dist-git conversion

#2781)

.cvsignore

@@ -1 +0,0 @@
-openssh-5.2p1-noacss.tar.bz2

.gitignore

@@ -0,0 +1,2 @@
+openssh-5.3p1-noacss.tar.bz2
+pam_ssh_agent_auth-0.9.tar.bz2

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: openssh
-# $Id: Makefile,v 1.1 2004/09/09 09:34:58 cvsdist Exp $
-NAME := openssh
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

openssh-3.8.1p1-krb5-config.patch

@@ -1,16 +0,0 @@
-Search the path for krb5-config if the prefix wasn't specified.
---- openssh-3.8p1/configure.ac	2004-02-26 21:17:12.000000000 -0500
-+++ openssh-3.8p1/configure.ac	2004-02-26 21:17:06.000000000 -0500
-@@ -2077,8 +2077,10 @@
- 		KRB5_MSG="yes"
- 
- 		AC_MSG_CHECKING(for krb5-config)
--		if test -x  $KRB5ROOT/bin/krb5-config ; then
--			KRB5CONF=$KRB5ROOT/bin/krb5-config
-+		AC_PATH_PROG([KRB5CONF],[krb5-config],
-+			     [$KRB5ROOT/bin/krb5-config],
-+			     [$KRB5ROOT/bin:$PATH])
-+		if test -x $KRB5CONF ; then
- 			AC_MSG_RESULT($KRB5CONF)
- 
- 			AC_MSG_CHECKING(for gssapi support)

openssh-4.3p2-gssapi-canohost.patch

@@ -1,22 +1,20 @@
-Symptom: intermittent errors on GSSAPI authentication vs 
-machines on DNS loadbalancer, stupid client message "Generic Error",
-server-side debug complains about unknown principal.
-
-Comes from the fact that we resolve the generic DNS name once for
-the connection, then again for getting the GSSAPI/Kerberos service
-ticket. So the service ticket may be for a different host, if
-the DNS alias switches in between the two resolves.
---- openssh-4.3p2/sshconnect2.c.gss-canohost	2006-11-28 21:58:03.000000000 +0100
-+++ openssh-4.3p2/sshconnect2.c	2006-11-30 11:33:14.000000000 +0100
-@@ -485,6 +485,7 @@
+diff -up openssh-5.3p1/sshconnect2.c.canohost openssh-5.3p1/sshconnect2.c
+--- openssh-5.3p1/sshconnect2.c.canohost	2009-03-05 14:58:22.000000000 +0100
++++ openssh-5.3p1/sshconnect2.c	2009-11-02 11:55:00.000000000 +0100
+@@ -542,6 +542,12 @@ userauth_gssapi(Authctxt *authctxt)
  	static u_int mech = 0;
  	OM_uint32 min;
  	int ok = 0;
-+	const char* remotehost = get_canonical_hostname(1);
++	char* remotehost = NULL;
++	const char* canonicalhost = get_canonical_hostname(1);
++	if ( strcmp( canonicalhost, "UNKNOWN" )  == 0 )
++		remotehost = authctxt->host;
++	else
++		remotehost = canonicalhost;
  
  	/* Try one GSSAPI method at a time, rather than sending them all at
  	 * once. */
-@@ -497,7 +498,7 @@
+@@ -554,7 +560,7 @@ userauth_gssapi(Authctxt *authctxt)
  		/* My DER encoding requires length<128 */
  		if (gss_supported->elements[mech].length < 128 &&
  		    ssh_gssapi_check_mechanism(&gssctxt, 

