,19 @@ do_exec(Session *s, const char *command)
+ 	}
+ 
+ #ifdef SSH_AUDIT_EVENTS
+-	if (command != NULL) {
+-		PRIVSEP(audit_run_command(command));
++	if (s->command != NULL || s->command_handle != -1)
++		fatal("do_exec: command already set");
++	if (command != NULL)
+ 		s->command = xstrdup(command);
+-	} else if (s->ttyfd == -1) {
++	else if (s->ttyfd == -1) {
+ 		char *shell = s->pw->pw_shell;
+ 
+ 		if (shell[0] == '\0')	/* empty shell means /bin/sh */
+ 			shell =_PATH_BSHELL;
+-		PRIVSEP(audit_run_command(shell));
+ 		s->command = xstrdup(shell);
+ 	}
++	if (s->command != NULL)
++		s->command_handle = PRIVSEP(audit_run_command(s->command));
+ #endif
+ 	if (s->ttyfd != -1)
+ 		ret = do_exec_pty(s, command);
+@@ -1843,6 +1853,7 @@ session_unused(int id)
+ 	sessions[id].ttyfd = -1;
+ 	sessions[id].ptymaster = -1;
+ 	sessions[id].x11_chanids = NULL;
++	sessions[id].command_handle = -1;
+ 	sessions[id].next_unused = sessions_first_unused;
+ 	sessions_first_unused = id;
+ }
+@@ -1925,6 +1936,19 @@ session_open(Authctxt *authctxt, int cha
+ }
+ 
+ Session *
++session_by_id(int id)
++{
++	if (id >= 0 && id < sessions_nalloc) {
++		Session *s = &sessions[id];
++		if (s->used)
++			return s;
++	}
++	debug("session_by_id: unknown id %d", id);
++	session_dump();
++	return NULL;
++}
++
++Session *
+ session_by_tty(char *tty)
+ {
+ 	int i;
+@@ -2450,6 +2474,30 @@ session_exit_message(Session *s, int sta
+ 		chan_write_failed(c);
+ }
+ 
++#ifdef SSH_AUDIT_EVENTS
++void
++session_end_command2(Session *s)
++{
++	if (s->command != NULL) {
++		audit_end_command(s->command_handle, s->command);
++		xfree(s->command);
++		s->command = NULL;
++		s->command_handle = -1;
++	}
++}
++
++static void
++session_end_command(Session *s)
++{
++	if (s->command != NULL) {
++		PRIVSEP(audit_end_command(s->command_handle, s->command));
++		xfree(s->command);
++		s->command = NULL;
++		s->command_handle = -1;
++	}
++}
++#endif
++
+ void
+ session_close(Session *s)
+ {
+@@ -2459,10 +2507,8 @@ session_close(Session *s)
+ 	if (s->ttyfd != -1)
+ 		session_pty_cleanup(s);
+ #ifdef SSH_AUDIT_EVENTS
+-	if (s->command) {
+-		PRIVSEP(audit_end_command(s->command));
+-		xfree(s->command);
+-	}
++	if (s->command)
++		session_end_command(s);
+ #endif
+ 	if (s->term)
+ 		xfree(s->term);
+@@ -2683,6 +2729,15 @@ do_authenticated2(Authctxt *authctxt)
+ 	server_loop2(authctxt);
+ }
+ 
++static void
++do_cleanup_one_session(Session *s)
++{
++	session_pty_cleanup2(s);
++#ifdef SSH_AUDIT_EVENTS
++	session_end_command2(s);
++#endif
++}
++
+ void
+ do_cleanup(Authctxt *authctxt)
+ {
+@@ -2731,5 +2786,5 @@ do_cleanup(Authctxt *authctxt)
+ 	 * or if running in monitor.
+ 	 */
+ 	if (!use_privsep || mm_is_monitor())
+-		session_destroy_all(session_pty_cleanup2);
++		session_destroy_all(do_cleanup_one_session);
+ }
+diff -up openssh-5.8p1/session.h.audit1a openssh-5.8p1/session.h
+--- openssh-5.8p1/session.h.audit1a	2011-03-02 09:37:14.000000000 +0100
++++ openssh-5.8p1/session.h	2011-03-02 09:37:15.000000000 +0100
+@@ -63,6 +63,7 @@ struct Session {
+ 
+ 	/* exec */
+ #ifdef SSH_AUDIT_EVENTS
++	int	command_handle;
+ 	char	*command;
+ #endif
+ };
+@@ -77,8 +78,10 @@ void	 session_close_by_pid(pid_t, int);
+ void	 session_close_by_channel(int, void *);
+ void	 session_destroy_all(void (*)(Session *));
+ void	 session_pty_cleanup2(Session *);
++void	 session_end_command2(Session *);
+ 
+ Session	*session_new(void);
++Session *session_by_id(int);
+ Session	*session_by_tty(char *);
+ void	 session_close(Session *);
+ void	 do_setusercontext(struct passwd *);

openssh-5.8p1-audit2.patch

@@ -1,7 +1,7 @@
 diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
---- openssh-5.8p1/audit-bsm.c.audit2	2011-02-24 09:38:06.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-02-24 09:38:06.000000000 +0100
-@@ -322,6 +322,12 @@ audit_session_close(struct logininfo *li
+--- openssh-5.8p1/audit-bsm.c.audit2	2011-03-02 08:23:54.000000000 +0100
++++ openssh-5.8p1/audit-bsm.c	2011-03-02 08:23:54.000000000 +0100
+@@ -329,6 +329,12 @@ audit_session_close(struct logininfo *li
  	/* not implemented */
  }
  
@@ -15,8 +15,8 @@ diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
  audit_event(ssh_audit_event_t event)
  {
 diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
---- openssh-5.8p1/audit.c.audit2	2011-02-24 09:38:06.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-02-24 09:46:00.000000000 +0100
+--- openssh-5.8p1/audit.c.audit2	2011-03-02 08:23:54.000000000 +0100
++++ openssh-5.8p1/audit.c	2011-03-02 08:23:55.000000000 +0100
 @@ -36,6 +36,7 @@
  #include "key.h"
  #include "hostfile.h"
@@ -48,7 +48,7 @@ diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
  # ifndef CUSTOM_SSH_AUDIT_EVENTS
  /*
   * Null implementations of audit functions.
-@@ -195,5 +212,17 @@ audit_end_command(const char *command)
+@@ -209,5 +226,17 @@ audit_end_command(int handle, const char
  	    audit_username(), command);
  }
  
@@ -67,8 +67,8 @@ diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
  # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
---- openssh-5.8p1/audit.h.audit2	2011-02-24 09:38:06.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-02-24 09:38:06.000000000 +0100
+--- openssh-5.8p1/audit.h.audit2	2011-03-02 08:23:54.000000000 +0100
++++ openssh-5.8p1/audit.h	2011-03-02 08:25:02.000000000 +0100
 @@ -28,6 +28,7 @@
  # define _SSH_AUDIT_H
  
