Fix malformed patch

This only version does incorrectly reports server_sig_algorithms
extension and in Fedora 33 with disabled SHA1, clients are unable
to connect to Debian servers

.gitignore

@@ -42,3 +42,6 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
 /openssh-8.2p1.tar.gz.asc
 /openssh-8.3p1.tar.gz
 /openssh-8.3p1.tar.gz.asc
+/openssh-8.4p1.tar.gz
+/openssh-8.4p1.tar.gz.asc
+/pam_ssh_agent_auth-0.10.4.tar.gz

openssh-5.1p1-askpass-progress.patch

@@ -2,15 +2,15 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
 --- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c	2016-12-23 13:31:16.545211926 +0100
 @@ -53,6 +53,7 @@
- #include <string.h>
  #include <unistd.h>
+ 
  #include <X11/Xlib.h>
 +#include <glib.h>
  #include <gtk/gtk.h>
  #include <gdk/gdkx.h>
- 
+ #include <gdk/gdkkeysyms.h>
 @@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia
- 	gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+ 	return 1;
  }
  
 +static void
@@ -34,39 +34,44 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
 -	GtkWidget *parent_window, *dialog, *entry;
 +	GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
  	GdkGrabStatus status;
+ 	GdkColor fg, bg;
+ 	int fg_set = 0, bg_set = 0;
+@@ -104,14 +116,19 @@ passphrase_dialog(char *message)
+ 		gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
  
- 	grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
+ 	if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) {
-@@ -104,16 +116,37 @@ passphrase_dialog(char *message)
- 	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
- 
- 	if (prompt_type == PROMPT_ENTRY) {
 +		hbox = gtk_hbox_new(FALSE, 0);
 +		gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
 +		    FALSE, 0);
 +		gtk_widget_show(hbox);
 +
 		entry = gtk_entry_new();
+		if (fg_set)
+			gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
+		if (bg_set)
+			gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
 		gtk_box_pack_start(
 -		    GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
 -		    entry, FALSE, FALSE, 0);
-+		    GTK_BOX(hbox), entry,
++		    GTK_BOX(hbox), entry, TRUE, FALSE, 0);
-+		    TRUE, FALSE, 0);
 +		gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
  		gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
  		gtk_widget_grab_focus(entry);
- 		gtk_widget_show(entry);
+ 		if (prompt_type == PROMPT_ENTRY) {
- 		/* Make <enter> close dialog */
+@@ -130,6 +145,22 @@ passphrase_dialog(char *message)
- 		g_signal_connect(G_OBJECT(entry), "activate",
+ 			g_signal_connect(G_OBJECT(entry), "key_press_event",
- 				 G_CALLBACK(ok_dialog), dialog);
+ 			                 G_CALLBACK(check_none), dialog);
+ 		}
 +
 +		hbox = gtk_hbox_new(FALSE, 0);
-+		gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
++		gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox),
-+	    FALSE, 8);
++		    hbox, FALSE, FALSE, 8);
 +		gtk_widget_show(hbox);
 +
 +		progress = gtk_progress_bar_new();
 +
-+		gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally");
++		gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress),
++		    "Passphrase length hidden intentionally");
 +		gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
 +		    TRUE, 5);
 +		gtk_widget_show(progress);

openssh-6.6.1p1-log-in-chroot.patch

@@ -145,9 +145,9 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
  	    session_type,
  	    tty == NULL ? "" : " on ",
 @@ -1486,14 +1492,6 @@ child_close_fds(void)
- 	 * descriptors left by system functions.  They will be closed later.
+ 
- 	 */
+ 	/* Stop directing logs to a high-numbered fd before we close it */
- 	endpwent();
+ 	log_redirect_stderr_to(NULL);
 -
 -	/*
 -	 * Close any extra open file descriptors so that we don't have them

openssh-6.6p1-ctr-cavstest.patch

@@ -2,8 +2,8 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
 --- openssh-6.8p1/Makefile.in.ctr-cavs	2015-03-18 11:22:05.493289018 +0100
 +++ openssh-6.8p1/Makefile.in	2015-03-18 11:22:44.504196316 +0100
 @@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
- SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
+ SFTP_SERVER=$(libexecdir)/sftp-server
- SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
  SSH_KEYCAT=$(libexecdir)/ssh-keycat
 +CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@@ -13,8 +13,8 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
  
  .SUFFIXES: .lo
  
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
  
  XMSS_OBJS=\
  	ssh-xmss.o \
@@ -29,8 +29,8 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
  	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
  
 @@ -326,6 +330,7 @@ install-files:
- 		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
- 	fi
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
 +	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)

openssh-6.6p1-keycat.patch

@@ -36,16 +36,16 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
 --- openssh/Makefile.in.keycat	2015-06-24 10:57:50.152849621 +0200
 +++ openssh/Makefile.in	2015-06-24 10:57:50.157849608 +0200
 @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
+ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
- SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
- SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
 +SSH_KEYCAT=$(libexecdir)/ssh-keycat
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
  SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
  PRIVSEP_PATH=@PRIVSEP_PATH@
 @@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
+ K5LIBS=@K5LIBS@
  GSSLIBS=@GSSLIBS@
- SSHLIBS=@SSHLIBS@
  SSHDLIBS=@SSHDLIBS@
 +KEYCATLIBS=@KEYCATLIBS@
  LIBEDIT=@LIBEDIT@
@@ -55,14 +55,14 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
  
  .SUFFIXES: .lo
  
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT)
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
  
  XMSS_OBJS=\
  	ssh-xmss.o \
 @@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
- ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
- 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LDAPLIBS)
+ 	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
  
 +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
 +	$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
@@ -71,9 +71,9 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
  	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
  
 @@ -321,6 +325,7 @@ install-files:
- 		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
+ 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
- 		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
- 	fi
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
 +	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -466,16 +466,16 @@ index 3bbccfd..6481f1f 100644
  				esac
  			fi
 @@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux],
+ 	fi ]
  )
- AC_SUBST([SSHLIBS])
  AC_SUBST([SSHDLIBS])
 +AC_SUBST([KEYCATLIBS])
  
  # Check whether user wants Kerberos 5 support
  KRB5_MSG="no"
 @@ -5031,6 +5034,9 @@ fi
- if test ! -z "${SSHLIBS}"; then
+ if test ! -z "${SSHDLIBS}"; then
- echo "          +for ssh: ${SSHLIBS}"
+ echo "         +for sshd: ${SSHDLIBS}"
  fi
 +if test ! -z "${KEYCATLIBS}"; then
 +echo "   +for ssh-keycat: ${KEYCATLIBS}"

openssh-6.6p1-kuserok.patch

@@ -217,7 +217,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
  	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
  	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
 @@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
- 		*activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
+ 		*inc_flags &= ~SSHCFG_MATCH_ONLY;
  		break;
  
 +	case sKerberosUseKuserok:

openssh-6.7p1-kdf-cavs.patch

@@ -2,7 +2,7 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
 --- openssh-6.8p1/Makefile.in.kdf-cavs	2015-03-18 11:23:46.346049359 +0100
 +++ openssh-6.8p1/Makefile.in	2015-03-18 11:24:20.395968445 +0100
 @@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
- SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
  SSH_KEYCAT=$(libexecdir)/ssh-keycat
  CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
 +SSH_CAVS=$(libexecdir)/ssh-cavs
@@ -13,8 +13,8 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
  
  .SUFFIXES: .lo
  
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
  
  XMSS_OBJS=\
  	ssh-xmss.o \
@@ -29,7 +29,7 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
  	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
  
 @@ -331,6 +335,8 @@ install-files:
- 	fi
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
 +	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)

openssh-6.7p1-sftp-force-permission.patch

@@ -2,21 +2,23 @@ diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8
 --- openssh-7.2p2/sftp-server.8.sftp-force-mode	2016-03-09 19:04:48.000000000 +0100
 +++ openssh-7.2p2/sftp-server.8	2016-06-23 16:18:20.463854117 +0200
 @@ -38,6 +38,7 @@
- .Op Fl P Ar blacklisted_requests
+ .Op Fl P Ar denied_requests
- .Op Fl p Ar whitelisted_requests
+ .Op Fl p Ar allowed_requests
  .Op Fl u Ar umask
 +.Op Fl m Ar force_file_perms
  .Ek
  .Nm
  .Fl Q Ar protocol_feature
-@@ -138,6 +139,10 @@ Sets an explicit
+@@ -138,6 +139,12 @@ Sets an explicit
  .Xr umask 2
  to be applied to newly-created files and directories, instead of the
  user's default mask.
 +.It Fl m Ar force_file_perms
 +Sets explicit file permissions to be applied to newly-created files instead
 +of the default or client requested mode.  Numeric values include:
-+777, 755, 750, 666, 644, 640, etc.  Option -u is ineffective if -m is set.
++777, 755, 750, 666, 644, 640, etc.  Using both -m and -u switches makes the
++umask (-u) effective only for newly created directories and explicit mode (-m)
++for newly created files.
  .El
  .Pp
  On some systems,
@@ -65,9 +67,9 @@ diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c
 @@ -1494,7 +1505,7 @@ sftp_server_usage(void)
  	fprintf(stderr,
  	    "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
- 	    "[-l log_level]\n\t[-P blacklisted_requests] "
+ 	    "[-l log_level]\n\t[-P denied_requests] "
--	    "[-p whitelisted_requests] [-u umask]\n"
+-	    "[-p allowed_requests] [-u umask]\n"
-+	    "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n"
++	    "[-p allowed_requests] [-u umask] [-m force_file_perms]\n"
  	    "       %s -Q protocol_feature\n",
  	    __progname, __progname);
  	exit(1);

openssh-7.1p2-audit-race-condition.patch

@@ -137,7 +137,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
  }
  
 @@ -1538,6 +1565,34 @@ child_close_fds(void)
- 	endpwent();
+ 	log_redirect_stderr_to(NULL);
  }
  