openssh-4.7p1-audit.patch

@@ -1,267 +0,0 @@
-diff -up openssh-5.2p1/auth.c.audit openssh-5.2p1/auth.c
---- openssh-5.2p1/auth.c.audit	2008-11-05 06:12:54.000000000 +0100
-+++ openssh-5.2p1/auth.c	2009-08-09 09:22:23.634850536 +0200
-@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
- 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
- # endif
- #endif
-+#if HAVE_LINUX_AUDIT
-+	if (authenticated == 0 && !authctxt->postponed) {
-+		linux_audit_record_event(-1, authctxt->user, NULL,
-+			get_remote_ipaddr(), "sshd", 0);
-+	}
-+#endif
- #ifdef SSH_AUDIT_EVENTS
- 	if (authenticated == 0 && !authctxt->postponed)
- 		audit_event(audit_classify_auth(method));
-@@ -533,6 +539,10 @@ getpwnamallow(const char *user)
- 		record_failed_login(user,
- 		    get_canonical_hostname(options.use_dns), "ssh");
- #endif
-+#ifdef HAVE_LINUX_AUDIT
-+		linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
-+			"sshd", 0);
-+#endif
- #ifdef SSH_AUDIT_EVENTS
- 		audit_event(SSH_INVALID_USER);
- #endif /* SSH_AUDIT_EVENTS */
-diff -up openssh-5.2p1/config.h.in.audit openssh-5.2p1/config.h.in
---- openssh-5.2p1/config.h.in.audit	2009-02-23 01:18:12.000000000 +0100
-+++ openssh-5.2p1/config.h.in	2009-08-09 09:22:28.825939998 +0200
-@@ -1,5 +1,8 @@
- /* config.h.in.  Generated from configure.ac by autoheader.  */
- 
-+/* Define if building universal (internal helper macro) */
-+#undef AC_APPLE_UNIVERSAL_BUILD
-+
- /* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
-    */
- #undef AIX_GETNAMEINFO_HACK
-@@ -521,6 +524,9 @@
- /* Define to 1 if you have the <lastlog.h> header file. */
- #undef HAVE_LASTLOG_H
- 
-+/* Define to 1 if you have the <libaudit.h> header file. */
-+#undef HAVE_LIBAUDIT_H
-+
- /* Define to 1 if you have the `bsm' library (-lbsm). */
- #undef HAVE_LIBBSM
- 
-@@ -560,6 +566,9 @@
- /* Define to 1 if you have the <limits.h> header file. */
- #undef HAVE_LIMITS_H
- 
-+/* Define if you want Linux audit support. */
-+#undef HAVE_LINUX_AUDIT
-+
- /* Define to 1 if you have the <linux/if_tun.h> header file. */
- #undef HAVE_LINUX_IF_TUN_H
- 
-@@ -756,6 +765,9 @@
- /* Define to 1 if you have the `setgroups' function. */
- #undef HAVE_SETGROUPS
- 
-+/* Define to 1 if you have the `setkeycreatecon' function. */
-+#undef HAVE_SETKEYCREATECON
-+
- /* Define to 1 if you have the `setlogin' function. */
- #undef HAVE_SETLOGIN
- 
-@@ -1330,6 +1342,10 @@
- /* Prepend the address family to IP tunnel traffic */
- #undef SSH_TUN_PREPEND_AF
- 
-+/* Define to your vendor patch level, if it has been modified from the
-+   upstream source release. */
-+#undef SSH_VENDOR_PATCHLEVEL
-+
- /* Define to 1 if you have the ANSI C header files. */
- #undef STDC_HEADERS
- 
-@@ -1397,9 +1413,17 @@
- /* Define if you want SELinux support. */
- #undef WITH_SELINUX
- 
--/* Define to 1 if your processor stores words with the most significant byte
--   first (like Motorola and SPARC, unlike Intel and VAX). */
--#undef WORDS_BIGENDIAN
-+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
-+   significant byte first (like Motorola and SPARC, unlike Intel). */
-+#if defined AC_APPLE_UNIVERSAL_BUILD
-+# if defined __BIG_ENDIAN__
-+#  define WORDS_BIGENDIAN 1
-+# endif
-+#else
-+# ifndef WORDS_BIGENDIAN
-+#  undef WORDS_BIGENDIAN
-+# endif
-+#endif
- 
- /* Define if xauth is found in your path */
- #undef XAUTH_PATH
-diff -up openssh-5.2p1/configure.ac.audit openssh-5.2p1/configure.ac
---- openssh-5.2p1/configure.ac.audit	2009-08-09 09:22:23.608877833 +0200
-+++ openssh-5.2p1/configure.ac	2009-08-09 09:22:23.646244409 +0200
-@@ -3342,6 +3342,18 @@ AC_ARG_WITH(selinux,
- 	fi ]
- )
- 
-+# Check whether user wants Linux audit support
-+LINUX_AUDIT_MSG="no"
-+AC_ARG_WITH(linux-audit,
-+	[  --with-linux-audit   Enable Linux audit support],
-+	[ if test "x$withval" != "xno" ; then
-+		AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
-+		LINUX_AUDIT_MSG="yes"
-+		AC_CHECK_HEADERS(libaudit.h)
-+		SSHDLIBS="$SSHDLIBS -laudit"
-+	fi ]
-+)
-+
- # Check whether user wants Kerberos 5 support
- KRB5_MSG="no"
- AC_ARG_WITH(kerberos5,
-@@ -4170,6 +4182,7 @@ echo "                       PAM support
- echo "                   OSF SIA support: $SIA_MSG"
- echo "                 KerberosV support: $KRB5_MSG"
- echo "                   SELinux support: $SELINUX_MSG"
-+echo "               Linux audit support: $LINUX_AUDIT_MSG"
- echo "                 Smartcard support: $SCARD_MSG"
- echo "                     S/KEY support: $SKEY_MSG"
- echo "              TCP Wrappers support: $TCPW_MSG"
-diff -up openssh-5.2p1/loginrec.c.audit openssh-5.2p1/loginrec.c
---- openssh-5.2p1/loginrec.c.audit	2009-02-12 03:12:22.000000000 +0100
-+++ openssh-5.2p1/loginrec.c	2009-08-09 09:22:23.667199702 +0200
-@@ -176,6 +176,10 @@
- #include "auth.h"
- #include "buffer.h"
- 
-+#ifdef HAVE_LINUX_AUDIT
-+# include <libaudit.h>
-+#endif
-+
- #ifdef HAVE_UTIL_H
- # include <util.h>
- #endif
-@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
- int utmpx_write_entry(struct logininfo *li);
- int wtmp_write_entry(struct logininfo *li);
- int wtmpx_write_entry(struct logininfo *li);
-+#ifdef HAVE_LINUX_AUDIT
-+int linux_audit_write_entry(struct logininfo *li);
-+#endif
- int lastlog_write_entry(struct logininfo *li);
- int syslogin_write_entry(struct logininfo *li);
- 
-@@ -440,6 +447,10 @@ login_write(struct logininfo *li)
- 
- 	/* set the timestamp */
- 	login_set_current_time(li);
-+#ifdef HAVE_LINUX_AUDIT
-+	if (linux_audit_write_entry(li) == 0)
-+		fatal("linux_audit_write_entry failed: %s", strerror(errno));
-+#endif
- #ifdef USE_LOGIN
- 	syslogin_write_entry(li);
- #endif
-@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
- }
- #endif /* USE_WTMPX */
- 
-+#ifdef HAVE_LINUX_AUDIT
-+static void
-+_audit_hexscape(const char *what, char *where, unsigned int size)
-+{
-+	const char *ptr = what;
-+	const char *hex = "0123456789ABCDEF";
-+
-+	while (*ptr) {
-+		if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
-+			unsigned int i;
-+			ptr = what;
-+			for (i = 0; *ptr && i+2 < size; i += 2) {
-+				where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
-+				where[i+1] = hex[(unsigned)*ptr & 0x0F];   /* Lower nibble */
-+				ptr++;
-+			}
-+			where[i] = '\0';
-+			return;
-+		}
-+		ptr++;
-+	}
-+	where[0] = '"';
-+	if ((unsigned)(ptr - what) < size - 3)
-+	{
-+		size = ptr - what + 3;
-+	}
-+	strncpy(where + 1, what, size - 3);
-+	where[size-2] = '"';
-+	where[size-1] = '\0';
-+}
-+
-+#define AUDIT_LOG_SIZE 128
-+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
-+
-+int
-+linux_audit_record_event(int uid, const char *username,
-+	const char *hostname, const char *ip, const char *ttyn, int success)
-+{
-+	char buf[AUDIT_LOG_SIZE];
-+	int audit_fd, rc;
-+
-+	audit_fd = audit_open();
-+	if (audit_fd < 0) {
-+	 	if (errno == EINVAL || errno == EPROTONOSUPPORT ||
-+					errno == EAFNOSUPPORT)
-+			return 1; /* No audit support in kernel */
-+		else
-+			return 0; /* Must prevent login */
-+	}
-+	if (username == NULL)
-+		snprintf(buf, sizeof(buf), "uid=%d", uid);
-+	else {
-+		char encoded[AUDIT_ACCT_SIZE];
-+		_audit_hexscape(username, encoded, sizeof(encoded));
-+		snprintf(buf, sizeof(buf), "acct=%s", encoded);
-+	}
-+	rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
-+		buf, hostname, ip, ttyn, success);
-+	close(audit_fd);
-+	if (rc >= 0)
-+		return 1;
-+	else
-+		return 0;
-+}
-+
-+int
-+linux_audit_write_entry(struct logininfo *li)
-+{
-+	switch(li->type) {
-+	case LTYPE_LOGIN:
-+		return (linux_audit_record_event(li->uid, NULL, li->hostname,
-+			NULL, li->line, 1));
-+	case LTYPE_LOGOUT:
-+		return (1);	/* We only care about logins */
-+	default:
-+		logit("%s: invalid type field", __func__);
-+		return (0);
-+	}
-+}
-+#endif /* HAVE_LINUX_AUDIT */
-+
- /**
-  ** Low-level libutil login() functions
-  **/
-diff -up openssh-5.2p1/loginrec.h.audit openssh-5.2p1/loginrec.h
---- openssh-5.2p1/loginrec.h.audit	2006-08-05 04:39:40.000000000 +0200
-+++ openssh-5.2p1/loginrec.h	2009-08-09 09:22:23.641175349 +0200
-@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
- char *line_abbrevname(char *dst, const char *src, int dstsize);
- 
- void record_failed_login(const char *, const char *, const char *);
-+#ifdef HAVE_LINUX_AUDIT
-+int linux_audit_record_event(int uid, const char *username,
-+	const char *hostname, const char *ip, const char *ttyn, int success);
-+#endif /* HAVE_LINUX_AUDIT */
- 
- #endif /* _HAVE_LOGINREC_H_ */

