Fix malformed patch

8.4p1-4 + 0.10.4-1
Fix Obsoletes for openssh-ldap (#1902084 )
2020-12-01 11:43:46 +01:00 · 2020-12-01 09:54:21 +01:00 · 2020-12-01 09:53:40 +01:00 · 2020-11-30 08:52:02 +01:00 · 2020-11-26 11:48:54 +01:00 · 2020-11-19 15:08:05 +01:00
29 changed files with 554 additions and 3293 deletions
--- a/.gitignore
+++ b/.gitignore
@ -42,3 +42,6 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
 /openssh-8.2p1.tar.gz.asc
 /openssh-8.3p1.tar.gz
 /openssh-8.3p1.tar.gz.asc
+/openssh-8.4p1.tar.gz
+/openssh-8.4p1.tar.gz.asc
+/pam_ssh_agent_auth-0.10.4.tar.gz
--- a/openssh-5.1p1-askpass-progress.patch
+++ b/openssh-5.1p1-askpass-progress.patch
@ -2,15 +2,15 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
 --- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c	2016-12-23 13:31:16.545211926 +0100
@@ -53,6 +53,7 @@
- #include <string.h>
 #include <unistd.h>
+ 
 #include <X11/Xlib.h>
 +#include <glib.h>
 #include <gtk/gtk.h>
 #include <gdk/gdkx.h>
- 
+ #include <gdk/gdkkeysyms.h>
@@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia
- 	gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+ 	return 1;
 }
 
 +static void
@ -34,39 +34,44 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
 -	GtkWidget *parent_window, *dialog, *entry;
 +	GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
 	GdkGrabStatus status;
+ 	GdkColor fg, bg;
+ 	int fg_set = 0, bg_set = 0;
+@@ -104,14 +116,19 @@ passphrase_dialog(char *message)
+ 		gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
 
- 	grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
-@@ -104,16 +116,37 @@ passphrase_dialog(char *message)
- 	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
- 
- 	if (prompt_type == PROMPT_ENTRY) {
+ 	if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) {
 +		hbox = gtk_hbox_new(FALSE, 0);
 +		gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
 +		    FALSE, 0);
 +		gtk_widget_show(hbox);
 +
 		entry = gtk_entry_new();
+		if (fg_set)
+			gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
+		if (bg_set)
+			gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
 		gtk_box_pack_start(
 -		    GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
 -		    entry, FALSE, FALSE, 0);
-+		    GTK_BOX(hbox), entry,
-+		    TRUE, FALSE, 0);
+		    GTK_BOX(hbox), entry, TRUE, FALSE, 0);
 +		gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
 		gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
 		gtk_widget_grab_focus(entry);
- 		gtk_widget_show(entry);
- 		/* Make <enter> close dialog */
- 		g_signal_connect(G_OBJECT(entry), "activate",
- 				 G_CALLBACK(ok_dialog), dialog);
+ 		if (prompt_type == PROMPT_ENTRY) {
+@@ -130,6 +145,22 @@ passphrase_dialog(char *message)
+ 			g_signal_connect(G_OBJECT(entry), "key_press_event",
+ 			                 G_CALLBACK(check_none), dialog);
+ 		}
 +
 +		hbox = gtk_hbox_new(FALSE, 0);
-+		gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
-+	    FALSE, 8);
+		gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox),
+		    hbox, FALSE, FALSE, 8);
 +		gtk_widget_show(hbox);
 +
 +		progress = gtk_progress_bar_new();
 +
-+		gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally");
+		gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress),
+		    "Passphrase length hidden intentionally");
 +		gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
 +		    TRUE, 5);
 +		gtk_widget_show(progress);
--- a/openssh-6.6.1p1-log-in-chroot.patch
+++ b/openssh-6.6.1p1-log-in-chroot.patch
@ -145,9 +145,9 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
 	    session_type,
 	    tty == NULL ? "" : " on ",
@@ -1486,14 +1492,6 @@ child_close_fds(void)
- 	 * descriptors left by system functions.  They will be closed later.
- 	 */
- 	endpwent();
+ 
+ 	/* Stop directing logs to a high-numbered fd before we close it */
+ 	log_redirect_stderr_to(NULL);
 -
 -	/*
 -	 * Close any extra open file descriptors so that we don't have them
--- a/openssh-6.6p1-ctr-cavstest.patch
+++ b/openssh-6.6p1-ctr-cavstest.patch
@ -2,8 +2,8 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
 --- openssh-6.8p1/Makefile.in.ctr-cavs	2015-03-18 11:22:05.493289018 +0100
 +++ openssh-6.8p1/Makefile.in	2015-03-18 11:22:44.504196316 +0100
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
- SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
- SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
+ SFTP_SERVER=$(libexecdir)/sftp-server
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_KEYCAT=$(libexecdir)/ssh-keycat
 +CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@ -13,8 +13,8 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
 
 .SUFFIXES: .lo
 
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
 
 XMSS_OBJS=\
 	ssh-xmss.o \
@ -29,8 +29,8 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 
@@ -326,6 +330,7 @@ install-files:
- 		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
- 	fi
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
 +	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
--- a/openssh-6.6p1-keycat.patch
+++ b/openssh-6.6p1-keycat.patch
@ -36,16 +36,16 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
 --- openssh/Makefile.in.keycat	2015-06-24 10:57:50.152849621 +0200
 +++ openssh/Makefile.in	2015-06-24 10:57:50.157849608 +0200
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
+ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
- SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
- SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
 +SSH_KEYCAT=$(libexecdir)/ssh-keycat
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
 SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
 PRIVSEP_PATH=@PRIVSEP_PATH@
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
+ K5LIBS=@K5LIBS@
 GSSLIBS=@GSSLIBS@
- SSHLIBS=@SSHLIBS@
 SSHDLIBS=@SSHDLIBS@
 +KEYCATLIBS=@KEYCATLIBS@
 LIBEDIT=@LIBEDIT@
@ -55,14 +55,14 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
 
 .SUFFIXES: .lo
 
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
 
 XMSS_OBJS=\
 	ssh-xmss.o \
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
- ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
- 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LDAPLIBS)
+ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+ 	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
 
 +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
 +	$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
@ -71,9 +71,9 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 
@@ -321,6 +325,7 @@ install-files:
- 		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
- 		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
- 	fi
+ 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
 +	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@ -466,16 +466,16 @@ index 3bbccfd..6481f1f 100644
 				esac
 			fi
@@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux],
+ 	fi ]
 )
- AC_SUBST([SSHLIBS])
 AC_SUBST([SSHDLIBS])
 +AC_SUBST([KEYCATLIBS])
 
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
@@ -5031,6 +5034,9 @@ fi
- if test ! -z "${SSHLIBS}"; then
- echo "          +for ssh: ${SSHLIBS}"
+ if test ! -z "${SSHDLIBS}"; then
+ echo "         +for sshd: ${SSHDLIBS}"
 fi
 +if test ! -z "${KEYCATLIBS}"; then
 +echo "   +for ssh-keycat: ${KEYCATLIBS}"
--- a/openssh-6.6p1-kuserok.patch
+++ b/openssh-6.6p1-kuserok.patch
@ -217,7 +217,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
- 		*activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
+ 		*inc_flags &= ~SSHCFG_MATCH_ONLY;
 		break;
 
 +	case sKerberosUseKuserok:
--- a/openssh-6.7p1-kdf-cavs.patch
+++ b/openssh-6.7p1-kdf-cavs.patch
@ -2,7 +2,7 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
 --- openssh-6.8p1/Makefile.in.kdf-cavs	2015-03-18 11:23:46.346049359 +0100
 +++ openssh-6.8p1/Makefile.in	2015-03-18 11:24:20.395968445 +0100
@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
- SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_KEYCAT=$(libexecdir)/ssh-keycat
 CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
 +SSH_CAVS=$(libexecdir)/ssh-cavs
@ -13,8 +13,8 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
 
 .SUFFIXES: .lo
 
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
 
 XMSS_OBJS=\
 	ssh-xmss.o \
@ -29,7 +29,7 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 
@@ -331,6 +335,8 @@ install-files:
- 	fi
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
 +	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
--- a/openssh-6.7p1-ldap.patch
+++ b/openssh-6.7p1-ldap.patch
--- a/openssh-6.7p1-sftp-force-permission.patch
+++ b/openssh-6.7p1-sftp-force-permission.patch
@ -2,21 +2,23 @@ diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8
 --- openssh-7.2p2/sftp-server.8.sftp-force-mode	2016-03-09 19:04:48.000000000 +0100
 +++ openssh-7.2p2/sftp-server.8	2016-06-23 16:18:20.463854117 +0200
@@ -38,6 +38,7 @@
- .Op Fl P Ar blacklisted_requests
- .Op Fl p Ar whitelisted_requests
+ .Op Fl P Ar denied_requests
+ .Op Fl p Ar allowed_requests
 .Op Fl u Ar umask
 +.Op Fl m Ar force_file_perms
 .Ek
 .Nm
 .Fl Q Ar protocol_feature
-@@ -138,6 +139,10 @@ Sets an explicit
+@@ -138,6 +139,12 @@ Sets an explicit
 .Xr umask 2
 to be applied to newly-created files and directories, instead of the
 user's default mask.
 +.It Fl m Ar force_file_perms
 +Sets explicit file permissions to be applied to newly-created files instead
 +of the default or client requested mode.  Numeric values include:
-+777, 755, 750, 666, 644, 640, etc.  Option -u is ineffective if -m is set.
+777, 755, 750, 666, 644, 640, etc.  Using both -m and -u switches makes the
+umask (-u) effective only for newly created directories and explicit mode (-m)
+for newly created files.
 .El
 .Pp
 On some systems,
@ -65,9 +67,9 @@ diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c
@@ -1494,7 +1505,7 @@ sftp_server_usage(void)
 	fprintf(stderr,
 	    "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
- 	    "[-l log_level]\n\t[-P blacklisted_requests] "
-	    "[-p whitelisted_requests] [-u umask]\n"
-+	    "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n"
+ 	    "[-l log_level]\n\t[-P denied_requests] "
+-	    "[-p allowed_requests] [-u umask]\n"
+	    "[-p allowed_requests] [-u umask] [-m force_file_perms]\n"
 	    "       %s -Q protocol_feature\n",
 	    __progname, __progname);
 	exit(1);
--- a/openssh-7.1p2-audit-race-condition.patch
+++ b/openssh-7.1p2-audit-race-condition.patch
@ -137,7 +137,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
 }
 