@@ -77,17 +77,17 @@ diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
  
  enum ssh_audit_event_type {
  	SSH_LOGIN_EXCEED_MAXTRIES,
-@@ -54,5 +55,7 @@ void	audit_session_close(struct logininf
- void	audit_run_command(const char *);
- void 	audit_end_command(const char *);
+@@ -55,5 +56,7 @@ void	audit_session_close(struct logininf
+ int	audit_run_command(const char *);
+ void 	audit_end_command(int, const char *);
  ssh_audit_event_t audit_classify_auth(const char *);
 +int	audit_keyusage(int, const char *, unsigned, char *, int);
 +void	audit_key(int, int *, const Key *);
  
  #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
---- openssh-5.8p1/audit-linux.c.audit2	2011-02-24 09:38:06.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-24 09:47:31.000000000 +0100
+--- openssh-5.8p1/audit-linux.c.audit2	2011-03-02 08:23:54.000000000 +0100
++++ openssh-5.8p1/audit-linux.c	2011-03-02 08:23:55.000000000 +0100
 @@ -41,6 +41,8 @@
  #include "servconf.h"
  #include "canohost.h"
@@ -136,8 +136,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
  
  /* Below is the sshd audit API code */
 diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
---- openssh-5.8p1/auth2-hostbased.c.audit2	2011-02-24 09:38:06.000000000 +0100
-+++ openssh-5.8p1/auth2-hostbased.c	2011-02-24 09:38:06.000000000 +0100
+--- openssh-5.8p1/auth2-hostbased.c.audit2	2011-03-02 08:23:53.000000000 +0100
++++ openssh-5.8p1/auth2-hostbased.c	2011-03-02 08:23:55.000000000 +0100
 @@ -136,6 +136,18 @@ done:
  	return authenticated;
  }
@@ -158,8 +158,8 @@ diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
  int
  hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
 diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
---- openssh-5.8p1/auth2-pubkey.c.audit2	2011-02-24 09:38:06.000000000 +0100
-+++ openssh-5.8p1/auth2-pubkey.c	2011-02-24 09:38:06.000000000 +0100
+--- openssh-5.8p1/auth2-pubkey.c.audit2	2011-03-02 08:23:53.000000000 +0100
++++ openssh-5.8p1/auth2-pubkey.c	2011-03-02 08:23:55.000000000 +0100
 @@ -177,6 +177,18 @@ done:
  	return authenticated;
  }
@@ -181,7 +181,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
  {
 diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
 --- openssh-5.8p1/auth.h.audit2	2010-05-10 03:58:03.000000000 +0200
-+++ openssh-5.8p1/auth.h	2011-02-24 09:38:06.000000000 +0100
++++ openssh-5.8p1/auth.h	2011-03-02 08:23:55.000000000 +0100
 @@ -170,6 +170,7 @@ void	abandon_challenge_response(Authctxt
  char	*authorized_keys_file(struct passwd *);
  char	*authorized_keys_file2(struct passwd *);
@@ -199,8 +199,8 @@ diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
  /* debug messages during authentication */
  void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
 diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
---- openssh-5.8p1/auth-rsa.c.audit2	2011-02-24 09:38:06.000000000 +0100
-+++ openssh-5.8p1/auth-rsa.c	2011-02-24 09:48:39.000000000 +0100
+--- openssh-5.8p1/auth-rsa.c.audit2	2011-03-02 08:23:53.000000000 +0100
++++ openssh-5.8p1/auth-rsa.c	2011-03-02 08:23:55.000000000 +0100
 @@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
  {
  	u_char buf[32], mdbuf[16];
@@ -238,8 +238,8 @@ diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
  
  /*
 diff -up openssh-5.8p1/monitor.c.audit2 openssh-5.8p1/monitor.c
---- openssh-5.8p1/monitor.c.audit2	2011-02-24 09:38:06.000000000 +0100
-+++ openssh-5.8p1/monitor.c	2011-02-24 09:38:06.000000000 +0100
+--- openssh-5.8p1/monitor.c.audit2	2011-03-02 08:23:54.000000000 +0100
++++ openssh-5.8p1/monitor.c	2011-03-02 08:23:55.000000000 +0100
 @@ -1238,7 +1238,17 @@ mm_answer_keyverify(int sock, Buffer *m)
  	if (!valid_data)
  		fatal("%s: bad signature data blob", __func__);