openssh-5.1p1-cloexec.patch

@@ -1,6 +1,6 @@
-diff -up openssh-5.1p1/channels.c.cloexec openssh-5.1p1/channels.c
---- openssh-5.1p1/channels.c.cloexec	2008-12-11 22:24:49.000000000 +0100
-+++ openssh-5.1p1/channels.c	2008-12-11 22:29:52.000000000 +0100
+diff -up openssh-5.3p1/channels.c.cloexec openssh-5.3p1/channels.c
+--- openssh-5.3p1/channels.c.cloexec	2010-01-25 17:25:58.000000000 +0100
++++ openssh-5.3p1/channels.c	2010-01-25 17:26:01.000000000 +0100
 @@ -60,6 +60,7 @@
  #include <termios.h>
  #include <unistd.h>
@@ -28,10 +28,10 @@ diff -up openssh-5.1p1/channels.c.cloexec openssh-5.1p1/channels.c
  	c->rfd = rfd;
  	c->wfd = wfd;
  	c->sock = (rfd == wfd) ? rfd : -1;
-diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c
---- openssh-5.1p1/sshconnect2.c.cloexec	2008-12-11 22:24:49.000000000 +0100
-+++ openssh-5.1p1/sshconnect2.c	2008-12-11 22:24:49.000000000 +0100
-@@ -38,6 +38,7 @@
+diff -up openssh-5.3p1/sshconnect2.c.cloexec openssh-5.3p1/sshconnect2.c
+--- openssh-5.3p1/sshconnect2.c.cloexec	2010-01-25 17:25:58.000000000 +0100
++++ openssh-5.3p1/sshconnect2.c	2010-01-25 17:26:01.000000000 +0100
+@@ -39,6 +39,7 @@
  #include <stdio.h>
  #include <string.h>
  #include <unistd.h>
@@ -39,7 +39,7 @@ diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c
  #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
  #include <vis.h>
  #endif
-@@ -1267,6 +1268,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i
+@@ -1512,6 +1513,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i
  		return -1;
  	}
  	if (pid == 0) {
@@ -47,9 +47,9 @@ diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c
  		permanently_drop_suid(getuid());
  		close(from[0]);
  		if (dup2(from[1], STDOUT_FILENO) < 0)
-diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c
---- openssh-5.1p1/sshconnect.c.cloexec	2008-07-02 14:34:30.000000000 +0200
-+++ openssh-5.1p1/sshconnect.c	2008-12-11 22:24:49.000000000 +0100
+diff -up openssh-5.3p1/sshconnect.c.cloexec openssh-5.3p1/sshconnect.c
+--- openssh-5.3p1/sshconnect.c.cloexec	2009-06-21 10:53:53.000000000 +0200
++++ openssh-5.3p1/sshconnect.c	2010-01-25 17:26:01.000000000 +0100
 @@ -38,6 +38,7 @@
  #include <stdlib.h>
  #include <string.h>
@@ -58,7 +58,7 @@ diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c
  
