OpenSSH release update

Resolves: rhbz#1950819 8.5p1 => 8.6p1
2021-04-19 17:17:19 +02:00 · 2021-04-19 17:17:19 +02:00 · f32b842272
parent 446f300da0
commit f32b842272
12 changed files with 2045 additions and 2116 deletions
--- a/.gitignore
+++ b/.gitignore
@ -48,3 +48,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
 /openssh-8.5p1.tar.gz
 /openssh-8.5p1.tar.gz.asc
 /gpgkey-736060BA.gpg
 /openssh-8.6p1.tar.gz
 /openssh-8.6p1.tar.gz.asc
--- a/openssh-4.3p2-askpass-grab-info.patch
+++ b/openssh-4.3p2-askpass-grab-info.patch
@ -1,19 +1,18 @@
-diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c
+diff -up openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-8.6p1/contrib/gnome-ssh-askpass2.c
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info	2016-12-23 13:31:22.645213115 +0100
+--- openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info	2021-04-19 13:57:11.720113536 +0200
-+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c	2016-12-23 13:31:40.997216691 +0100
+++ openssh-8.6p1/contrib/gnome-ssh-askpass2.c	2021-04-19 13:59:29.842163204 +0200
-@@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi
+@@ -70,8 +70,12 @@ report_failed_grab (GtkWidget *parent_wi
 	err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
- 				     GTK_MESSAGE_ERROR,
+ 	    GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE,
- 				     GTK_BUTTONS_CLOSE,
+-	    "Could not grab %s. A malicious client may be eavesdropping "
-				     "Could not grab %s. "
+-	    "on your session.", what);
-				     "A malicious client may be eavesdropping "
+	    "SSH password dialog could not grab the %s input.\n"
-				     "on your session.", what);
+	    "This might be caused by application such as screensaver, "
-+				     "SSH password dialog could not grab the %s input.\n"
+	    "however it could also mean that someone may be eavesdropping "
-+				     "This might be caused by application such as screensaver, "
+	    "on your session.\n"
-+				     "however it could also mean that someone may be eavesdropping "
+	    "Either close the application which grabs the %s or "
-+				     "on your session.\n"
+	    "log out and log in again to prevent this from happening.", what, what);
 +				     "Either close the application which grabs the %s or "
 +				     "log out and log in again to prevent this from happening.", what, what);
 	gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
 	gtk_dialog_run(GTK_DIALOG(err));
--- a/openssh-5.1p1-askpass-progress.patch
+++ b/openssh-5.1p1-askpass-progress.patch
@ -60,7 +60,7 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
 		if (prompt_type == PROMPT_ENTRY) {
@@ -130,6 +145,22 @@ passphrase_dialog(char *message)
 			g_signal_connect(G_OBJECT(entry), "key_press_event",
- 			                 G_CALLBACK(check_none), dialog);
+ 			    G_CALLBACK(check_none), dialog);
 		}
 +
 +		hbox = gtk_hbox_new(FALSE, 0);
--- a/openssh-6.6.1p1-log-in-chroot.patch
+++ b/openssh-6.6.1p1-log-in-chroot.patch
@ -1,7 +1,7 @@
-diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
+diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c
--- openssh-7.4p1/log.c.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
+--- openssh-8.6p1/log.c.log-in-chroot	2021-04-16 05:55:25.000000000 +0200
-+++ openssh-7.4p1/log.c	2016-12-23 15:14:33.330168088 +0100
+++ openssh-8.6p1/log.c	2021-04-19 14:43:08.544843434 +0200
-@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
+@@ -194,6 +194,11 @@ void
 log_init(const char *av0, LogLevel level, SyslogFacility facility,
     int on_stderr)
 {
@ -13,7 +13,7 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
 	struct syslog_data sdata = SYSLOG_DATA_INIT;
 #endif
-@@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl
+@@ -206,8 +211,10 @@ log_init(const char *av0, LogLevel level
 		exit(1);
 	}
@ -26,21 +26,21 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
 	log_on_stderr = on_stderr;
 	if (on_stderr)
-diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
+diff -up openssh-8.6p1/log.h.log-in-chroot openssh-8.6p1/log.h
--- openssh-7.4p1/log.h.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
+--- openssh-8.6p1/log.h.log-in-chroot	2021-04-19 14:43:08.544843434 +0200
-+++ openssh-7.4p1/log.h	2016-12-23 15:14:33.330168088 +0100
+++ openssh-8.6p1/log.h	2021-04-19 14:56:46.931042176 +0200
-@@ -49,6 +49,7 @@ typedef enum {
+@@ -52,6 +52,7 @@ typedef enum {
-     const char *, void *);
+ typedef void (log_handler_fn)(LogLevel, int, const char *, void *);
 void     log_init(const char *, LogLevel, SyslogFacility, int);
 +void     log_init_handler(const char *, LogLevel, SyslogFacility, int, int);
 LogLevel log_level_get(void);
 int      log_change_level(LogLevel);
 int      log_is_on_stderr(void);
-diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
+diff -up openssh-8.6p1/monitor.c.log-in-chroot openssh-8.6p1/monitor.c
--- openssh-7.4p1/monitor.c.log-in-chroot	2016-12-23 15:14:33.311168085 +0100
+--- openssh-8.6p1/monitor.c.log-in-chroot	2021-04-19 14:43:08.526843298 +0200
-+++ openssh-7.4p1/monitor.c	2016-12-23 15:16:42.154193100 +0100
+++ openssh-8.6p1/monitor.c	2021-04-19 14:55:25.286424043 +0200
-@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -297,6 +297,8 @@ monitor_child_preauth(struct ssh *ssh, s
 		close(pmonitor->m_log_sendfd);
 	pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
@ -49,7 +49,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
 	authctxt = (Authctxt *)ssh->authctxt;
 	memset(authctxt, 0, sizeof(*authctxt));
 	ssh->authctxt = authctxt;
-@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
+@@ -408,6 +410,8 @@ monitor_child_postauth(struct ssh *ssh,
 	close(pmonitor->m_recvfd);
 	pmonitor->m_recvfd = -1;
@ -58,16 +58,16 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
 	monitor_set_child_handler(pmonitor->m_pid);
 	ssh_signal(SIGHUP, &monitor_child_handler);
 	ssh_signal(SIGTERM, &monitor_child_handler);
-@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
+@@ -480,7 +484,7 @@ monitor_read_log(struct monitor *pmonito
 	/* Log it */
 	if (log_level_name(level) == NULL)
 		fatal_f("invalid log level %u (corrupted message?)", level);
-	sshlog(file, func, line, 0, level, NULL, "%s [preauth]", msg);
+-	sshlogdirect(level, forced, "%s [preauth]", msg);
-+	sshlog(file, func, line, 0, level, NULL, "%s [%s]", msg, pmonitor->m_state);
+	sshlogdirect(level, forced, "%s [%s]", msg, pmonitor->m_state);
 	sshbuf_free(logmsg);
- 	free(file);
+ 	free(msg);
-@@ -1719,13 +1723,28 @@ monitor_init(void)
+@@ -1868,13 +1872,28 @@ monitor_init(void)
 	mon = xcalloc(1, sizeof(*mon));
 	monitor_openfds(mon, 1);
@ -98,10 +98,10 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
 }
 #ifdef GSSAPI
-diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
+diff -up openssh-8.6p1/monitor.h.log-in-chroot openssh-8.6p1/monitor.h
--- openssh-7.4p1/monitor.h.log-in-chroot	2016-12-23 15:14:33.330168088 +0100
+--- openssh-8.6p1/monitor.h.log-in-chroot	2021-04-19 14:43:08.527843305 +0200
-+++ openssh-7.4p1/monitor.h	2016-12-23 15:16:28.372190424 +0100
+++ openssh-8.6p1/monitor.h	2021-04-19 14:43:08.545843441 +0200
-@@ -83,10 +83,11 @@ struct monitor {
+@@ -80,10 +80,11 @@ struct monitor {
 	int			 m_log_sendfd;
 	struct kex		**m_pkex;
 	pid_t			 m_pid;
@ -114,9 +114,9 @@ diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
 struct Authctxt;
 void monitor_child_preauth(struct ssh *, struct monitor *);
-diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
+diff -up openssh-8.6p1/session.c.log-in-chroot openssh-8.6p1/session.c
--- openssh-7.4p1/session.c.log-in-chroot	2016-12-23 15:14:33.319168086 +0100
+--- openssh-8.6p1/session.c.log-in-chroot	2021-04-19 14:43:08.534843358 +0200
-+++ openssh-7.4p1/session.c	2016-12-23 15:18:18.742211853 +0100
+++ openssh-8.6p1/session.c	2021-04-19 14:43:08.545843441 +0200
@@ -160,6 +160,7 @@ login_cap_t *lc;
 static int is_child = 0;
@ -125,7 +125,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
 /* File containing userauth info, if ExposeAuthInfo set */
 static char *auth_info_file = NULL;
-@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
+@@ -661,6 +662,7 @@ do_exec(struct ssh *ssh, Session *s, con
 	int ret;
 	const char *forced = NULL, *tty = NULL;
 	char session_type[1024];
@ -133,7 +133,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
 	if (options.adm_forced_command) {
 		original_command = command;
-@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command)
+@@ -720,6 +722,10 @@ do_exec(struct ssh *ssh, Session *s, con
 			tty += 5;
 	}
@ -144,7 +144,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
 	verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
 	    session_type,
 	    tty == NULL ? "" : " on ",
-@@ -1486,14 +1492,6 @@ child_close_fds(void)
+@@ -1524,14 +1530,6 @@ child_close_fds(struct ssh *ssh)
 	/* Stop directing logs to a high-numbered fd before we close it */
 	log_redirect_stderr_to(NULL);
@ -159,7 +159,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
 }
 /*
-@@ -1629,8 +1627,6 @@ do_child(Session *s, const char *command
+@@ -1665,8 +1663,6 @@ do_child(struct ssh *ssh, Session *s, co
 			exit(1);
 	}
@ -168,7 +168,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
 	do_rc_files(ssh, s, shell);
 	/* restore SIGPIPE for child */
-@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command
+@@ -1691,9 +1687,17 @@ do_child(struct ssh *ssh, Session *s, co
 		argv[i] = NULL;
 		optind = optreset = 1;
 		__progname = argv[0];
@ -187,9 +187,9 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
 	fflush(NULL);
 	/* Get the last component of the shell name. */
-diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
+diff -up openssh-8.6p1/sftp.h.log-in-chroot openssh-8.6p1/sftp.h
--- openssh-7.4p1/sftp.h.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
+--- openssh-8.6p1/sftp.h.log-in-chroot	2021-04-16 05:55:25.000000000 +0200
-+++ openssh-7.4p1/sftp.h	2016-12-23 15:14:33.331168088 +0100
+++ openssh-8.6p1/sftp.h	2021-04-19 14:43:08.545843441 +0200
@@ -97,5 +97,5 @@
 struct passwd;
@ -197,10 +197,10 @@ diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
 -int	sftp_server_main(int, char **, struct passwd *);
 +int	sftp_server_main(int, char **, struct passwd *, int);
 void	sftp_server_cleanup_exit(int) __attribute__((noreturn));
-diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
+diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c
--- openssh-7.4p1/sftp-server.c.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
+--- openssh-8.6p1/sftp-server.c.log-in-chroot	2021-04-16 05:55:25.000000000 +0200
-+++ openssh-7.4p1/sftp-server.c	2016-12-23 15:14:33.331168088 +0100
+++ openssh-8.6p1/sftp-server.c	2021-04-19 14:43:08.545843441 +0200
-@@ -1497,7 +1497,7 @@ sftp_server_usage(void)
+@@ -1644,7 +1644,7 @@ sftp_server_usage(void)
 }
 int
@ -209,7 +209,7 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
 {
 	fd_set *rset, *wset;
 	int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
-@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
+@@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv,
 	extern char *__progname;
 	__progname = ssh_get_progname(argv[0]);
@ -218,7 +218,7 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