openssh-5.8p1-audit2a.patch

@@ -0,0 +1,153 @@
+diff -up openssh-5.8p1/auth2-hostbased.c.audit2a openssh-5.8p1/auth2-hostbased.c
+--- openssh-5.8p1/auth2-hostbased.c.audit2a	2011-03-02 08:26:16.000000000 +0100
++++ openssh-5.8p1/auth2-hostbased.c	2011-03-02 08:26:17.000000000 +0100
+@@ -119,7 +119,7 @@ userauth_hostbased(Authctxt *authctxt)
+ 	/* test for allowed key and correct signature */
+ 	authenticated = 0;
+ 	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
+-	    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
++	    PRIVSEP(hostbased_key_verify(key, sig, slen, buffer_ptr(&b),
+ 			buffer_len(&b))) == 1)
+ 		authenticated = 1;
+ 
+@@ -137,7 +137,7 @@ done:
+ }
+ 
+ int
+-hostkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
++hostbased_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
+ {
+ 	int rv;
+ 
+diff -up openssh-5.8p1/auth2-pubkey.c.audit2a openssh-5.8p1/auth2-pubkey.c
+--- openssh-5.8p1/auth2-pubkey.c.audit2a	2011-03-02 08:26:16.000000000 +0100
++++ openssh-5.8p1/auth2-pubkey.c	2011-03-02 08:26:17.000000000 +0100
+@@ -140,7 +140,7 @@ userauth_pubkey(Authctxt *authctxt)
+ 		/* test for correct signature */
+ 		authenticated = 0;
+ 		if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
+-		    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
++		    PRIVSEP(user_key_verify(key, sig, slen, buffer_ptr(&b),
+ 		    buffer_len(&b))) == 1)
+ 			authenticated = 1;
+ 		buffer_free(&b);
+@@ -178,7 +178,7 @@ done:
+ }
+ 
+ int
+-pubkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
++user_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
+ {
+ 	int rv;
+ 
+diff -up openssh-5.8p1/auth.h.audit2a openssh-5.8p1/auth.h
+--- openssh-5.8p1/auth.h.audit2a	2011-03-02 08:26:16.000000000 +0100
++++ openssh-5.8p1/auth.h	2011-03-02 08:26:17.000000000 +0100
+@@ -170,7 +170,7 @@ void	abandon_challenge_response(Authctxt
+ char	*authorized_keys_file(struct passwd *);
+ char	*authorized_keys_file2(struct passwd *);
+ char	*authorized_principals_file(struct passwd *);
+-int	 pubkey_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
++int	 user_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
+ 
+ FILE	*auth_openkeyfile(const char *, struct passwd *, int);
+ FILE	*auth_openprincipals(const char *, struct passwd *, int);
+@@ -186,7 +186,7 @@ Key	*get_hostkey_public_by_type(int);
+ Key	*get_hostkey_private_by_type(int);
+ int	 get_hostkey_index(Key *);
+ int	 ssh1_session_key(BIGNUM *);
+-int	 hostkey_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
++int	 hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
+ 
+ /* debug messages during authentication */
+ void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
+diff -up openssh-5.8p1/monitor.c.audit2a openssh-5.8p1/monitor.c
+--- openssh-5.8p1/monitor.c.audit2a	2011-03-02 08:26:17.000000000 +0100
++++ openssh-5.8p1/monitor.c	2011-03-02 08:26:17.000000000 +0100
+@@ -1208,9 +1208,11 @@ mm_answer_keyverify(int sock, Buffer *m)
+ 	Key *key;
+ 	u_char *signature, *data, *blob;
+ 	u_int signaturelen, datalen, bloblen;
++	int type = 0;
+ 	int verified = 0;
+ 	int valid_data = 0;
+ 
++	type = buffer_get_int(m);
+ 	blob = buffer_get_string(m, &bloblen);
+ 	signature = buffer_get_string(m, &signaturelen);
+ 	data = buffer_get_string(m, &datalen);
+@@ -1218,6 +1220,8 @@ mm_answer_keyverify(int sock, Buffer *m)
+ 	if (hostbased_cuser == NULL || hostbased_chost == NULL ||
+ 	  !monitor_allowed_key(blob, bloblen))
+ 		fatal("%s: bad key, not previously allowed", __func__);
++	if (type != key_blobtype)
++		fatal("%s: bad key type", __func__);
+ 
+ 	key = key_from_blob(blob, bloblen);
+ 	if (key == NULL)
+@@ -1240,10 +1244,10 @@ mm_answer_keyverify(int sock, Buffer *m)
+ 
+ 	switch (key_blobtype) {
+ 	case MM_USERKEY:
+-		verified = pubkey_key_verify(key, signature, signaturelen, data, datalen);
++		verified = user_key_verify(key, signature, signaturelen, data, datalen);
+ 		break;
+ 	case MM_HOSTKEY:
+-		verified = hostkey_key_verify(key, signature, signaturelen, data, datalen);
++		verified = hostbased_key_verify(key, signature, signaturelen, data, datalen);
+ 		break;
+ 	default:
+ 		verified = 0;
+diff -up openssh-5.8p1/monitor_wrap.c.audit2a openssh-5.8p1/monitor_wrap.c
+--- openssh-5.8p1/monitor_wrap.c.audit2a	2011-03-02 08:26:16.000000000 +0100
++++ openssh-5.8p1/monitor_wrap.c	2011-03-02 08:26:17.000000000 +0100
+@@ -393,7 +393,7 @@ mm_key_allowed(enum mm_keytype type, cha
+  */
+ 
+ int
+-mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
++mm_key_verify(enum mm_keytype type, Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
+ {
+ 	Buffer m;
+ 	u_char *blob;
+@@ -407,6 +407,7 @@ mm_key_verify(Key *key, u_char *sig, u_i
+ 		return (0);
+ 
+ 	buffer_init(&m);
++	buffer_put_int(&m, type);
+ 	buffer_put_string(&m, blob, len);
+ 	buffer_put_string(&m, sig, siglen);
+ 	buffer_put_string(&m, data, datalen);
+@@ -424,6 +425,19 @@ mm_key_verify(Key *key, u_char *sig, u_i
+ 	return (verified);
+ }
+ 
++int
++mm_hostbased_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
++{
++	return mm_key_verify(MM_HOSTKEY, key, sig, siglen, data, datalen);
++}
++
++int
++mm_user_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
++{
++	return mm_key_verify(MM_USERKEY, key, sig, siglen, data, datalen);
++}
++
++
+ /* Export key state after authentication */
+ Newkeys *
+ mm_newkeys_from_blob(u_char *blob, int blen)
+diff -up openssh-5.8p1/monitor_wrap.h.audit2a openssh-5.8p1/monitor_wrap.h
+--- openssh-5.8p1/monitor_wrap.h.audit2a	2011-03-02 08:26:16.000000000 +0100
++++ openssh-5.8p1/monitor_wrap.h	2011-03-02 08:26:17.000000000 +0100
+@@ -48,7 +48,8 @@ int mm_key_allowed(enum mm_keytype, char
+ int mm_user_key_allowed(struct passwd *, Key *);
+ int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
+ int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
+-int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int);
++int mm_hostbased_key_verify(Key *, u_char *, u_int, u_char *, u_int);
++int mm_user_key_verify(Key *, u_char *, u_int, u_char *, u_int);
+ int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
+ int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
+ BIGNUM *mm_auth_rsa_generate_challenge(Key *);

openssh-5.8p1-audit3.patch

@@ -1,7 +1,7 @@
 diff -up openssh-5.8p1/audit-bsm.c.audit3 openssh-5.8p1/audit-bsm.c
---- openssh-5.8p1/audit-bsm.c.audit3	2011-02-24 09:54:32.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-02-24 09:54:32.000000000 +0100
-@@ -389,4 +389,16 @@ audit_event(ssh_audit_event_t event)
+--- openssh-5.8p1/audit-bsm.c.audit3	2011-03-02 10:04:35.000000000 +0100
++++ openssh-5.8p1/audit-bsm.c	2011-03-02 10:04:36.000000000 +0100
+@@ -396,4 +396,16 @@ audit_event(ssh_audit_event_t event)
  		debug("%s: unhandled event %d", __func__, event);
  	}
  }
@@ -19,8 +19,8 @@ diff -up openssh-5.8p1/audit-bsm.c.audit3 openssh-5.8p1/audit-bsm.c
 +}
  #endif /* BSM */
 diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
---- openssh-5.8p1/audit.c.audit3	2011-02-24 09:54:32.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-02-24 09:56:03.000000000 +0100
+--- openssh-5.8p1/audit.c.audit3	2011-03-02 10:04:35.000000000 +0100
++++ openssh-5.8p1/audit.c	2011-03-02 10:04:36.000000000 +0100
 @@ -28,6 +28,7 @@
  