  #include "xmalloc.h"
  #include "key.h"
-@@ -194,8 +195,11 @@ ssh_create_socket(int privileged, struct
+@@ -191,8 +192,11 @@ ssh_create_socket(int privileged, struct
  		return sock;
  	}
  	sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
@@ -71,3 +71,17 @@ diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c
  
  	/* Bind the socket to an alternative local IP address */
  	if (options.bind_address == NULL)
+diff -up openssh-5.3p1/sshd.c.cloexec openssh-5.3p1/sshd.c
+--- openssh-5.3p1/sshd.c.cloexec	2010-01-25 17:25:55.000000000 +0100
++++ openssh-5.3p1/sshd.c	2010-01-25 18:29:23.000000000 +0100
+@@ -1756,6 +1756,10 @@ main(int ac, char **av)
+ 		    sock_in, sock_out, newsock, startup_pipe, config_s[0]);
+ 	}
+ 
++	/* set fd cloexec on io/sockets to avoid to forward them to childern */
++	fcntl(sock_out, F_SETFD, FD_CLOEXEC);
++	fcntl(sock_in, F_SETFD, FD_CLOEXEC);
++
+ 	/*
+ 	 * Disable the key regeneration alarm.  We will not regenerate the
+ 	 * key since we are no longer in a position to give it to anyone. We

openssh-5.1p1-skip-initial.patch

@@ -1,28 +0,0 @@
-Skip the initial empty-password check if permit_empty_passwd is disabled.  This
-doesn't change the timing profiles of the host because the additional condition
-check which can short-circuit the call to pam_authenticate() has no dependency
-on the identity of the user who is being authenticated.
-diff -up openssh-5.1p1/auth1.c.skip-initial openssh-5.1p1/auth1.c
---- openssh-5.1p1/auth1.c.skip-initial	2008-07-09 12:54:05.000000000 +0200
-+++ openssh-5.1p1/auth1.c	2008-07-23 18:26:01.000000000 +0200
-@@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt)
- 	    authctxt->valid ? "" : "invalid user ", authctxt->user);
- 
- 	/* If the user has no password, accept authentication immediately. */
--	if (options.password_authentication &&
-+	if (options.permit_empty_passwd && options.password_authentication &&
- #ifdef KRB5
- 	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
- #endif
-diff -up openssh-5.1p1/auth2-none.c.skip-initial openssh-5.1p1/auth2-none.c
---- openssh-5.1p1/auth2-none.c.skip-initial	2008-07-02 14:56:09.000000000 +0200
-+++ openssh-5.1p1/auth2-none.c	2008-07-23 18:26:01.000000000 +0200
-@@ -65,7 +65,7 @@ userauth_none(Authctxt *authctxt)
- 	if (check_nt_auth(1, authctxt->pw) == 0)
- 		return (0);
- #endif
--	if (options.password_authentication)
-+	if (options.permit_empty_passwd && options.password_authentication)
- 		return (PRIVSEP(auth_password(authctxt, "")));
- 	return (0);
- }

openssh-5.2p1-engine.patch

@@ -0,0 +1,9 @@
+--- openssh-5.2p1/openbsd-compat/openssl-compat.c~	2010-01-27 17:36:29.000000000 -0500
++++ openssh-5.2p1/openbsd-compat/openssl-compat.c	2010-01-28 10:52:53.000000000 -0500
+@@ -58,5 +58,6 @@
+ 	/* Enable use of crypto hardware */
+ 	ENGINE_load_builtin_engines();
+ 	ENGINE_register_all_complete();
++	OPENSSL_config(NULL);
+ }
+ #endif