 	pw = pwcopy(user_pw);
-@@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv,
+@@ -1730,7 +1730,7 @@ sftp_server_main(int argc, char **argv,
 		}
 	}
@ -227,20 +227,20 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
 	/*
 	 * On platforms where we can, avoid making /proc/self/{mem,maps}
-diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c
+diff -up openssh-8.6p1/sftp-server-main.c.log-in-chroot openssh-8.6p1/sftp-server-main.c
--- openssh-7.4p1/sftp-server-main.c.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
+--- openssh-8.6p1/sftp-server-main.c.log-in-chroot	2021-04-16 05:55:25.000000000 +0200
-+++ openssh-7.4p1/sftp-server-main.c	2016-12-23 15:14:33.331168088 +0100
+++ openssh-8.6p1/sftp-server-main.c	2021-04-19 14:43:08.545843441 +0200
-@@ -49,5 +49,5 @@ main(int argc, char **argv)
+@@ -50,5 +50,5 @@ main(int argc, char **argv)
 		return 1;
 	}
 -	return (sftp_server_main(argc, argv, user_pw));
 +	return (sftp_server_main(argc, argv, user_pw, 0));
 }
-diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
+diff -up openssh-8.6p1/sshd.c.log-in-chroot openssh-8.6p1/sshd.c
--- openssh-7.4p1/sshd.c.log-in-chroot	2016-12-23 15:14:33.328168088 +0100
+--- openssh-8.6p1/sshd.c.log-in-chroot	2021-04-19 14:43:08.543843426 +0200
-+++ openssh-7.4p1/sshd.c	2016-12-23 15:14:33.332168088 +0100
+++ openssh-8.6p1/sshd.c	2021-04-19 14:43:08.545843441 +0200
-@@ -650,7 +650,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -559,7 +559,7 @@ privsep_postauth(struct ssh *ssh, Authct
 	}
 	/* New socket pair */
@ -249,7 +249,7 @@ diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
 	pmonitor->m_pid = fork();
 	if (pmonitor->m_pid == -1)
-@@ -668,6 +668,11 @@ privsep_postauth(Authctxt *authctxt)
+@@ -578,6 +578,11 @@ privsep_postauth(struct ssh *ssh, Authct
 	close(pmonitor->m_sendfd);
 	pmonitor->m_sendfd = -1;
--- a/openssh-7.6p1-audit.patch
+++ b/openssh-7.6p1-audit.patch
@ -1,7 +1,7 @@
-diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c
+diff -up openssh-8.6p1/audit-bsm.c.audit openssh-8.6p1/audit-bsm.c
--- openssh/audit-bsm.c.audit	2019-03-27 23:26:14.000000000 +0100
+--- openssh-8.6p1/audit-bsm.c.audit	2021-04-16 05:55:25.000000000 +0200
-+++ openssh/audit-bsm.c	2019-04-03 17:02:20.713886041 +0200
+++ openssh-8.6p1/audit-bsm.c	2021-04-19 16:47:35.753062106 +0200
-@@ -372,13 +372,26 @@ audit_connection_from(const char *host,
+@@ -373,13 +373,26 @@ audit_connection_from(const char *host,
 #endif
 }
@ -29,7 +29,7 @@ diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c
 audit_session_open(struct logininfo *li)
 {
 	/* not implemented */
-@@ -390,6 +403,12 @@ audit_session_close(struct logininfo *li
+@@ -391,6 +404,12 @@ audit_session_close(struct logininfo *li
 	/* not implemented */
 }
@ -42,7 +42,7 @@ diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c
 void
 audit_event(struct ssh *ssh, ssh_audit_event_t event)
 {
-@@ -451,4 +470,28 @@ audit_event(struct ssh *ssh, ssh_audit_e
+@@ -452,4 +471,28 @@ audit_event(struct ssh *ssh, ssh_audit_e
 		debug("%s: unhandled event %d", __func__, event);
 	}
 }
@ -71,9 +71,9 @@ diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c
 +	/* not implemented */
 +}
 #endif /* BSM */
-diff -up openssh/audit.c.audit openssh/audit.c
+diff -up openssh-8.6p1/audit.c.audit openssh-8.6p1/audit.c
--- openssh/audit.c.audit	2019-03-27 23:26:14.000000000 +0100
+--- openssh-8.6p1/audit.c.audit	2021-04-16 05:55:25.000000000 +0200
-+++ openssh/audit.c	2019-04-03 17:02:20.713886041 +0200
+++ openssh-8.6p1/audit.c	2021-04-19 16:47:35.753062106 +0200
@@ -34,6 +34,12 @@
 #include "log.h"
 #include "hostfile.h"
@ -251,9 +251,9 @@ diff -up openssh/audit.c.audit openssh/audit.c
 }
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
-diff -up openssh/audit.h.audit openssh/audit.h
+diff -up openssh-8.6p1/audit.h.audit openssh-8.6p1/audit.h
--- openssh/audit.h.audit	2019-03-27 23:26:14.000000000 +0100
+--- openssh-8.6p1/audit.h.audit	2021-04-16 05:55:25.000000000 +0200
-+++ openssh/audit.h	2019-04-03 17:02:20.713886041 +0200
+++ openssh-8.6p1/audit.h	2021-04-19 16:47:35.753062106 +0200
@@ -26,6 +26,7 @@
 # define _SSH_AUDIT_H
@ -296,9 +296,9 @@ diff -up openssh/audit.h.audit openssh/audit.h
 +void	audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t);
 #endif /* _SSH_AUDIT_H */
-diff -up openssh/audit-linux.c.audit openssh/audit-linux.c
+diff -up openssh-8.6p1/audit-linux.c.audit openssh-8.6p1/audit-linux.c
--- openssh/audit-linux.c.audit	2019-03-27 23:26:14.000000000 +0100
+--- openssh-8.6p1/audit-linux.c.audit	2021-04-16 05:55:25.000000000 +0200
-+++ openssh/audit-linux.c	2019-04-03 17:02:20.713886041 +0200
+++ openssh-8.6p1/audit-linux.c	2021-04-19 16:47:35.753062106 +0200
@@ -33,27 +33,40 @@
 #include "log.h"
@ -669,9 +669,9 @@ diff -up openssh/audit-linux.c.audit openssh/audit-linux.c
 +		error("cannot write into audit");
 +}
 #endif /* USE_LINUX_AUDIT */
-diff -up openssh/auditstub.c.audit openssh/auditstub.c
+diff -up openssh-8.6p1/auditstub.c.audit openssh-8.6p1/auditstub.c
--- openssh/auditstub.c.audit	2019-04-03 17:02:20.714886050 +0200
+--- openssh-8.6p1/auditstub.c.audit	2021-04-19 16:47:35.754062114 +0200
-+++ openssh/auditstub.c	2019-04-03 17:02:20.714886050 +0200
+++ openssh-8.6p1/auditstub.c	2021-04-19 16:47:35.754062114 +0200
@@ -0,0 +1,52 @@
 +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
 +
@ -725,10 +725,10 @@ diff -up openssh/auditstub.c.audit openssh/auditstub.c
 +audit_session_key_free_body(struct ssh *ssh, int ctos, pid_t pid, uid_t uid)
 +{
 +}
-diff -up openssh/auth2.c.audit openssh/auth2.c
+diff -up openssh-8.6p1/auth2.c.audit openssh-8.6p1/auth2.c
--- openssh/auth2.c.audit	2019-04-03 17:02:20.651885453 +0200
+--- openssh-8.6p1/auth2.c.audit	2021-04-19 16:47:35.682061561 +0200
-+++ openssh/auth2.c	2019-04-03 17:02:20.714886050 +0200
+++ openssh-8.6p1/auth2.c	2021-04-19 16:47:35.754062114 +0200
-@@ -303,9 +303,6 @@ input_userauth_request(int type, u_int32
+@@ -298,9 +298,6 @@ input_userauth_request(int type, u_int32
 		} else {
 			/* Invalid user, fake password information */
 			authctxt->pw = fakepw();
@ -738,9 +738,9 @@ diff -up openssh/auth2.c.audit openssh/auth2.c
 		}
 #ifdef USE_PAM
 		if (options.use_pam)
-diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c
+diff -up openssh-8.6p1/auth2-hostbased.c.audit openssh-8.6p1/auth2-hostbased.c
--- openssh/auth2-hostbased.c.audit	2019-04-03 17:02:20.612885083 +0200
+--- openssh-8.6p1/auth2-hostbased.c.audit	2021-04-19 16:47:35.656061361 +0200
-+++ openssh/auth2-hostbased.c	2019-04-03 17:02:20.714886050 +0200
+++ openssh-8.6p1/auth2-hostbased.c	2021-04-19 16:47:35.754062114 +0200
@@ -158,7 +158,7 @@ userauth_hostbased(struct ssh *ssh)
 	authenticated = 0;
 	if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser,
@ -771,10 +771,10 @@ diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c
 /* return 1 if given hostkey is allowed */
 int
 hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
-diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c
+diff -up openssh-8.6p1/auth2-pubkey.c.audit openssh-8.6p1/auth2-pubkey.c
--- openssh/auth2-pubkey.c.audit	2019-04-03 17:02:20.691885832 +0200
+--- openssh-8.6p1/auth2-pubkey.c.audit	2021-04-19 16:47:35.726061899 +0200
-+++ openssh/auth2-pubkey.c	2019-04-03 17:02:20.714886050 +0200
+++ openssh-8.6p1/auth2-pubkey.c	2021-04-19 16:47:35.754062114 +0200
-@@ -219,7 +219,7 @@ userauth_pubkey(struct ssh *ssh)
+@@ -213,7 +213,7 @@ userauth_pubkey(struct ssh *ssh)
 		/* test for correct signature */
 		authenticated = 0;
 		if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
@ -783,7 +783,7 @@ diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c
 		    sshbuf_ptr(b), sshbuf_len(b),
 		    (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
 		    ssh->compat, &sig_details)) == 0) {
-@@ -278,6 +278,20 @@ done:
+@@ -305,6 +305,20 @@ done:
 	return authenticated;
 }
@ -804,10 +804,10 @@ diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c
 static int
 match_principals_option(const char *principal_list, struct sshkey_cert *cert)
 {
-diff -up openssh/auth.c.audit openssh/auth.c
+diff -up openssh-8.6p1/auth.c.audit openssh-8.6p1/auth.c
--- openssh/auth.c.audit	2019-04-03 17:02:20.691885832 +0200
+--- openssh-8.6p1/auth.c.audit	2021-04-19 16:47:35.681061553 +0200
-+++ openssh/auth.c	2019-04-03 17:02:20.714886050 +0200
+++ openssh-8.6p1/auth.c	2021-04-19 16:47:35.754062114 +0200
-@@ -366,7 +366,7 @@ auth_log(struct ssh *ssh, int authentica
+@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authentica
 # endif
 #endif
 #ifdef SSH_AUDIT_EVENTS
@ -816,7 +816,7 @@ diff -up openssh/auth.c.audit openssh/auth.c
 		audit_event(ssh, audit_classify_auth(method));
 #endif
 }
-@@ -592,9 +592,6 @@ getpwnamallow(struct ssh *ssh, const cha
+@@ -597,9 +597,6 @@ getpwnamallow(struct ssh *ssh, const cha
 		record_failed_login(ssh, user,
 		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
 #endif
@ -826,10 +826,10 @@ diff -up openssh/auth.c.audit openssh/auth.c
 		return (NULL);
 	}
 	if (!allowed_user(ssh, pw))
-diff -up openssh/auth.h.audit openssh/auth.h
+diff -up openssh-8.6p1/auth.h.audit openssh-8.6p1/auth.h
--- openssh/auth.h.audit	2019-04-03 17:02:20.692885842 +0200
+--- openssh-8.6p1/auth.h.audit	2021-04-19 16:47:35.697061676 +0200
-+++ openssh/auth.h	2019-04-03 17:02:20.714886050 +0200
+++ openssh-8.6p1/auth.h	2021-04-19 16:47:35.754062114 +0200
-@@ -195,6 +195,8 @@ struct passwd * getpwnamallow(struct ssh
+@@ -193,6 +193,8 @@ struct passwd * getpwnamallow(struct ssh
 char	*expand_authorized_keys(const char *, struct passwd *pw);
 char	*authorized_principals_file(struct passwd *);
@ -838,7 +838,7 @@ diff -up openssh/auth.h.audit openssh/auth.h
 FILE	*auth_openkeyfile(const char *, struct passwd *, int);
 FILE	*auth_openprincipals(const char *, struct passwd *, int);
-@@ -214,6 +216,8 @@ struct sshkey	*get_hostkey_private_by_ty
+@@ -212,6 +214,8 @@ struct sshkey	*get_hostkey_private_by_ty
 int	 get_hostkey_index(struct sshkey *, int, struct ssh *);
 int	 sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
     u_char **, size_t *, const u_char *, size_t, const char *);
@ -847,10 +847,10 @@ diff -up openssh/auth.h.audit openssh/auth.h
 /* Key / cert options linkage to auth layer */
 const struct sshauthopt *auth_options(struct ssh *);
-diff -up openssh/cipher.c.audit openssh/cipher.c
+diff -up openssh-8.6p1/cipher.c.audit openssh-8.6p1/cipher.c
--- openssh/cipher.c.audit	2019-03-27 23:26:14.000000000 +0100
+--- openssh-8.6p1/cipher.c.audit	2021-04-16 05:55:25.000000000 +0200
-+++ openssh/cipher.c	2019-04-03 17:02:20.714886050 +0200
+++ openssh-8.6p1/cipher.c	2021-04-19 16:47:35.755062122 +0200
-@@ -61,25 +61,6 @@ struct sshcipher_ctx {
+@@ -64,25 +64,6 @@ struct sshcipher_ctx {
 	const struct sshcipher *cipher;
 };
@ -876,7 +876,7 @@ diff -up openssh/cipher.c.audit openssh/cipher.c
 static const struct sshcipher ciphers[] = {
 #ifdef WITH_OPENSSL
 #ifndef OPENSSL_NO_DES
-@@ -410,7 +391,7 @@ cipher_get_length(struct sshcipher_ctx *
+@@ -422,7 +403,7 @@ cipher_get_length(struct sshcipher_ctx *
 void
 cipher_free(struct sshcipher_ctx *cc)
 {
@ -885,10 +885,10 @@ diff -up openssh/cipher.c.audit openssh/cipher.c