@@ -1538,6 +1565,34 @@ child_close_fds(void)
- 	endpwent();
+ 	log_redirect_stderr_to(NULL);
 }
 
 +void
--- a/openssh-7.6p1-audit.patch
+++ b/openssh-7.6p1-audit.patch
@ -1158,8 +1158,8 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
     {0, 0, NULL}
 };
@@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int
- 	size_t signaturelen, datalen, bloblen;
- 	int r, ret, req_presence = 0, valid_data = 0, encoded_ret;
+ 	int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;
+ 	int encoded_ret;
 	struct sshkey_sig_details *sig_details = NULL;
 +	int type = 0;
 
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@ -173,20 +173,20 @@ diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
 	all_key = sshkey_alg_list(0, 0, 1, ',');
 	all_sig = sshkey_alg_list(0, 1, 1, ',');
 	/* remove unsupported algos from default lists */
-	def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
-	def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
-	def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
-	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
-	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
-+	def_cipher = match_filter_whitelist((FIPS_mode() ?
+-	def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher);
+-	def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac);
+-	def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex);
+-	def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
+-	def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+	def_cipher = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
-+	def_mac = match_filter_whitelist((FIPS_mode() ?
+	def_mac = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
-+	def_kex = match_filter_whitelist((FIPS_mode() ?
+	def_kex = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
-+	def_key = match_filter_whitelist((FIPS_mode() ?
+	def_key = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
-+	def_sig = match_filter_whitelist((FIPS_mode() ?
+	def_sig = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
 #define ASSEMBLE(what, defaults, all) \
 	do { \
@ -211,20 +211,20 @@ diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
 	all_key = sshkey_alg_list(0, 0, 1, ',');
 	all_sig = sshkey_alg_list(0, 1, 1, ',');
 	/* remove unsupported algos from default lists */
-	def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
-	def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
-	def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
-	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
-	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
-+	def_cipher = match_filter_whitelist((FIPS_mode() ?
+-	def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
+-	def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
+-	def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
+-	def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
+-	def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+	def_cipher = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
-+	def_mac = match_filter_whitelist((FIPS_mode() ?
+	def_mac = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
-+	def_kex = match_filter_whitelist((FIPS_mode() ?
+	def_kex = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
-+	def_key = match_filter_whitelist((FIPS_mode() ?
+	def_key = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
-+	def_sig = match_filter_whitelist((FIPS_mode() ?
+	def_sig = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
 #define ASSEMBLE(what, defaults, all) \
 	do { \
--- a/openssh-7.7p1-redhat.patch
+++ b/openssh-7.7p1-redhat.patch
@ -2,9 +2,9 @@ diff -up openssh/ssh_config.redhat openssh/ssh_config
 --- openssh/ssh_config.redhat	2020-02-11 23:28:35.000000000 +0100
 +++ openssh/ssh_config	2020-02-13 18:13:39.180641839 +0100
@@ -43,3 +43,10 @@
- #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
+ #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
 +#
 +# This system is following system-wide crypto policy.
 +# To modify the crypto properties (Ciphers, MACs, ...), create a  *.conf
@ -86,7 +86,7 @@ diff -up openssh/sshd_config.redhat openssh/sshd_config
 diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
 --- openssh/sshd_config_redhat.redhat	2020-02-13 18:14:02.268006439 +0100
 +++ openssh/sshd_config_redhat	2020-02-13 18:19:20.765035947 +0100
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,28 @@
 +# This system is following system-wide crypto policy. The changes to
 +# crypto properties (Ciphers, MACs, ...) will not have any effect in
 +# this or following included files. To override some configuration option,
@ -96,7 +96,6 @@ diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
 +
 +SyslogFacility AUTHPRIV
 +
-+PasswordAuthentication yes
 +ChallengeResponseAuthentication no
 +
 +GSSAPIAuthentication yes
--- a/openssh-7.8p1-role-mls.patch
+++ b/openssh-7.8p1-role-mls.patch
@ -154,20 +154,6 @@ diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);
-diff -up openssh/configure.ac.role-mls openssh/configure.ac
--- openssh/configure.ac.role-mls	2018-08-20 07:57:29.000000000 +0200
-+++ openssh/configure.ac	2018-08-22 11:14:56.820430957 +0200
-@@ -4241,10 +4241,7 @@ AC_ARG_WITH([selinux],
- 			  LIBS="$LIBS -lselinux"
- 			],
- 			AC_MSG_ERROR([SELinux support requires libselinux library]))
-		SSHLIBS="$SSHLIBS $LIBSELINUX"
-		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
- 		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
-		LIBS="$save_LIBS"
- 	fi ]
- )
- AC_SUBST([SSHLIBS])
 diff -up openssh/misc.c.role-mls openssh/misc.c
 --- openssh/misc.c.role-mls	2018-08-20 07:57:29.000000000 +0200
 +++ openssh/misc.c	2018-08-22 11:14:56.817430932 +0200
@ -338,8 +324,8 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
 --- openssh/monitor_wrap.h.role-mls	2018-08-22 11:14:56.818430941 +0200
 +++ openssh/monitor_wrap.h	2018-08-22 11:22:10.439929513 +0200
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
- int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
-     const u_char *, size_t, const char *, const char *, u_int compat);
+     const u_char *, size_t, const char *, const char *,
+     const char *, u_int compat);
 void mm_inform_authserv(char *, char *);
 +#ifdef WITH_SELINUX
 +void mm_inform_authrole(char *);
--- a/openssh-7.9p1-ssh-copy-id.patch
+++ b/openssh-7.9p1-ssh-copy-id.patch
@ -1,31 +1,27 @@
-diff -up openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id openssh-7.9p1/contrib/ssh-copy-id
--- openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id	2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/contrib/ssh-copy-id	2019-01-23 20:49:30.513393667 +0100
-@@ -112,7 +112,8 @@ do
-         usage
-   }
- 
-  OPT= OPTARG=
-+  OPT=
-+  OPTARG=
-   # implement something like getopt to avoid Solaris pain
-   case "$1" in
-     -i?*|-o?*|-p?*)
-@@ -261,7 +262,7 @@ populate_new_ids() {
-   fi
-   if [ -z "$NEW_IDS" ] ; then
-     printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2
-    printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2
-+    printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' >&2
-     exit 0
-   fi
-   printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
-@@ -296,7 +297,7 @@ case "$REMOTE_VERSION" in
-     # in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
-     #     'cd' to be at $HOME; add a newline if it's missing; and all on one line, because tcsh.
-     [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
-      ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys ; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
-+      ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys || exit 1; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
-       || exit 1
-     ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
-     ;;
+From 22bfdcf060b632b5a6ff603f8f42ff166c211a66 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 29 Sep 2020 10:02:45 +0000
+Subject: [PATCH] Fail hard on the first failed attempt to write the
+ authorized_keys_file
+
+---
+ ssh-copy-id | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 392f64f..e69a23f 100755
+--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
+@@ -251,7 +251,7 @@ installkeys_sh() {
+ 	cd;
+ 	umask 077;
+ 	mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
+-	  { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE}; } &&
+	  { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
+ 	  cat >> ${AUTH_KEY_FILE} ||
+ 	  exit 1;
+ 	if type restorecon >/dev/null 2>&1; then
+-- 
+GitLab
+
+
--- a/openssh-8.0p1-crypto-policies.patch
+++ b/openssh-8.0p1-crypto-policies.patch
@ -39,18 +39,19 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 If the specified list begins with a
 .Sq +
 -character, then the specified ciphers will be appended to the default set
-+character, then the specified ciphers will be appended to the built-in default set
- instead of replacing them.
+-instead of replacing them.
+character, then the specified ciphers will be appended to the built-in
+openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq -
 character, then the specified ciphers (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
 character, then the specified ciphers will be placed at the head of the
 -default set.
-+built-in default set.
+built-in openssh default set.
 .Pp
 The supported ciphers are:
 .Bd -literal -offset indent
@ -106,13 +107,14 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 If the specified list begins with a
 .Sq +
 -character, then the specified methods will be appended to the default set
-+character, then the specified methods will be appended to the built-in default set
- instead of replacing them.
+-instead of replacing them.
+character, then the specified methods will be appended to the built-in
+openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq -
 character, then the specified methods (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
 character, then the specified methods will be placed at the head of the
@ -126,7 +128,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 -diffie-hellman-group18-sha512,
 -diffie-hellman-group14-sha256
 -.Ed
-+built-in default set.
+built-in openssh default set.
 .Pp
 The list of available key exchange algorithms may also be obtained using
 .Qq ssh -Q kex .
@ -146,18 +148,19 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 If the specified list begins with a
 .Sq +
 -character, then the specified algorithms will be appended to the default set
-+character, then the specified algorithms will be appended to the built-in default set
- instead of replacing them.
+-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq -
 character, then the specified algorithms (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
 character, then the specified algorithms will be placed at the head of the
 -default set.
-+built-in default set.
+built-in openssh default set.
 .Pp
 The algorithms that contain
 .Qq -etm
@ -190,13 +193,14 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 If the specified list begins with a
 .Sq +
 -character, then the key types after it will be appended to the default
-+character, then the key types after it will be appended to the built-in default
- instead of replacing it.
+-instead of replacing it.
+character, then the key types after it will be appended to the built-in
+openssh default instead of replacing it.
 If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
 character, then the specified key types will be placed at the head of the
@ -217,7 +221,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 -ssh-ed25519,sk-ssh-ed25519@openssh.com,
 -rsa-sha2-512,rsa-sha2-256,ssh-rsa
 -.Ed
-+built-in default set.
+built-in openssh default set.
 .Pp
 The list of available key types may also be obtained using
 .Qq ssh -Q PubkeyAcceptedKeyTypes .
@ -261,18 +265,19 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 If the specified list begins with a
 .Sq +
 -character, then the specified ciphers will be appended to the default set
-+character, then the specified ciphers will be appended to the built-in default set
- instead of replacing them.
+-instead of replacing them.
+character, then the specified ciphers will be appended to the built-in
+openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq -
 character, then the specified ciphers (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
 character, then the specified ciphers will be placed at the head of the
 -default set.
-+built-in default set.
+built-in openssh default set.
 .Pp
 The supported ciphers are:
 .Pp
@ -370,18 +375,19 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 Alternately if the specified list begins with a
 .Sq +
 -character, then the specified methods will be appended to the default set
-+character, then the specified methods will be appended to the built-in default set
- instead of replacing them.
+-instead of replacing them.
+character, then the specified methods will be appended to the built-in
+openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq -
 character, then the specified methods (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
 character, then the specified methods will be placed at the head of the
 -default set.
-+built-in default set.
+built-in openssh default set.
 The supported algorithms are:
 .Pp
 .Bl -item -compact -offset indent
@ -416,18 +422,19 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 If the specified list begins with a
 .Sq +
 -character, then the specified algorithms will be appended to the default set
-+character, then the specified algorithms will be appended to the built-in default set
- instead of replacing them.
+-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq -
 character, then the specified algorithms (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
 character, then the specified algorithms will be placed at the head of the
 -default set.
-+built-in default set.
+built-in openssh default set.
 .Pp
 The algorithms that contain
 .Qq -etm
@ -461,13 +468,14 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 Alternately if the specified list begins with a
 .Sq +
 -character, then the specified key types will be appended to the default set
-+character, then the specified key types will be appended to the built-in default set
- instead of replacing them.
+-instead of replacing them.
+character, then the specified key types will be appended to the built-in
+openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
 character, then the specified key types will be placed at the head of the
@ -488,7 +496,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 -ssh-ed25519,sk-ssh-ed25519@openssh.com,
 -rsa-sha2-512,rsa-sha2-256,ssh-rsa
 -.Ed
-+built-in default set.
+built-in openssh default set.
 .Pp
 The list of available key types may also be obtained using
 .Qq ssh -Q PubkeyAcceptedKeyTypes .
--- a/openssh-8.0p1-pkcs11-uri.patch
+++ b/openssh-8.0p1-pkcs11-uri.patch
@ -568,8 +568,8 @@ index 4e56e110..2690ebeb 100644
 