openssh-5.2p1-pathmax.patch

@@ -1,47 +0,0 @@
-diff -up openssh-5.2p1/ssh.c.pathmax openssh-5.2p1/ssh.c
---- openssh-5.2p1/ssh.c.pathmax	2009-07-08 14:23:19.000000000 +0200
-+++ openssh-5.2p1/ssh.c	2009-07-08 14:26:26.000000000 +0200
-@@ -49,6 +49,7 @@
- #include <sys/resource.h>
- #include <sys/ioctl.h>
- #include <sys/socket.h>
-+#include <sys/param.h>
- 
- #include <ctype.h>
- #include <errno.h>
-@@ -208,8 +209,8 @@ void muxserver_listen(void);
- int
- main(int ac, char **av)
- {
--	int i, opt, exit_status, use_syslog;
--	char *p, *cp, *line, buf[256];
-+	int i, r, opt, exit_status, use_syslog;
-+	char *p, *cp, *line, buf[MAXPATHLEN];
- 	struct stat st;
- 	struct passwd *pw;
- 	int dummy, timeout_ms;
-@@ -624,9 +625,10 @@ main(int ac, char **av)
- 			fatal("Can't open user config file %.100s: "
- 			    "%.100s", config, strerror(errno));
- 	} else {
--		snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir,
-+		r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
- 		    _PATH_SSH_USER_CONFFILE);
--		(void)read_config_file(buf, host, &options, 1);
-+		if (r > 0 && (size_t)r < sizeof(buf))
-+			(void)read_config_file(buf, host, &options, 1);
- 
- 		/* Read systemwide configuration file after use config. */
- 		(void)read_config_file(_PATH_HOST_CONFIG_FILE, host,
-@@ -787,9 +789,9 @@ main(int ac, char **av)
- 	 * Now that we are back to our own permissions, create ~/.ssh
- 	 * directory if it doesn't already exist.
- 	 */
--	snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir,
-+	r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
- 	    strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
--	if (stat(buf, &st) < 0)
-+	if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0)
- 		if (mkdir(buf, 0700) < 0)
- 			error("Could not create directory '%.200s'.", buf);
- 

openssh-5.3p1-audit.patch

@@ -0,0 +1,153 @@
+diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c
+--- openssh-5.3p1/auth.c.audit	2008-11-05 06:12:54.000000000 +0100
++++ openssh-5.3p1/auth.c	2009-12-21 08:50:12.000000000 +0100
+@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
+ 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
+ # endif
+ #endif
++#if HAVE_LINUX_AUDIT
++        if (authenticated == 0 && !authctxt->postponed) {
++                linux_audit_record_event(-1, authctxt->user, NULL,
++                        get_remote_ipaddr(), "sshd", 0);
++        }
++#endif
+ #ifdef SSH_AUDIT_EVENTS
+ 	if (authenticated == 0 && !authctxt->postponed)
+ 		audit_event(audit_classify_auth(method));
+@@ -533,6 +539,10 @@ getpwnamallow(const char *user)
+ 		record_failed_login(user,
+ 		    get_canonical_hostname(options.use_dns), "ssh");
+ #endif
++#ifdef HAVE_LINUX_AUDIT
++                linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
++                        "sshd", 0);
++#endif
+ #ifdef SSH_AUDIT_EVENTS
+ 		audit_event(SSH_INVALID_USER);
+ #endif /* SSH_AUDIT_EVENTS */
+diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac
+--- openssh-5.3p1/configure.ac.audit	2009-12-21 08:48:59.000000000 +0100
++++ openssh-5.3p1/configure.ac	2009-12-21 08:51:47.000000000 +0100
+@@ -3409,6 +3409,18 @@ AC_ARG_WITH(selinux,
+ 	fi ]
+ )
+ 
++# Check whether user wants Linux audit support
++LINUX_AUDIT_MSG="no"
++AC_ARG_WITH(linux-audit,
++        [  --with-linux-audit   Enable Linux audit support],
++        [ if test "x$withval" != "xno" ; then
++                AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
++                LINUX_AUDIT_MSG="yes"
++                AC_CHECK_HEADERS(libaudit.h)
++                SSHDLIBS="$SSHDLIBS -laudit"
++        fi ]
++)
++
+ # Check whether user wants Kerberos 5 support
+ KRB5_MSG="no"
+ AC_ARG_WITH(kerberos5,
+@@ -4234,6 +4246,7 @@ echo "                       PAM support
+ echo "                   OSF SIA support: $SIA_MSG"
+ echo "                 KerberosV support: $KRB5_MSG"
+ echo "                   SELinux support: $SELINUX_MSG"
++echo "               Linux audit support: $LINUX_AUDIT_MSG"
+ echo "                 Smartcard support: $SCARD_MSG"
+ echo "                     S/KEY support: $SKEY_MSG"
+ echo "              TCP Wrappers support: $TCPW_MSG"
+diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
+--- openssh-5.3p1/loginrec.c.audit	2009-02-12 03:12:22.000000000 +0100
++++ openssh-5.3p1/loginrec.c	2009-12-21 08:54:17.000000000 +0100
+@@ -176,6 +176,10 @@
+ #include "auth.h"
+ #include "buffer.h"
+ 
++#ifdef HAVE_LINUX_AUDIT
++# include <libaudit.h>
++#endif
++
+ #ifdef HAVE_UTIL_H
+ # include <util.h>
+ #endif
+@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
+ int utmpx_write_entry(struct logininfo *li);
+ int wtmp_write_entry(struct logininfo *li);
+ int wtmpx_write_entry(struct logininfo *li);
++#ifdef HAVE_LINUX_AUDIT
++int linux_audit_write_entry(struct logininfo *li);
++#endif
+ int lastlog_write_entry(struct logininfo *li);
+ int syslogin_write_entry(struct logininfo *li);
+ 
+@@ -440,6 +447,10 @@ login_write(struct logininfo *li)
+ 
+ 	/* set the timestamp */
+ 	login_set_current_time(li);
++#ifdef HAVE_LINUX_AUDIT
++        if (linux_audit_write_entry(li) == 0)
++                fatal("linux_audit_write_entry failed: %s", strerror(errno));
++#endif
+ #ifdef USE_LOGIN
+ 	syslogin_write_entry(li);
+ #endif
+@@ -1394,6 +1405,47 @@ wtmpx_get_entry(struct logininfo *li)
+ }
+ #endif /* USE_WTMPX */
+ 
++#ifdef HAVE_LINUX_AUDIT
++int
++linux_audit_record_event(int uid, const char *username,
++        const char *hostname, const char *ip, const char *ttyn, int success)
++{
++        int audit_fd, rc;
++
++        audit_fd = audit_open();
++        if (audit_fd < 0) {
++                 if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++                                        errno == EAFNOSUPPORT)
++                        return 1; /* No audit support in kernel */
++                else
++                        return 0; /* Must prevent login */
++        }
++        rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
++                NULL, "login", username ? username : "(unknown)",
++                username == NULL ? uid : -1, hostname, ip, ttyn, success);
++        close(audit_fd);
++        if (rc >= 0)
++                return 1;
++        else
++                return 0;
++}
++
++int
++linux_audit_write_entry(struct logininfo *li)
++{
++        switch(li->type) {
++        case LTYPE_LOGIN:
++                return (linux_audit_record_event(li->uid, NULL, li->hostname,
++                        NULL, li->line, 1));
++        case LTYPE_LOGOUT:
++                return (1);        /* We only care about logins */
++        default:
++                logit("%s: invalid type field", __func__);
++                return (0);
++        }
++}
++#endif /* HAVE_LINUX_AUDIT */
++
+ /**
+  ** Low-level libutil login() functions
+  **/
+diff -up openssh-5.3p1/loginrec.h.audit openssh-5.3p1/loginrec.h
+--- openssh-5.3p1/loginrec.h.audit	2006-08-05 04:39:40.000000000 +0200
++++ openssh-5.3p1/loginrec.h	2009-12-21 08:48:59.000000000 +0100
+@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
+ char *line_abbrevname(char *dst, const char *src, int dstsize);
+ 
+ void record_failed_login(const char *, const char *, const char *);
++#ifdef HAVE_LINUX_AUDIT
++int linux_audit_record_event(int uid, const char *username,
++        const char *hostname, const char *ip, const char *ttyn, int success);
++#endif /* HAVE_LINUX_AUDIT */
+ 
+ #endif /* _HAVE_LOGINREC_H_ */