 		return;
 	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
 		chachapoly_free(cc->cp_ctx);
-diff -up openssh/cipher.h.audit openssh/cipher.h
+diff -up openssh-8.6p1/cipher.h.audit openssh-8.6p1/cipher.h
--- openssh/cipher.h.audit	2019-03-27 23:26:14.000000000 +0100
+--- openssh-8.6p1/cipher.h.audit	2021-04-16 05:55:25.000000000 +0200
-+++ openssh/cipher.h	2019-04-03 17:02:20.714886050 +0200
+++ openssh-8.6p1/cipher.h	2021-04-19 16:47:35.755062122 +0200
-@@ -45,7 +45,25 @@
+@@ -47,7 +47,25 @@
 #define CIPHER_ENCRYPT		1
 #define CIPHER_DECRYPT		0
@ -915,10 +915,10 @@ diff -up openssh/cipher.h.audit openssh/cipher.h
 struct sshcipher_ctx;
 const struct sshcipher *cipher_by_name(const char *);
-diff -up openssh/kex.c.audit openssh/kex.c
+diff -up openssh-8.6p1/kex.c.audit openssh-8.6p1/kex.c
--- openssh/kex.c.audit	2019-04-03 17:02:20.652885462 +0200
+--- openssh-8.6p1/kex.c.audit	2021-04-19 16:47:35.743062030 +0200
-+++ openssh/kex.c	2019-04-03 17:02:20.715886060 +0200
+++ openssh-8.6p1/kex.c	2021-04-19 16:47:35.755062122 +0200
-@@ -60,6 +60,7 @@
+@@ -65,6 +65,7 @@
 #include "ssherr.h"
 #include "sshbuf.h"
 #include "digest.h"
@ -926,7 +926,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
 #ifdef GSSAPI
 #include "ssh-gss.h"
-@@ -758,12 +759,16 @@ kex_start_rekex(struct ssh *ssh)
+@@ -816,12 +817,16 @@ kex_start_rekex(struct ssh *ssh)
 }
 static int
@ -945,7 +945,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
 	if ((enc->cipher = cipher_by_name(name)) == NULL) {
 		error_f("unsupported cipher %s", name);
 		free(name);
-@@ -783,8 +788,12 @@ choose_mac(struct ssh *ssh, struct sshma
+@@ -842,8 +847,12 @@ choose_mac(struct ssh *ssh, struct sshma
 {
 	char *name = match_list(client, server, NULL);
@ -959,7 +959,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
 	if (mac_setup(mac, name) < 0) {
 		error_f("unsupported MAC %s", name);
 		free(name);
-@@ -796,12 +805,16 @@ choose_mac(struct ssh *ssh, struct sshma
+@@ -856,12 +865,16 @@ choose_mac(struct ssh *ssh, struct sshma
 }
 static int
@ -978,7 +978,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
 #ifdef WITH_ZLIB
 	if (strcmp(name, "zlib@openssh.com") == 0) {
 		comp->type = COMP_DELAYED;
-@@ -933,7 +946,7 @@ kex_choose_conf(struct ssh *ssh)
+@@ -1002,7 +1015,7 @@ kex_choose_conf(struct ssh *ssh)
 		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
 		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
 		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
@ -987,7 +987,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
 		    sprop[nenc])) != 0) {
 			kex->failed_choice = peer[nenc];
 			peer[nenc] = NULL;
-@@ -948,7 +961,7 @@ kex_choose_conf(struct ssh *ssh)
+@@ -1017,7 +1030,7 @@ kex_choose_conf(struct ssh *ssh)
 			peer[nmac] = NULL;
 			goto out;
 		}
@ -996,7 +996,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
 		    sprop[ncomp])) != 0) {
 			kex->failed_choice = peer[ncomp];
 			peer[ncomp] = NULL;
-@@ -971,6 +984,10 @@ kex_choose_conf(struct ssh *ssh)
+@@ -1040,6 +1053,10 @@ kex_choose_conf(struct ssh *ssh)
 		dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
 		dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
 		dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
@ -1007,7 +1007,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
 	}
 	/* XXX need runden? */
 	kex->we_need = need;
-@@ -1129,6 +1146,36 @@ dump_digest(const char *msg, const u_cha
+@@ -1297,6 +1314,36 @@ dump_digest(const char *msg, const u_cha
 }
 #endif
@ -1044,9 +1044,9 @@ diff -up openssh/kex.c.audit openssh/kex.c
 /*
  * Send a plaintext error message to the peer, suffixed by \r\n.
  * Only used during banner exchange, and there only for the server.
-diff -up openssh/kex.h.audit openssh/kex.h
+diff -up openssh-8.6p1/kex.h.audit openssh-8.6p1/kex.h
--- openssh/kex.h.audit	2019-04-03 17:02:20.652885462 +0200
+--- openssh-8.6p1/kex.h.audit	2021-04-19 16:47:35.683061568 +0200
-+++ openssh/kex.h	2019-04-03 17:02:20.715886060 +0200
+++ openssh-8.6p1/kex.h	2021-04-19 16:47:35.756062129 +0200
@@ -226,6 +226,8 @@ int	 kexgss_client(struct ssh *);
 int	 kexgss_server(struct ssh *);
 #endif
@ -1056,10 +1056,10 @@ diff -up openssh/kex.h.audit openssh/kex.h
 int	 kex_dh_keypair(struct kex *);
 int	 kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
     struct sshbuf **);
-diff -up openssh/mac.c.audit openssh/mac.c
+diff -up openssh-8.6p1/mac.c.audit openssh-8.6p1/mac.c
--- openssh/mac.c.audit	2019-04-03 17:02:20.652885462 +0200
+--- openssh-8.6p1/mac.c.audit	2021-04-16 05:55:25.000000000 +0200
-+++ openssh/mac.c	2019-04-03 17:02:20.715886060 +0200
+++ openssh-8.6p1/mac.c	2021-04-19 16:47:35.756062129 +0200
-@@ -243,6 +243,20 @@ mac_clear(struct sshmac *mac)
+@@ -239,6 +239,20 @@ mac_clear(struct sshmac *mac)
 	mac->umac_ctx = NULL;
 }
@ -1080,9 +1080,9 @@ diff -up openssh/mac.c.audit openssh/mac.c
 /* XXX copied from ciphers_valid */
 #define	MAC_SEP	","
 int
-diff -up openssh/mac.h.audit openssh/mac.h
+diff -up openssh-8.6p1/mac.h.audit openssh-8.6p1/mac.h
--- openssh/mac.h.audit	2019-03-27 23:26:14.000000000 +0100
+--- openssh-8.6p1/mac.h.audit	2021-04-16 05:55:25.000000000 +0200
-+++ openssh/mac.h	2019-04-03 17:02:20.715886060 +0200
+++ openssh-8.6p1/mac.h	2021-04-19 16:47:35.756062129 +0200
@@ -49,5 +49,6 @@ int	 mac_compute(struct sshmac *, u_int3
 int	 mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
     const u_char *, size_t);
@ -1090,21 +1090,21 @@ diff -up openssh/mac.h.audit openssh/mac.h
 +void	 mac_destroy(struct sshmac *);
 #endif /* SSHMAC_H */
-diff -up openssh/Makefile.in.audit openssh/Makefile.in
+diff -up openssh-8.6p1/Makefile.in.audit openssh-8.6p1/Makefile.in
--- openssh/Makefile.in.audit	2019-04-03 17:02:20.705885965 +0200
+--- openssh-8.6p1/Makefile.in.audit	2021-04-19 16:47:35.731061937 +0200
-+++ openssh/Makefile.in	2019-04-03 17:02:20.715886060 +0200
+++ openssh-8.6p1/Makefile.in	2021-04-19 16:47:35.756062129 +0200
-@@ -109,7 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+@@ -112,7 +112,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 	kexsntrup761x25519.o sntrup761.o kexgen.o \
 	kexgssc.o \
-	sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
+ 	sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
 -	sshbuf-io.o
 +	sshbuf-io.o auditstub.o
 SKOBJS=	ssh-sk-client.o
-diff -up openssh/monitor.c.audit openssh/monitor.c
+diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c
--- openssh/monitor.c.audit	2019-04-03 17:02:20.674885671 +0200
+--- openssh-8.6p1/monitor.c.audit	2021-04-19 16:47:35.707061753 +0200
-+++ openssh/monitor.c	2019-04-03 17:03:17.201421405 +0200
+++ openssh-8.6p1/monitor.c	2021-04-19 16:47:35.756062129 +0200
@@ -93,6 +93,7 @@
 #include "compat.h"
 #include "ssh2.h"
@ -1113,7 +1113,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 #include "match.h"
 #include "ssherr.h"
 #include "sk-api.h"
-@@ -107,6 +108,8 @@ extern u_char session_id[];
+@@ -107,6 +108,8 @@ extern u_int utmp_len;
 extern struct sshbuf *loginmsg;
 extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
@ -1157,7 +1157,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 #endif
     {0, 0, NULL}
 };
-@@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int
+@@ -1444,8 +1461,10 @@ mm_answer_keyverify(struct ssh *ssh, int
 	int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;
 	int encoded_ret;
 	struct sshkey_sig_details *sig_details = NULL;
@ -1169,7 +1169,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 	    (r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 ||
 	    (r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 ||
 	    (r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
-@@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int
+@@ -1454,6 +1473,8 @@ mm_answer_keyverify(struct ssh *ssh, int
 	if (hostbased_cuser == NULL || hostbased_chost == NULL ||
 	  !monitor_allowed_key(blob, bloblen))
 		fatal_f("bad key, not previously allowed");
@ -1178,7 +1178,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 	/* Empty signature algorithm means NULL. */
 	if (*sigalg == '\0') {
-@@ -1470,27 +1491,30 @@ mm_answer_keyverify(struct ssh *ssh, int
+@@ -1469,14 +1490,19 @@ mm_answer_keyverify(struct ssh *ssh, int
 	case MM_USERKEY:
 		valid_data = monitor_valid_userblob(ssh, data, datalen);
 		auth_method = "publickey";
@ -1198,11 +1198,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 		break;
 	}
 	if (!valid_data)
- 		fatal_f("bad %s signature data blob",
+@@ -1488,8 +1514,6 @@ mm_answer_keyverify(struct ssh *ssh, int
 		    key_blobtype == MM_USERKEY ? "userkey" :
 		    (key_blobtype == MM_HOSTKEY ? "hostkey" : "unknown"));
 	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
 	    SSH_FP_DEFAULT)) == NULL)
 		fatal_f("sshkey_fingerprint failed");
@ -1211,7 +1207,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 	debug3_f("%s %p signature %s%s%s", auth_method, key,
 	    (ret == 0) ? "verified" : "unverified",
 	    (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
-@@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session
+@@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session
 }
 static void
@ -1232,7 +1228,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 	session_unused(s->self);
 }
-@@ -1609,7 +1639,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
+@@ -1649,7 +1679,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
  error:
 	if (s != NULL)
@ -1241,7 +1237,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 	if ((r = sshbuf_put_u32(m, 0)) != 0)
 		fatal_fr(r, "assemble 0");
 	mm_request_send(sock, MONITOR_ANS_PTY, m);
-@@ -1628,7 +1658,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i
+@@ -1668,7 +1698,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i
 	if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0)
 		fatal_fr(r, "parse tty");
 	if ((s = session_by_tty(tty)) != NULL)
@ -1250,7 +1246,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 	sshbuf_reset(m);
 	free(tty);
 	return (0);
-@@ -1650,6 +1680,8 @@ mm_answer_term(struct ssh *ssh, int sock
+@@ -1690,6 +1720,8 @@ mm_answer_term(struct ssh *ssh, int sock
 		sshpam_cleanup();
 #endif
@ -1259,7 +1255,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
 		if (errno != EINTR)
 			exit(1);
-@@ -1696,12 +1728,47 @@ mm_answer_audit_command(struct ssh *ssh,
+@@ -1736,12 +1768,47 @@ mm_answer_audit_command(struct ssh *ssh,
 {
 	char *cmd;
 	int r;
@ -1308,7 +1304,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 	free(cmd);
 	return (0);
 }
-@@ -1767,6 +1834,7 @@ monitor_apply_keystate(struct ssh *ssh,
+@@ -1813,6 +1880,7 @@ monitor_apply_keystate(struct ssh *ssh,
 void
 mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
 {
@ -1316,7 +1312,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 	debug3_f("Waiting for new keys");
 	if ((child_state = sshbuf_new()) == NULL)
-@@ -1774,6 +1842,19 @@ mm_get_keystate(struct ssh *ssh, struct
+@@ -1820,6 +1888,19 @@ mm_get_keystate(struct ssh *ssh, struct
 	mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
 	    child_state);
 	debug3_f("GOT new keys");
@ -1336,7 +1332,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 }
-@@ -2066,3 +2147,102 @@ mm_answer_gss_updatecreds(struct ssh *ss