 +void

openssh-7.6p1-audit.patch

@@ -1158,8 +1158,8 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
      {0, 0, NULL}
  };
 @@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int
- 	size_t signaturelen, datalen, bloblen;
+ 	int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;
- 	int r, ret, req_presence = 0, valid_data = 0, encoded_ret;
+ 	int encoded_ret;
  	struct sshkey_sig_details *sig_details = NULL;
 +	int type = 0;
  

openssh-7.7p1-fips.patch

@@ -173,20 +173,20 @@ diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
  	all_key = sshkey_alg_list(0, 0, 1, ',');
  	all_sig = sshkey_alg_list(0, 1, 1, ',');
  	/* remove unsupported algos from default lists */
--	def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
+-	def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher);
--	def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
+-	def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac);
--	def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
+-	def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex);
--	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+-	def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
--	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+-	def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
-+	def_cipher = match_filter_whitelist((FIPS_mode() ?
++	def_cipher = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
-+	def_mac = match_filter_whitelist((FIPS_mode() ?
++	def_mac = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
-+	def_kex = match_filter_whitelist((FIPS_mode() ?
++	def_kex = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
-+	def_key = match_filter_whitelist((FIPS_mode() ?
++	def_key = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
-+	def_sig = match_filter_whitelist((FIPS_mode() ?
++	def_sig = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
  #define ASSEMBLE(what, defaults, all) \
  	do { \
@@ -211,20 +211,20 @@ diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
  	all_key = sshkey_alg_list(0, 0, 1, ',');
  	all_sig = sshkey_alg_list(0, 1, 1, ',');
  	/* remove unsupported algos from default lists */
--	def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
+-	def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
--	def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
+-	def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
--	def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
+-	def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
--	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+-	def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
--	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+-	def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
-+	def_cipher = match_filter_whitelist((FIPS_mode() ?
++	def_cipher = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
-+	def_mac = match_filter_whitelist((FIPS_mode() ?
++	def_mac = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
-+	def_kex = match_filter_whitelist((FIPS_mode() ?
++	def_kex = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
-+	def_key = match_filter_whitelist((FIPS_mode() ?
++	def_key = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
-+	def_sig = match_filter_whitelist((FIPS_mode() ?
++	def_sig = match_filter_allowlist((FIPS_mode() ?
 +	    KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
  #define ASSEMBLE(what, defaults, all) \
  	do { \

openssh-7.7p1-redhat.patch

@@ -2,9 +2,9 @@ diff -up openssh/ssh_config.redhat openssh/ssh_config
 --- openssh/ssh_config.redhat	2020-02-11 23:28:35.000000000 +0100
 +++ openssh/ssh_config	2020-02-13 18:13:39.180641839 +0100
 @@ -43,3 +43,10 @@
- #   VisualHostKey no
  #   ProxyCommand ssh -q -W %h:%p gateway.example.com
  #   RekeyLimit 1G 1h
+ #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
 +#
 +# This system is following system-wide crypto policy.
 +# To modify the crypto properties (Ciphers, MACs, ...), create a  *.conf
@@ -86,7 +86,7 @@ diff -up openssh/sshd_config.redhat openssh/sshd_config
 diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
 --- openssh/sshd_config_redhat.redhat	2020-02-13 18:14:02.268006439 +0100
 +++ openssh/sshd_config_redhat	2020-02-13 18:19:20.765035947 +0100
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,28 @@
 +# This system is following system-wide crypto policy. The changes to
 +# crypto properties (Ciphers, MACs, ...) will not have any effect in
 +# this or following included files. To override some configuration option,
@@ -96,7 +96,6 @@ diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
 +
 +SyslogFacility AUTHPRIV
 +
-+PasswordAuthentication yes
 +ChallengeResponseAuthentication no
 +
 +GSSAPIAuthentication yes

openssh-7.8p1-role-mls.patch

@@ -154,20 +154,6 @@ diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
  char ** fetch_pam_environment(void);
  char ** fetch_pam_child_environment(void);
  void free_pam_environment(char **);
-diff -up openssh/configure.ac.role-mls openssh/configure.ac
---- openssh/configure.ac.role-mls	2018-08-20 07:57:29.000000000 +0200
-+++ openssh/configure.ac	2018-08-22 11:14:56.820430957 +0200
-@@ -4241,10 +4241,7 @@ AC_ARG_WITH([selinux],
- 			  LIBS="$LIBS -lselinux"
- 			],
- 			AC_MSG_ERROR([SELinux support requires libselinux library]))
--		SSHLIBS="$SSHLIBS $LIBSELINUX"
--		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
- 		AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
--		LIBS="$save_LIBS"
- 	fi ]
- )
- AC_SUBST([SSHLIBS])
 diff -up openssh/misc.c.role-mls openssh/misc.c
 --- openssh/misc.c.role-mls	2018-08-20 07:57:29.000000000 +0200
 +++ openssh/misc.c	2018-08-22 11:14:56.817430932 +0200
@@ -338,8 +324,8 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
 --- openssh/monitor_wrap.h.role-mls	2018-08-22 11:14:56.818430941 +0200
 +++ openssh/monitor_wrap.h	2018-08-22 11:22:10.439929513 +0200
 @@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
- int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
+     const u_char *, size_t, const char *, const char *,
-     const u_char *, size_t, const char *, const char *, u_int compat);
+     const char *, u_int compat);
  void mm_inform_authserv(char *, char *);
 +#ifdef WITH_SELINUX
 +void mm_inform_authrole(char *);

openssh-7.9p1-ssh-copy-id.patch

@@ -1,31 +1,27 @@
-diff -up openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id openssh-7.9p1/contrib/ssh-copy-id
+From 22bfdcf060b632b5a6ff603f8f42ff166c211a66 Mon Sep 17 00:00:00 2001
---- openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id	2018-10-17 02:01:20.000000000 +0200
+From: Jakub Jelen <jjelen@redhat.com>
-+++ openssh-7.9p1/contrib/ssh-copy-id	2019-01-23 20:49:30.513393667 +0100
+Date: Tue, 29 Sep 2020 10:02:45 +0000
-@@ -112,7 +112,8 @@ do
+Subject: [PATCH] Fail hard on the first failed attempt to write the
-         usage
+ authorized_keys_file
-   }
+
- 
+---
--  OPT= OPTARG=
+ ssh-copy-id | 2 +-
-+  OPT=
+ 1 file changed, 1 insertion(+), 1 deletion(-)
-+  OPTARG=
+
-   # implement something like getopt to avoid Solaris pain
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
-   case "$1" in
+index 392f64f..e69a23f 100755
-     -i?*|-o?*|-p?*)
+--- a/contrib/ssh-copy-id
-@@ -261,7 +262,7 @@ populate_new_ids() {
++++ b/contrib/ssh-copy-id
-   fi
+@@ -251,7 +251,7 @@ installkeys_sh() {
-   if [ -z "$NEW_IDS" ] ; then
+ 	cd;
-     printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2
+ 	umask 077;
--    printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2
+ 	mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
-+    printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' >&2
+-	  { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE}; } &&
-     exit 0
++	  { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
-   fi
+ 	  cat >> ${AUTH_KEY_FILE} ||
-   printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
+ 	  exit 1;
-@@ -296,7 +297,7 @@ case "$REMOTE_VERSION" in
+ 	if type restorecon >/dev/null 2>&1; then
-     # in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
+-- 
-     #     'cd' to be at $HOME; add a newline if it's missing; and all on one line, because tcsh.
+GitLab
-     [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
+
--      ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys ; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
+
-+      ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys || exit 1; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
-       || exit 1
-     ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
-     ;;