openssh-5.3p1-fips.patch

@@ -1,6 +1,6 @@
-diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c
---- openssh-5.2p1/auth2-pubkey.c.fips	2009-05-15 15:51:01.000000000 +0200
-+++ openssh-5.2p1/auth2-pubkey.c	2009-05-15 15:51:01.000000000 +0200
+diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c
+--- openssh-5.3p1/auth2-pubkey.c.fips	2009-10-02 14:12:00.000000000 +0200
++++ openssh-5.3p1/auth2-pubkey.c	2009-10-02 14:12:00.000000000 +0200
 @@ -33,6 +33,7 @@
  #include <stdio.h>
  #include <stdarg.h>
@@ -9,7 +9,7 @@ diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c
  
  #include "xmalloc.h"
  #include "ssh.h"
-@@ -243,7 +244,7 @@ user_key_allowed2(struct passwd *pw, Key
+@@ -240,7 +241,7 @@ user_key_allowed2(struct passwd *pw, Key
  			found_key = 1;
  			debug("matching key found: file %s, line %lu",
  			    file, linenum);
@@ -18,9 +18,9 @@ diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c
  			verbose("Found matching %s key: %s",
  			    key_type(found), fp);
  			xfree(fp);
-diff -up openssh-5.2p1/authfile.c.fips openssh-5.2p1/authfile.c
---- openssh-5.2p1/authfile.c.fips	2006-09-01 07:38:36.000000000 +0200
-+++ openssh-5.2p1/authfile.c	2009-05-15 16:08:34.000000000 +0200
+diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c
+--- openssh-5.3p1/authfile.c.fips	2006-09-01 07:38:36.000000000 +0200
++++ openssh-5.3p1/authfile.c	2009-10-02 14:12:00.000000000 +0200
 @@ -143,8 +143,14 @@ key_save_private_rsa1(Key *key, const ch
  	/* Allocate space for the private part of the key in the buffer. */
  	cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@@ -55,9 +55,9 @@ diff -up openssh-5.2p1/authfile.c.fips openssh-5.2p1/authfile.c
  	cipher_crypt(&ciphercontext, cp,
  	    buffer_ptr(&buffer), buffer_len(&buffer));
  	cipher_cleanup(&ciphercontext);
-diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c
---- openssh-5.2p1/cipher.c.fips	2009-03-06 18:23:21.000000000 +0100
-+++ openssh-5.2p1/cipher.c	2009-05-15 16:14:16.000000000 +0200
+diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c
+--- openssh-5.3p1/cipher.c.fips	2009-10-02 13:44:03.000000000 +0200
++++ openssh-5.3p1/cipher.c	2009-10-02 14:12:00.000000000 +0200
 @@ -40,6 +40,7 @@
  #include <sys/types.h>
  