 REGRESS_FAIL_EARLY?=	yes
 SUBDIR=	test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion
-SUBDIR+=authopt misc
-+SUBDIR+=authopt misc pkcs11
+-SUBDIR+=authopt misc sshsig
+SUBDIR+=authopt misc sshsig pkcs11
 
 .include <bsd.subdir.mk>
 diff --git a/regress/unittests/pkcs11/tests.c b/regress/unittests/pkcs11/tests.c
@ -807,7 +807,7 @@ index 00000000..b637cb13
 +}
 +
 +void
-+check_encode(char *source, size_t len, char *whitelist, char *expect)
+check_encode(char *source, size_t len, char *allow_list, char *expect)
 +{
 +	char *buf = NULL;
 +	struct sshbuf *b;
@ -816,7 +816,7 @@ index 00000000..b637cb13
 +	TEST_START(buf);
 +	free(buf);
 +
-+	b = percent_encode(source, len, whitelist);
+	b = percent_encode(source, len, allow_list);
 +	ASSERT_STRING_EQ(sshbuf_ptr(b), expect);
 +	sshbuf_free(b);
 +	TEST_DONE();
@ -841,14 +841,14 @@ index 00000000..b637cb13
 +static void
 +test_percent_encode(void)
 +{
-+	/* Without whitelist encodes everything (for CKA_ID) */
+	/* Without allow list encodes everything (for CKA_ID) */
 +	check_encode("A*", 2, "", "%41%2A");
 +	check_encode("\x00", 1, "", "%00");
 +	check_encode("\x7F", 1, "", "%7F");
 +	check_encode("\x80", 1, "", "%80");
 +	check_encode("\xff", 1, "", "%FF");
 +
-+	/* Default whitelist encodes anything but safe letters */
+	/* Default allow list encodes anything but safe letters */
 +	check_encode("test" "\x00" "0alpha", 11, PKCS11_URI_WHITELIST,
 +	    "test%000alpha");
 +	check_encode(" ", 1, PKCS11_URI_WHITELIST,
@ -920,9 +920,9 @@ index 8057eb1f..0c470e32 100644
 --- a/ssh-add.c
 +++ b/ssh-add.c
@@ -67,6 +67,7 @@
- #include "ssherr.h"
 #include "digest.h"
 #include "ssh-sk.h"
+ #include "sk-api.h"
 +#include "ssh-pkcs11-uri.h"
 