  #include <stdarg.h>
@@ -57,7 +57,7 @@ diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
  # ifndef CUSTOM_SSH_AUDIT_EVENTS
  /*
   * Null implementations of audit functions.
-@@ -224,5 +239,26 @@ audit_keyusage(int host_user, const char
+@@ -238,5 +253,26 @@ audit_keyusage(int host_user, const char
  		host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits,
  		key_fingerprint_prefix(), fp, rv);
  }
@@ -85,9 +85,9 @@ diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
  # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/audit.h.audit3 openssh-5.8p1/audit.h
---- openssh-5.8p1/audit.h.audit3	2011-02-24 09:54:32.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-02-24 09:54:32.000000000 +0100
-@@ -57,5 +57,9 @@ void 	audit_end_command(const char *);
+--- openssh-5.8p1/audit.h.audit3	2011-03-02 10:04:36.000000000 +0100
++++ openssh-5.8p1/audit.h	2011-03-02 10:04:36.000000000 +0100
+@@ -58,5 +58,9 @@ void 	audit_end_command(int, const char 
  ssh_audit_event_t audit_classify_auth(const char *);
  int	audit_keyusage(int, const char *, unsigned, char *, int);
  void	audit_key(int, int *, const Key *);
@@ -98,8 +98,8 @@ diff -up openssh-5.8p1/audit.h.audit3 openssh-5.8p1/audit.h
  
  #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
---- openssh-5.8p1/audit-linux.c.audit3	2011-02-24 09:54:32.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-24 09:54:32.000000000 +0100
+--- openssh-5.8p1/audit-linux.c.audit3	2011-03-02 10:04:36.000000000 +0100
++++ openssh-5.8p1/audit-linux.c	2011-03-02 10:04:36.000000000 +0100
 @@ -40,6 +40,8 @@
  #include "auth.h"
  #include "servconf.h"
@@ -109,7 +109,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
  
  #define AUDIT_LOG_SIZE 128
  
-@@ -262,4 +264,56 @@ audit_event(ssh_audit_event_t event)
+@@ -269,4 +271,56 @@ audit_event(ssh_audit_event_t event)
  	}
  }
  
@@ -167,8 +167,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
 +
  #endif /* USE_LINUX_AUDIT */
 diff -up openssh-5.8p1/auditstub.c.audit3 openssh-5.8p1/auditstub.c
---- openssh-5.8p1/auditstub.c.audit3	2011-02-24 09:54:32.000000000 +0100
-+++ openssh-5.8p1/auditstub.c	2011-02-24 09:54:32.000000000 +0100
+--- openssh-5.8p1/auditstub.c.audit3	2011-03-02 10:04:36.000000000 +0100
++++ openssh-5.8p1/auditstub.c	2011-03-02 10:04:36.000000000 +0100
 @@ -0,0 +1,39 @@
 +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
 +
@@ -211,7 +211,7 @@ diff -up openssh-5.8p1/auditstub.c.audit3 openssh-5.8p1/auditstub.c
 +
 diff -up openssh-5.8p1/cipher.c.audit3 openssh-5.8p1/cipher.c
 --- openssh-5.8p1/cipher.c.audit3	2011-02-09 15:24:23.000000000 +0100
-+++ openssh-5.8p1/cipher.c	2011-02-24 09:54:32.000000000 +0100
++++ openssh-5.8p1/cipher.c	2011-03-02 10:04:36.000000000 +0100
 @@ -59,15 +59,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX 
  extern const EVP_CIPHER *evp_aes_128_ctr(void);
  extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
@@ -231,7 +231,7 @@ diff -up openssh-5.8p1/cipher.c.audit3 openssh-5.8p1/cipher.c
  	{ "3des",		SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
 diff -up openssh-5.8p1/cipher.h.audit3 openssh-5.8p1/cipher.h
 --- openssh-5.8p1/cipher.h.audit3	2009-01-28 06:38:41.000000000 +0100
-+++ openssh-5.8p1/cipher.h	2011-02-24 09:54:32.000000000 +0100
++++ openssh-5.8p1/cipher.h	2011-03-02 10:04:36.000000000 +0100
 @@ -61,7 +61,16 @@
  typedef struct Cipher Cipher;
  typedef struct CipherContext CipherContext;
@@ -252,7 +252,7 @@ diff -up openssh-5.8p1/cipher.h.audit3 openssh-5.8p1/cipher.h
  	EVP_CIPHER_CTX evp;
 diff -up openssh-5.8p1/kex.c.audit3 openssh-5.8p1/kex.c
 --- openssh-5.8p1/kex.c.audit3	2010-09-24 14:11:14.000000000 +0200
-+++ openssh-5.8p1/kex.c	2011-02-24 09:54:32.000000000 +0100
++++ openssh-5.8p1/kex.c	2011-03-02 10:04:36.000000000 +0100
 @@ -49,6 +49,7 @@
  #include "dispatch.h"
  #include "monitor.h"
@@ -317,7 +317,7 @@ diff -up openssh-5.8p1/kex.c.audit3 openssh-5.8p1/kex.c
  	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
 diff -up openssh-5.8p1/Makefile.in.audit3 openssh-5.8p1/Makefile.in
 --- openssh-5.8p1/Makefile.in.audit3	2011-02-04 01:42:13.000000000 +0100
-+++ openssh-5.8p1/Makefile.in	2011-02-24 09:54:32.000000000 +0100
++++ openssh-5.8p1/Makefile.in	2011-03-02 10:04:37.000000000 +0100
 @@ -76,7 +76,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
  	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
  	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
@@ -328,8 +328,8 @@ diff -up openssh-5.8p1/Makefile.in.audit3 openssh-5.8p1/Makefile.in
  SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
  	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
 diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
---- openssh-5.8p1/monitor.c.audit3	2011-02-24 09:54:32.000000000 +0100
-+++ openssh-5.8p1/monitor.c	2011-02-24 09:54:32.000000000 +0100
+--- openssh-5.8p1/monitor.c.audit3	2011-03-02 10:04:36.000000000 +0100
++++ openssh-5.8p1/monitor.c	2011-03-02 10:04:37.000000000 +0100
 @@ -89,6 +89,7 @@
  #include "ssh2.h"
  #include "jpake.h"
@@ -383,7 +383,7 @@ diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
  #endif
      {0, 0, NULL}
  };
-@@ -2223,3 +2234,44 @@ mm_answer_jpake_check_confirm(int sock, 
+@@ -2252,3 +2263,44 @@ mm_answer_jpake_check_confirm(int sock, 
  }
  