@@ -142,9 +142,9 @@ diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c
  }
  
  /*
-diff -up openssh-5.2p1/cipher-ctr.c.fips openssh-5.2p1/cipher-ctr.c
---- openssh-5.2p1/cipher-ctr.c.fips	2007-06-14 15:21:33.000000000 +0200
-+++ openssh-5.2p1/cipher-ctr.c	2009-05-15 15:51:01.000000000 +0200
+diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c
+--- openssh-5.3p1/cipher-ctr.c.fips	2007-06-14 15:21:33.000000000 +0200
++++ openssh-5.3p1/cipher-ctr.c	2009-10-02 14:12:00.000000000 +0200
 @@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
  	aes_ctr.do_cipher = ssh_aes_ctr;
  #ifndef SSH_OLD_EVP
@@ -155,9 +155,9 @@ diff -up openssh-5.2p1/cipher-ctr.c.fips openssh-5.2p1/cipher-ctr.c
  #endif
  	return (&aes_ctr);
  }
-diff -up openssh-5.2p1/cipher.h.fips openssh-5.2p1/cipher.h
---- openssh-5.2p1/cipher.h.fips	2009-01-28 06:38:41.000000000 +0100
-+++ openssh-5.2p1/cipher.h	2009-05-15 15:51:01.000000000 +0200
+diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h
+--- openssh-5.3p1/cipher.h.fips	2009-01-28 06:38:41.000000000 +0100
++++ openssh-5.3p1/cipher.h	2009-10-02 14:12:00.000000000 +0200
 @@ -78,7 +78,7 @@ void	 cipher_init(CipherContext *, Ciphe
      const u_char *, u_int, int);
  void	 cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
@@ -167,9 +167,9 @@ diff -up openssh-5.2p1/cipher.h.fips openssh-5.2p1/cipher.h
  u_int	 cipher_blocksize(const Cipher *);
  u_int	 cipher_keylen(const Cipher *);
  u_int	 cipher_is_cbc(const Cipher *);
-diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c
---- openssh-5.2p1/mac.c.fips	2008-06-13 02:58:50.000000000 +0200
-+++ openssh-5.2p1/mac.c	2009-05-15 15:51:01.000000000 +0200
+diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c
+--- openssh-5.3p1/mac.c.fips	2008-06-13 02:58:50.000000000 +0200
++++ openssh-5.3p1/mac.c	2009-10-02 14:12:00.000000000 +0200
 @@ -28,6 +28,7 @@
  #include <sys/types.h>
  
@@ -219,10 +219,10 @@ diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c
  
  	for (i = 0; macs[i].name; i++) {
  		if (strcmp(name, macs[i].name) == 0) {
-diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in
---- openssh-5.2p1/Makefile.in.fips	2009-05-15 15:51:01.000000000 +0200
-+++ openssh-5.2p1/Makefile.in	2009-05-15 15:51:01.000000000 +0200
-@@ -134,28 +134,28 @@ libssh.a: $(LIBSSH_OBJS)
+diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in
+--- openssh-5.3p1/Makefile.in.fips	2009-10-02 14:12:00.000000000 +0200
++++ openssh-5.3p1/Makefile.in	2009-10-02 14:20:18.000000000 +0200
+@@ -136,28 +136,28 @@ libssh.a: $(LIBSSH_OBJS)
  	$(RANLIB) $@
  
  ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@@ -231,7 +231,7 @@ diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in
  
  sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
 -	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
-+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) -lfipscheck $(LIBS)
++	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS)
  
  scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
  	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -248,19 +248,19 @@ diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in
 -	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
  
- ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o
--	$(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+	$(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o
+-	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
  
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
--	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-+	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
+-	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
++	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
  
  sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
  	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h
---- openssh-5.2p1/myproposal.h.fips	2009-01-28 06:33:31.000000000 +0100
-+++ openssh-5.2p1/myproposal.h	2009-05-15 15:51:01.000000000 +0200
+diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h
+--- openssh-5.3p1/myproposal.h.fips	2009-01-28 06:33:31.000000000 +0100
++++ openssh-5.3p1/myproposal.h	2009-10-02 14:12:00.000000000 +0200
 @@ -53,7 +53,12 @@
  	"hmac-sha1-96,hmac-md5-96"
  #define	KEX_DEFAULT_COMP	"none,zlib@openssh.com,zlib"
@@ -275,9 +275,9 @@ diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h
  
  static char *myproposal[PROPOSAL_MAX] = {
  	KEX_DEFAULT_KEX,
-diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c
---- openssh-5.2p1/nsskeys.c.fips	2009-05-15 15:51:01.000000000 +0200
-+++ openssh-5.2p1/nsskeys.c	2009-05-15 15:51:01.000000000 +0200
+diff -up openssh-5.3p1/nsskeys.c.fips openssh-5.3p1/nsskeys.c
+--- openssh-5.3p1/nsskeys.c.fips	2009-10-02 14:12:00.000000000 +0200
++++ openssh-5.3p1/nsskeys.c	2009-10-02 14:12:00.000000000 +0200
 @@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k)
  			break;
  	}
@@ -289,9 +289,9 @@ diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c
  	xfree(p);
  
  	return 0;
-diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbsd-compat/bsd-arc4random.c
---- openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips	2008-06-04 02:54:00.000000000 +0200
-+++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c	2009-05-15 15:51:01.000000000 +0200
+diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbsd-compat/bsd-arc4random.c
+--- openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips	2008-06-04 02:54:00.000000000 +0200
++++ openssh-5.3p1/openbsd-compat/bsd-arc4random.c	2009-10-02 14:12:00.000000000 +0200
 @@ -39,6 +39,7 @@
  static int rc4_ready = 0;
  static RC4_KEY rc4;
@@ -333,9 +333,9 @@ diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbs
  #endif /* !HAVE_ARC4RANDOM */
  
  #ifndef ARC4RANDOM_BUF
-diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c
---- openssh-5.2p1/ssh-add.c.fips	2009-05-15 15:51:01.000000000 +0200
-+++ openssh-5.2p1/ssh-add.c	2009-05-15 15:51:01.000000000 +0200
+diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c
+--- openssh-5.3p1/ssh-add.c.fips	2009-10-02 14:12:00.000000000 +0200
++++ openssh-5.3p1/ssh-add.c	2009-10-02 14:12:00.000000000 +0200
 @@ -42,6 +42,7 @@
  #include <sys/param.h>
  