openssh-8.0p1-crypto-policies.patch

@@ -39,18 +39,19 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
  If the specified list begins with a
  .Sq +
 -character, then the specified ciphers will be appended to the default set
-+character, then the specified ciphers will be appended to the built-in default set
+-instead of replacing them.
- instead of replacing them.
++character, then the specified ciphers will be appended to the built-in
++openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq -
  character, then the specified ciphers (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq ^
  character, then the specified ciphers will be placed at the head of the
 -default set.
-+built-in default set.
++built-in openssh default set.
  .Pp
  The supported ciphers are:
  .Bd -literal -offset indent
@@ -106,13 +107,14 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
  If the specified list begins with a
  .Sq +
 -character, then the specified methods will be appended to the default set
-+character, then the specified methods will be appended to the built-in default set
+-instead of replacing them.
- instead of replacing them.
++character, then the specified methods will be appended to the built-in
++openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq -
  character, then the specified methods (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq ^
  character, then the specified methods will be placed at the head of the
@@ -126,7 +128,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 -diffie-hellman-group18-sha512,
 -diffie-hellman-group14-sha256
 -.Ed
-+built-in default set.
++built-in openssh default set.
  .Pp
  The list of available key exchange algorithms may also be obtained using
  .Qq ssh -Q kex .
@@ -146,18 +148,19 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
  If the specified list begins with a
  .Sq +
 -character, then the specified algorithms will be appended to the default set
-+character, then the specified algorithms will be appended to the built-in default set
+-instead of replacing them.
- instead of replacing them.
++character, then the specified algorithms will be appended to the built-in
++openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq -
  character, then the specified algorithms (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq ^
  character, then the specified algorithms will be placed at the head of the
 -default set.
-+built-in default set.
++built-in openssh default set.
  .Pp
  The algorithms that contain
  .Qq -etm
@@ -190,13 +193,14 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
  If the specified list begins with a
  .Sq +
 -character, then the key types after it will be appended to the default
-+character, then the key types after it will be appended to the built-in default
+-instead of replacing it.
- instead of replacing it.
++character, then the key types after it will be appended to the built-in
++openssh default instead of replacing it.
  If the specified list begins with a
  .Sq -
  character, then the specified key types (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq ^
  character, then the specified key types will be placed at the head of the
@@ -217,7 +221,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 -ssh-ed25519,sk-ssh-ed25519@openssh.com,
 -rsa-sha2-512,rsa-sha2-256,ssh-rsa
 -.Ed
-+built-in default set.
++built-in openssh default set.
  .Pp
  The list of available key types may also be obtained using
  .Qq ssh -Q PubkeyAcceptedKeyTypes .
@@ -261,18 +265,19 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
  If the specified list begins with a
  .Sq +
 -character, then the specified ciphers will be appended to the default set
-+character, then the specified ciphers will be appended to the built-in default set
+-instead of replacing them.
- instead of replacing them.
++character, then the specified ciphers will be appended to the built-in
++openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq -
  character, then the specified ciphers (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq ^
  character, then the specified ciphers will be placed at the head of the
 -default set.
-+built-in default set.
++built-in openssh default set.
  .Pp
  The supported ciphers are:
  .Pp
@@ -370,18 +375,19 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
  Alternately if the specified list begins with a
  .Sq +
 -character, then the specified methods will be appended to the default set
-+character, then the specified methods will be appended to the built-in default set
+-instead of replacing them.
- instead of replacing them.
++character, then the specified methods will be appended to the built-in
++openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq -
  character, then the specified methods (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq ^
  character, then the specified methods will be placed at the head of the
 -default set.
-+built-in default set.
++built-in openssh default set.
  The supported algorithms are:
  .Pp
  .Bl -item -compact -offset indent
@@ -416,18 +422,19 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
  If the specified list begins with a
  .Sq +
 -character, then the specified algorithms will be appended to the default set
-+character, then the specified algorithms will be appended to the built-in default set
+-instead of replacing them.
- instead of replacing them.
++character, then the specified algorithms will be appended to the built-in
++openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq -
  character, then the specified algorithms (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq ^
  character, then the specified algorithms will be placed at the head of the
 -default set.
-+built-in default set.
++built-in openssh default set.
  .Pp
  The algorithms that contain
  .Qq -etm
@@ -461,13 +468,14 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
  Alternately if the specified list begins with a
  .Sq +
 -character, then the specified key types will be appended to the default set
-+character, then the specified key types will be appended to the built-in default set
+-instead of replacing them.
- instead of replacing them.
++character, then the specified key types will be appended to the built-in
++openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq -
  character, then the specified key types (including wildcards) will be removed
 -from the default set instead of replacing them.
-+from the built-in default set instead of replacing them.
++from the built-in openssh default set instead of replacing them.
  If the specified list begins with a
  .Sq ^
  character, then the specified key types will be placed at the head of the
@@ -488,7 +496,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 -ssh-ed25519,sk-ssh-ed25519@openssh.com,
 -rsa-sha2-512,rsa-sha2-256,ssh-rsa
 -.Ed
-+built-in default set.
++built-in openssh default set.
  .Pp
  The list of available key types may also be obtained using
  .Qq ssh -Q PubkeyAcceptedKeyTypes .

openssh-8.0p1-pkcs11-uri.patch

@@ -568,8 +568,8 @@ index 4e56e110..2690ebeb 100644
  
  REGRESS_FAIL_EARLY?=	yes
  SUBDIR=	test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion
--SUBDIR+=authopt misc
+-SUBDIR+=authopt misc sshsig
-+SUBDIR+=authopt misc pkcs11
++SUBDIR+=authopt misc sshsig pkcs11
  
  .include <bsd.subdir.mk>
 diff --git a/regress/unittests/pkcs11/tests.c b/regress/unittests/pkcs11/tests.c
@@ -807,7 +807,7 @@ index 00000000..b637cb13
 +}
 +
 +void
-+check_encode(char *source, size_t len, char *whitelist, char *expect)
++check_encode(char *source, size_t len, char *allow_list, char *expect)
 +{
 +	char *buf = NULL;
 +	struct sshbuf *b;
@@ -816,7 +816,7 @@ index 00000000..b637cb13
 +	TEST_START(buf);
 +	free(buf);
 +
-+	b = percent_encode(source, len, whitelist);
++	b = percent_encode(source, len, allow_list);
 +	ASSERT_STRING_EQ(sshbuf_ptr(b), expect);
 +	sshbuf_free(b);
 +	TEST_DONE();
@@ -841,14 +841,14 @@ index 00000000..b637cb13
 +static void
 +test_percent_encode(void)
 +{
-+	/* Without whitelist encodes everything (for CKA_ID) */
++	/* Without allow list encodes everything (for CKA_ID) */
 +	check_encode("A*", 2, "", "%41%2A");
 +	check_encode("\x00", 1, "", "%00");
 +	check_encode("\x7F", 1, "", "%7F");
 +	check_encode("\x80", 1, "", "%80");
 +	check_encode("\xff", 1, "", "%FF");
 +
-+	/* Default whitelist encodes anything but safe letters */
++	/* Default allow list encodes anything but safe letters */
 +	check_encode("test" "\x00" "0alpha", 11, PKCS11_URI_WHITELIST,
 +	    "test%000alpha");
 +	check_encode(" ", 1, PKCS11_URI_WHITELIST,
@@ -920,9 +920,9 @@ index 8057eb1f..0c470e32 100644
 --- a/ssh-add.c
 +++ b/ssh-add.c
 @@ -67,6 +67,7 @@
- #include "ssherr.h"
  #include "digest.h"
  #include "ssh-sk.h"
+ #include "sk-api.h"
 +#include "ssh-pkcs11-uri.h"
  
  /* argv0 */
@@ -1045,9 +1045,9 @@ index 7eb6f0dc..27d8e4af 100644
 +			return NULL;
 +		}
 +		free(module_path);
-+		if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) {
++		if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) {
 +			verbose("refusing PKCS#11 provider \"%.100s\": "
-+			    "not whitelisted", canonical_provider);
++			    "not allowed", canonical_provider);
 +			pkcs11_uri_cleanup(uri);
 +			return NULL;
 +		}
@@ -1085,9 +1085,9 @@ index 7eb6f0dc..27d8e4af 100644
 -		    provider, strerror(errno));
 -		goto send;
 -	}
--	if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) {
+-	if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) {
 -		verbose("refusing PKCS#11 add of \"%.100s\": "
--		    "provider not whitelisted", canonical_provider);
+-		    "provider not allowed", canonical_provider);
 +
 +	sane_uri = sanitize_pkcs11_provider(provider);
 +	if (sane_uri == NULL)
@@ -1216,7 +1216,7 @@ new file mode 100644
 index 00000000..e1a7b4e0
 --- /dev/null
 +++ b/ssh-pkcs11-uri.c
-@@ -0,0 +1,421 @@
+@@ -0,0 +1,425 @@
 +/*
 + * Copyright (c) 2017 Red Hat
 + *
@@ -1342,7 +1342,7 @@ index 00000000..e1a7b4e0
 +}
 +
 +struct sshbuf *
-+percent_encode(const char *data, size_t length, const char *whitelist)
++percent_encode(const char *data, size_t length, const char *allow_list)
 +{
 +	struct sshbuf *b = NULL;
 +	char tmp[4], *cp;
@@ -1351,7 +1351,7 @@ index 00000000..e1a7b4e0
 +	if ((b = sshbuf_new()) == NULL)
 +		return NULL;
 +	for (i = 0; i < length; i++) {
-+		cp = strchr(whitelist, data[i]);
++		cp = strchr(allow_list, data[i]);
 +		/* if c is specified as '\0' pointer to terminator is returned !! */
 +		if (cp != NULL && *cp != '\0') {
 +			if (sshbuf_put(b, &data[i], 1) != 0)
@@ -1468,6 +1468,10 @@ index 00000000..e1a7b4e0
 +void
 +pkcs11_uri_cleanup(struct pkcs11_uri *pkcs11)
 +{
++	if (pkcs11 == NULL) {
++		return;
++	}
++
 +	free(pkcs11->id);
 +	free(pkcs11->module_path);
 +	free(pkcs11->token);
@@ -3111,7 +3115,7 @@ index 15aee569..976844cb 100644
 +		}
 +#endif /* ENABLE_PKCS11 */
 +		cp = tilde_expand_filename(name, getuid());
- 		filename = default_client_percent_expand(cp,
+ 		filename = default_client_percent_dollar_expand(cp,
  		    pw->pw_dir, host, options.user, pw->pw_name);
  		free(cp);
 diff --git a/ssh_config.5 b/ssh_config.5