  #endif /* JPAKE */
@@ -429,8 +429,8 @@ diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
 +
 +#endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor.h.audit3 openssh-5.8p1/monitor.h
---- openssh-5.8p1/monitor.h.audit3	2011-02-24 09:54:32.000000000 +0100
-+++ openssh-5.8p1/monitor.h	2011-02-24 09:54:32.000000000 +0100
+--- openssh-5.8p1/monitor.h.audit3	2011-03-02 10:04:35.000000000 +0100
++++ openssh-5.8p1/monitor.h	2011-03-02 10:04:37.000000000 +0100
 @@ -67,6 +67,8 @@ enum monitor_reqtype {
  	MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
  	MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
@@ -441,9 +441,9 @@ diff -up openssh-5.8p1/monitor.h.audit3 openssh-5.8p1/monitor.h
  
  struct mm_master;
 diff -up openssh-5.8p1/monitor_wrap.c.audit3 openssh-5.8p1/monitor_wrap.c
---- openssh-5.8p1/monitor_wrap.c.audit3	2011-02-24 09:54:32.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.c	2011-02-24 09:54:32.000000000 +0100
-@@ -1426,3 +1426,41 @@ mm_jpake_check_confirm(const BIGNUM *k,
+--- openssh-5.8p1/monitor_wrap.c.audit3	2011-03-02 10:04:36.000000000 +0100
++++ openssh-5.8p1/monitor_wrap.c	2011-03-02 10:04:37.000000000 +0100
+@@ -1447,3 +1447,41 @@ mm_jpake_check_confirm(const BIGNUM *k,
  	return success;
  }
  #endif /* JPAKE */
@@ -486,20 +486,20 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit3 openssh-5.8p1/monitor_wrap.c
 +}
 +#endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor_wrap.h.audit3 openssh-5.8p1/monitor_wrap.h
---- openssh-5.8p1/monitor_wrap.h.audit3	2011-02-24 09:54:32.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.h	2011-02-24 09:54:32.000000000 +0100
-@@ -75,6 +75,8 @@ void mm_sshpam_free_ctx(void *);
+--- openssh-5.8p1/monitor_wrap.h.audit3	2011-03-02 10:04:36.000000000 +0100
++++ openssh-5.8p1/monitor_wrap.h	2011-03-02 10:05:36.000000000 +0100
+@@ -76,6 +76,8 @@ void mm_sshpam_free_ctx(void *);
  void mm_audit_event(ssh_audit_event_t);
- void mm_audit_run_command(const char *);
- void mm_audit_end_command(const char *);
+ int mm_audit_run_command(const char *);
+ void mm_audit_end_command(int, const char *);
 +void mm_audit_unsupported_body(int);
 +void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
  #endif
  
  struct Session;
 diff -up openssh-5.8p1/sshd.c.audit3 openssh-5.8p1/sshd.c
---- openssh-5.8p1/sshd.c.audit3	2011-01-11 07:20:31.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-02-24 09:54:32.000000000 +0100
+--- openssh-5.8p1/sshd.c.audit3	2011-03-02 10:04:35.000000000 +0100
++++ openssh-5.8p1/sshd.c	2011-03-02 10:04:37.000000000 +0100
 @@ -118,6 +118,7 @@
  #endif
  #include "monitor_wrap.h"

openssh-5.8p1-audit4.patch

@@ -1,7 +1,7 @@
 diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c
---- openssh-5.8p1/audit-bsm.c.audit4	2011-02-28 23:07:12.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-02-28 23:07:12.000000000 +0100
-@@ -401,4 +401,10 @@ audit_kex_body(int ctos, char *enc, char
+--- openssh-5.8p1/audit-bsm.c.audit4	2011-03-02 10:06:43.000000000 +0100
++++ openssh-5.8p1/audit-bsm.c	2011-03-02 10:06:44.000000000 +0100
+@@ -408,4 +408,10 @@ audit_kex_body(int ctos, char *enc, char
  {
  	/* not implemented */
  }
@@ -13,8 +13,8 @@ diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c
 +}
  #endif /* BSM */
 diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
---- openssh-5.8p1/audit.c.audit4	2011-02-28 23:07:12.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-02-28 23:07:12.000000000 +0100
+--- openssh-5.8p1/audit.c.audit4	2011-03-02 10:06:43.000000000 +0100
++++ openssh-5.8p1/audit.c	2011-03-02 10:06:44.000000000 +0100
 @@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
  	PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
  }
@@ -28,7 +28,7 @@ diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
  # ifndef CUSTOM_SSH_AUDIT_EVENTS
  /*
   * Null implementations of audit functions.
-@@ -260,5 +266,15 @@ audit_kex_body(int ctos, char *enc, char
+@@ -274,5 +280,15 @@ audit_kex_body(int ctos, char *enc, char
  		(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
  	        (unsigned)uid);
  }
@@ -45,9 +45,9 @@ diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
  # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/audit.h.audit4 openssh-5.8p1/audit.h
---- openssh-5.8p1/audit.h.audit4	2011-02-28 23:07:12.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-02-28 23:07:12.000000000 +0100
-@@ -61,5 +61,7 @@ void	audit_unsupported(int);
+--- openssh-5.8p1/audit.h.audit4	2011-03-02 10:06:43.000000000 +0100
++++ openssh-5.8p1/audit.h	2011-03-02 10:06:44.000000000 +0100
+@@ -62,5 +62,7 @@ void	audit_unsupported(int);
  void	audit_kex(int, char *, char *, char *);
  void	audit_unsupported_body(int);
  void	audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
@@ -56,9 +56,9 @@ diff -up openssh-5.8p1/audit.h.audit4 openssh-5.8p1/audit.h
  
  #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
---- openssh-5.8p1/audit-linux.c.audit4	2011-02-28 23:07:12.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-28 23:07:12.000000000 +0100
-@@ -285,6 +285,8 @@ audit_unsupported_body(int what)
+--- openssh-5.8p1/audit-linux.c.audit4	2011-03-02 10:06:44.000000000 +0100
++++ openssh-5.8p1/audit-linux.c	2011-03-02 10:06:44.000000000 +0100
+@@ -292,6 +292,8 @@ audit_unsupported_body(int what)
  #endif
  }
  
@@ -67,7 +67,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
  void
  audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
  	       uid_t uid)
-@@ -292,7 +294,6 @@ audit_kex_body(int ctos, char *enc, char
+@@ -299,7 +301,6 @@ audit_kex_body(int ctos, char *enc, char
  #ifdef AUDIT_CRYPTO_SESSION
  	char buf[AUDIT_LOG_SIZE];
  	int audit_fd, audit_ok;
@@ -75,7 +75,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
  	Cipher *cipher = cipher_by_name(enc);
  
  	snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d spid=%jd suid=%jd rport=%d laddr=%s lport=%d",
-@@ -316,4 +317,30 @@ audit_kex_body(int ctos, char *enc, char
+@@ -323,4 +324,30 @@ audit_kex_body(int ctos, char *enc, char
  #endif
  }
  