 /* argv0 */
@ -1045,9 +1045,9 @@ index 7eb6f0dc..27d8e4af 100644
 +			return NULL;
 +		}
 +		free(module_path);
-+		if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) {
+		if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) {
 +			verbose("refusing PKCS#11 provider \"%.100s\": "
-+			    "not whitelisted", canonical_provider);
+			    "not allowed", canonical_provider);
 +			pkcs11_uri_cleanup(uri);
 +			return NULL;
 +		}
@ -1085,9 +1085,9 @@ index 7eb6f0dc..27d8e4af 100644
 -		    provider, strerror(errno));
 -		goto send;
 -	}
-	if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) {
+-	if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) {
 -		verbose("refusing PKCS#11 add of \"%.100s\": "
-		    "provider not whitelisted", canonical_provider);
+-		    "provider not allowed", canonical_provider);
 +
 +	sane_uri = sanitize_pkcs11_provider(provider);
 +	if (sane_uri == NULL)
@ -1216,7 +1216,7 @@ new file mode 100644
 index 00000000..e1a7b4e0
 --- /dev/null
 +++ b/ssh-pkcs11-uri.c
-@@ -0,0 +1,421 @@
+@@ -0,0 +1,425 @@
 +/*
 + * Copyright (c) 2017 Red Hat
 + *
@ -1342,7 +1342,7 @@ index 00000000..e1a7b4e0
 +}
 +
 +struct sshbuf *
-+percent_encode(const char *data, size_t length, const char *whitelist)
+percent_encode(const char *data, size_t length, const char *allow_list)
 +{
 +	struct sshbuf *b = NULL;
 +	char tmp[4], *cp;
@ -1351,7 +1351,7 @@ index 00000000..e1a7b4e0
 +	if ((b = sshbuf_new()) == NULL)
 +		return NULL;
 +	for (i = 0; i < length; i++) {
-+		cp = strchr(whitelist, data[i]);
+		cp = strchr(allow_list, data[i]);
 +		/* if c is specified as '\0' pointer to terminator is returned !! */
 +		if (cp != NULL && *cp != '\0') {
 +			if (sshbuf_put(b, &data[i], 1) != 0)
@ -1468,6 +1468,10 @@ index 00000000..e1a7b4e0
 +void
 +pkcs11_uri_cleanup(struct pkcs11_uri *pkcs11)
 +{
+	if (pkcs11 == NULL) {
+		return;
+	}
+
 +	free(pkcs11->id);
 +	free(pkcs11->module_path);
 +	free(pkcs11->token);
@ -3111,7 +3115,7 @@ index 15aee569..976844cb 100644
 +		}
 +#endif /* ENABLE_PKCS11 */
 +		cp = tilde_expand_filename(name, getuid());
- 		filename = default_client_percent_expand(cp,
+ 		filename = default_client_percent_dollar_expand(cp,
 		    pw->pw_dir, host, options.user, pw->pw_name);
 		free(cp);
 diff --git a/ssh_config.5 b/ssh_config.5
--- a/openssh-8.3p1-sshd_include.patch
+++ b/openssh-8.3p1-sshd_include.patch
@ -1,227 +0,0 @@
-From 3caa40f40c7f97ecf46969e050e530338864033e Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 25 May 2020 15:46:51 +0200
-Subject: [PATCH 1/3] regress: Add more test cases
-
---
- regress/servcfginclude.sh | 36 +++++++++++++++++++++++++++++++++++-
- 1 file changed, 35 insertions(+), 1 deletion(-)
-
-diff --git a/regress/servcfginclude.sh b/regress/servcfginclude.sh
-index b25c8faa..b6a9a248 100644
--- a/regress/servcfginclude.sh
-+++ b/regress/servcfginclude.sh
-@@ -146,9 +146,43 @@ Include
- _EOF
- 
- trace "disallow invalid with no argument"
-${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x \
-+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x -T \
-     -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
- 	fail "sshd allowed Include with no argument"
- 
-+# Ensure the Include before any Match block works as expected (bug #3122)
-+cat > $OBJ/sshd_config.i << _EOF
-+Banner /xx
-+HostKey $OBJ/host.ssh-ed25519
-+Include $OBJ/sshd_config.i.2
-+Match host a
-+	Banner /aaaa
-+_EOF
-+cat > $OBJ/sshd_config.i.2 << _EOF
-+Match host a
-+	Banner /aa
-+_EOF
-+
-+trace "Include before match blocks"
-+trial a /aa "included file before match blocks is properly evaluated"
-+
-+# Port in included file is correctly interpretted (bug #3169)
-+cat > $OBJ/sshd_config.i << _EOF
-+Include $OBJ/sshd_config.i.2
-+Port 7722
-+_EOF
-+cat > $OBJ/sshd_config.i.2 << _EOF
-+HostKey $OBJ/host.ssh-ed25519
-+_EOF
-+
-+trace "Port after included files"
-+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \
-+    -C "host=x,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out || \
-+	fail "failed to parse Port after included files"
-+_port=`grep -i '^port ' $OBJ/sshd_config.out | awk '{print $2}'`
-+if test "x7722" != "x$_port" ; then
-+	fail "The Port in included file was intertepretted wrongly. Expected 7722, got $_port"
-+fi
-+
- # cleanup
- rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out
-- 
-2.25.4
-
-
-From 924922fcb8f34fb4a156367de2ee33ad92a68a6a Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 25 May 2020 16:56:39 +0200
-Subject: [PATCH 2/3] Do not call process_queued_listen_addrs() for every
- included file
-
-Fixes #3169
---
- servconf.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/servconf.c b/servconf.c
-index 5bb4b1f8..78a7d87d 100644
--- a/servconf.c
-+++ b/servconf.c
-@@ -74,7 +74,7 @@ static void add_listen_addr(ServerOptions *, const char *,
-     const char *, int);
- static void add_one_listen_addr(ServerOptions *, const char *,
-     const char *, int);
-void parse_server_config_depth(ServerOptions *options, const char *filename,
-+static void parse_server_config_depth(ServerOptions *options, const char *filename,
-     struct sshbuf *conf, struct include_list *includes,
-     struct connection_info *connectinfo, int flags, int *activep, int depth);
- 
-@@ -2580,7 +2580,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
- #undef M_CP_STRARRAYOPT
- 
- #define SERVCONF_MAX_DEPTH	16
-void
-+static void
- parse_server_config_depth(ServerOptions *options, const char *filename,
-     struct sshbuf *conf, struct include_list *includes,
-     struct connection_info *connectinfo, int flags, int *activep, int depth)
-@@ -2606,7 +2606,6 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
- 	if (bad_options > 0)
- 		fatal("%s: terminating, %d bad configuration options",
- 		    filename, bad_options);
-	process_queued_listen_addrs(options);
- }
- 
- void
-@@ -2617,6 +2616,7 @@ parse_server_config(ServerOptions *options, const char *filename,
- 	int active = connectinfo ? 0 : 1;
- 	parse_server_config_depth(options, filename, conf, includes,
- 	    connectinfo, 0, &active, 0);
-+	process_queued_listen_addrs(options);
- }
- 
- static const char *
-- 
-2.25.4
-
-
-From 26d970b4fb373cb7bd99286e41dd095cd1eadbd0 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Tue, 26 May 2020 16:25:24 +0200
-Subject: [PATCH 3/3] servconf: Fix parsing of Match blocks in included files
- (#3122)
-
---
- servconf.c | 28 +++++++++++++++++++---------
- 1 file changed, 19 insertions(+), 9 deletions(-)
-
-diff --git a/servconf.c b/servconf.c
-index 78a7d87d..a8541514 100644
--- a/servconf.c
-+++ b/servconf.c
-@@ -554,6 +554,7 @@ typedef enum {
- #define SSHCFG_MATCH		0x02	/* allowed inside a Match section */
- #define SSHCFG_ALL		(SSHCFG_GLOBAL|SSHCFG_MATCH)
- #define SSHCFG_NEVERMATCH	0x04  /* Match never matches; internal only */
-+#define SSHCFG_MATCH_ONLY	0x08  /* Match only in conditional blocks; internal only */
- 
- /* Textual representation of the tokens. */
- static struct {
-@@ -1265,7 +1266,7 @@ static const struct multistate multistate_tcpfwd[] = {
- static int
- process_server_config_line_depth(ServerOptions *options, char *line,
-     const char *filename, int linenum, int *activep,
-    struct connection_info *connectinfo, int inc_flags, int depth,
-+    struct connection_info *connectinfo, int *inc_flags, int depth,
-     struct include_list *includes)
- {
- 	char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
-@@ -2012,7 +2013,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
- 					parse_server_config_depth(options,
- 					    item->filename, item->contents,
- 					    includes, connectinfo,
-					    (oactive ? 0 : SSHCFG_NEVERMATCH),
-+					    (*inc_flags & SSHCFG_MATCH_ONLY
-+					        ? SSHCFG_MATCH_ONLY : (oactive
-+					            ? 0 : SSHCFG_NEVERMATCH)),
- 					    activep, depth + 1);
- 				}
- 				found = 1;
-@@ -2060,7 +2063,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
- 				parse_server_config_depth(options,
- 				    item->filename, item->contents,
- 				    includes, connectinfo,
-				    (oactive ? 0 : SSHCFG_NEVERMATCH),
-+				    (*inc_flags & SSHCFG_MATCH_ONLY
-+				        ? SSHCFG_MATCH_ONLY : (oactive
-+				            ? 0 : SSHCFG_NEVERMATCH)),
- 				    activep, depth + 1);
- 				*activep = oactive;
- 				TAILQ_INSERT_TAIL(includes, item, entry);
-@@ -2078,11 +2083,14 @@ process_server_config_line_depth(ServerOptions *options, char *line,
- 		if (cmdline)
- 			fatal("Match directive not supported as a command-line "
- 			   "option");
-		value = match_cfg_line(&cp, linenum, connectinfo);
-+		value = match_cfg_line(&cp, linenum,
-+		    (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
- 		if (value < 0)
- 			fatal("%s line %d: Bad Match condition", filename,
- 			    linenum);
-		*activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
-+		*activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
-+		/* The MATCH_ONLY is applicable only until the first match block */
-+		*inc_flags &= ~SSHCFG_MATCH_ONLY;
- 		break;
- 
- 	case sKerberosUseKuserok:
-@@ -2385,8 +2393,9 @@ process_server_config_line(ServerOptions *options, char *line,
-     const char *filename, int linenum, int *activep,
-     struct connection_info *connectinfo, struct include_list *includes)
- {
-+	int inc_flags = 0;
- 	return process_server_config_line_depth(options, line, filename,
-	    linenum, activep, connectinfo, 0, 0, includes);
-+	    linenum, activep, connectinfo, &inc_flags, 0, includes);
- }
- 
- 
-@@ -2591,14 +2600,15 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
- 	if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
- 		fatal("Too many recursive configuration includes");
- 
-	debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
-+	debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf),
-+	    (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
- 
- 	if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
- 		fatal("%s: sshbuf_dup_string failed", __func__);
- 	linenum = 1;
- 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
- 		if (process_server_config_line_depth(options, cp,
-		    filename, linenum++, activep, connectinfo, flags,
-+		    filename, linenum++, activep, connectinfo, &flags,
- 		    depth, includes) != 0)
- 			bad_options++;
- 	}
-@@ -2615,7 +2625,7 @@ parse_server_config(ServerOptions *options, const char *filename,
- {
- 	int active = connectinfo ? 0 : 1;
- 	parse_server_config_depth(options, filename, conf, includes,
-	    connectinfo, 0, &active, 0);
-+	    connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
- 	process_queued_listen_addrs(options);
- }
- 
-- 
-2.25.4
-
-
--- a/openssh-8.4p1-debian-compat.patch
+++ b/openssh-8.4p1-debian-compat.patch
@ -0,0 +1,57 @@
+--- compat.h.orig	2020-10-05 10:09:02.953505129 -0700
+++ compat.h	2020-10-05 10:10:17.587733113 -0700
+@@ -34,7 +34,7 @@
+ 
+ #define SSH_BUG_UTF8TTYMODE	0x00000001
+ #define SSH_BUG_SIGTYPE		0x00000002
+-/* #define unused		0x00000004 */
+#define SSH_BUG_SIGTYPE74	0x00000004
+ /* #define unused		0x00000008 */
+ #define SSH_OLD_SESSIONID	0x00000010
+ /* #define unused		0x00000020 */
+--- compat.c.orig	2020-10-05 10:25:02.088720562 -0700
+++ compat.c	2020-10-05 10:13:11.637282492 -0700
+@@ -65,11 +65,12 @@
+ 		{ "OpenSSH_6.5*,"
+ 		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
+ 					SSH_BUG_SIGTYPE},
+		{ "OpenSSH_7.4*",	SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
+		  			SSH_BUG_SIGTYPE74},
+ 		{ "OpenSSH_7.0*,"
+ 		  "OpenSSH_7.1*,"
+ 		  "OpenSSH_7.2*,"
+ 		  "OpenSSH_7.3*,"
+-		  "OpenSSH_7.4*,"
+ 		  "OpenSSH_7.5*,"
+ 		  "OpenSSH_7.6*,"
+ 		  "OpenSSH_7.7*",	SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
+--- sshconnect2.c.orig	2020-09-26 07:26:37.618010545 -0700
+++ sshconnect2.c	2020-10-05 10:47:22.116315148 -0700
+@@ -1305,6 +1305,26 @@
+ 			break;
+ 	}
+ 	free(oallowed);
+	/*
+	 * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
+	 * support.  For that release, check the local policy against the
+	 * SHA2 signature types.
+	 */
+	if (alg == NULL &&
+	    (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
+		oallowed = allowed = xstrdup(options.pubkey_key_types);
+		while ((cp = strsep(&allowed, ",")) != NULL) {
+			if (sshkey_type_from_name(cp) != key->type)
+				continue;
+			tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
+			if (tmp != NULL)
+				alg = xstrdup(cp);
+			free(tmp);
+			if (alg != NULL)
+				break;
+		}
+		free(oallowed);
+	}
+ 	return alg;
+ }
+ 
+
--- a/openssh-8.4p1-sandbox-seccomp.patch
+++ b/openssh-8.4p1-sandbox-seccomp.patch
@ -0,0 +1,14 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e0768c06..5065ae7e 100644
+--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
+@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_pselect6
+ 	SC_ALLOW(__NR_pselect6),
+ #endif
+#ifdef __NR_pselect6_time64
+	SC_ALLOW(__NR_pselect6_time64),
+#endif
+ #ifdef __NR_read
+ 	SC_ALLOW(__NR_read),
+ #endif
--- a/openssh-8.4p1-ssh-copy-id.patch
+++ b/openssh-8.4p1-ssh-copy-id.patch
@ -0,0 +1,130 @@
+From 66f16e5425eb881570e82bfef7baeac2e7accc0a Mon Sep 17 00:00:00 2001
+From: Oleg <Fallmay@users.noreply.github.com>
+Date: Thu, 1 Oct 2020 12:09:08 +0300
+Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
+
+---
+ contrib/ssh-copy-id | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 392f64f94..a76907717 100644
+--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
+@@ -247,7 +247,7 @@ installkeys_sh() {
+   #    the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
+   #    the cat adds the keys we're getting via STDIN
+   #    and if available restorecon is used to restore the SELinux context
+-  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
+  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
+ 	cd;
+ 	umask 077;
+ 	mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
+@@ -258,6 +258,7 @@ installkeys_sh() {
+ 	  restorecon -F .ssh ${AUTH_KEY_FILE};
+ 	fi
+ EOF
+  )
+ 
+   # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
+   printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
+
+From de59a431cdec833e3ec15691dd950402b4c052cf Mon Sep 17 00:00:00 2001
+From: Philip Hands <phil@hands.com>
+Date: Sat, 3 Oct 2020 00:20:07 +0200
+Subject: [PATCH] un-nest $() to make ksh cheerful
+
+---
+ ssh-copy-id | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+From 02ac2c3c3db5478a440dfb1b90d15f686f2cbfc6 Mon Sep 17 00:00:00 2001
+From: Philip Hands <phil@hands.com>
+Date: Fri, 2 Oct 2020 21:30:10 +0200
+Subject: [PATCH] ksh doesn't grok 'local'
+
+and AFAICT it's not actually doing anything useful in the code, so let's
+see how things go without it.
+---
+ ssh-copy-id | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index a769077..11c9463 100755
+--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
+@@ -76,7 +76,7 @@ quote() {
+ }
+ 
+ use_id_file() {
+-  local L_ID_FILE="$1"
+  L_ID_FILE="$1"
+ 
+   if [ -z "$L_ID_FILE" ] ; then
+     printf '%s: ERROR: no ID file found\n' "$0"
+@@ -94,7 +94,7 @@ use_id_file() {
+   # check that the files are readable
+   for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
+     ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
+-      local L_PRIVMSG=""
+      L_PRIVMSG=""
+       [ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG="	(to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
+       printf "\\n%s: ERROR: failed to open ID file '%s': %s\\n" "$0" "$f" "$(printf '%s\n%s\n' "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
+       exit 1
+@@ -169,7 +169,7 @@ fi
+ # populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
+ # and has the side effect of setting $NEW_IDS
+ populate_new_ids() {
+-  local L_SUCCESS="$1"
+  L_SUCCESS="$1"
+ 
+   # shellcheck disable=SC2086
+   if [ "$FORCED" ] ; then
+@@ -181,13 +181,12 @@ populate_new_ids() {
+   eval set -- "$SSH_OPTS"
+ 
+   umask 0177
+-  local L_TMP_ID_FILE
+   L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
+   if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
+     printf '%s: ERROR: mktemp failed\n' "$0" >&2
+     exit 1
+   fi
+-  local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
+  L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
+   # shellcheck disable=SC2064
+   trap "$L_CLEANUP" EXIT TERM INT QUIT
+   printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
+@@ -237,7 +236,7 @@ populate_new_ids() {
+ #    produce a one-liner to add the keys to remote authorized_keys file
+ #    optionally takes an alternative path for authorized_keys
+ installkeys_sh() {
+-  local AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
+  AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
+ 
+   # In setting INSTALLKEYS_SH:
+   #    the tr puts it all on one line (to placate tcsh)
+-- 
+
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 11c9463..ee3f637 100755
+--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
+@@ -237,6 +237,7 @@ populate_new_ids() {
+ #    optionally takes an alternative path for authorized_keys
+ installkeys_sh() {
+   AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
+  AUTH_KEY_DIR=$(dirname "${AUTH_KEY_FILE}")
+ 
+   # In setting INSTALLKEYS_SH:
+   #    the tr puts it all on one line (to placate tcsh)
+@@ -249,7 +250,7 @@ installkeys_sh() {
+   INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
+ 	cd;
+ 	umask 077;
+-	mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
+	mkdir -p "${AUTH_KEY_DIR}" &&
+ 	  { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
+ 	  cat >> ${AUTH_KEY_FILE} ||
+ 	  exit 1;
+-- 
--- a/openssh.spec
+++ b/openssh.spec
@ -29,9 +29,6 @@
 # Do we want libedit support
 %global libedit 1