+@@ -2111,3 +2192,102 @@ mm_answer_gss_updatecreds(struct ssh *ss
 #endif /* GSSAPI */
@ -1439,9 +1435,9 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 +	return 0;
 +}
 +#endif /* SSH_AUDIT_EVENTS */
-diff -up openssh/monitor.h.audit openssh/monitor.h
+diff -up openssh-8.6p1/monitor.h.audit openssh-8.6p1/monitor.h
--- openssh/monitor.h.audit	2019-04-03 17:02:20.674885671 +0200
+--- openssh-8.6p1/monitor.h.audit	2021-04-19 16:47:35.707061753 +0200
-+++ openssh/monitor.h	2019-04-03 17:02:20.715886060 +0200
+++ openssh-8.6p1/monitor.h	2021-04-19 16:47:35.757062137 +0200
@@ -65,7 +65,13 @@ enum monitor_reqtype {
 	MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
 	MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -1457,10 +1453,10 @@ diff -up openssh/monitor.h.audit openssh/monitor.h
 	MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
 	MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
-diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
+diff -up openssh-8.6p1/monitor_wrap.c.audit openssh-8.6p1/monitor_wrap.c
--- openssh/monitor_wrap.c.audit	2019-04-03 17:02:20.653885472 +0200
+--- openssh-8.6p1/monitor_wrap.c.audit	2021-04-19 16:47:35.685061584 +0200
-+++ openssh/monitor_wrap.c	2019-04-03 17:02:20.716886069 +0200
+++ openssh-8.6p1/monitor_wrap.c	2021-04-19 16:47:35.757062137 +0200
-@@ -513,7 +513,7 @@ mm_key_allowed(enum mm_keytype type, con
+@@ -520,7 +520,7 @@ mm_key_allowed(enum mm_keytype type, con
  */
 int
@ -1469,7 +1465,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
     const u_char *data, size_t datalen, const char *sigalg, u_int compat,
     struct sshkey_sig_details **sig_detailsp)
 {
-@@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke
+@@ -536,7 +536,8 @@ mm_sshkey_verify(const struct sshkey *ke
 		*sig_detailsp = NULL;
 	if ((m = sshbuf_new()) == NULL)
 		fatal_f("sshbuf_new failed");
@ -1479,7 +1475,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 	    (r = sshbuf_put_string(m, sig, siglen)) != 0 ||
 	    (r = sshbuf_put_string(m, data, datalen)) != 0 ||
 	    (r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0)
-@@ -547,6 +548,22 @@ mm_sshkey_verify(const struct sshkey *ke
+@@ -569,6 +570,22 @@ mm_sshkey_verify(const struct sshkey *ke
 	return 0;
 }
@ -1502,7 +1498,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 void
 mm_send_keystate(struct ssh *ssh, struct monitor *monitor)
 {
-@@ -900,11 +915,12 @@ mm_audit_event(struct ssh *ssh, ssh_audi
+@@ -921,11 +938,12 @@ mm_audit_event(struct ssh *ssh, ssh_audi
 	sshbuf_free(m);
 }
@ -1517,7 +1513,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 	debug3("%s entering command %s", __func__, command);
-@@ -914,6 +930,30 @@ mm_audit_run_command(const char *command
+@@ -935,6 +953,30 @@ mm_audit_run_command(const char *command
 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, m);
@ -1548,7 +1544,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 	sshbuf_free(m);
 }
 #endif /* SSH_AUDIT_EVENTS */
-@@ -1074,3 +1114,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
+@@ -1095,3 +1137,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
 }
 #endif /* GSSAPI */
@ -1632,10 +1628,10 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 +	sshbuf_free(m);
 +}
 +#endif /* SSH_AUDIT_EVENTS */
-diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h
+diff -up openssh-8.6p1/monitor_wrap.h.audit openssh-8.6p1/monitor_wrap.h
--- openssh/monitor_wrap.h.audit	2019-04-03 17:02:20.653885472 +0200
+--- openssh-8.6p1/monitor_wrap.h.audit	2021-04-19 16:47:35.685061584 +0200
-+++ openssh/monitor_wrap.h	2019-04-03 17:02:20.716886069 +0200
+++ openssh-8.6p1/monitor_wrap.h	2021-04-19 16:47:35.757062137 +0200
-@@ -57,7 +57,9 @@ int mm_user_key_allowed(struct ssh *, st
+@@ -61,7 +61,9 @@ int mm_user_key_allowed(struct ssh *, st
     struct sshauthopt **);
 int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *,
     const char *, struct sshkey *);
@ -1646,7 +1642,7 @@ diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h
     const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
 #ifdef GSSAPI
-@@ -82,7 +84,12 @@ void mm_sshpam_free_ctx(void *);
+@@ -86,7 +88,12 @@ void mm_sshpam_free_ctx(void *);
 #ifdef SSH_AUDIT_EVENTS
 #include "audit.h"
 void mm_audit_event(struct ssh *, ssh_audit_event_t);
@ -1660,10 +1656,10 @@ diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h
 #endif
 struct Session;
-diff -up openssh/packet.c.audit openssh/packet.c
+diff -up openssh-8.6p1/packet.c.audit openssh-8.6p1/packet.c
--- openssh/packet.c.audit	2019-03-27 23:26:14.000000000 +0100
+--- openssh-8.6p1/packet.c.audit	2021-04-16 05:55:25.000000000 +0200
-+++ openssh/packet.c	2019-04-03 17:02:20.716886069 +0200
+++ openssh-8.6p1/packet.c	2021-04-19 16:48:46.885608837 +0200
-@@ -77,6 +77,7 @@
+@@ -81,6 +81,7 @@
 #endif
 #include "xmalloc.h"
@ -1671,7 +1667,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
 #include "compat.h"
 #include "ssh2.h"
 #include "cipher.h"
-@@ -510,6 +511,13 @@ ssh_packet_get_connection_out(struct ssh
+@@ -506,6 +507,13 @@ ssh_packet_get_connection_out(struct ssh
 	return ssh->state->connection_out;
 }
@ -1685,7 +1681,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
 /*
  * Returns the IP-address of the remote host as a string.  The returned
  * string must not be freed.
-@@ -587,22 +595,19 @@ ssh_packet_close_internal(struct ssh *ss
+@@ -583,22 +591,19 @@ ssh_packet_close_internal(struct ssh *ss
 {
 	struct session_state *state = ssh->state;
 	u_int mode;
@ -1713,7 +1709,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
 	for (mode = 0; mode < MODE_MAX; mode++) {
 		kex_free_newkeys(state->newkeys[mode]);	/* current keys */
 		state->newkeys[mode] = NULL;
-@@ -636,8 +641,18 @@ ssh_packet_close_internal(struct ssh *ss
+@@ -634,8 +639,18 @@ ssh_packet_close_internal(struct ssh *ss
 #endif	/* WITH_ZLIB */
 	cipher_free(state->send_context);
 	cipher_free(state->receive_context);
@ -1732,15 +1728,15 @@ diff -up openssh/packet.c.audit openssh/packet.c
 		free(ssh->local_ipaddr);
 		ssh->local_ipaddr = NULL;
 		free(ssh->remote_ipaddr);
-@@ -864,6 +879,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
+@@ -892,6 +907,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
- 		   (unsigned long long)state->p_send.bytes,
+ 		    (unsigned long long)state->p_send.bytes,
- 		   (unsigned long long)state->p_send.blocks);
+ 		    (unsigned long long)state->p_send.blocks);
 		kex_free_newkeys(state->newkeys[mode]);
 +		audit_session_key_free(ssh, mode);
 		state->newkeys[mode] = NULL;
 	}
 	/* note that both bytes and the seqnr are not reset */
-@@ -2167,6 +2183,72 @@ ssh_packet_get_output(struct ssh *ssh)
+@@ -2173,6 +2189,72 @@ ssh_packet_get_output(struct ssh *ssh)
 	return (void *)ssh->state->output;
 }
@ -1813,18 +1809,18 @@ diff -up openssh/packet.c.audit openssh/packet.c
 /* Reset after_authentication and reset compression in post-auth privsep */
 static int
 ssh_packet_set_postauth(struct ssh *ssh)
-diff -up openssh/packet.h.audit openssh/packet.h
+diff -up openssh-8.6p1/packet.h.audit openssh-8.6p1/packet.h
--- openssh/packet.h.audit	2019-03-27 23:26:14.000000000 +0100
+--- openssh-8.6p1/packet.h.audit	2021-04-16 05:55:25.000000000 +0200
-+++ openssh/packet.h	2019-04-03 17:02:20.716886069 +0200
+++ openssh-8.6p1/packet.h	2021-04-19 16:47:35.758062145 +0200
-@@ -217,4 +217,5 @@ const u_char	*sshpkt_ptr(struct ssh *, s
+@@ -218,4 +218,5 @@ const u_char	*sshpkt_ptr(struct ssh *, s
 # undef EC_POINT
 #endif
 +void	 packet_destroy_all(struct ssh *, int, int);
 #endif				/* PACKET_H */
-diff -up openssh/session.c.audit openssh/session.c
+diff -up openssh-8.6p1/session.c.audit openssh-8.6p1/session.c
--- openssh/session.c.audit	2019-04-03 17:02:20.712886031 +0200
+--- openssh-8.6p1/session.c.audit	2021-04-19 16:47:35.722061868 +0200
-+++ openssh/session.c	2019-04-03 17:02:20.716886069 +0200
+++ openssh-8.6p1/session.c	2021-04-19 16:47:35.758062145 +0200
@@ -136,7 +136,7 @@ extern char *__progname;
 extern int debug_flag;
 extern u_int utmp_len;
@ -1834,7 +1830,7 @@ diff -up openssh/session.c.audit openssh/session.c
 extern struct sshbuf *loginmsg;
 extern struct sshauthopt *auth_opts;
 extern char *tun_fwd_ifnames; /* serverloop.c */
-@@ -648,6 +648,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
+@@ -644,6 +644,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
 	/* Parent.  Close the slave side of the pseudo tty. */
 	close(ttyfd);
@ -1849,7 +1845,7 @@ diff -up openssh/session.c.audit openssh/session.c
 	/* Enter interactive session. */
 	s->ptymaster = ptymaster;
 	ssh_packet_set_interactive(ssh, 1,
-@@ -740,15 +748,19 @@ do_exec(struct ssh *ssh, Session *s, con
+@@ -736,15 +744,19 @@ do_exec(struct ssh *ssh, Session *s, con
 	    s->self);
 #ifdef SSH_AUDIT_EVENTS
@ -1871,7 +1867,7 @@ diff -up openssh/session.c.audit openssh/session.c
 #endif
 	if (s->ttyfd != -1)
 		ret = do_exec_pty(ssh, s, command);
-@@ -1556,8 +1568,11 @@ do_child(struct ssh *ssh, Session *s, co
+@@ -1550,8 +1562,11 @@ do_child(struct ssh *ssh, Session *s, co
 	sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
 	/* remove hostkey from the child's memory */
@ -1884,7 +1880,7 @@ diff -up openssh/session.c.audit openssh/session.c
 	/* Force a password change */
 	if (s->authctxt->force_pwchange) {
-@@ -1769,6 +1784,9 @@ session_unused(int id)
+@@ -1763,6 +1778,9 @@ session_unused(int id)
 	sessions[id].ttyfd = -1;
 	sessions[id].ptymaster = -1;
 	sessions[id].x11_chanids = NULL;
@ -1894,7 +1890,7 @@ diff -up openssh/session.c.audit openssh/session.c
 	sessions[id].next_unused = sessions_first_unused;
 	sessions_first_unused = id;
 }
-@@ -1851,6 +1869,19 @@ session_open(Authctxt *authctxt, int cha
+@@ -1843,6 +1861,19 @@ session_open(Authctxt *authctxt, int cha
 }
 Session *
@ -1914,7 +1910,7 @@ diff -up openssh/session.c.audit openssh/session.c
 session_by_tty(char *tty)
 {
 	int i;
-@@ -2461,6 +2492,32 @@ session_exit_message(struct ssh *ssh, Se
+@@ -2450,6 +2481,32 @@ session_exit_message(struct ssh *ssh, Se
 		chan_write_failed(ssh, c);
 }
@ -1947,7 +1943,7 @@ diff -up openssh/session.c.audit openssh/session.c
 void
 session_close(struct ssh *ssh, Session *s)
 {
-@@ -2474,6 +2531,10 @@ session_close(struct ssh *ssh, Session *
+@@ -2463,6 +2520,10 @@ session_close(struct ssh *ssh, Session *
 	if (s->ttyfd != -1)
 		session_pty_cleanup(s);
@ -1958,7 +1954,7 @@ diff -up openssh/session.c.audit openssh/session.c
 	free(s->term);
 	free(s->display);
 	free(s->x11_chanids);
-@@ -2549,14 +2610,14 @@ session_close_by_channel(struct ssh *ssh
+@@ -2537,14 +2598,14 @@ session_close_by_channel(struct ssh *ssh
 }
 void
@ -1975,7 +1971,7 @@ diff -up openssh/session.c.audit openssh/session.c
 			else
 				session_close(ssh, s);
 		}
-@@ -2683,6 +2744,15 @@ do_authenticated2(struct ssh *ssh, Authc
+@@ -2671,6 +2732,15 @@ do_authenticated2(struct ssh *ssh, Authc
 	server_loop2(ssh, authctxt);
 }
@ -1991,7 +1987,7 @@ diff -up openssh/session.c.audit openssh/session.c
 void
 do_cleanup(struct ssh *ssh, Authctxt *authctxt)
 {
-@@ -2746,7 +2816,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
+@@ -2734,7 +2804,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
 	 * or if running in monitor.