@@ -107,8 +107,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
 +
  #endif /* USE_LINUX_AUDIT */
 diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c
---- openssh-5.8p1/auditstub.c.audit4	2011-02-28 23:07:12.000000000 +0100
-+++ openssh-5.8p1/auditstub.c	2011-02-28 23:07:12.000000000 +0100
+--- openssh-5.8p1/auditstub.c.audit4	2011-03-02 10:06:44.000000000 +0100
++++ openssh-5.8p1/auditstub.c	2011-03-02 10:06:44.000000000 +0100
 @@ -27,6 +27,8 @@
   * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
   */
@@ -132,8 +132,8 @@ diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c
 +{
 +}
 diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c
---- openssh-5.8p1/kex.c.audit4	2011-02-28 23:07:12.000000000 +0100
-+++ openssh-5.8p1/kex.c	2011-02-28 23:07:12.000000000 +0100
+--- openssh-5.8p1/kex.c.audit4	2011-03-02 10:06:44.000000000 +0100
++++ openssh-5.8p1/kex.c	2011-03-02 10:06:44.000000000 +0100
 @@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
  	fprintf(stderr, "\n");
  }
@@ -171,7 +171,7 @@ diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c
 +
 diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h
 --- openssh-5.8p1/kex.h.audit4	2010-09-24 14:11:14.000000000 +0200
-+++ openssh-5.8p1/kex.h	2011-02-28 23:07:12.000000000 +0100
++++ openssh-5.8p1/kex.h	2011-03-02 10:06:44.000000000 +0100
 @@ -156,6 +156,8 @@ void	 kexgex_server(Kex *);
  void	 kexecdh_client(Kex *);
  void	 kexecdh_server(Kex *);
@@ -183,7 +183,7 @@ diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h
      BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
 diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c
 --- openssh-5.8p1/mac.c.audit4	2008-06-13 02:58:50.000000000 +0200
-+++ openssh-5.8p1/mac.c	2011-02-28 23:07:12.000000000 +0100
++++ openssh-5.8p1/mac.c	2011-03-02 10:06:44.000000000 +0100
 @@ -162,6 +162,20 @@ mac_clear(Mac *mac)
  	mac->umac_ctx = NULL;
  }
@@ -207,15 +207,15 @@ diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c
  int
 diff -up openssh-5.8p1/mac.h.audit4 openssh-5.8p1/mac.h
 --- openssh-5.8p1/mac.h.audit4	2007-06-11 06:01:42.000000000 +0200
-+++ openssh-5.8p1/mac.h	2011-02-28 23:07:13.000000000 +0100
++++ openssh-5.8p1/mac.h	2011-03-02 10:06:44.000000000 +0100
 @@ -28,3 +28,4 @@ int	 mac_setup(Mac *, char *);
  int	 mac_init(Mac *);
  u_char	*mac_compute(Mac *, u_int32_t, u_char *, int);
  void	 mac_clear(Mac *);
 +void	 mac_destroy(Mac *);
 diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
---- openssh-5.8p1/monitor.c.audit4	2011-02-28 23:07:12.000000000 +0100
-+++ openssh-5.8p1/monitor.c	2011-02-28 23:07:13.000000000 +0100
+--- openssh-5.8p1/monitor.c.audit4	2011-03-02 10:06:44.000000000 +0100
++++ openssh-5.8p1/monitor.c	2011-03-02 10:06:44.000000000 +0100
 @@ -181,6 +181,7 @@ int mm_answer_audit_command(int, Buffer 
  int mm_answer_audit_end_command(int, Buffer *);
  int mm_answer_audit_unsupported_body(int, Buffer *);
@@ -256,7 +256,7 @@ diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
  #endif
      {0, 0, NULL}
  };
-@@ -1783,11 +1788,13 @@ mm_get_keystate(struct monitor *pmonitor
+@@ -1812,11 +1817,13 @@ mm_get_keystate(struct monitor *pmonitor
  
  	blob = buffer_get_string(&m, &bloblen);
  	current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
@@ -270,7 +270,7 @@ diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
  	xfree(blob);
  
  	/* Now get sequence numbers for the packets */
-@@ -1833,6 +1840,16 @@ mm_get_keystate(struct monitor *pmonitor
+@@ -1862,6 +1869,16 @@ mm_get_keystate(struct monitor *pmonitor
  	}
  
  	buffer_free(&m);
@@ -287,7 +287,7 @@ diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
  }
  
  
-@@ -2274,4 +2291,22 @@ mm_answer_audit_kex_body(int sock, Buffe
+@@ -2303,4 +2320,22 @@ mm_answer_audit_kex_body(int sock, Buffe
  	return 0;
  }
  
@@ -311,8 +311,8 @@ diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
 +}
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h
---- openssh-5.8p1/monitor.h.audit4	2011-02-28 23:07:12.000000000 +0100
-+++ openssh-5.8p1/monitor.h	2011-02-28 23:07:13.000000000 +0100
+--- openssh-5.8p1/monitor.h.audit4	2011-03-02 10:06:44.000000000 +0100
++++ openssh-5.8p1/monitor.h	2011-03-02 10:06:45.000000000 +0100
 @@ -69,6 +69,7 @@ enum monitor_reqtype {
  	MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
  	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
@@ -322,9 +322,9 @@ diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h
  
  struct mm_master;
 diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
---- openssh-5.8p1/monitor_wrap.c.audit4	2011-02-28 23:07:12.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.c	2011-02-28 23:07:13.000000000 +0100
-@@ -601,12 +601,14 @@ mm_send_keystate(struct monitor *monitor
+--- openssh-5.8p1/monitor_wrap.c.audit4	2011-03-02 10:06:44.000000000 +0100
++++ openssh-5.8p1/monitor_wrap.c	2011-03-02 10:06:45.000000000 +0100
+@@ -615,12 +615,14 @@ mm_send_keystate(struct monitor *monitor
  		fatal("%s: conversion of newkeys failed", __func__);
  
  	buffer_put_string(&m, blob, bloblen);
@@ -339,7 +339,7 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
  	xfree(blob);
  
  	packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes);
-@@ -1463,4 +1465,19 @@ mm_audit_kex_body(int ctos, char *cipher
+@@ -1484,4 +1486,19 @@ mm_audit_kex_body(int ctos, char *cipher
  
  	buffer_free(&m);
  }
@@ -360,10 +360,10 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
 +}
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor_wrap.h.audit4 openssh-5.8p1/monitor_wrap.h
---- openssh-5.8p1/monitor_wrap.h.audit4	2011-02-28 23:07:12.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.h	2011-02-28 23:07:13.000000000 +0100
-@@ -77,6 +77,7 @@ void mm_audit_run_command(const char *);
- void mm_audit_end_command(const char *);
+--- openssh-5.8p1/monitor_wrap.h.audit4	2011-03-02 10:06:44.000000000 +0100
++++ openssh-5.8p1/monitor_wrap.h	2011-03-02 10:07:05.000000000 +0100
+@@ -78,6 +78,7 @@ int mm_audit_run_command(const char *);
+ void mm_audit_end_command(int, const char *);
  void mm_audit_unsupported_body(int);
  void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
 +void mm_audit_session_key_free_body(int, pid_t, uid_t);
@@ -372,7 +372,7 @@ diff -up openssh-5.8p1/monitor_wrap.h.audit4 openssh-5.8p1/monitor_wrap.h
  struct Session;
 diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
 --- openssh-5.8p1/packet.c.audit4	2010-11-24 00:46:37.000000000 +0100
-+++ openssh-5.8p1/packet.c	2011-02-28 23:07:13.000000000 +0100
++++ openssh-5.8p1/packet.c	2011-03-02 10:06:45.000000000 +0100
 @@ -60,6 +60,7 @@
  #include <signal.h>
  