-# Do we want LDAP support
-%global ldap 1
-
 # Whether to build pam_ssh_agent_auth
 %if 0%{?!nopam:1}
 %global pam_ssh_agent 1
@ -52,35 +49,23 @@
 # rpm -ba|--rebuild --define "static_openssl 1"
 %{?static_openssl:%global static_libcrypto 1}

-# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
-%global rescue 0
-%{?build_rescue:%global rescue 1}
-%{?build_rescue:%global rescue_rel rescue}
-
-# Turn off some stuff for resuce builds
-%if %{rescue}
-%global kerberos5 0
-%global libedit 0
-%global pam_ssh_agent 0
-%endif
-
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%global openssh_ver 8.3p1
-%global openssh_rel 3
-%global pam_ssh_agent_ver 0.10.3
-%global pam_ssh_agent_rel 10
+%global openssh_ver 8.4p1
+%global openssh_rel 4
+%global pam_ssh_agent_ver 0.10.4
+%global pam_ssh_agent_rel 1

 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}%{?rescue_rel}
+Release: %{openssh_rel}%{?dist}
 URL: http://www.openssh.com/portable.html
-#URL1: http://pamsshagentauth.sourceforge.net
+#URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
 Source2: sshd.pam
 Source3: DJM-GPG-KEY.gpg
-Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2
+Source4: https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.gz
 Source5: pam_ssh_agent-rmheaders
 Source6: ssh-keycat.pam
 Source7: sshd.sysconfig
@ -122,9 +107,6 @@ Patch307: pam_ssh_agent_auth-0.10.2-dereference.patch
 Patch400: openssh-7.8p1-role-mls.patch
 #https://bugzilla.redhat.com/show_bug.cgi?id=781634
 Patch404: openssh-6.6p1-privsep-selinux.patch
-
-#?-- unwanted child :(
-Patch501: openssh-6.7p1-ldap.patch
 #?
 Patch502: openssh-6.6p1-keycat.patch

@ -156,7 +138,7 @@ Patch713: openssh-6.6p1-ctr-cavstest.patch
 # add SSH KDF CAVS test driver
 Patch714: openssh-6.7p1-kdf-cavs.patch