openssh-8.3p1-sshd_include.patch

@@ -1,227 +0,0 @@
-From 3caa40f40c7f97ecf46969e050e530338864033e Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 25 May 2020 15:46:51 +0200
-Subject: [PATCH 1/3] regress: Add more test cases
-
----
- regress/servcfginclude.sh | 36 +++++++++++++++++++++++++++++++++++-
- 1 file changed, 35 insertions(+), 1 deletion(-)
-
-diff --git a/regress/servcfginclude.sh b/regress/servcfginclude.sh
-index b25c8faa..b6a9a248 100644
---- a/regress/servcfginclude.sh
-+++ b/regress/servcfginclude.sh
-@@ -146,9 +146,43 @@ Include
- _EOF
- 
- trace "disallow invalid with no argument"
--${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x \
-+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x -T \
-     -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
- 	fail "sshd allowed Include with no argument"
- 
-+# Ensure the Include before any Match block works as expected (bug #3122)
-+cat > $OBJ/sshd_config.i << _EOF
-+Banner /xx
-+HostKey $OBJ/host.ssh-ed25519
-+Include $OBJ/sshd_config.i.2
-+Match host a
-+	Banner /aaaa
-+_EOF
-+cat > $OBJ/sshd_config.i.2 << _EOF
-+Match host a
-+	Banner /aa
-+_EOF
-+
-+trace "Include before match blocks"
-+trial a /aa "included file before match blocks is properly evaluated"
-+
-+# Port in included file is correctly interpretted (bug #3169)
-+cat > $OBJ/sshd_config.i << _EOF
-+Include $OBJ/sshd_config.i.2
-+Port 7722
-+_EOF
-+cat > $OBJ/sshd_config.i.2 << _EOF
-+HostKey $OBJ/host.ssh-ed25519
-+_EOF
-+
-+trace "Port after included files"
-+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \
-+    -C "host=x,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out || \
-+	fail "failed to parse Port after included files"
-+_port=`grep -i '^port ' $OBJ/sshd_config.out | awk '{print $2}'`
-+if test "x7722" != "x$_port" ; then
-+	fail "The Port in included file was intertepretted wrongly. Expected 7722, got $_port"
-+fi
-+
- # cleanup
- rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out
--- 
-2.25.4
-
-
-From 924922fcb8f34fb4a156367de2ee33ad92a68a6a Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Mon, 25 May 2020 16:56:39 +0200
-Subject: [PATCH 2/3] Do not call process_queued_listen_addrs() for every
- included file
-
-Fixes #3169
----
- servconf.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/servconf.c b/servconf.c
-index 5bb4b1f8..78a7d87d 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -74,7 +74,7 @@ static void add_listen_addr(ServerOptions *, const char *,
-     const char *, int);
- static void add_one_listen_addr(ServerOptions *, const char *,
-     const char *, int);
--void parse_server_config_depth(ServerOptions *options, const char *filename,
-+static void parse_server_config_depth(ServerOptions *options, const char *filename,
-     struct sshbuf *conf, struct include_list *includes,
-     struct connection_info *connectinfo, int flags, int *activep, int depth);
- 
-@@ -2580,7 +2580,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
- #undef M_CP_STRARRAYOPT
- 
- #define SERVCONF_MAX_DEPTH	16
--void
-+static void
- parse_server_config_depth(ServerOptions *options, const char *filename,
-     struct sshbuf *conf, struct include_list *includes,
-     struct connection_info *connectinfo, int flags, int *activep, int depth)
-@@ -2606,7 +2606,6 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
- 	if (bad_options > 0)
- 		fatal("%s: terminating, %d bad configuration options",
- 		    filename, bad_options);
--	process_queued_listen_addrs(options);
- }
- 
- void
-@@ -2617,6 +2616,7 @@ parse_server_config(ServerOptions *options, const char *filename,
- 	int active = connectinfo ? 0 : 1;
- 	parse_server_config_depth(options, filename, conf, includes,
- 	    connectinfo, 0, &active, 0);
-+	process_queued_listen_addrs(options);
- }
- 
- static const char *
--- 
-2.25.4
-
-
-From 26d970b4fb373cb7bd99286e41dd095cd1eadbd0 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Tue, 26 May 2020 16:25:24 +0200
-Subject: [PATCH 3/3] servconf: Fix parsing of Match blocks in included files
- (#3122)
-
----
- servconf.c | 28 +++++++++++++++++++---------
- 1 file changed, 19 insertions(+), 9 deletions(-)
-
-diff --git a/servconf.c b/servconf.c
-index 78a7d87d..a8541514 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -554,6 +554,7 @@ typedef enum {
- #define SSHCFG_MATCH		0x02	/* allowed inside a Match section */
- #define SSHCFG_ALL		(SSHCFG_GLOBAL|SSHCFG_MATCH)
- #define SSHCFG_NEVERMATCH	0x04  /* Match never matches; internal only */
-+#define SSHCFG_MATCH_ONLY	0x08  /* Match only in conditional blocks; internal only */
- 
- /* Textual representation of the tokens. */
- static struct {
-@@ -1265,7 +1266,7 @@ static const struct multistate multistate_tcpfwd[] = {
- static int
- process_server_config_line_depth(ServerOptions *options, char *line,
-     const char *filename, int linenum, int *activep,
--    struct connection_info *connectinfo, int inc_flags, int depth,
-+    struct connection_info *connectinfo, int *inc_flags, int depth,
-     struct include_list *includes)
- {
- 	char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
-@@ -2012,7 +2013,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
- 					parse_server_config_depth(options,
- 					    item->filename, item->contents,
- 					    includes, connectinfo,
--					    (oactive ? 0 : SSHCFG_NEVERMATCH),
-+					    (*inc_flags & SSHCFG_MATCH_ONLY
-+					        ? SSHCFG_MATCH_ONLY : (oactive
-+					            ? 0 : SSHCFG_NEVERMATCH)),
- 					    activep, depth + 1);
- 				}
- 				found = 1;
-@@ -2060,7 +2063,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
- 				parse_server_config_depth(options,
- 				    item->filename, item->contents,
- 				    includes, connectinfo,
--				    (oactive ? 0 : SSHCFG_NEVERMATCH),
-+				    (*inc_flags & SSHCFG_MATCH_ONLY
-+				        ? SSHCFG_MATCH_ONLY : (oactive
-+				            ? 0 : SSHCFG_NEVERMATCH)),
- 				    activep, depth + 1);
- 				*activep = oactive;
- 				TAILQ_INSERT_TAIL(includes, item, entry);
-@@ -2078,11 +2083,14 @@ process_server_config_line_depth(ServerOptions *options, char *line,
- 		if (cmdline)
- 			fatal("Match directive not supported as a command-line "
- 			   "option");
--		value = match_cfg_line(&cp, linenum, connectinfo);
-+		value = match_cfg_line(&cp, linenum,
-+		    (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
- 		if (value < 0)
- 			fatal("%s line %d: Bad Match condition", filename,
- 			    linenum);
--		*activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
-+		*activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
-+		/* The MATCH_ONLY is applicable only until the first match block */
-+		*inc_flags &= ~SSHCFG_MATCH_ONLY;
- 		break;
- 
- 	case sKerberosUseKuserok:
-@@ -2385,8 +2393,9 @@ process_server_config_line(ServerOptions *options, char *line,
-     const char *filename, int linenum, int *activep,
-     struct connection_info *connectinfo, struct include_list *includes)
- {
-+	int inc_flags = 0;
- 	return process_server_config_line_depth(options, line, filename,
--	    linenum, activep, connectinfo, 0, 0, includes);
-+	    linenum, activep, connectinfo, &inc_flags, 0, includes);
- }
- 
- 
-@@ -2591,14 +2600,15 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
- 	if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
- 		fatal("Too many recursive configuration includes");
- 
--	debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
-+	debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf),
-+	    (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
- 
- 	if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
- 		fatal("%s: sshbuf_dup_string failed", __func__);
- 	linenum = 1;
- 	while ((cp = strsep(&cbuf, "\n")) != NULL) {
- 		if (process_server_config_line_depth(options, cp,
--		    filename, linenum++, activep, connectinfo, flags,
-+		    filename, linenum++, activep, connectinfo, &flags,
- 		    depth, includes) != 0)
- 			bad_options++;
- 	}
-@@ -2615,7 +2625,7 @@ parse_server_config(ServerOptions *options, const char *filename,
- {
- 	int active = connectinfo ? 0 : 1;
- 	parse_server_config_depth(options, filename, conf, includes,
--	    connectinfo, 0, &active, 0);
-+	    connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
- 	process_queued_listen_addrs(options);
- }
- 
--- 
-2.25.4
-
-