 	 */
 	if (!use_privsep || mm_is_monitor())
@ -2000,9 +1996,9 @@ diff -up openssh/session.c.audit openssh/session.c
 }
 /* Return a name for the remote host that fits inside utmp_size */
-diff -up openssh/session.h.audit openssh/session.h
+diff -up openssh-8.6p1/session.h.audit openssh-8.6p1/session.h
--- openssh/session.h.audit	2019-03-27 23:26:14.000000000 +0100
+--- openssh-8.6p1/session.h.audit	2021-04-16 05:55:25.000000000 +0200
-+++ openssh/session.h	2019-04-03 17:02:20.717886079 +0200
+++ openssh-8.6p1/session.h	2021-04-19 16:47:35.758062145 +0200
@@ -61,6 +61,12 @@ struct Session {
 		char	*name;
 		char	*val;
@ -2030,9 +2026,9 @@ diff -up openssh/session.h.audit openssh/session.h
 Session	*session_by_tty(char *);
 void	 session_close(struct ssh *, Session *);
 void	 do_setusercontext(struct passwd *);
-diff -up openssh/sshd.c.audit openssh/sshd.c
+diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
--- openssh/sshd.c.audit	2019-04-03 17:02:20.692885842 +0200
+--- openssh-8.6p1/sshd.c.audit	2021-04-19 16:47:35.727061907 +0200
-+++ openssh/sshd.c	2019-04-03 17:02:20.717886079 +0200
+++ openssh-8.6p1/sshd.c	2021-04-19 16:47:35.759062152 +0200
@@ -122,6 +122,7 @@
 #include "ssh-gss.h"
 #endif
@ -2041,7 +2037,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 #include "ssh-sandbox.h"
 #include "auth-options.h"
 #include "version.h"
-@@ -261,8 +262,8 @@ struct sshbuf *loginmsg;
+@@ -260,8 +261,8 @@ struct sshbuf *loginmsg;
 struct passwd *privsep_pw = NULL;
 /* Prototypes for various functions defined later in this file. */
@ -2052,7 +2048,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 static void do_ssh2_kex(struct ssh *);
 static char *listener_proctitle;
-@@ -278,6 +279,15 @@ close_listen_socks(void)
+@@ -279,6 +280,15 @@ close_listen_socks(void)
 	num_listen_socks = -1;
 }
@ -2068,7 +2064,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 static void
 close_startup_pipes(void)
 {
-@@ -380,18 +390,45 @@ grace_alarm_handler(int sig)
+@@ -377,18 +387,45 @@ grace_alarm_handler(int sig)
 	    ssh_remote_port(the_active_state));
 }
@ -2117,7 +2113,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 			sshkey_free(sensitive_data.host_certificates[i]);
 			sensitive_data.host_certificates[i] = NULL;
 		}
-@@ -400,20 +437,38 @@ destroy_sensitive_data(void)
+@@ -397,20 +434,38 @@ destroy_sensitive_data(void)
 /* Demote private to public keys for network child */
 void
@ -2157,7 +2153,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 		}
 		/* Certs do not need demotion */
 	}
-@@ -442,7 +497,7 @@ reseed_prngs(void)
+@@ -438,7 +493,7 @@ reseed_prngs(void)
 }
 static void
@ -2166,7 +2162,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 {
 	gid_t gidset[1];
-@@ -457,7 +512,7 @@ privsep_preauth_child(void)
+@@ -453,7 +508,7 @@ privsep_preauth_child(void)
 	reseed_prngs();
 	/* Demote the private keys to public keys. */
@ -2175,7 +2171,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 #ifdef WITH_SELINUX
 	sshd_selinux_change_privsep_preauth_context();
-@@ -496,7 +551,7 @@ privsep_preauth(struct ssh *ssh)
+@@ -492,7 +547,7 @@ privsep_preauth(struct ssh *ssh)
 	if (use_privsep == PRIVSEP_ON)
 		box = ssh_sandbox_init(pmonitor);
@ -2184,7 +2180,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 	if (pid == -1) {
 		fatal("fork of unprivileged child failed");
 	} else if (pid != 0) {
-@@ -542,7 +597,7 @@ privsep_preauth(struct ssh *ssh)
+@@ -537,7 +592,7 @@ privsep_preauth(struct ssh *ssh)
 		/* Arrange for logging to be sent to the monitor */
 		set_log_handler(mm_log_handler, pmonitor);
@ -2193,7 +2189,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 		setproctitle("%s", "[net]");
 		if (box != NULL)
 			ssh_sandbox_child(box);
-@@ -594,7 +649,7 @@ privsep_postauth(struct ssh *ssh, Authct
+@@ -589,7 +644,7 @@ privsep_postauth(struct ssh *ssh, Authct
 		set_log_handler(mm_log_handler, pmonitor);
 	/* Demote the private keys to public keys. */
@ -2202,7 +2198,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 	reseed_prngs();
-@@ -1057,7 +1112,7 @@ server_listen(void)
+@@ -1143,7 +1198,7 @@ server_listen(void)
  * from this function are in a forked subprocess.
  */
 static void
@ -2211,7 +2207,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 {
 	fd_set *fdset;
 	int i, j, ret, maxfd;
-@@ -1112,6 +1167,7 @@ server_accept_loop(int *sock_in, int *so
+@@ -1204,6 +1259,7 @@ server_accept_loop(int *sock_in, int *so
 		if (received_sigterm) {
 			logit("Received signal %d; terminating.",
 			    (int) received_sigterm);
@ -2219,7 +2215,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 			close_listen_socks();
 			if (options.pid_file != NULL)
 				unlink(options.pid_file);
-@@ -1978,7 +2034,7 @@ main(int ac, char **av)
+@@ -2098,7 +2154,7 @@ main(int ac, char **av)
 #endif
 		/* Accept a connection and return in a forked child */
@ -2228,7 +2224,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 		    &newsock, config_s);
 	}
-@@ -2222,6 +2278,9 @@ main(int ac, char **av)
+@@ -2333,6 +2389,9 @@ main(int ac, char **av)
 	do_authenticated(ssh, authctxt);
 	/* The connection has been terminated. */
@ -2238,7 +2234,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 	ssh_packet_get_bytes(ssh, &ibytes, &obytes);
 	verbose("Transferred: sent %llu, received %llu bytes",
 	    (unsigned long long)obytes, (unsigned long long)ibytes);
-@@ -2401,6 +2460,15 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2513,6 +2572,15 @@ do_ssh2_kex(struct ssh *ssh)
 void
 cleanup_exit(int i)
 {
@ -2254,7 +2250,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 	if (the_active_state != NULL && the_authctxt != NULL) {
 		do_cleanup(the_active_state, the_authctxt);
 		if (use_privsep && privsep_is_preauth &&
-@@ -2414,9 +2482,16 @@ cleanup_exit(int i)
+@@ -2525,9 +2593,16 @@ cleanup_exit(int i)
 			}
 		}
 	}
@ -2272,10 +2268,10 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 		audit_event(the_active_state, SSH_CONNECTION_ABANDON);
 #endif
 	_exit(i);
-diff -up openssh/sshkey.c.audit openssh/sshkey.c
+diff -up openssh-8.6p1/sshkey.c.audit openssh-8.6p1/sshkey.c
--- openssh/sshkey.c.audit	2019-04-03 17:02:20.657885510 +0200
+--- openssh-8.6p1/sshkey.c.audit	2021-04-19 16:47:35.741062014 +0200
-+++ openssh/sshkey.c	2019-04-03 17:02:20.718886088 +0200
+++ openssh-8.6p1/sshkey.c	2021-04-19 16:47:35.759062152 +0200
-@@ -331,6 +331,38 @@ sshkey_type_is_valid_ca(int type)
+@@ -371,6 +371,38 @@ sshkey_type_is_valid_ca(int type)
 }
 int
@ -2314,10 +2310,10 @@ diff -up openssh/sshkey.c.audit openssh/sshkey.c
 sshkey_is_cert(const struct sshkey *k)
 {
 	if (k == NULL)
-diff -up openssh/sshkey.h.audit openssh/sshkey.h
+diff -up openssh-8.6p1/sshkey.h.audit openssh-8.6p1/sshkey.h
--- openssh/sshkey.h.audit	2019-04-03 17:02:20.657885510 +0200
+--- openssh-8.6p1/sshkey.h.audit	2021-04-19 16:47:35.741062014 +0200
-+++ openssh/sshkey.h	2019-04-03 17:02:20.718886088 +0200
+++ openssh-8.6p1/sshkey.h	2021-04-19 16:47:35.759062152 +0200
-@@ -148,6 +148,7 @@ u_int		 sshkey_size(const struct sshkey
+@@ -189,6 +189,7 @@ int		 sshkey_shield_private(struct sshke
 int		 sshkey_unshield_private(struct sshkey *);
 int	 sshkey_type_from_name(const char *);
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@ -1,6 +1,6 @@
-diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c
+diff -up openssh-8.6p1/cipher-ctr.c.fips openssh-8.6p1/cipher-ctr.c
--- openssh-8.0p1/cipher-ctr.c.fips	2019-07-23 14:55:45.326525641 +0200
+--- openssh-8.6p1/cipher-ctr.c.fips	2021-04-19 16:53:02.994577324 +0200
-+++ openssh-8.0p1/cipher-ctr.c	2019-07-23 14:55:45.401526401 +0200
+++ openssh-8.6p1/cipher-ctr.c	2021-04-19 16:53:03.064577862 +0200
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
 	aes_ctr.do_cipher = ssh_aes_ctr;
 #ifndef SSH_OLD_EVP
@ -11,10 +11,10 @@ diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c
 #endif
 	return (&aes_ctr);
 }
-diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
+diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
--- openssh-8.0p1/dh.c.fips	2019-04-18 00:52:57.000000000 +0200
+--- openssh-8.6p1/dh.c.fips	2021-04-16 05:55:25.000000000 +0200
-+++ openssh-8.0p1/dh.c	2019-07-23 14:55:45.401526401 +0200
+++ openssh-8.6p1/dh.c	2021-04-19 16:58:47.750263410 +0200
-@@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max
+@@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max
 	int best, bestcount, which, linenum;
 	struct dhgroup dhg;
@ -24,10 +24,10 @@ diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
 +		return (dh_new_group_fallback(max));
 +	}
 +
- 	if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) {
+ 	if ((f = fopen(get_moduli_filename(), "r")) == NULL) {
 		logit("WARNING: could not open %s (%s), using fixed modulus",
- 		    _PATH_DH_MODULI, strerror(errno));
+ 		    get_moduli_filename(), strerror(errno));
-@@ -489,4 +495,38 @@ dh_estimate(int bits)
+@@ -502,4 +508,38 @@ dh_estimate(int bits)
 	return 8192;
 }
@ -66,21 +66,21 @@ diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
 +}
 +
 #endif /* WITH_OPENSSL */
-diff -up openssh-8.0p1/dh.h.fips openssh-8.0p1/dh.h
+diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
--- openssh-8.0p1/dh.h.fips	2019-04-18 00:52:57.000000000 +0200
+--- openssh-8.6p1/dh.h.fips	2021-04-19 16:53:03.064577862 +0200
-+++ openssh-8.0p1/dh.h	2019-07-23 14:55:45.401526401 +0200
+++ openssh-8.6p1/dh.h	2021-04-19 16:59:31.951616078 +0200
-@@ -43,6 +43,7 @@ DH	*dh_new_group_fallback(int);
+@@ -45,6 +45,7 @@ DH	*dh_new_group_fallback(int);
 int	 dh_gen_key(DH *, int);
 int	 dh_pub_is_valid(const DH *, const BIGNUM *);
 +int	 dh_is_known_group(const DH *);
 u_int	 dh_estimate(int);
- 
+ void	 dh_set_moduli_file(const char *);
-diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c
+diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
--- openssh-8.0p1/kex.c.fips	2019-07-23 14:55:45.395526340 +0200