-# GSSAPI Key Exchange (RFC 4462 + draft-ietf-curdle-gss-keyex-sha2-08)
+# GSSAPI Key Exchange (RFC 4462 + RFC 8732)
 # from https://github.com/openssh-gsskex/openssh-gsskex/tree/fedora/master
 Patch800: openssh-8.0p1-gssapi-keyex.patch
 #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
@ -202,8 +184,7 @@ Patch951: openssh-8.0p1-pkcs11-uri.patch
 # Unbreak scp between two IPv6 hosts (#1620333)
 Patch953: openssh-7.8p1-scp-ipv6.patch
 # ssh-copy-id is unmaintained: Aggreagete patches
-#  - do not return 0 if the write fails (full disk)
-#  - shellcheck reports (upstream #2902)
+# https://gitlab.com/phil_hands/ssh-copy-id/-/merge_requests/2
 Patch958: openssh-7.9p1-ssh-copy-id.patch
 # Mention crypto-policies in manual pages (#1668325)
 Patch962: openssh-8.0p1-crypto-policies.patch
@ -215,8 +196,11 @@ Patch964: openssh-8.0p1-openssl-kdf.patch
 Patch965: openssh-8.2p1-visibility.patch
 # Do not break X11 without IPv6
 Patch966: openssh-8.2p1-x11-without-ipv6.patch
-# Unbreak sshd_config include corner cases (#3122)
-Patch967: openssh-8.3p1-sshd_include.patch
+Patch967: openssh-8.4p1-ssh-copy-id.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3232
+Patch968: openssh-8.4p1-sandbox-seccomp.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
+Patch969: openssh-8.4p1-debian-compat.patch

 License: BSD
 Requires: /sbin/nologin
@ -230,9 +214,6 @@ BuildRequires: gnome-libs-devel
 %endif
 %endif

-%if %{ldap}
-BuildRequires: openldap-devel
-%endif
 BuildRequires: autoconf, automake, perl-interpreter, perl-generators, zlib-devel
 BuildRequires: audit-libs-devel >= 2.0.5
 BuildRequires: util-linux, groff
@ -240,10 +221,11 @@ BuildRequires: pam-devel
 BuildRequires: openssl-devel >= 0.9.8j
 BuildRequires: perl-podlators
 BuildRequires: systemd-devel
-BuildRequires: gcc
+BuildRequires: gcc make
 BuildRequires: p11-kit-devel
 BuildRequires: libfido2-devel
 Recommends: p11-kit
+Obsoletes: openssh-ldap < 8.3p1-4

 %if %{kerberos5}
 BuildRequires: krb5-devel
@ -277,12 +259,6 @@ Requires: pam >= 1.0.1-3
 Requires: crypto-policies >= 20200610-1
 %{?systemd_requires}

-%if %{ldap}
-%package ldap
-Summary: A LDAP support for open source SSH server daemon
-Requires: openssh = %{version}-%{release}
-%endif
-
 %package keycat
 Summary: A mls keycat backend for openssh
 Requires: openssh = %{version}-%{release}
@ -298,7 +274,7 @@ Requires: openssh = %{version}-%{release}
 %package -n pam_ssh_agent_auth
 Summary: PAM module for authentication with ssh-agent
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.2
 License: BSD

 %description
@ -326,12 +302,6 @@ into and executing commands on a remote machine. This package contains
 the secure shell daemon (sshd). The sshd daemon allows SSH clients to
 securely connect to your SSH server.

-%if %{ldap}
-%description ldap
-OpenSSH LDAP backend is a way how to distribute the authorized tokens
-among the servers in the network.
-%endif
-
 %description keycat
 OpenSSH mls keycat is backend for using the authorized keys in the
 openssh in the mls mode.
@ -358,7 +328,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %setup -q -a 4

 %if %{pam_ssh_agent}
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
+pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 %patch300 -p2 -b .psaa-build
 %patch301 -p2 -b .psaa-seteuid
 %patch302 -p2 -b .psaa-visibility
@ -373,9 +343,6 @@ popd
 %patch400 -p1 -b .role-mls
 %patch404 -p1 -b .privsep-selinux

-%if %{ldap}
-%patch501 -p1 -b .ldap
-%endif
 %patch502 -p1 -b .keycat

 %patch601 -p1 -b .ip-opts
@ -417,7 +384,9 @@ popd
 %patch964 -p1 -b .openssl-kdf
 %patch965 -p1 -b .visibility
 %patch966 -p1 -b .x11-ipv6
-%patch967 -p1 -b .include
+%patch967 -p1 -b .ssh-copy-id
+%patch968 -p1 -b .seccomp
+%patch969 -p0 -b .debian

 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@ -426,7 +395,7 @@ popd
 %patch100 -p1 -b .coverity

 autoreconf
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
+pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 autoreconf
 popd

@ -434,9 +403,6 @@ popd
 # the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
 # it is needed for lib(open)ssh build too since it is linked to the pam module too
 CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS
-%if %{rescue}
-CFLAGS="$CFLAGS -Os"
-%endif
 %if %{pie}
 %ifarch s390 s390x sparc sparcv9 sparc64
 CFLAGS="$CFLAGS -fPIC"
@ -482,14 +448,7 @@ fi
 	--with-systemd \
 	--with-default-pkcs11-provider=yes \
 	--with-security-key-builtin=yes \
-%if %{ldap}
-	--with-ldap \
-%endif
-%if %{rescue}
-	--without-pam \
-%else
 	--with-pam \
-%endif
 %if %{WITH_SELINUX}
 	--with-selinux --with-audit=linux \
 	--with-sandbox=seccomp_filter \
@ -509,7 +468,7 @@ fi
 perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
 %endif

-make
+%make_build

 # Define a variable to toggle gnome1/gtk2 building.  This is necessary
 # because RPM doesn't handle nested %%if statements.
@ -534,13 +493,13 @@ popd
 %endif

 %if %{pam_ssh_agent}
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
+pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 LDFLAGS="$SAVE_LDFLAGS"
 %configure --with-selinux \
 	--libexecdir=/%{_libdir}/security \
 	--with-mantype=man \
 	--without-openssl-header-check `# The check is broken`
-make
+%make_build
 popd
 %endif

@ -557,8 +516,7 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
 mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
-make install DESTDIR=$RPM_BUILD_ROOT
-rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf
+%make_install

 install -d $RPM_BUILD_ROOT/etc/pam.d/
 install -d $RPM_BUILD_ROOT/etc/sysconfig/
@ -597,8 +555,8 @@ rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.*
 perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*

 %if %{pam_ssh_agent}
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
-make install DESTDIR=$RPM_BUILD_ROOT
+pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
+%make_install
 popd
 %endif
 %pre
@ -612,6 +570,17 @@ getent passwd sshd >/dev/null || \

 %post server
 %systemd_post sshd.service sshd.socket
+# Migration scriptlet for Fedora 31 and 32 installations to sshd_config
+# drop-in directory (in F32+).
+# Do this only if the file generated by anaconda exists, contains our config
+# directive and sshd_config contains include directive as shipped in our package
+%global sysconfig_anaconda /etc/sysconfig/sshd-permitrootlogin
+test -f %{sysconfig_anaconda} && \
+  test ! -f /etc/ssh/sshd_config.d/01-permitrootlogin.conf && \
+  grep -q '^PERMITROOTLOGIN="-oPermitRootLogin=yes"' %{sysconfig_anaconda} && \
+  grep -q '^Include /etc/ssh/sshd_config.d/\*.conf' /etc/ssh/sshd_config && \
+  echo "PermitRootLogin yes" >> /etc/ssh/sshd_config.d/25-permitrootlogin.conf && \
+  rm %{sysconfig_anaconda} || :

 %preun server
 %systemd_preun sshd.service sshd.socket
@ -624,13 +593,11 @@ getent passwd sshd >/dev/null || \
 %doc CREDITS ChangeLog OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
-%if ! %{rescue}
 %attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
 %attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
 %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
-%endif

 %files clients
 %attr(0755,root,root) %{_bindir}/ssh
@ -641,7 +608,6 @@ getent passwd sshd >/dev/null || \
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d/
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-redhat.conf
 %attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
-%if ! %{rescue}
 %attr(0755,root,root) %{_bindir}/ssh-agent
 %attr(0755,root,root) %{_bindir}/ssh-add
 %attr(0755,root,root) %{_bindir}/ssh-keyscan
@ -656,9 +622,7 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
 %attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
 %attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
-%endif

-%if ! %{rescue}
 %files server
 %dir %attr(0711,root,root) %{_var}/empty/sshd
 %attr(0755,root,root) %{_sbindir}/sshd
@ -679,17 +643,6 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
 %attr(0644,root,root) %{_unitdir}/sshd-keygen.target
 %attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
-%endif
-
-%if %{ldap}
-%files ldap
-%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf
-%doc openssh-lpk-openldap.ldif openssh-lpk-sun.ldif
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper
-%attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8*
-%attr(0644,root,root) %{_mandir}/man5/ssh-ldap.conf.5*
-%endif

 %files keycat
 %doc HOWTO.ssh-keycat
@ -710,12 +663,36 @@ getent passwd sshd >/dev/null || \

 %if %{pam_ssh_agent}
 %files -n pam_ssh_agent_auth
-%license pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
+%license pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
 %attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
 %attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
 %endif