openssh-8.4p1-debian-compat.patch

@@ -0,0 +1,57 @@
+--- compat.h.orig	2020-10-05 10:09:02.953505129 -0700
++++ compat.h	2020-10-05 10:10:17.587733113 -0700
+@@ -34,7 +34,7 @@
+ 
+ #define SSH_BUG_UTF8TTYMODE	0x00000001
+ #define SSH_BUG_SIGTYPE		0x00000002
+-/* #define unused		0x00000004 */
++#define SSH_BUG_SIGTYPE74	0x00000004
+ /* #define unused		0x00000008 */
+ #define SSH_OLD_SESSIONID	0x00000010
+ /* #define unused		0x00000020 */
+--- compat.c.orig	2020-10-05 10:25:02.088720562 -0700
++++ compat.c	2020-10-05 10:13:11.637282492 -0700
+@@ -65,11 +65,12 @@
+ 		{ "OpenSSH_6.5*,"
+ 		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
+ 					SSH_BUG_SIGTYPE},
++		{ "OpenSSH_7.4*",	SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
++		  			SSH_BUG_SIGTYPE74},
+ 		{ "OpenSSH_7.0*,"
+ 		  "OpenSSH_7.1*,"
+ 		  "OpenSSH_7.2*,"
+ 		  "OpenSSH_7.3*,"
+-		  "OpenSSH_7.4*,"
+ 		  "OpenSSH_7.5*,"
+ 		  "OpenSSH_7.6*,"
+ 		  "OpenSSH_7.7*",	SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
+--- sshconnect2.c.orig	2020-09-26 07:26:37.618010545 -0700
++++ sshconnect2.c	2020-10-05 10:47:22.116315148 -0700
+@@ -1305,6 +1305,26 @@
+ 			break;
+ 	}
+ 	free(oallowed);
++	/*
++	 * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
++	 * support.  For that release, check the local policy against the
++	 * SHA2 signature types.
++	 */
++	if (alg == NULL &&
++	    (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
++		oallowed = allowed = xstrdup(options.pubkey_key_types);
++		while ((cp = strsep(&allowed, ",")) != NULL) {
++			if (sshkey_type_from_name(cp) != key->type)
++				continue;
++			tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
++			if (tmp != NULL)
++				alg = xstrdup(cp);
++			free(tmp);
++			if (alg != NULL)
++				break;
++		}
++		free(oallowed);
++	}
+ 	return alg;
+ }
+ 
+

openssh-8.4p1-sandbox-seccomp.patch

@@ -0,0 +1,14 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e0768c06..5065ae7e 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_pselect6
+ 	SC_ALLOW(__NR_pselect6),
+ #endif
++#ifdef __NR_pselect6_time64
++	SC_ALLOW(__NR_pselect6_time64),
++#endif
+ #ifdef __NR_read
+ 	SC_ALLOW(__NR_read),
+ #endif

openssh-8.4p1-ssh-copy-id.patch

@@ -0,0 +1,130 @@
+From 66f16e5425eb881570e82bfef7baeac2e7accc0a Mon Sep 17 00:00:00 2001
+From: Oleg <Fallmay@users.noreply.github.com>
+Date: Thu, 1 Oct 2020 12:09:08 +0300
+Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
+
+---
+ contrib/ssh-copy-id | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 392f64f94..a76907717 100644
+--- a/contrib/ssh-copy-id
++++ b/contrib/ssh-copy-id
+@@ -247,7 +247,7 @@ installkeys_sh() {
+   #    the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
+   #    the cat adds the keys we're getting via STDIN
+   #    and if available restorecon is used to restore the SELinux context
+-  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
++  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
+ 	cd;
+ 	umask 077;
+ 	mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
+@@ -258,6 +258,7 @@ installkeys_sh() {
+ 	  restorecon -F .ssh ${AUTH_KEY_FILE};
+ 	fi
+ EOF
++  )
+ 
+   # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
+   printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
+
+From de59a431cdec833e3ec15691dd950402b4c052cf Mon Sep 17 00:00:00 2001
+From: Philip Hands <phil@hands.com>
+Date: Sat, 3 Oct 2020 00:20:07 +0200
+Subject: [PATCH] un-nest $() to make ksh cheerful
+
+---
+ ssh-copy-id | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+From 02ac2c3c3db5478a440dfb1b90d15f686f2cbfc6 Mon Sep 17 00:00:00 2001
+From: Philip Hands <phil@hands.com>
+Date: Fri, 2 Oct 2020 21:30:10 +0200
+Subject: [PATCH] ksh doesn't grok 'local'
+
+and AFAICT it's not actually doing anything useful in the code, so let's
+see how things go without it.
+---
+ ssh-copy-id | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index a769077..11c9463 100755
+--- a/contrib/ssh-copy-id
++++ b/contrib/ssh-copy-id
+@@ -76,7 +76,7 @@ quote() {
+ }
+ 
+ use_id_file() {
+-  local L_ID_FILE="$1"
++  L_ID_FILE="$1"
+ 
+   if [ -z "$L_ID_FILE" ] ; then
+     printf '%s: ERROR: no ID file found\n' "$0"
+@@ -94,7 +94,7 @@ use_id_file() {
+   # check that the files are readable
+   for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
+     ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
+-      local L_PRIVMSG=""
++      L_PRIVMSG=""
+       [ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG="	(to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
+       printf "\\n%s: ERROR: failed to open ID file '%s': %s\\n" "$0" "$f" "$(printf '%s\n%s\n' "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
+       exit 1
+@@ -169,7 +169,7 @@ fi
+ # populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
+ # and has the side effect of setting $NEW_IDS
+ populate_new_ids() {
+-  local L_SUCCESS="$1"
++  L_SUCCESS="$1"
+ 
+   # shellcheck disable=SC2086
+   if [ "$FORCED" ] ; then
+@@ -181,13 +181,12 @@ populate_new_ids() {
+   eval set -- "$SSH_OPTS"
+ 
+   umask 0177
+-  local L_TMP_ID_FILE
+   L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
+   if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
+     printf '%s: ERROR: mktemp failed\n' "$0" >&2
+     exit 1
+   fi
+-  local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
++  L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
+   # shellcheck disable=SC2064
+   trap "$L_CLEANUP" EXIT TERM INT QUIT
+   printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
+@@ -237,7 +236,7 @@ populate_new_ids() {
+ #    produce a one-liner to add the keys to remote authorized_keys file
+ #    optionally takes an alternative path for authorized_keys
+ installkeys_sh() {
+-  local AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
++  AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
+ 
+   # In setting INSTALLKEYS_SH:
+   #    the tr puts it all on one line (to placate tcsh)
+-- 
+
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 11c9463..ee3f637 100755
+--- a/contrib/ssh-copy-id
++++ b/contrib/ssh-copy-id
+@@ -237,6 +237,7 @@ populate_new_ids() {
+ #    optionally takes an alternative path for authorized_keys
+ installkeys_sh() {
+   AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
++  AUTH_KEY_DIR=$(dirname "${AUTH_KEY_FILE}")
+ 
+   # In setting INSTALLKEYS_SH:
+   #    the tr puts it all on one line (to placate tcsh)
+@@ -249,7 +250,7 @@ installkeys_sh() {
+   INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
+ 	cd;
+ 	umask 077;
+-	mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
++	mkdir -p "${AUTH_KEY_DIR}" &&
+ 	  { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
+ 	  cat >> ${AUTH_KEY_FILE} ||
+ 	  exit 1;
+-- 

openssh.spec

@@ -29,9 +29,6 @@
 # Do we want libedit support
 %global libedit 1
 
-# Do we want LDAP support
-%global ldap 1
-
 # Whether to build pam_ssh_agent_auth
 %if 0%{?!nopam:1}
 %global pam_ssh_agent 1
@@ -52,35 +49,23 @@
 # rpm -ba|--rebuild --define "static_openssl 1"
 %{?static_openssl:%global static_libcrypto 1}
 
-# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
-%global rescue 0
-%{?build_rescue:%global rescue 1}
-%{?build_rescue:%global rescue_rel rescue}
-
-# Turn off some stuff for resuce builds
-%if %{rescue}
-%global kerberos5 0
-%global libedit 0
-%global pam_ssh_agent 0
-%endif
-
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%global openssh_ver 8.3p1
+%global openssh_ver 8.4p1
-%global openssh_rel 3
+%global openssh_rel 4
-%global pam_ssh_agent_ver 0.10.3
+%global pam_ssh_agent_ver 0.10.4
-%global pam_ssh_agent_rel 10
+%global pam_ssh_agent_rel 1
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}%{?rescue_rel}
+Release: %{openssh_rel}%{?dist}
 URL: http://www.openssh.com/portable.html
-#URL1: http://pamsshagentauth.sourceforge.net
+#URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
 Source2: sshd.pam
 Source3: DJM-GPG-KEY.gpg
-Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2
+Source4: https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.gz
 Source5: pam_ssh_agent-rmheaders
 Source6: ssh-keycat.pam
 Source7: sshd.sysconfig
@@ -122,9 +107,6 @@ Patch307: pam_ssh_agent_auth-0.10.2-dereference.patch
 Patch400: openssh-7.8p1-role-mls.patch
 #https://bugzilla.redhat.com/show_bug.cgi?id=781634
 Patch404: openssh-6.6p1-privsep-selinux.patch
-
-#?-- unwanted child :(
-Patch501: openssh-6.7p1-ldap.patch
 #?
 Patch502: openssh-6.6p1-keycat.patch
 
@@ -156,7 +138,7 @@ Patch713: openssh-6.6p1-ctr-cavstest.patch
 # add SSH KDF CAVS test driver
 Patch714: openssh-6.7p1-kdf-cavs.patch
 
-# GSSAPI Key Exchange (RFC 4462 + draft-ietf-curdle-gss-keyex-sha2-08)
+# GSSAPI Key Exchange (RFC 4462 + RFC 8732)
 # from https://github.com/openssh-gsskex/openssh-gsskex/tree/fedora/master
 Patch800: openssh-8.0p1-gssapi-keyex.patch
 #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
@@ -202,8 +184,7 @@ Patch951: openssh-8.0p1-pkcs11-uri.patch
 # Unbreak scp between two IPv6 hosts (#1620333)
 Patch953: openssh-7.8p1-scp-ipv6.patch
 # ssh-copy-id is unmaintained: Aggreagete patches
-#  - do not return 0 if the write fails (full disk)
+# https://gitlab.com/phil_hands/ssh-copy-id/-/merge_requests/2
-#  - shellcheck reports (upstream #2902)
 Patch958: openssh-7.9p1-ssh-copy-id.patch
 # Mention crypto-policies in manual pages (#1668325)
 Patch962: openssh-8.0p1-crypto-policies.patch
@@ -215,8 +196,11 @@ Patch964: openssh-8.0p1-openssl-kdf.patch
 Patch965: openssh-8.2p1-visibility.patch
 # Do not break X11 without IPv6
 Patch966: openssh-8.2p1-x11-without-ipv6.patch
-# Unbreak sshd_config include corner cases (#3122)
+Patch967: openssh-8.4p1-ssh-copy-id.patch
-Patch967: openssh-8.3p1-sshd_include.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3232
+Patch968: openssh-8.4p1-sandbox-seccomp.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
+Patch969: openssh-8.4p1-debian-compat.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -230,9 +214,6 @@ BuildRequires: gnome-libs-devel
 %endif
 %endif
 
-%if %{ldap}
-BuildRequires: openldap-devel
-%endif
 BuildRequires: autoconf, automake, perl-interpreter, perl-generators, zlib-devel
 BuildRequires: audit-libs-devel >= 2.0.5
 BuildRequires: util-linux, groff
@@ -240,10 +221,11 @@ BuildRequires: pam-devel
 BuildRequires: openssl-devel >= 0.9.8j
 BuildRequires: perl-podlators
 BuildRequires: systemd-devel
-BuildRequires: gcc
+BuildRequires: gcc make
 BuildRequires: p11-kit-devel
 BuildRequires: libfido2-devel
 Recommends: p11-kit
+Obsoletes: openssh-ldap < 8.3p1-4
 
 %if %{kerberos5}
 BuildRequires: krb5-devel
@@ -277,12 +259,6 @@ Requires: pam >= 1.0.1-3
 Requires: crypto-policies >= 20200610-1
 %{?systemd_requires}
 
-%if %{ldap}
-%package ldap
-Summary: A LDAP support for open source SSH server daemon
-Requires: openssh = %{version}-%{release}
-%endif
-
 %package keycat
 Summary: A mls keycat backend for openssh
 Requires: openssh = %{version}-%{release}
@@ -298,7 +274,7 @@ Requires: openssh = %{version}-%{release}
 %package -n pam_ssh_agent_auth
 Summary: PAM module for authentication with ssh-agent
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.2
 License: BSD
 
 %description
@@ -326,12 +302,6 @@ into and executing commands on a remote machine. This package contains
 the secure shell daemon (sshd). The sshd daemon allows SSH clients to
 securely connect to your SSH server.
 
-%if %{ldap}
-%description ldap
-OpenSSH LDAP backend is a way how to distribute the authorized tokens
-among the servers in the network.
-%endif
-
 %description keycat
 OpenSSH mls keycat is backend for using the authorized keys in the
 openssh in the mls mode.
@@ -358,7 +328,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %setup -q -a 4
 
 %if %{pam_ssh_agent}
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
+pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 %patch300 -p2 -b .psaa-build
 %patch301 -p2 -b .psaa-seteuid
 %patch302 -p2 -b .psaa-visibility
@@ -373,9 +343,6 @@ popd
 %patch400 -p1 -b .role-mls
 %patch404 -p1 -b .privsep-selinux
 
-%if %{ldap}
-%patch501 -p1 -b .ldap
-%endif
 %patch502 -p1 -b .keycat
 
 %patch601 -p1 -b .ip-opts
@@ -417,7 +384,9 @@ popd
 %patch964 -p1 -b .openssl-kdf
 %patch965 -p1 -b .visibility
 %patch966 -p1 -b .x11-ipv6
-%patch967 -p1 -b .include
+%patch967 -p1 -b .ssh-copy-id
+%patch968 -p1 -b .seccomp
+%patch969 -p0 -b .debian
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@@ -426,7 +395,7 @@ popd
 %patch100 -p1 -b .coverity
 
 autoreconf
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
+pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 autoreconf
 popd
 
@@ -434,9 +403,6 @@ popd
 # the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
 # it is needed for lib(open)ssh build too since it is linked to the pam module too
 CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS
-%if %{rescue}
-CFLAGS="$CFLAGS -Os"
-%endif
 %if %{pie}
 %ifarch s390 s390x sparc sparcv9 sparc64
 CFLAGS="$CFLAGS -fPIC"
@@ -482,14 +448,7 @@ fi
 	--with-systemd \
 	--with-default-pkcs11-provider=yes \
 	--with-security-key-builtin=yes \
-%if %{ldap}
-	--with-ldap \
-%endif
-%if %{rescue}
-	--without-pam \
-%else
 	--with-pam \
-%endif
 %if %{WITH_SELINUX}
 	--with-selinux --with-audit=linux \
 	--with-sandbox=seccomp_filter \
@@ -509,7 +468,7 @@ fi
 perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
 %endif
 
-make
+%make_build
 
 # Define a variable to toggle gnome1/gtk2 building.  This is necessary
 # because RPM doesn't handle nested %%if statements.
@@ -534,13 +493,13 @@ popd
 %endif
 
 %if %{pam_ssh_agent}
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
+pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 LDFLAGS="$SAVE_LDFLAGS"
 %configure --with-selinux \
 	--libexecdir=/%{_libdir}/security \
 	--with-mantype=man \
 	--without-openssl-header-check `# The check is broken`
-make
+%make_build
 popd
 %endif
 
@@ -557,8 +516,7 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
 mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
-make install DESTDIR=$RPM_BUILD_ROOT
+%make_install
-rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf
 
 install -d $RPM_BUILD_ROOT/etc/pam.d/
 install -d $RPM_BUILD_ROOT/etc/sysconfig/
@@ -597,8 +555,8 @@ rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.*
 perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
 
 %if %{pam_ssh_agent}
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
+pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
-make install DESTDIR=$RPM_BUILD_ROOT
+%make_install
 popd
 %endif
 %pre
@@ -612,6 +570,17 @@ getent passwd sshd >/dev/null || \
 