+--- openssh-8.6p1/kex.c.fips	2021-04-19 16:53:03.058577815 +0200
-+++ openssh-8.0p1/kex.c	2019-07-23 14:55:45.402526411 +0200
+++ openssh-8.6p1/kex.c	2021-04-19 16:53:03.065577869 +0200
-@@ -199,7 +199,10 @@ kex_names_valid(const char *names)
+@@ -203,7 +203,10 @@ kex_names_valid(const char *names)
 	for ((p = strsep(&cp, ",")); p && *p != '\0';
 	    (p = strsep(&cp, ","))) {
 		if (kex_alg_by_name(p) == NULL) {
@ -92,9 +92,9 @@ diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c
 			free(s);
 			return 0;
 		}
-diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
+diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
--- openssh-8.0p1/kexgexc.c.fips	2019-04-18 00:52:57.000000000 +0200
+--- openssh-8.6p1/kexgexc.c.fips	2021-04-16 05:55:25.000000000 +0200
-+++ openssh-8.0p1/kexgexc.c	2019-07-23 14:55:45.402526411 +0200
+++ openssh-8.6p1/kexgexc.c	2021-04-19 16:53:03.065577869 +0200
@@ -28,6 +28,7 @@
 #ifdef WITH_OPENSSL
@ -103,7 +103,7 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
 #include <sys/types.h>
 #include <openssl/dh.h>
-@@ -113,6 +114,10 @@ input_kex_dh_gex_group(int type, u_int32
+@@ -115,6 +116,10 @@ input_kex_dh_gex_group(int type, u_int32
 		r = SSH_ERR_ALLOC_FAIL;
 		goto out;
 	}
@ -114,10 +114,10 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
 	p = g = NULL; /* belong to kex->dh now */
 	/* generate and send 'e', client DH public key */
-diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
+diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
--- openssh-8.0p1/myproposal.h.fips	2019-04-18 00:52:57.000000000 +0200
+--- openssh-8.6p1/myproposal.h.fips	2021-04-16 05:55:25.000000000 +0200
-+++ openssh-8.0p1/myproposal.h	2019-07-23 14:55:45.402526411 +0200
+++ openssh-8.6p1/myproposal.h	2021-04-19 16:53:03.065577869 +0200
-@@ -111,6 +111,20 @@
+@@ -57,6 +57,20 @@
 	"rsa-sha2-256," \
 	"ssh-rsa"
@ -138,7 +138,7 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
 #define	KEX_SERVER_ENCRYPT \
 	"chacha20-poly1305@openssh.com," \
 	"aes128-ctr,aes192-ctr,aes256-ctr," \
-@@ -134,6 +142,27 @@
+@@ -78,6 +92,27 @@
 #define KEX_CLIENT_MAC KEX_SERVER_MAC
@ -166,10 +166,10 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
 /* Not a KEX value, but here so all the algorithm defaults are together */
 #define	SSH_ALLOWED_CA_SIGALGS	\
 	"ssh-ed25519," \
-diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
+diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
--- openssh-8.0p1/readconf.c.fips	2019-07-23 14:55:45.334525723 +0200
+--- openssh-8.6p1/readconf.c.fips	2021-04-19 16:53:02.999577362 +0200
-+++ openssh-8.0p1/readconf.c	2019-07-23 14:55:45.402526411 +0200
+++ openssh-8.6p1/readconf.c	2021-04-19 16:53:03.065577869 +0200
-@@ -2179,11 +2179,16 @@ fill_default_options(Options * options)
+@@ -2538,11 +2538,16 @@ fill_default_options(Options * options)
 	all_key = sshkey_alg_list(0, 0, 1, ',');
 	all_sig = sshkey_alg_list(0, 1, 1, ',');
 	/* remove unsupported algos from default lists */
@ -191,10 +191,10 @@ diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
 #define ASSEMBLE(what, defaults, all) \
 	do { \
 		if ((r = kex_assemble_names(&options->what, \
-diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c
+diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-seccomp-filter.c
--- openssh-8.0p1/sandbox-seccomp-filter.c.fips	2019-07-23 14:55:45.373526117 +0200
+--- openssh-8.6p1/sandbox-seccomp-filter.c.fips	2021-04-19 16:53:03.034577631 +0200
-+++ openssh-8.0p1/sandbox-seccomp-filter.c	2019-07-23 14:55:45.402526411 +0200
+++ openssh-8.6p1/sandbox-seccomp-filter.c	2021-04-19 16:53:03.065577869 +0200
-@@ -137,6 +137,9 @@ static const struct sock_filter preauth_
+@@ -160,6 +160,9 @@ static const struct sock_filter preauth_
 #ifdef __NR_open
 	SC_DENY(__NR_open, EACCES),
 #endif
@ -204,10 +204,10 @@ diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-secco
 #ifdef __NR_openat
 	SC_DENY(__NR_openat, EACCES),
 #endif
-diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
+diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
--- openssh-8.0p1/servconf.c.fips	2019-07-23 14:55:45.361525996 +0200
+--- openssh-8.6p1/servconf.c.fips	2021-04-19 16:53:03.027577577 +0200
-+++ openssh-8.0p1/servconf.c	2019-07-23 14:55:45.403526421 +0200
+++ openssh-8.6p1/servconf.c	2021-04-19 16:53:03.066577877 +0200
-@@ -208,11 +208,16 @@ assemble_algorithms(ServerOptions *o)
+@@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o)
 	all_key = sshkey_alg_list(0, 0, 1, ',');
 	all_sig = sshkey_alg_list(0, 1, 1, ',');
 	/* remove unsupported algos from default lists */
@ -229,10 +229,10 @@ diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
 #define ASSEMBLE(what, defaults, all) \
 	do { \
 		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
-diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
+diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
--- openssh-8.0p1/ssh.c.fips	2019-07-23 14:55:45.378526168 +0200
+--- openssh-8.6p1/ssh.c.fips	2021-04-19 16:53:03.038577662 +0200
-+++ openssh-8.0p1/ssh.c	2019-07-23 14:55:45.403526421 +0200
+++ openssh-8.6p1/ssh.c	2021-04-19 16:53:03.066577877 +0200
-@@ -76,6 +76,7 @@
+@@ -77,6 +77,7 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #endif
@ -240,21 +240,21 @@ diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
 #include "openbsd-compat/openssl-compat.h"
 #include "openbsd-compat/sys-queue.h"
-@@ -614,6 +626,10 @@ main(int ac, char **av)
+@@ -1516,6 +1517,10 @@ main(int ac, char **av)
 		dump_client_config(&options, host);
 		exit(0);
 	}
-+
+ 
 +	if (FIPS_mode()) {
 +		debug("FIPS mode initialized");
 +	}
- 
+
 	/* Expand SecurityKeyProvider if it refers to an environment variable */
 	if (options.sk_provider != NULL && *options.sk_provider == '$' &&
-diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
+ 	    strlen(options.sk_provider) > 1) {
--- openssh-8.0p1/sshconnect2.c.fips	2019-07-23 14:55:45.336525743 +0200
+diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
-+++ openssh-8.0p1/sshconnect2.c	2019-07-23 14:55:45.403526421 +0200
+--- openssh-8.6p1/sshconnect2.c.fips	2021-04-19 16:53:03.055577792 +0200
-@@ -44,6 +44,8 @@
+++ openssh-8.6p1/sshconnect2.c	2021-04-19 16:53:03.066577877 +0200
@@ -45,6 +45,8 @@
 #include <vis.h>
 #endif
@ -263,7 +263,7 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
 #include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
-@@ -198,36 +203,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
+@@ -269,36 +271,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
 #if defined(GSSAPI) && defined(WITH_OPENSSL)
 	if (options.gss_keyex) {
@ -279,24 +279,6 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
 -			 * and can not use DNS on that socket */
 -			if (strcmp(gss_host, "UNKNOWN") == 0) {
 -				free(gss_host);
 -				gss_host = xstrdup(host);
 -			}
 -		} else {
 -			gss_host = xstrdup(host);
 -		}
 -
 -		gss = ssh_gssapi_client_mechanisms(gss_host,
 -		    options.gss_client_identity, options.gss_kex_algorithms);
 -		if (gss) {
 -			debug("Offering GSSAPI proposal: %s", gss);
 -			xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
 -			    "%s,%s", gss, orig);
 -
 -			/* If we've got GSSAPI algorithms, then we also support the
 -			 * 'null' hostkey, as a last resort */
 -			orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
 -			xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
 -			    "%s,null", orig);
 +		if (FIPS_mode()) {
 +			logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
 +			options.gss_keyex = 0;
@ -316,9 +298,24 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
 +					gss_host = xstrdup(host);
 +				}
 +			} else {
-+				gss_host = xstrdup(host);
+ 				gss_host = xstrdup(host);
-+			}
+ 			}
-+
+-		} else {
 -			gss_host = xstrdup(host);
 -		}
 -		gss = ssh_gssapi_client_mechanisms(gss_host,
 -		    options.gss_client_identity, options.gss_kex_algorithms);
 -		if (gss) {
 -			debug("Offering GSSAPI proposal: %s", gss);
 -			xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
 -			    "%s,%s", gss, orig);
 -
 -			/* If we've got GSSAPI algorithms, then we also support the
 -			 * 'null' hostkey, as a last resort */
 -			orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
 -			xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
 -			    "%s,null", orig);
 +			gss = ssh_gssapi_client_mechanisms(gss_host,
 +			    options.gss_client_identity, options.gss_kex_algorithms);
 +			if (gss) {
@ -335,9 +332,9 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
 		}
 	}
 #endif
-diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
+diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
--- openssh-8.0p1/sshd.c.fips	2019-07-23 14:55:45.398526371 +0200
+--- openssh-8.6p1/sshd.c.fips	2021-04-19 16:53:03.060577831 +0200
-+++ openssh-8.0p1/sshd.c	2019-07-23 14:55:45.403526421 +0200
+++ openssh-8.6p1/sshd.c	2021-04-19 16:57:45.827769340 +0200
@@ -66,6 +66,7 @@
 #include <grp.h>
 #include <pwd.h>
@ -354,7 +351,7 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
 #include "openbsd-compat/openssl-compat.h"
 #endif
-@@ -1529,6 +1532,7 @@ main(int ac, char **av)
+@@ -1619,6 +1621,7 @@ main(int ac, char **av)
 #endif
 	__progname = ssh_get_progname(av[0]);
@ -362,7 +359,7 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
 	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
 	saved_argc = ac;
 	rexec_argc = ac;
-@@ -1992,6 +2007,10 @@ main(int ac, char **av)
+@@ -2110,6 +2113,10 @@ main(int ac, char **av)
 	/* Reinitialize the log (because of the fork above). */
 	log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -370,10 +367,10 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
 +		debug("FIPS mode initialized");
 +	}
 +
- 	/* Chdir to the root directory so that the current disk can be
+ 	/*
- 	   unmounted if desired. */
+ 	 * Chdir to the root directory so that the current disk can be
- 	if (chdir("/") == -1)
+ 	 * unmounted if desired.