 %changelog
+* Tue Dec 01 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-4 + 0.10.4-1
+- Remove "PasswordAuthentication yes" from vendor configuration as it is
+  already default and it might be hard to override.
+- Fix broken obsoletes for openssh-ldap (#1902084)
+
+* Thu Nov 19 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-3 + 0.10.4-1
+- Unbreak seccomp filter on arm (#1897712)
+- Add a workaround for Debian's broken OpenSSH (#1881301)
+
+* Tue Oct 06 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-2 + 0.10.4-1
+- Unbreak ssh-copy-id after a release (#1884231)
+- Remove misleading comment from sysconfig
+
+* Tue Sep 29 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-1 + 0.10.4-1
+- New upstream release of OpenSSH and pam_ssh_agent_auth (#1882995)
+
+* Fri Aug 21 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-4 + 0.10.3-10
+- Remove openssh-ldap subpackage (#1871025)
+- pkcs11: Do not crash with invalid paths in ssh-agent (#1868996)
+- Clarify documentation about sftp-server -m (#1862504)
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 8.3p1-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
 * Wed Jun 10 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-3 + 0.10.3-10
 - Do not lose PIN when more slots match PKCS#11 URI (#1843372)
 - Update to new crypto-policies version on server (using sshd_config include)
--- a/1
+++ b/1
@ -9,7 +9,6 @@ buffer.c
 cleanup.c
 cipher.h
 compat.h
-defines.h
 entropy.c
 entropy.h
 fatal.c
--- a/pam_ssh_agent_auth-0.10.2-compat.patch
+++ b/pam_ssh_agent_auth-0.10.2-compat.patch
@ -1,6 +1,6 @@
-diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c
--- openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
-+++ openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c	2020-02-07 10:43:05.011757956 +0100
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c.psaa-compat	2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c	2020-09-23 10:52:16.424001475 +0200
@@ -27,6 +27,7 @@
  * or implied, of Jamie Beverly.
  */
@ -9,7 +9,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss
 #include <stdio.h>
 #include <errno.h>
 #include <string.h>
-@@ -65,8 +66,8 @@ proc_pid_cmdline(char *** inargv)
+@@ -66,8 +67,8 @@ proc_pid_cmdline(char *** inargv)
                 case EOF:
                 case '\0':
                     if (len > 0) { 
@ -20,7 +20,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss
                         strncpy(argv[count++], argbuf, len);
                         memset(argbuf, '\0', MAX_LEN_PER_CMDLINE_ARG + 1);
                         len = 0;
-@@ -105,9 +106,9 @@ pamsshagentauth_free_command_line(char *
+@@ -106,9 +107,9 @@ pamsshagentauth_free_command_line(char *
 {
     size_t i;
     for (i = 0; i < n_args; i++)
@ -32,9 +32,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss
     return;
 }
 
-diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/identity.h
--- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
-+++ openssh/pam_ssh_agent_auth-0.10.3/identity.h	2020-02-07 10:43:05.011757956 +0100
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h.psaa-compat	2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h	2020-09-23 10:52:16.424001475 +0200
@@ -30,8 +30,8 @@
 #include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
@ -55,9 +55,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ss
     char    *filename;      /* comment for agent-only keys */
     int tried;
     int isprivate;      /* key points to the private key */
-diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat	2020-02-07 10:43:05.009757925 +0100
-+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c	2020-02-07 10:43:05.012757972 +0100
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c.psaa-compat	2020-09-23 10:52:16.421001434 +0200
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c	2020-09-23 10:52:16.424001475 +0200
@@ -36,8 +36,8 @@
 #include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
@ -285,10 +285,10 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
     EVP_cleanup();
     return retval;
 }
-diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c
--- openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat	2020-02-07 10:43:05.010757940 +0100
-+++ openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c	2020-02-07 10:43:05.012757972 +0100
-@@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c.psaa-compat	2020-09-23 10:52:16.423001461 +0200
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c	2020-09-23 10:53:10.631727657 +0200
+@@ -106,7 +106,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
  * a patch 8-)
  */
 #if ! HAVE___PROGNAME || HAVE_BUNDLE
@ -297,7 +297,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
 #endif
 
     for(i = argc, argv_ptr = (char **) argv; i > 0; ++argv_ptr, i--) {
-@@ -130,11 +130,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
+@@ -132,11 +132,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
 #endif
     }
 
@ -311,7 +311,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
 
     if(ruser_ptr) {
         strncpy(ruser, ruser_ptr, sizeof(ruser) - 1);
-@@ -149,12 +149,12 @@ pam_sm_authenticate(pam_handle_t * pamh,
+@@ -151,12 +151,12 @@ pam_sm_authenticate(pam_handle_t * pamh,
 #ifdef ENABLE_SUDO_HACK
         if( (strlen(sudo_service_name) > 0) && strncasecmp(servicename, sudo_service_name, sizeof(sudo_service_name) - 1) == 0 && getenv("SUDO_USER") ) {
             strncpy(ruser, getenv("SUDO_USER"), sizeof(ruser) - 1 );
@ -326,7 +326,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
                 goto cleanexit;
             }
             strncpy(ruser, getpwuid(getuid())->pw_name, sizeof(ruser) - 1);
-@@ -163,11 +163,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
+@@ -165,11 +165,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
 
     /* Might as well explicitely confirm the user exists here */
     if(! getpwnam(ruser) ) {
@ -340,7 +340,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
         goto cleanexit;
     }
 
-@@ -177,8 +177,8 @@ pam_sm_authenticate(pam_handle_t * pamh,
+@@ -179,8 +179,8 @@ pam_sm_authenticate(pam_handle_t * pamh,
          */
         parse_authorized_key_file(user, authorized_keys_file_input);
     } else {
@ -351,7 +351,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
     }
 
     /*
-@@ -187,19 +187,19 @@ pam_sm_authenticate(pam_handle_t * pamh,
+@@ -189,7 +189,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
      */
 
     if(user && strlen(ruser) > 0) {
@ -359,11 +359,26 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
 +        verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
 
         /*
+          * Attempt to read data from the sshd if we're being called as an auth agent.
+@@ -197,10 +197,10 @@ pam_sm_authenticate(pam_handle_t * pamh,
+         const char* ssh_user_auth = pam_getenv(pamh, "SSH_AUTH_INFO_0");
+         int sshd_service = strncasecmp(servicename, sshd_service_name, sizeof(sshd_service_name) - 1);
+         if (sshd_service == 0 && ssh_user_auth != NULL) {
+-            pamsshagentauth_verbose("Got SSH_AUTH_INFO_0: `%.20s...'", ssh_user_auth);
+            verbose("Got SSH_AUTH_INFO_0: `%.20s...'", ssh_user_auth);
+             if (userauth_pubkey_from_pam(ruser, ssh_user_auth) > 0) {
+                 retval = PAM_SUCCESS;
+-                pamsshagentauth_logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
+                logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
+                 goto cleanexit;
+             }
+         }
+@@ -208,13 +208,13 @@ pam_sm_authenticate(pam_handle_t * pamh,
          * this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user
          */
         if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */
-            pamsshagentauth_logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
-+            logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
+-            pamsshagentauth_logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
+            logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
             retval = PAM_SUCCESS;
         } else {
 -            pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
@ -375,9 +390,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
     }
 
 cleanexit:
-diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
-+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c	2020-02-07 10:43:05.012757972 +0100
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c.psaa-compat	2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c	2020-09-23 10:52:16.424001475 +0200
@@ -66,8 +66,8 @@
 #include "xmalloc.h"
 #include "match.h"
@ -442,9 +457,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compa
 {
     return
         pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
-diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
-+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h	2020-02-07 10:43:05.012757972 +0100
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h.psaa-compat	2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h	2020-09-23 10:52:16.424001475 +0200
@@ -32,7 +32,7 @@
 #define _PAM_USER_KEY_ALLOWED_H
 
@ -454,9 +469,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compa
 void parse_authorized_key_file(const char *, const char *);
 
 #endif
-diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
-+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c	2020-02-07 10:43:05.012757972 +0100
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c.psaa-compat	2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c	2020-09-23 10:52:16.424001475 +0200
@@ -45,44 +45,46 @@
 #include "xmalloc.h"
 #include "ssh.h"
@ -731,9 +746,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat o
 +    restore_uid();
     return found_key;
 }
-diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
-+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h	2020-02-07 10:43:05.012757972 +0100
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h.psaa-compat	2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h	2020-09-23 10:52:16.424001475 +0200
@@ -32,7 +32,7 @@
 #define _PAM_USER_KEY_ALLOWED_H
 
@ -744,9 +759,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat o
 +int pamsshagentauth_user_key_command_allowed2(char *, char *, struct passwd *, struct sshkey *);
 