 %post server
 %systemd_post sshd.service sshd.socket
+# Migration scriptlet for Fedora 31 and 32 installations to sshd_config
+# drop-in directory (in F32+).
+# Do this only if the file generated by anaconda exists, contains our config
+# directive and sshd_config contains include directive as shipped in our package
+%global sysconfig_anaconda /etc/sysconfig/sshd-permitrootlogin
+test -f %{sysconfig_anaconda} && \
+  test ! -f /etc/ssh/sshd_config.d/01-permitrootlogin.conf && \
+  grep -q '^PERMITROOTLOGIN="-oPermitRootLogin=yes"' %{sysconfig_anaconda} && \
+  grep -q '^Include /etc/ssh/sshd_config.d/\*.conf' /etc/ssh/sshd_config && \
+  echo "PermitRootLogin yes" >> /etc/ssh/sshd_config.d/25-permitrootlogin.conf && \
+  rm %{sysconfig_anaconda} || :
 
 %preun server
 %systemd_preun sshd.service sshd.socket
@@ -624,13 +593,11 @@ getent passwd sshd >/dev/null || \
 %doc CREDITS ChangeLog OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
-%if ! %{rescue}
 %attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
 %attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
 %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
-%endif
 
 %files clients
 %attr(0755,root,root) %{_bindir}/ssh
@@ -641,7 +608,6 @@ getent passwd sshd >/dev/null || \
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d/
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-redhat.conf
 %attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
-%if ! %{rescue}
 %attr(0755,root,root) %{_bindir}/ssh-agent
 %attr(0755,root,root) %{_bindir}/ssh-add
 %attr(0755,root,root) %{_bindir}/ssh-keyscan
@@ -656,9 +622,7 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
 %attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
 %attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
-%endif
 
-%if ! %{rescue}
 %files server
 %dir %attr(0711,root,root) %{_var}/empty/sshd
 %attr(0755,root,root) %{_sbindir}/sshd
@@ -679,17 +643,6 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
 %attr(0644,root,root) %{_unitdir}/sshd-keygen.target
 %attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
-%endif
-
-%if %{ldap}
-%files ldap
-%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf
-%doc openssh-lpk-openldap.ldif openssh-lpk-sun.ldif
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper
-%attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8*
-%attr(0644,root,root) %{_mandir}/man5/ssh-ldap.conf.5*
-%endif
 
 %files keycat
 %doc HOWTO.ssh-keycat
@@ -710,12 +663,36 @@ getent passwd sshd >/dev/null || \
 
 %if %{pam_ssh_agent}
 %files -n pam_ssh_agent_auth
-%license pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
+%license pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
 %attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
 %attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
 %endif
 
 %changelog
+* Tue Dec 01 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-4 + 0.10.4-1
+- Remove "PasswordAuthentication yes" from vendor configuration as it is
+  already default and it might be hard to override.
+- Fix broken obsoletes for openssh-ldap (#1902084)
+
+* Thu Nov 19 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-3 + 0.10.4-1
+- Unbreak seccomp filter on arm (#1897712)
+- Add a workaround for Debian's broken OpenSSH (#1881301)
+
+* Tue Oct 06 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-2 + 0.10.4-1
+- Unbreak ssh-copy-id after a release (#1884231)
+- Remove misleading comment from sysconfig
+
+* Tue Sep 29 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-1 + 0.10.4-1
+- New upstream release of OpenSSH and pam_ssh_agent_auth (#1882995)
+
+* Fri Aug 21 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-4 + 0.10.3-10
+- Remove openssh-ldap subpackage (#1871025)
+- pkcs11: Do not crash with invalid paths in ssh-agent (#1868996)
+- Clarify documentation about sftp-server -m (#1862504)
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 8.3p1-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
 * Wed Jun 10 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-3 + 0.10.3-10
 - Do not lose PIN when more slots match PKCS#11 URI (#1843372)
 - Update to new crypto-policies version on server (using sshd_config include)

pam_ssh_agent-rmheaders

@@ -9,7 +9,6 @@ buffer.c
 cleanup.c
 cipher.h
 compat.h
-defines.h
 entropy.c
 entropy.h
 fatal.c

pam_ssh_agent_auth-0.10.2-compat.patch

@@ -1,6 +1,6 @@
-diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c
---- openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c.psaa-compat	2019-07-08 18:36:13.000000000 +0200
-+++ openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c	2020-02-07 10:43:05.011757956 +0100
++++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c	2020-09-23 10:52:16.424001475 +0200
 @@ -27,6 +27,7 @@
   * or implied, of Jamie Beverly.
   */
@@ -9,7 +9,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss
  #include <stdio.h>
  #include <errno.h>
  #include <string.h>
-@@ -65,8 +66,8 @@ proc_pid_cmdline(char *** inargv)
+@@ -66,8 +67,8 @@ proc_pid_cmdline(char *** inargv)
                  case EOF:
                  case '\0':
                      if (len > 0) { 
@@ -20,7 +20,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss
                          strncpy(argv[count++], argbuf, len);
                          memset(argbuf, '\0', MAX_LEN_PER_CMDLINE_ARG + 1);
                          len = 0;
-@@ -105,9 +106,9 @@ pamsshagentauth_free_command_line(char *
+@@ -106,9 +107,9 @@ pamsshagentauth_free_command_line(char *
  {
      size_t i;
      for (i = 0; i < n_args; i++)
@@ -32,9 +32,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss
      return;
  }
  
-diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/identity.h
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h
---- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h.psaa-compat	2019-07-08 18:36:13.000000000 +0200
-+++ openssh/pam_ssh_agent_auth-0.10.3/identity.h	2020-02-07 10:43:05.011757956 +0100
++++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h	2020-09-23 10:52:16.424001475 +0200
 @@ -30,8 +30,8 @@
  #include "openbsd-compat/sys-queue.h"
  #include "xmalloc.h"
@@ -55,9 +55,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ss
      char    *filename;      /* comment for agent-only keys */
      int tried;
      int isprivate;      /* key points to the private key */
-diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c
---- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat	2020-02-07 10:43:05.009757925 +0100
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c.psaa-compat	2020-09-23 10:52:16.421001434 +0200
-+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c	2020-02-07 10:43:05.012757972 +0100
++++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c	2020-09-23 10:52:16.424001475 +0200
 @@ -36,8 +36,8 @@
  #include "openbsd-compat/sys-queue.h"
  #include "xmalloc.h"
@@ -285,10 +285,10 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
      EVP_cleanup();
      return retval;
  }
-diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c
---- openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat	2020-02-07 10:43:05.010757940 +0100
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c.psaa-compat	2020-09-23 10:52:16.423001461 +0200
-+++ openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c	2020-02-07 10:43:05.012757972 +0100
++++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c	2020-09-23 10:53:10.631727657 +0200
-@@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
+@@ -106,7 +106,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
   * a patch 8-)
   */
  #if ! HAVE___PROGNAME || HAVE_BUNDLE
@@ -297,7 +297,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
  #endif
  
      for(i = argc, argv_ptr = (char **) argv; i > 0; ++argv_ptr, i--) {
-@@ -130,11 +130,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
+@@ -132,11 +132,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
  #endif
      }
  
@@ -311,7 +311,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
  
      if(ruser_ptr) {
          strncpy(ruser, ruser_ptr, sizeof(ruser) - 1);
-@@ -149,12 +149,12 @@ pam_sm_authenticate(pam_handle_t * pamh,
+@@ -151,12 +151,12 @@ pam_sm_authenticate(pam_handle_t * pamh,
  #ifdef ENABLE_SUDO_HACK
          if( (strlen(sudo_service_name) > 0) && strncasecmp(servicename, sudo_service_name, sizeof(sudo_service_name) - 1) == 0 && getenv("SUDO_USER") ) {
              strncpy(ruser, getenv("SUDO_USER"), sizeof(ruser) - 1 );
@@ -326,7 +326,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
                  goto cleanexit;
              }
              strncpy(ruser, getpwuid(getuid())->pw_name, sizeof(ruser) - 1);
-@@ -163,11 +163,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
+@@ -165,11 +165,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
  
      /* Might as well explicitely confirm the user exists here */
      if(! getpwnam(ruser) ) {
@@ -340,7 +340,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
          goto cleanexit;
      }
  
-@@ -177,8 +177,8 @@ pam_sm_authenticate(pam_handle_t * pamh,
+@@ -179,8 +179,8 @@ pam_sm_authenticate(pam_handle_t * pamh,
           */
          parse_authorized_key_file(user, authorized_keys_file_input);
      } else {
@@ -351,7 +351,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
      }
  
      /*
-@@ -187,19 +187,19 @@ pam_sm_authenticate(pam_handle_t * pamh,
+@@ -189,7 +189,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
       */
  
      if(user && strlen(ruser) > 0) {
@@ -359,11 +359,26 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
 +        verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
  