-@@ -2382,10 +2401,14 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2494,10 +2501,14 @@ do_ssh2_kex(struct ssh *ssh)
 	if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
 		orig = NULL;
@ -392,9 +389,9 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
 	if (gss && orig)
 		xasprintf(&newstr, "%s,%s", gss, orig);
-diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
+diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
--- openssh-8.0p1/sshkey.c.fips	2019-07-23 14:55:45.398526371 +0200
+--- openssh-8.6p1/sshkey.c.fips	2021-04-19 16:53:03.061577838 +0200
-+++ openssh-8.0p1/sshkey.c	2019-07-23 14:55:45.404526431 +0200
+++ openssh-8.6p1/sshkey.c	2021-04-19 16:53:03.067577885 +0200
@@ -34,6 +34,7 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
@ -411,7 +408,7 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
 #include "ssh-sk.h"
 #ifdef WITH_XMSS
-@@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA
+@@ -1705,6 +1707,8 @@ rsa_generate_private_key(u_int bits, RSA
 	}
 	if (!BN_set_word(f4, RSA_F4) ||
 	    !RSA_generate_key_ex(private, bits, f4, NULL)) {
@ -420,10 +417,10 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
 		ret = SSH_ERR_LIBCRYPTO_ERROR;
 		goto out;
 	}
-diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
+diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
--- openssh-8.0p1/ssh-keygen.c.fips	2019-07-23 14:55:45.391526300 +0200
+--- openssh-8.6p1/ssh-keygen.c.fips	2021-04-19 16:53:03.038577662 +0200
-+++ openssh-8.0p1/ssh-keygen.c	2019-07-23 14:57:54.118830056 +0200
+++ openssh-8.6p1/ssh-keygen.c	2021-04-19 16:53:03.068577892 +0200
-@@ -199,6 +199,12 @@ type_bits_valid(int type, const char *na
+@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
 #endif
 	}
 #ifdef WITH_OPENSSL
@ -436,7 +433,7 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
 	switch (type) {
 	case KEY_DSA:
 		if (*bitsp != 1024)
-@@ -1029,9 +1035,17 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw)
 			first = 1;
 			printf("%s: generating new host keys: ", __progname);
 		}
@ -454,4 +451,4 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
 -		type = sshkey_type_from_name(key_types[i].key_type);
 		if ((fd = mkstemp(prv_tmp)) == -1) {
 			error("Could not save your private key in %s: %s",
-			    prv_tmp, strerror(errno));
+ 			    prv_tmp, strerror(errno));
--- a/openssh-7.7p1-gssapi-new-unique.patch
+++ b/openssh-7.7p1-gssapi-new-unique.patch
@ -1,7 +1,26 @@
-diff --git a/auth-krb5.c b/auth-krb5.c
+diff -up openssh-8.6p1/auth.h.ccache_name openssh-8.6p1/auth.h
-index a5a81ed2..63f877f2 100644
+--- openssh-8.6p1/auth.h.ccache_name	2021-04-19 14:05:10.820744325 +0200
--- a/auth-krb5.c
+++ openssh-8.6p1/auth.h	2021-04-19 14:05:10.853744569 +0200
-+++ b/auth-krb5.c
+@@ -83,6 +83,7 @@ struct Authctxt {
 	krb5_principal	 krb5_user;
 	char		*krb5_ticket_file;
 	char		*krb5_ccname;
 +	int		 krb5_set_env;
 #endif
 	struct sshbuf	*loginmsg;
@@ -231,7 +232,7 @@ struct passwd *fakepw(void);
 int	 sys_auth_passwd(struct ssh *, const char *);
 #if defined(KRB5) && !defined(HEIMDAL)
 -krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
 +krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
 #endif
 #endif /* AUTH_H */
 diff -up openssh-8.6p1/auth-krb5.c.ccache_name openssh-8.6p1/auth-krb5.c
 --- openssh-8.6p1/auth-krb5.c.ccache_name	2021-04-16 05:55:25.000000000 +0200
 +++ openssh-8.6p1/auth-krb5.c	2021-04-19 14:40:55.142832954 +0200
@@ -51,6 +51,7 @@
 #include <unistd.h>
 #include <string.h>
@ -10,7 +29,7 @@ index a5a81ed2..63f877f2 100644
 extern ServerOptions	 options;
-@@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
+@@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, c
 #endif
 	krb5_error_code problem;
 	krb5_ccache ccache = NULL;
@ -19,24 +38,18 @@ index a5a81ed2..63f877f2 100644
 	char *client, *platform_client;
 	const char *errmsg;
-@@ -163,7 +164,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
+@@ -163,8 +164,8 @@ auth_krb5_password(Authctxt *authctxt, c
 		goto out;
 	}
-	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
+-	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,
 -	    &authctxt->krb5_fwd_ccache);
 +	problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx,
 +	     &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
 	if (problem)
 		goto out;
-@@ -172,21 +174,20 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
+@@ -179,15 +180,14 @@ auth_krb5_password(Authctxt *authctxt, c
 	if (problem)
 		goto out;
 -	problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
 +	problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
 				 &creds);
 	if (problem)
 		goto out;
 #endif
@ -57,7 +70,7 @@ index a5a81ed2..63f877f2 100644
 		do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
 #endif
-@@ -222,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
+@@ -223,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, c
 void
 krb5_cleanup_proc(Authctxt *authctxt)
 {
@ -113,7 +126,7 @@ index a5a81ed2..63f877f2 100644
 	if (authctxt->krb5_user) {
 		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
 		authctxt->krb5_user = NULL;
-@@ -237,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
+@@ -238,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
 	}
 }
@ -198,10 +211,7 @@ index a5a81ed2..63f877f2 100644
 +	return -1;
 +}
 +
- krb5_error_code
+krb5_error_code
 -ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
 -	int tmpfd, ret, oerrno;
 -	char ccname[40];
 +ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
 +	profile_t p;
 +	int ret = 0;
@ -222,7 +232,10 @@ index a5a81ed2..63f877f2 100644
 +	return ret;
 +}
 +
-+krb5_error_code
+ krb5_error_code
 -ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
 -	int tmpfd, ret, oerrno;
 -	char ccname[40];
 +ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
 +	int tmpfd, ret, oerrno, type_len;
 +	char *ccname = NULL;
@ -324,30 +337,41 @@ index a5a81ed2..63f877f2 100644
 }
 #endif /* !HEIMDAL */
 #endif /* KRB5 */
-diff --git a/auth.h b/auth.h
+diff -up openssh-8.6p1/gss-serv.c.ccache_name openssh-8.6p1/gss-serv.c
-index 29491df9..fdab5040 100644
+--- openssh-8.6p1/gss-serv.c.ccache_name	2021-04-19 14:05:10.844744503 +0200
--- a/auth.h
+++ openssh-8.6p1/gss-serv.c	2021-04-19 14:05:10.854744577 +0200
-+++ b/auth.h
+@@ -413,13 +413,15 @@ ssh_gssapi_cleanup_creds(void)
-@@ -82,6 +82,7 @@ struct Authctxt {
+ }
 	krb5_principal	 krb5_user;
 	char		*krb5_ticket_file;
 	char		*krb5_ccname;
 +	int		 krb5_set_env;
 #endif
 	struct sshbuf	*loginmsg;
-@@ -238,7 +239,7 @@ int	 sys_auth_passwd(struct ssh *, const char *);
+ /* As user */
- int	 sys_auth_passwd(struct ssh *, const char *);
+-void
 +int
 ssh_gssapi_storecreds(void)
 {
 	if (gssapi_client.mech && gssapi_client.mech->storecreds) {
 -		(*gssapi_client.mech->storecreds)(&gssapi_client);
 +		return (*gssapi_client.mech->storecreds)(&gssapi_client);
 	} else
 		debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
 +
 +	return 0;
 }
- #if defined(KRB5) && !defined(HEIMDAL)
+ /* This allows GSSAPI methods to do things to the child's environment based
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
+@@ -499,9 +501,7 @@ ssh_gssapi_rekey_creds(void) {
-+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
+ 	char *envstr;
 #endif
- #endif /* AUTH_H */
+-	if (gssapi_client.store.filename == NULL &&
-diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
+-	    gssapi_client.store.envval == NULL &&
--- openssh-7.9p1/gss-serv-krb5.c.ccache_name	2019-03-01 15:17:42.708611802 +0100
+-	    gssapi_client.store.envvar == NULL)
-+++ openssh-7.9p1/gss-serv-krb5.c	2019-03-01 15:17:42.713611844 +0100
+	if (gssapi_client.store.envval == NULL)
 		return;
 	ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
 diff -up openssh-8.6p1/gss-serv-krb5.c.ccache_name openssh-8.6p1/gss-serv-krb5.c
 --- openssh-8.6p1/gss-serv-krb5.c.ccache_name	2021-04-19 14:05:10.852744562 +0200
 +++ openssh-8.6p1/gss-serv-krb5.c	2021-04-19 14:05:10.854744577 +0200
@@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
 /* This writes out any forwarded credentials from the structure populated
  * during userauth. Called after we have setuid to the user */
@ -450,7 +474,7 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
 		do_pam_putenv(client->store.envvar, client->store.envval);
 #endif
-@@ -361,7 +355,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
+@@ -364,7 +354,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
 	client->store.data = krb_context;
@ -459,43 +483,10 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
 }
 int
-diff --git a/gss-serv.c b/gss-serv.c
+diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
-index 6cae720e..16e55cbc 100644
+--- openssh-8.6p1/servconf.c.ccache_name	2021-04-19 14:05:10.848744532 +0200
--- a/gss-serv.c
+++ openssh-8.6p1/servconf.c	2021-04-19 14:05:10.854744577 +0200
-+++ b/gss-serv.c
+@@ -136,6 +136,7 @@ initialize_server_options(ServerOptions
@@ -320,13 +320,15 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
 }
 /* As user */
 -void
 +int
 ssh_gssapi_storecreds(void)
 {
 	if (gssapi_client.mech && gssapi_client.mech->storecreds) {
 -		(*gssapi_client.mech->storecreds)(&gssapi_client);
 +		return (*gssapi_client.mech->storecreds)(&gssapi_client);
 	} else
 		debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
 +
 +	return 0;
 }
 /* This allows GSSAPI methods to do things to the child's environment based
@@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() {
 	char *envstr;
 #endif
 -	if (gssapi_client.store.filename == NULL &&
 -	    gssapi_client.store.envval == NULL &&
 -	    gssapi_client.store.envvar == NULL)
 +	if (gssapi_client.store.envval == NULL)
 		return;
 	ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
 diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
 --- openssh-7.9p1/servconf.c.ccache_name	2019-03-01 15:17:42.704611768 +0100
 +++ openssh-7.9p1/servconf.c	2019-03-01 15:17:42.713611844 +0100
@@ -123,6 +123,7 @@ initialize_server_options(ServerOptions
 	options->kerberos_or_local_passwd = -1;
 	options->kerberos_ticket_cleanup = -1;
 	options->kerberos_get_afs_token = -1;
@ -503,7 +494,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
 	options->gss_authentication=-1;
 	options->gss_keyex = -1;
 	options->gss_cleanup_creds = -1;
-@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -359,6 +360,8 @@ fill_default_server_options(ServerOption
 		options->kerberos_ticket_cleanup = 1;
 	if (options->kerberos_get_afs_token == -1)
 		options->kerberos_get_afs_token = 0;
@ -512,7 +503,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
 	if (options->gss_authentication == -1)
 		options->gss_authentication = 0;
 	if (options->gss_keyex == -1)
-@@ -447,7 +450,8 @@ typedef enum {
+@@ -506,7 +509,8 @@ typedef enum {
 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -522,7 +513,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
 	sListenAddress, sAddressFamily,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
-@@ -526,11 +530,13 @@ static struct {
+@@ -593,11 +597,13 @@ static struct {
 #else
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
@ -536,7 +527,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
 #endif
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1437,6 +1443,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1573,6 +1579,10 @@ process_server_config_line_depth(ServerO
 		intptr = &options->kerberos_get_afs_token;
 		goto parse_flag;
@ -547,7 +538,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
 	case sGssAuthentication:
 		intptr = &options->gss_authentication;
 		goto parse_flag;
-@@ -2507,6 +2517,7 @@ dump_config(ServerOptions *o)
+@@ -2891,6 +2901,7 @@ dump_config(ServerOptions *o)
 # ifdef USE_AFS
 	dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
 # endif
@ -555,11 +546,10 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
 #endif
 #ifdef GSSAPI
 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
-diff --git a/servconf.h b/servconf.h
+diff -up openssh-8.6p1/servconf.h.ccache_name openssh-8.6p1/servconf.h
-index db8362c6..4fa42d64 100644
+--- openssh-8.6p1/servconf.h.ccache_name	2021-04-19 14:05:10.848744532 +0200
--- a/servconf.h
+++ openssh-8.6p1/servconf.h	2021-04-19 14:05:10.855744584 +0200
-+++ b/servconf.h
+@@ -140,6 +140,8 @@ typedef struct {
@@ -123,6 +123,8 @@ typedef struct {
 						 * file on logout. */
 	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
 						 * authenticated with Kerberos. */
@ -568,11 +558,10 @@ index db8362c6..4fa42d64 100644
 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
 	int     gss_keyex;		/* If true, permit GSSAPI key exchange */
 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
-diff --git a/session.c b/session.c
+diff -up openssh-8.6p1/session.c.ccache_name openssh-8.6p1/session.c
-index 85df6a27..480a5ead 100644
+--- openssh-8.6p1/session.c.ccache_name	2021-04-19 14:05:10.852744562 +0200
--- a/session.c
+++ openssh-8.6p1/session.c	2021-04-19 14:05:10.855744584 +0200
-+++ b/session.c
+@@ -1038,7 +1038,8 @@ do_setup_env(struct ssh *ssh, Session *s
@@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 	/* Allow any GSSAPI methods that we've used to alter
 	 * the child's environment as they see fit
 	 */
@ -582,7 +571,7 @@ index 85df6a27..480a5ead 100644
 #endif
 	/* Set basic environment. */
-@@ -1105,7 +1106,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
+@@ -1114,7 +1115,7 @@ do_setup_env(struct ssh *ssh, Session *s
 	}
 #endif
 #ifdef KRB5
@ -591,33 +580,10 @@ index 85df6a27..480a5ead 100644
 		child_set_env(&env, &envsize, "KRB5CCNAME",
 		    s->authctxt->krb5_ccname);
 #endif
-diff --git a/ssh-gss.h b/ssh-gss.h
+diff -up openssh-8.6p1/sshd.c.ccache_name openssh-8.6p1/sshd.c
-index 6593e422..245178af 100644
+--- openssh-8.6p1/sshd.c.ccache_name	2021-04-19 14:05:10.849744540 +0200
--- a/ssh-gss.h
+++ openssh-8.6p1/sshd.c	2021-04-19 14:05:10.855744584 +0200
-+++ b/ssh-gss.h
+@@ -2284,7 +2284,7 @@ main(int ac, char **av)
@@ -83,7 +82,7 @@ typedef struct ssh_gssapi_mech_struct {
 	int (*dochild) (ssh_gssapi_client *);
 	int (*userok) (ssh_gssapi_client *, char *);
 	int (*localname) (ssh_gssapi_client *, char **);
 -	void (*storecreds) (ssh_gssapi_client *);
 +	int (*storecreds) (ssh_gssapi_client *);
 	int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
 } ssh_gssapi_mech;
@@ -127,7 +126,7 @@ int ssh_gssapi_userok(char *name);
 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_do_child(char ***, u_int *);
 void ssh_gssapi_cleanup_creds(void);
 -void ssh_gssapi_storecreds(void);
 +int ssh_gssapi_storecreds(void);
 const char *ssh_gssapi_displayname(void);
 char *ssh_gssapi_server_mechanisms(void);
 diff --git a/sshd.c b/sshd.c
 index edbe815c..89514e8a 100644
 --- a/sshd.c
 +++ b/sshd.c
@@ -2162,7 +2162,7 @@ main(int ac, char **av)
 #ifdef GSSAPI
 	if (options.gss_authentication) {
 		temporarily_use_uid(authctxt->pw);
@ -626,11 +592,10 @@ index edbe815c..89514e8a 100644
 		restore_uid();
 	}
 #endif
-diff --git a/sshd_config.5 b/sshd_config.5
+diff -up openssh-8.6p1/sshd_config.5.ccache_name openssh-8.6p1/sshd_config.5
-index c0683d4a..2349f477 100644
+--- openssh-8.6p1/sshd_config.5.ccache_name	2021-04-19 14:05:10.849744540 +0200
--- a/sshd_config.5
+++ openssh-8.6p1/sshd_config.5	2021-04-19 14:05:10.856744592 +0200
-+++ b/sshd_config.5
+@@ -939,6 +939,14 @@ Specifies whether to automatically destr
@@ -860,6 +860,14 @@ Specifies whether to automatically destroy the user's ticket cache
 file on logout.