@@ -532,7 +532,7 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
 +
 diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h
 --- openssh-5.8p1/packet.h.audit4	2010-11-20 05:19:38.000000000 +0100
-+++ openssh-5.8p1/packet.h	2011-02-28 23:07:13.000000000 +0100
++++ openssh-5.8p1/packet.h	2011-03-02 10:06:45.000000000 +0100
 @@ -125,4 +125,5 @@ void	 packet_restore_state(void);
  void	*packet_get_input(void);
  void	*packet_get_output(void);
@@ -540,9 +540,9 @@ diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h
 +void	 packet_destroy_all(int, int);
  #endif				/* PACKET_H */
 diff -up openssh-5.8p1/session.c.audit4 openssh-5.8p1/session.c
---- openssh-5.8p1/session.c.audit4	2011-02-28 23:07:11.000000000 +0100
-+++ openssh-5.8p1/session.c	2011-02-28 23:07:13.000000000 +0100
-@@ -1617,6 +1617,9 @@ do_child(Session *s, const char *command
+--- openssh-5.8p1/session.c.audit4	2011-03-02 10:06:43.000000000 +0100
++++ openssh-5.8p1/session.c	2011-03-02 10:06:45.000000000 +0100
+@@ -1627,6 +1627,9 @@ do_child(Session *s, const char *command
  
  	/* remove hostkey from the child's memory */
  	destroy_sensitive_data();
@@ -553,8 +553,8 @@ diff -up openssh-5.8p1/session.c.audit4 openssh-5.8p1/session.c
  	/* Force a password change */
  	if (s->authctxt->force_pwchange) {
 diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c
---- openssh-5.8p1/sshd.c.audit4	2011-02-28 23:07:12.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-02-28 23:07:13.000000000 +0100
+--- openssh-5.8p1/sshd.c.audit4	2011-03-02 10:06:44.000000000 +0100
++++ openssh-5.8p1/sshd.c	2011-03-02 10:06:45.000000000 +0100
 @@ -663,6 +663,8 @@ privsep_preauth(Authctxt *authctxt)
  	return (0);
  }

openssh-5.8p1-audit5.patch

@@ -1,7 +1,7 @@
 diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c
---- openssh-5.8p1/audit-bsm.c.audit5	2011-02-28 23:17:12.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-02-28 23:17:13.000000000 +0100
-@@ -407,4 +407,22 @@ audit_session_key_free_body(int ctos, pi
+--- openssh-5.8p1/audit-bsm.c.audit5	2011-03-02 08:30:41.000000000 +0100
++++ openssh-5.8p1/audit-bsm.c	2011-03-02 08:30:41.000000000 +0100
+@@ -414,4 +414,22 @@ audit_session_key_free_body(int ctos, pi
  {
  	/* not implemented */
  }
@@ -25,9 +25,9 @@ diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c
 +}
  #endif /* BSM */
 diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c
---- openssh-5.8p1/audit.c.audit5	2011-02-28 23:17:12.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-02-28 23:17:13.000000000 +0100
-@@ -276,5 +276,24 @@ audit_session_key_free_body(int ctos, pi
+--- openssh-5.8p1/audit.c.audit5	2011-03-02 08:30:41.000000000 +0100
++++ openssh-5.8p1/audit.c	2011-03-02 08:30:41.000000000 +0100
+@@ -290,5 +290,24 @@ audit_session_key_free_body(int ctos, pi
  	debug("audit session key discard euid %u direction %d from pid %ld uid %u",
  		(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
  }
@@ -53,8 +53,8 @@ diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c
  # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h
---- openssh-5.8p1/audit.h.audit5	2011-02-28 23:17:12.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-02-28 23:17:13.000000000 +0100
+--- openssh-5.8p1/audit.h.audit5	2011-03-02 08:30:41.000000000 +0100
++++ openssh-5.8p1/audit.h	2011-03-02 08:31:15.000000000 +0100
 @@ -48,6 +48,8 @@ enum ssh_audit_event_type {
  };
  typedef enum ssh_audit_event_type ssh_audit_event_t;
@@ -63,8 +63,8 @@ diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h
 +
  void	audit_connection_from(const char *, int);
  void	audit_event(ssh_audit_event_t);
- void	audit_session_open(struct logininfo *);
-@@ -63,5 +65,7 @@ void	audit_unsupported_body(int);
+ void	audit_count_session_open(void);
+@@ -64,5 +66,7 @@ void	audit_unsupported_body(int);
  void	audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
  void	audit_session_key_free(int ctos);
  void	audit_session_key_free_body(int ctos, pid_t, uid_t);
@@ -73,9 +73,9 @@ diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h
  
  #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
---- openssh-5.8p1/audit-linux.c.audit5	2011-02-28 23:17:12.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-28 23:17:13.000000000 +0100
-@@ -343,4 +343,50 @@ audit_session_key_free_body(int ctos, pi
+--- openssh-5.8p1/audit-linux.c.audit5	2011-03-02 08:30:41.000000000 +0100
++++ openssh-5.8p1/audit-linux.c	2011-03-02 08:30:42.000000000 +0100
+@@ -350,4 +350,50 @@ audit_session_key_free_body(int ctos, pi
  		error("cannot write into audit");
  }
  
@@ -127,8 +127,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
 +}
  #endif /* USE_LINUX_AUDIT */
 diff -up openssh-5.8p1/key.c.audit5 openssh-5.8p1/key.c
---- openssh-5.8p1/key.c.audit5	2011-02-28 23:17:10.000000000 +0100
-+++ openssh-5.8p1/key.c	2011-02-28 23:17:13.000000000 +0100
+--- openssh-5.8p1/key.c.audit5	2011-03-02 08:30:38.000000000 +0100
++++ openssh-5.8p1/key.c	2011-03-02 08:30:42.000000000 +0100
 @@ -1797,6 +1797,30 @@ key_demote(const Key *k)
  }
  