          /*
+          * Attempt to read data from the sshd if we're being called as an auth agent.
+@@ -197,10 +197,10 @@ pam_sm_authenticate(pam_handle_t * pamh,
+         const char* ssh_user_auth = pam_getenv(pamh, "SSH_AUTH_INFO_0");
+         int sshd_service = strncasecmp(servicename, sshd_service_name, sizeof(sshd_service_name) - 1);
+         if (sshd_service == 0 && ssh_user_auth != NULL) {
+-            pamsshagentauth_verbose("Got SSH_AUTH_INFO_0: `%.20s...'", ssh_user_auth);
++            verbose("Got SSH_AUTH_INFO_0: `%.20s...'", ssh_user_auth);
+             if (userauth_pubkey_from_pam(ruser, ssh_user_auth) > 0) {
+                 retval = PAM_SUCCESS;
+-                pamsshagentauth_logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
++                logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
+                 goto cleanexit;
+             }
+         }
+@@ -208,13 +208,13 @@ pam_sm_authenticate(pam_handle_t * pamh,
           * this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user
           */
          if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */
--            pamsshagentauth_logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
+-            pamsshagentauth_logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
-+            logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
++            logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
              retval = PAM_SUCCESS;
          } else {
 -            pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
@@ -375,9 +390,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
      }
  
  cleanexit:
-diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c
---- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c.psaa-compat	2019-07-08 18:36:13.000000000 +0200
-+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c	2020-02-07 10:43:05.012757972 +0100
++++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c	2020-09-23 10:52:16.424001475 +0200
 @@ -66,8 +66,8 @@
  #include "xmalloc.h"
  #include "match.h"
@@ -442,9 +457,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compa
  {
      return
          pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
-diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h
---- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h.psaa-compat	2019-07-08 18:36:13.000000000 +0200
-+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h	2020-02-07 10:43:05.012757972 +0100
++++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h	2020-09-23 10:52:16.424001475 +0200
 @@ -32,7 +32,7 @@
  #define _PAM_USER_KEY_ALLOWED_H
  
@@ -454,9 +469,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compa
  void parse_authorized_key_file(const char *, const char *);
  
  #endif
-diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c
---- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c.psaa-compat	2019-07-08 18:36:13.000000000 +0200
-+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c	2020-02-07 10:43:05.012757972 +0100
++++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c	2020-09-23 10:52:16.424001475 +0200
 @@ -45,44 +45,46 @@
  #include "xmalloc.h"
  #include "ssh.h"
@@ -731,9 +746,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat o
 +    restore_uid();
      return found_key;
  }
-diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h
---- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h.psaa-compat	2019-07-08 18:36:13.000000000 +0200
-+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h	2020-02-07 10:43:05.012757972 +0100
++++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h	2020-09-23 10:52:16.424001475 +0200
 @@ -32,7 +32,7 @@
  #define _PAM_USER_KEY_ALLOWED_H
  
@@ -744,9 +759,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat o
 +int pamsshagentauth_user_key_command_allowed2(char *, char *, struct passwd *, struct sshkey *);
  
  #endif
-diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c
---- openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c.psaa-compat	2019-07-08 18:36:13.000000000 +0200
-+++ openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c	2020-02-07 10:43:05.012757972 +0100
++++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c	2020-09-23 10:52:16.424001475 +0200
 @@ -53,8 +53,8 @@
  #include "xmalloc.h"
  #include "match.h"
@@ -788,9 +803,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh
  			    buf);
  			break;
  		}
-diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c
---- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.psaa-compat	2019-07-08 18:36:13.000000000 +0200
-+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c	2020-02-07 10:43:23.520048960 +0100
++++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c	2020-09-23 10:52:16.424001475 +0200
 @@ -37,10 +37,11 @@
  #include "xmalloc.h"
  #include "ssh.h"
@@ -887,9 +902,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat
      CRYPTO_cleanup_all_ex_data();
      return authenticated;
  }
-diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h
---- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat	2016-11-13 04:24:32.000000000 +0100
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h.psaa-compat	2019-07-08 18:36:13.000000000 +0200
-+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h	2020-02-07 10:43:05.013757988 +0100
++++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h	2020-09-23 10:52:16.424001475 +0200
 @@ -31,7 +31,7 @@
  #ifndef _USERAUTH_PUBKEY_FROM_ID_H
  #define _USERAUTH_PUBKEY_FROM_ID_H
@@ -900,9 +915,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat
 +int userauth_pubkey_from_id(const char *, Identity *, struct sshbuf *);
  
  #endif
-diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/uuencode.c
+diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c
---- openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat	2016-11-13 04:24:32.000000000 +0100
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c.psaa-compat	2019-07-08 18:36:13.000000000 +0200
-+++ openssh/pam_ssh_agent_auth-0.10.3/uuencode.c	2020-02-07 10:43:05.013757988 +0100
++++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c	2020-09-23 10:52:16.424001475 +0200
 @@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src
  	/* and remove trailing whitespace because __b64_pton needs this */
  	*p = '\0';
@@ -928,3 +943,50 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ss
 -	pamsshagentauth_xfree(buf);
 +	free(buf);
  }
+--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_pam.c.compat	2020-09-23 11:32:30.783695267 +0200
++++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_pam.c	2020-09-23 11:33:21.383389036 +0200
+@@ -33,7 +33,8 @@
+ #include <string.h>
+ 
+ #include "defines.h"
+-#include "key.h"
++#include <includes.h>
++#include "sshkey.h"
+ #include "log.h"
+ 
+ #include "pam_user_authorized_keys.h"
+@@ -42,28 +42,28 @@
+     int authenticated = 0;
+     const char method[] = "publickey ";
+ 
+-    char* ai = pamsshagentauth_xstrdup(ssh_auth_info);
++    char* ai = xstrdup(ssh_auth_info);
+     char* saveptr;
+ 
+     char* auth_line = strtok_r(ai, "\n", &saveptr);
+     while (auth_line != NULL) {
+         if (strncmp(auth_line, method, sizeof(method) - 1) == 0) {
+             char* key_str = auth_line + sizeof(method) - 1;
+-            Key* key = pamsshagentauth_key_new(KEY_UNSPEC);
++            struct sshkey* key = sshkey_new(KEY_UNSPEC);
+             if (key == NULL) {
+                 continue;
+             }
+-            int r = pamsshagentauth_key_read(key, &key_str);
++            int r = sshkey_read(key, &key_str);
+             if (r == 1) {
+                 if (pam_user_key_allowed(ruser, key)) {
+                     authenticated = 1;
+-                    pamsshagentauth_key_free(key);
++                    sshkey_free(key);
+                     break;
+                 }
+             } else {
+-                pamsshagentauth_verbose("Failed to create key for %s: %d", auth_line, r);
++                verbose("Failed to create key for %s: %d", auth_line, r);
+             }
+-            pamsshagentauth_key_free(key);
++            sshkey_free(key);
+         }
+         auth_line = strtok_r(NULL, "\n", &saveptr);
+     }

pam_ssh_agent_auth-0.9.3-build.patch

@@ -174,8 +174,8 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-
  
  ED25519OBJS=ed25519-donna/ed25519.o
  
--PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o
+-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o userauth_pubkey_from_pam.o
-+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o secure_filename.o
++PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o userauth_pubkey_from_pam.o secure_filename.o
  
  
  MANPAGES_IN	= pam_ssh_agent_auth.pod

sources

@@ -1,4 +1,4 @@
-SHA512 (openssh-8.3p1.tar.gz) = b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
+SHA512 (openssh-8.4p1.tar.gz) = d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
-SHA512 (openssh-8.3p1.tar.gz.asc) = 569fa12b3671af15bd7cd54fc7b13d1d64f3e96eb28f6dc430082f7bec4595689c633d3d56c23faad45b73e4da666c3ec090de26bf54f49410ba9bb8b5363e75
+SHA512 (openssh-8.4p1.tar.gz.asc) = 3d9a026db27729a5a56785db3824230ccf2a3beca4bb48ef465e44d869b944dbc5d443152a1b1be21bc9c213c465d3d7ca1f876a387d0a6b9682a0cfec3e6e32
+SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
 SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
-SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66

sshd.service

@@ -6,9 +6,8 @@ Wants=sshd-keygen.target
 
 [Service]
 Type=notify
-EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
 EnvironmentFile=-/etc/sysconfig/sshd
-ExecStart=/usr/sbin/sshd -D $OPTIONS $PERMITROOTLOGIN
+ExecStart=/usr/sbin/sshd -D $OPTIONS
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure

sshd.sysconfig

@@ -5,7 +5,3 @@
 # example using  systemctl enable sshd-keygen@dsa.service  to allow creation
 # of DSA key or  systemctl mask sshd-keygen@rsa.service  to disable RSA key
 # creation.
-
-# System-wide crypto policy:
-# To opt-out, uncomment the following line
-# CRYPTO_POLICY=

sshd@.service

@@ -5,7 +5,6 @@ Wants=sshd-keygen.target
 After=sshd-keygen.target
 
 [Service]
-EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
 EnvironmentFile=-/etc/sysconfig/sshd
-ExecStart=-/usr/sbin/sshd -i $OPTIONS $PERMITROOTLOGIN
+ExecStart=-/usr/sbin/sshd -i $OPTIONS
 StandardInput=socket