 The default is
 .Cm yes .
@ -645,3 +610,24 @@ index c0683d4a..2349f477 100644
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
 diff -up openssh-8.6p1/ssh-gss.h.ccache_name openssh-8.6p1/ssh-gss.h
 --- openssh-8.6p1/ssh-gss.h.ccache_name	2021-04-19 14:05:10.852744562 +0200
 +++ openssh-8.6p1/ssh-gss.h	2021-04-19 14:05:10.855744584 +0200
@@ -114,7 +114,7 @@ typedef struct ssh_gssapi_mech_struct {
 	int (*dochild) (ssh_gssapi_client *);
 	int (*userok) (ssh_gssapi_client *, char *);
 	int (*localname) (ssh_gssapi_client *, char **);
 -	void (*storecreds) (ssh_gssapi_client *);
 +	int (*storecreds) (ssh_gssapi_client *);
 	int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
 } ssh_gssapi_mech;
@@ -175,7 +175,7 @@ int ssh_gssapi_userok(char *name, struct
 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_do_child(char ***, u_int *);
 void ssh_gssapi_cleanup_creds(void);
 -void ssh_gssapi_storecreds(void);
 +int ssh_gssapi_storecreds(void);
 const char *ssh_gssapi_displayname(void);
 char *ssh_gssapi_server_mechanisms(void);
--- a/openssh-7.8p1-UsePAM-warning.patch
+++ b/openssh-7.8p1-UsePAM-warning.patch
@ -1,7 +1,7 @@
-diff --git a/sshd.c b/sshd.c
+diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c
--- a/sshd.c
+--- openssh-8.6p1/sshd.c.log-usepam-no	2021-04-19 14:00:45.099735129 +0200
-+++ b/sshd.c
+++ openssh-8.6p1/sshd.c	2021-04-19 14:03:21.140920974 +0200
-@@ -1701,6 +1701,10 @@ main(int ac, char **av)
+@@ -1749,6 +1749,10 @@ main(int ac, char **av)
 	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
 	    cfg, &includes, NULL);
@ -9,13 +9,13 @@ diff --git a/sshd.c b/sshd.c
 +	if (! options.use_pam)
 +		logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
 +
- 	/* Fill in default values for those options not explicitly set. */
+ #ifdef WITH_OPENSSL
- 	fill_default_server_options(&options);
+ 	if (options.moduli_file != NULL)
- 
+ 		dh_set_moduli_file(options.moduli_file);
-diff --git a/sshd_config b/sshd_config
+diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config
--- a/sshd_config
+--- openssh-8.6p1/sshd_config.log-usepam-no	2021-04-19 14:00:45.098735121 +0200
-+++ b/sshd_config
+++ openssh-8.6p1/sshd_config	2021-04-19 14:00:45.099735129 +0200
-@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no
+@@ -87,6 +87,8 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
--- a/openssh-8.0p1-crypto-policies.patch
+++ b/openssh-8.0p1-crypto-policies.patch
@ -1,7 +1,7 @@
-diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
+diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
--- openssh-8.2p1/ssh_config.5.crypto-policies	2020-03-26 14:40:44.546775605 +0100
+--- openssh-8.6p1/ssh_config.5.crypto-policies	2021-04-19 15:18:32.071920379 +0200
-+++ openssh-8.2p1/ssh_config.5	2020-03-26 14:52:20.700649727 +0100
+++ openssh-8.6p1/ssh_config.5	2021-04-19 15:21:18.400179265 +0200
-@@ -359,14 +359,13 @@ or
+@@ -368,15 +368,13 @@ or
 .Qq *.c.example.com
 domains.
 .It Cm CASignatureAlgorithms
@ -14,14 +14,15 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 by certificate authorities (CAs).
 -The default is:
 -.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
+-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
 -rsa-sha2-512,rsa-sha2-256
 -.Ed
 -.Pp
 .Xr ssh 1
 will not accept host certificates signed using algorithms other than those
 specified.
-@@ -424,20 +424,25 @@ If the option is set to
+@@ -436,20 +434,25 @@ If the option is set to
 (the default),
 the check will not be executed.
 .It Cm Ciphers
@ -51,7 +52,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 .Pp
 The supported ciphers are:
 .Bd -literal -offset indent
-@@ -453,13 +458,6 @@ aes256-gcm@openssh.com
+@@ -465,13 +468,6 @@ aes256-gcm@openssh.com
 chacha20-poly1305@openssh.com
 .Ed
 .Pp
@ -65,7 +66,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 The list of available ciphers may also be obtained using
 .Qq ssh -Q cipher .
 .It Cm ClearAllForwardings
-@@ -812,6 +810,11 @@ command line will be passed untouched to
+@@ -826,6 +822,11 @@ command line will be passed untouched to
 The default is
 .Dq no .
 .It Cm GSSAPIKexAlgorithms
@ -77,7 +78,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 The list of key exchange algorithms that are offered for GSSAPI
 key exchange. Possible values are
 .Bd -literal -offset 3n
-@@ -824,10 +827,8 @@ gss-nistp256-sha256-,
+@@ -838,10 +839,8 @@ gss-nistp256-sha256-,
 gss-curve25519-sha256-
 .Ed
 .Pp
@ -89,7 +90,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
-@@ -1149,29 +1150,25 @@ it may be zero or more of:
+@@ -1169,29 +1168,25 @@ it may be zero or more of:
 and
 .Cm pam .
 .It Cm KexAlgorithms
@ -128,7 +129,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 .Pp
 The list of available key exchange algorithms may also be obtained using
 .Qq ssh -Q kex .
-@@ -1231,37 +1228,33 @@ The default is INFO.
+@@ -1301,37 +1296,33 @@ function, and all code in the
 file.
 This option is intended for debugging and no overrides are enabled by default.
 .It Cm MACs
@ -175,7 +176,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 The list of available MAC algorithms may also be obtained using
 .Qq ssh -Q mac .
 .It Cm NoHostAuthenticationForLocalhost
-@@ -1394,37 +1387,25 @@ instead of continuing to execute and pas
+@@ -1503,37 +1494,25 @@ instead of continuing to execute and pas
 The default is
 .Cm no .
 .It Cm PubkeyAcceptedAlgorithms
@ -222,10 +223,10 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 .Pp
 The list of available signature algorithms may also be obtained using
 .Qq ssh -Q PubkeyAcceptedAlgorithms .
-diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
+diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
--- openssh-8.2p1/sshd_config.5.crypto-policies	2020-03-26 14:40:44.530775355 +0100
+--- openssh-8.6p1/sshd_config.5.crypto-policies	2021-04-19 15:18:32.062920311 +0200
-+++ openssh-8.2p1/sshd_config.5	2020-03-26 14:48:56.732468099 +0100
+++ openssh-8.6p1/sshd_config.5	2021-04-19 15:20:42.591908243 +0200
-@@ -375,14 +375,13 @@ If the argument is
+@@ -373,15 +373,13 @@ If the argument is
 then no banner is displayed.
 By default, no banner is displayed.
 .It Cm CASignatureAlgorithms
@ -238,14 +239,15 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 by certificate authorities (CAs).
 -The default is:
 -.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
+-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
 -rsa-sha2-512,rsa-sha2-256
 -.Ed
 -.Pp
 Certificates signed using other algorithms will not be accepted for
 public key or host-based authentication.
 .It Cm ChallengeResponseAuthentication
-@@ -446,20 +446,25 @@ The default is
+@@ -445,20 +443,25 @@ The default is
 indicating not to
 .Xr chroot 2 .
 .It Cm Ciphers
@ -275,7 +277,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 .Pp
 The supported ciphers are:
 .Pp
-@@ -486,13 +491,6 @@ aes256-gcm@openssh.com
+@@ -485,13 +488,6 @@ aes256-gcm@openssh.com
 chacha20-poly1305@openssh.com
 .El
 .Pp
@ -289,7 +291,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 The list of available ciphers may also be obtained using
 .Qq ssh -Q cipher .
 .It Cm ClientAliveCountMax
-@@ -681,21 +679,22 @@ For this to work
+@@ -680,21 +676,22 @@ For this to work
 .Cm GSSAPIKeyExchange
 needs to be enabled in the server and also used by the client.
 .It Cm GSSAPIKexAlgorithms
@ -322,7 +324,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 This option only applies to connections using GSSAPI.
 .It Cm HostbasedAcceptedAlgorithms
 Specifies the signature algorithms that will be accepted for hostbased
-@@ -793,26 +793,13 @@ is specified, the location of the socket
+@@ -794,26 +791,13 @@ is specified, the location of the socket
 .Ev SSH_AUTH_SOCK
 environment variable.
 .It Cm HostKeyAlgorithms
@ -354,7 +356,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 The list of available signature algorithms may also be obtained using
 .Qq ssh -Q HostKeyAlgorithms .
 .It Cm IgnoreRhosts
-@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi
+@@ -958,20 +942,25 @@ Specifies whether to look at .k5login fi
 The default is
 .Cm yes .
 .It Cm KexAlgorithms
@ -384,7 +386,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 The supported algorithms are:
 .Pp
 .Bl -item -compact -offset indent
-@@ -988,15 +981,6 @@ ecdh-sha2-nistp521
+@@ -1003,15 +992,6 @@ ecdh-sha2-nistp521
 sntrup761x25519-sha512@openssh.com
 .El
 .Pp
@ -400,7 +402,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 The list of available key exchange algorithms may also be obtained using
 .Qq ssh -Q KexAlgorithms .
 .It Cm ListenAddress
-@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent.
+@@ -1097,21 +1077,26 @@ function, and all code in the
 file.
 This option is intended for debugging and no overrides are enabled by default.
 .It Cm MACs
@ -431,7 +433,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 .Pp
 The algorithms that contain
 .Qq -etm
-@@ -1122,15 +1111,6 @@ umac-64-etm@openssh.com
+@@ -1154,15 +1139,6 @@ umac-64-etm@openssh.com
 umac-128-etm@openssh.com
 .El
 .Pp
@ -447,7 +449,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 The list of available MAC algorithms may also be obtained using
 .Qq ssh -Q mac .
 .It Cm Match
-@@ -1480,37 +1460,25 @@ or equivalent.)
+@@ -1541,37 +1517,25 @@ or equivalent.)
 The default is
 .Cm yes .
 .It Cm PubkeyAcceptedAlgorithms
--- a/openssh-8.0p1-pkcs11-uri.patch
+++ b/openssh-8.0p1-pkcs11-uri.patch
--- a/openssh.spec
+++ b/openssh.spec
@ -50,8 +50,8 @@
 %{?static_openssl:%global static_libcrypto 1}
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%global openssh_ver 8.5p1
+%global openssh_ver 8.6p1
-%global openssh_rel 2
+%global openssh_rel 1
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 2
@ -650,6 +650,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
 * Mon Apr 19 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.6p1-1
 - New upstream release (#1950819)
 * Tue Mar 09 2021 Rex Dieter <rdieter@fedoraproject.org> - 8.5p1-2
 - ssh-agent.serivce is user unit (#1761817#27)
--- a/4
+++ b/4
@ -1,4 +1,4 @@
-SHA512 (openssh-8.5p1.tar.gz) = af9c34d89170a30fc92a63973e32c766ed4a6d254bb210e317c000d46913e78d0c60c7befe62d993d659be000b828b9d4d3832fc40df1c3d33850aaa6293846f
+SHA512 (openssh-8.6p1.tar.gz) = 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6
-SHA512 (openssh-8.5p1.tar.gz.asc) = 264a991c7207f2215875e2b472a649ede1a69f6486d25777bf522047c26ea77c2995d34b6917a993ea9a250b7dd5298a30f1975e20e471f079c9064ce283cec2
+SHA512 (openssh-8.6p1.tar.gz.asc) = ea75d7fe350fd1761ee5490b222249e9b8915b2a02a1d41979195f15d239def387e4c6467362ab9515d517087750fa66bc368f5baa15c325502f725172631967
 SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
 SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21