@@ -161,8 +161,8 @@ diff -up openssh-5.8p1/key.c.audit5 openssh-5.8p1/key.c
  {
  	if (k == NULL)
 diff -up openssh-5.8p1/key.h.audit5 openssh-5.8p1/key.h
---- openssh-5.8p1/key.h.audit5	2011-02-28 23:17:10.000000000 +0100
-+++ openssh-5.8p1/key.h	2011-02-28 23:17:13.000000000 +0100
+--- openssh-5.8p1/key.h.audit5	2011-03-02 08:30:38.000000000 +0100
++++ openssh-5.8p1/key.h	2011-03-02 08:30:42.000000000 +0100
 @@ -109,6 +109,7 @@ Key	*key_generate(int, u_int);
  Key	*key_from_private(const Key *);
  int	 key_type_from_name(char *);
@@ -172,8 +172,8 @@ diff -up openssh-5.8p1/key.h.audit5 openssh-5.8p1/key.h
  int	 key_to_certified(Key *, int);
  int	 key_drop_cert(Key *);
 diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
---- openssh-5.8p1/monitor.c.audit5	2011-02-28 23:17:13.000000000 +0100
-+++ openssh-5.8p1/monitor.c	2011-02-28 23:17:14.000000000 +0100
+--- openssh-5.8p1/monitor.c.audit5	2011-03-02 08:30:41.000000000 +0100
++++ openssh-5.8p1/monitor.c	2011-03-02 08:30:42.000000000 +0100
 @@ -106,6 +106,8 @@ extern Buffer auth_debug;
  extern int auth_debug_init;
  extern Buffer loginmsg;
@@ -223,7 +223,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
  #endif
      {0, 0, NULL}
  };
-@@ -1597,6 +1604,8 @@ mm_answer_term(int sock, Buffer *req)
+@@ -1607,6 +1614,8 @@ mm_answer_term(int sock, Buffer *req)
  		sshpam_cleanup();
  #endif
  
@@ -232,7 +232,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
  	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
  		if (errno != EINTR)
  			exit(1);
-@@ -2309,4 +2318,24 @@ mm_answer_audit_session_key_free_body(in
+@@ -2338,4 +2347,24 @@ mm_answer_audit_session_key_free_body(in
  	mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
  	return 0;
  }
@@ -258,8 +258,8 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
 +}
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h
---- openssh-5.8p1/monitor.h.audit5	2011-02-28 23:17:13.000000000 +0100
-+++ openssh-5.8p1/monitor.h	2011-02-28 23:17:14.000000000 +0100
+--- openssh-5.8p1/monitor.h.audit5	2011-03-02 08:30:41.000000000 +0100
++++ openssh-5.8p1/monitor.h	2011-03-02 08:30:42.000000000 +0100
 @@ -70,6 +70,7 @@ enum monitor_reqtype {
  	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
  	MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
@@ -269,9 +269,9 @@ diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h
  
  struct mm_master;
 diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c
---- openssh-5.8p1/monitor_wrap.c.audit5	2011-02-28 23:17:13.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.c	2011-02-28 23:17:14.000000000 +0100
-@@ -1480,4 +1480,20 @@ mm_audit_session_key_free_body(int ctos,
+--- openssh-5.8p1/monitor_wrap.c.audit5	2011-03-02 08:30:41.000000000 +0100
++++ openssh-5.8p1/monitor_wrap.c	2011-03-02 08:30:42.000000000 +0100
+@@ -1501,4 +1501,20 @@ mm_audit_session_key_free_body(int ctos,
  				  &m);
  	buffer_free(&m);
  }
@@ -293,9 +293,9 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c
 +}
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor_wrap.h.audit5 openssh-5.8p1/monitor_wrap.h
---- openssh-5.8p1/monitor_wrap.h.audit5	2011-02-28 23:17:13.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.h	2011-02-28 23:17:14.000000000 +0100
-@@ -78,6 +78,7 @@ void mm_audit_end_command(const char *);
+--- openssh-5.8p1/monitor_wrap.h.audit5	2011-03-02 08:30:41.000000000 +0100
++++ openssh-5.8p1/monitor_wrap.h	2011-03-02 08:30:42.000000000 +0100
+@@ -79,6 +79,7 @@ void mm_audit_end_command(const char *);
  void mm_audit_unsupported_body(int);
  void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
  void mm_audit_session_key_free_body(int, pid_t, uid_t);
@@ -304,8 +304,8 @@ diff -up openssh-5.8p1/monitor_wrap.h.audit5 openssh-5.8p1/monitor_wrap.h
  
  struct Session;
 diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
---- openssh-5.8p1/session.c.audit5	2011-02-28 23:17:13.000000000 +0100
-+++ openssh-5.8p1/session.c	2011-02-28 23:17:14.000000000 +0100
+--- openssh-5.8p1/session.c.audit5	2011-03-02 08:30:41.000000000 +0100
++++ openssh-5.8p1/session.c	2011-03-02 08:30:42.000000000 +0100
 @@ -132,7 +132,7 @@ extern int log_stderr;
  extern int debug_flag;
  extern u_int utmp_len;
@@ -315,7 +315,7 @@ diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
  extern Buffer loginmsg;
  
  /* original command from peer. */
-@@ -1616,7 +1616,7 @@ do_child(Session *s, const char *command
+@@ -1626,7 +1626,7 @@ do_child(Session *s, const char *command
  	int r = 0;
  
  	/* remove hostkey from the child's memory */
@@ -325,8 +325,8 @@ diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
  	   monitor over a single socket, with no synchronization. */
  	packet_destroy_all(0, 1);
 diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
---- openssh-5.8p1/sshd.c.audit5	2011-02-28 23:17:13.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-02-28 23:17:14.000000000 +0100
+--- openssh-5.8p1/sshd.c.audit5	2011-03-02 08:30:41.000000000 +0100
++++ openssh-5.8p1/sshd.c	2011-03-02 08:30:42.000000000 +0100
 @@ -253,7 +253,7 @@ Buffer loginmsg;
  struct passwd *privsep_pw = NULL;
  

openssh.spec

@@ -71,7 +71,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.8p1
-%define openssh_rel 12
+%define openssh_rel 13
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 30
 
@@ -99,6 +99,8 @@ Patch0: openssh-5.6p1-redhat.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1872
 Patch100: openssh-5.8p1-fingerprint.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
+Patch8: openssh-5.8p1-audit0.patch
+Patch108: openssh-5.8p1-audit0a.patch
 Patch1: openssh-5.8p1-audit1.patch
 Patch101: openssh-5.8p1-audit1a.patch
 Patch2: openssh-5.8p1-audit2.patch
@@ -308,6 +310,8 @@ The module is most useful for su and sudo service stacks.
 ###%patch99 -p1 -b .wIm
 %patch0 -p1 -b .redhat
 %patch100 -p1 -b .fingerprint
+%patch8 -p1 -b .audit0
+%patch108 -p1 -b .audit0a
 %patch1 -p1 -b .audit1
 %patch101 -p1 -b .audit1a
 %patch2 -p1 -b .audit2
@@ -376,7 +380,6 @@ LDFLAGS="$LDFLAGS -pie -z relro -z now"
 export CFLAGS
 export LDFLAGS
 
-
 %endif
 %if %{kerberos5}
 if test -r /etc/profile.d/krb5-devel.sh ; then
@@ -645,6 +648,9 @@ fi
 %endif
 
 %changelog
+* Thu Mar  3 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-13 + 0.9.2-30
+- improve audit of logins and auths
+
 * Tue Mar  1 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-12 + 0.9.2-30
 - improove ssk-keycat