 #endif
-diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c
--- openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
-+++ openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c	2020-02-07 10:43:05.012757972 +0100
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c.psaa-compat	2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c	2020-09-23 10:52:16.424001475 +0200
@@ -53,8 +53,8 @@
 #include "xmalloc.h"
 #include "match.h"
@ -788,9 +803,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh
 			    buf);
 			break;
 		}
-diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
-+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c	2020-02-07 10:43:23.520048960 +0100
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.psaa-compat	2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c	2020-09-23 10:52:16.424001475 +0200
@@ -37,10 +37,11 @@
 #include "xmalloc.h"
 #include "ssh.h"
@ -887,9 +902,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat
     CRYPTO_cleanup_all_ex_data();
     return authenticated;
 }
-diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
-+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h	2020-02-07 10:43:05.013757988 +0100
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h.psaa-compat	2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h	2020-09-23 10:52:16.424001475 +0200
@@ -31,7 +31,7 @@
 #ifndef _USERAUTH_PUBKEY_FROM_ID_H
 #define _USERAUTH_PUBKEY_FROM_ID_H
@ -900,9 +915,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat
 +int userauth_pubkey_from_id(const char *, Identity *, struct sshbuf *);
 
 #endif
-diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/uuencode.c
--- openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
-+++ openssh/pam_ssh_agent_auth-0.10.3/uuencode.c	2020-02-07 10:43:05.013757988 +0100
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c.psaa-compat	2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c	2020-09-23 10:52:16.424001475 +0200
@@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src
 	/* and remove trailing whitespace because __b64_pton needs this */
 	*p = '\0';
@ -928,3 +943,50 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ss
 -	pamsshagentauth_xfree(buf);
 +	free(buf);
 }
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_pam.c.compat	2020-09-23 11:32:30.783695267 +0200
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_pam.c	2020-09-23 11:33:21.383389036 +0200
+@@ -33,7 +33,8 @@
+ #include <string.h>
+ 
+ #include "defines.h"
+-#include "key.h"
+#include <includes.h>
+#include "sshkey.h"
+ #include "log.h"
+ 
+ #include "pam_user_authorized_keys.h"
+@@ -42,28 +42,28 @@
+     int authenticated = 0;
+     const char method[] = "publickey ";
+ 
+-    char* ai = pamsshagentauth_xstrdup(ssh_auth_info);
+    char* ai = xstrdup(ssh_auth_info);
+     char* saveptr;
+ 
+     char* auth_line = strtok_r(ai, "\n", &saveptr);
+     while (auth_line != NULL) {
+         if (strncmp(auth_line, method, sizeof(method) - 1) == 0) {
+             char* key_str = auth_line + sizeof(method) - 1;
+-            Key* key = pamsshagentauth_key_new(KEY_UNSPEC);
+            struct sshkey* key = sshkey_new(KEY_UNSPEC);
+             if (key == NULL) {
+                 continue;
+             }
+-            int r = pamsshagentauth_key_read(key, &key_str);
+            int r = sshkey_read(key, &key_str);
+             if (r == 1) {
+                 if (pam_user_key_allowed(ruser, key)) {
+                     authenticated = 1;
+-                    pamsshagentauth_key_free(key);
+                    sshkey_free(key);
+                     break;
+                 }
+             } else {
+-                pamsshagentauth_verbose("Failed to create key for %s: %d", auth_line, r);
+                verbose("Failed to create key for %s: %d", auth_line, r);
+             }
+-            pamsshagentauth_key_free(key);
+            sshkey_free(key);
+         }
+         auth_line = strtok_r(NULL, "\n", &saveptr);
+     }
--- a/pam_ssh_agent_auth-0.9.3-build.patch
+++ b/pam_ssh_agent_auth-0.9.3-build.patch
@ -174,8 +174,8 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-
 
 ED25519OBJS=ed25519-donna/ed25519.o
 
-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o
-+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o secure_filename.o
+-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o userauth_pubkey_from_pam.o
+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o userauth_pubkey_from_pam.o secure_filename.o
 
 
 MANPAGES_IN	= pam_ssh_agent_auth.pod
--- a/6
+++ b/6
@ -1,4 +1,4 @@
-SHA512 (openssh-8.3p1.tar.gz) = b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
-SHA512 (openssh-8.3p1.tar.gz.asc) = 569fa12b3671af15bd7cd54fc7b13d1d64f3e96eb28f6dc430082f7bec4595689c633d3d56c23faad45b73e4da666c3ec090de26bf54f49410ba9bb8b5363e75
+SHA512 (openssh-8.4p1.tar.gz) = d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
+SHA512 (openssh-8.4p1.tar.gz.asc) = 3d9a026db27729a5a56785db3824230ccf2a3beca4bb48ef465e44d869b944dbc5d443152a1b1be21bc9c213c465d3d7ca1f876a387d0a6b9682a0cfec3e6e32
+SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
 SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
-SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66
--- a/sshd.service
+++ b/sshd.service
@ -6,9 +6,8 @@ Wants=sshd-keygen.target

 [Service]
 Type=notify
-EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
 EnvironmentFile=-/etc/sysconfig/sshd
-ExecStart=/usr/sbin/sshd -D $OPTIONS $PERMITROOTLOGIN
+ExecStart=/usr/sbin/sshd -D $OPTIONS
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure
--- a/sshd.sysconfig
+++ b/sshd.sysconfig
@ -5,7 +5,3 @@
 # example using  systemctl enable sshd-keygen@dsa.service  to allow creation
 # of DSA key or  systemctl mask sshd-keygen@rsa.service  to disable RSA key
 # creation.
-
-# System-wide crypto policy:
-# To opt-out, uncomment the following line
-# CRYPTO_POLICY=
--- a/sshd@.service
+++ b/sshd@.service
@ -5,7 +5,6 @@ Wants=sshd-keygen.target
 After=sshd-keygen.target

 [Service]
-EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
 EnvironmentFile=-/etc/sysconfig/sshd
-ExecStart=-/usr/sbin/sshd -i $OPTIONS $PERMITROOTLOGIN
+ExecStart=-/usr/sbin/sshd -i $OPTIONS
 StandardInput=socket
Author	SHA1	Message	Date
Jakub Jelen	557f728956	Fix malformed patch	2020-12-01 11:43:46 +01:00
Jakub Jelen	258db094bd	8.4p1-4 + 0.10.4-1	2020-12-01 09:54:21 +01:00
Jakub Jelen	d8a80c8be6	Fix Obsoletes for openssh-ldap (#1902084 )	2020-12-01 09:53:40 +01:00
Jakub Jelen	eced70a8bd	Remove PasswordAuthentication yes from shipped configuration as it is already default and it might be hard to override	2020-11-30 08:52:02 +01:00
Jakub Jelen	b6df6b3e29	List updated RFC	2020-11-26 11:48:54 +01:00
Jakub Jelen	126d278fec	8.4p1-3 + 0.10.4-1	2020-11-19 15:08:05 +01:00
Jakub Jelen	6a07699454	Compatibility with Debian's openssh-7.4p1 (#1881301 ) This only version does incorrectly reports server_sig_algorithms extension and in Fedora 33 with disabled SHA1, clients are unable to connect to Debian servers	2020-11-19 15:08:05 +01:00
Jakub Jelen	bbe3c2e156	Fix missing syscall in sandbox on arm (#1897712 )	2020-11-19 15:08:02 +01:00
Jakub Jelen	a048fcc3d0	8.4p1-2 + 0.10.4-1	2020-10-06 10:01:41 +02:00
Jakub Jelen	914eb2d891	Drop misleading comment about crypto policies	2020-10-06 10:01:41 +02:00
Jakub Jelen	62e762b7d5	ssh-copy-id compatibility with ksh	2020-10-06 10:01:41 +02:00
Jakub Jelen	dc5e3131ec	Unbreak ssh-copy-id (#1884231 )	2020-10-06 10:01:23 +02:00
Jakub Jelen	7b064ea363	Add missing changelog	2020-09-29 16:10:09 +02:00
Jakub Jelen	527f79ee8c	Remove the snap version, which is not used for build	2020-09-29 15:56:35 +02:00
Jakub Jelen	bd35168662	8.4p1-1 + 0.10.4-1	2020-09-29 14:53:14 +02:00
Jakub Jelen	3783a5da43	Rebase pam_ssh_agent_auth to 0.10.4	2020-09-29 14:53:14 +02:00
Jakub Jelen	9c88962b82	Improve crypto policies mention in manual pages (#1881301 )	2020-09-29 14:53:06 +02:00
Jakub Jelen	7e9d046986	Remove support for building rescue CD This is not used for close to 20 years and is broken at least from Fedora 31	2020-09-07 09:37:58 +02:00
Jakub Jelen	10cdecf4f1	8.3p1-4 + 0.10.3-10	2020-08-28 20:14:42 +02:00
Jakub Jelen	26c894b07f	Second iteration of sftp-server -m documentation (#1862504 )	2020-08-28 20:14:42 +02:00
Jakub Jelen	44157573e5	Remove openssh-ldap subpackage	2020-08-21 09:40:42 +02:00
Jakub Jelen	4c85eb3d53	pkcs11: Do not crash with invalid paths in ssh-agent (#1868996 )	2020-08-17 09:37:02 +02:00
Jakub Jelen	77aa771110	Clarify documentation about sftp-server -m (#1862504 )	2020-08-12 15:09:02 +02:00
Jakub Jelen	68460c09bb	Use make macros Based on https://src.fedoraproject.org/rpms/openssh/pull-request/11 https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro	2020-07-31 15:33:21 +02:00
Jakub Jelen	dfeecfb1e8	Drop loading of anaconda configuration from sysconfig including scriptlet to migrate to include drop-in directory	2020-07-31 15:26:55 +02:00
Fedora Release Engineering	fccd87eb18	- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>	2020-07-28 12:48:46 +00:00