@@ -353,9 +353,9 @@ diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c
  				    SSH_FP_HEX);
  				printf("%d %s %s (%s)\n",
  				    key_size(key), fp, comment, key_type(key));
-diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c
---- openssh-5.2p1/ssh-agent.c.fips	2009-05-15 15:51:01.000000000 +0200
-+++ openssh-5.2p1/ssh-agent.c	2009-05-15 15:51:01.000000000 +0200
+diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c
+--- openssh-5.3p1/ssh-agent.c.fips	2009-10-02 14:12:00.000000000 +0200
++++ openssh-5.3p1/ssh-agent.c	2009-10-02 14:12:00.000000000 +0200
 @@ -51,6 +51,7 @@
  
  #include <openssl/evp.h>
@@ -377,10 +377,10 @@ diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c
  		ret = 0;
  	xfree(p);
  
-diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
---- openssh-5.2p1/ssh.c.fips	2009-05-15 15:51:01.000000000 +0200
-+++ openssh-5.2p1/ssh.c	2009-05-15 15:51:01.000000000 +0200
-@@ -71,6 +71,8 @@
+diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
+--- openssh-5.3p1/ssh.c.fips	2009-10-02 14:12:00.000000000 +0200
++++ openssh-5.3p1/ssh.c	2009-10-02 14:12:00.000000000 +0200
+@@ -72,6 +72,8 @@
  
  #include <openssl/evp.h>
  #include <openssl/err.h>
@@ -389,7 +389,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
  #include "openbsd-compat/openssl-compat.h"
  #include "openbsd-compat/sys-queue.h"
  
-@@ -220,6 +222,10 @@ main(int ac, char **av)
+@@ -221,6 +223,10 @@ main(int ac, char **av)
  	sanitise_stdfd();
  
  	__progname = ssh_get_progname(av[0]);
@@ -400,7 +400,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
  	init_rng();
  
  	/*
-@@ -279,6 +285,9 @@ main(int ac, char **av)
+@@ -281,6 +287,9 @@ main(int ac, char **av)
  	    "ACD:F:I:KL:MNO:PR:S:TVw:XYy")) != -1) {
  		switch (opt) {
  		case '1':
@@ -410,7 +410,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
  			options.protocol = SSH_PROTO_1;
  			break;
  		case '2':
-@@ -550,7 +559,6 @@ main(int ac, char **av)
+@@ -552,7 +561,6 @@ main(int ac, char **av)
  	if (!host)
  		usage();
  
@@ -418,7 +418,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
  	ERR_load_crypto_strings();
  
  	/* Initialize the command to execute on remote host. */
-@@ -635,6 +643,10 @@ main(int ac, char **av)
+@@ -638,6 +646,10 @@ main(int ac, char **av)
  
  	seed_rng();
  
@@ -429,7 +429,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
  	if (options.user == NULL)
  		options.user = xstrdup(pw->pw_name);
  
-@@ -701,6 +713,12 @@ main(int ac, char **av)
+@@ -704,6 +716,12 @@ main(int ac, char **av)
  
  	timeout_ms = options.connection_timeout * 1000;
  
@@ -442,9 +442,9 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
  	/* Open a connection to the remote host. */
  	if (ssh_connect(host, &hostaddr, options.port,
  	    options.address_family, options.connection_attempts, &timeout_ms,
-diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
---- openssh-5.2p1/sshconnect2.c.fips	2009-05-15 15:51:01.000000000 +0200
-+++ openssh-5.2p1/sshconnect2.c	2009-05-15 15:51:01.000000000 +0200
+diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c
+--- openssh-5.3p1/sshconnect2.c.fips	2009-10-02 14:12:00.000000000 +0200
++++ openssh-5.3p1/sshconnect2.c	2009-10-02 14:12:00.000000000 +0200
 @@ -44,6 +44,8 @@
  #include <vis.h>
  #endif
@@ -454,7 +454,7 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
  #include "openbsd-compat/sys-queue.h"
  
  #include "xmalloc.h"
-@@ -115,6 +117,10 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -116,6 +118,10 @@ ssh_kex2(char *host, struct sockaddr *ho
  	if (options.ciphers != NULL) {
  		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -465,7 +465,7 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
  	}
  	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -130,7 +136,11 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -131,7 +137,11 @@ ssh_kex2(char *host, struct sockaddr *ho
  	if (options.macs != NULL) {
  		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
  		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@@ -477,7 +477,7 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
  	if (options.hostkeyalgorithms != NULL)
  		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
  		    options.hostkeyalgorithms;
-@@ -507,8 +517,8 @@ input_userauth_pk_ok(int type, u_int32_t
+@@ -508,8 +518,8 @@ input_userauth_pk_ok(int type, u_int32_t
  		    key->type, pktype);
  		goto done;
  	}
@@ -488,9 +488,9 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
  	xfree(fp);
  
  	/*
-diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
---- openssh-5.2p1/sshconnect.c.fips	2009-05-15 15:51:01.000000000 +0200
-+++ openssh-5.2p1/sshconnect.c	2009-05-15 15:51:01.000000000 +0200
+diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
+--- openssh-5.3p1/sshconnect.c.fips	2009-10-02 14:12:00.000000000 +0200
++++ openssh-5.3p1/sshconnect.c	2009-10-02 14:12:00.000000000 +0200
 @@ -40,6 +40,8 @@
  #include <unistd.h>
  #include <fcntl.h>
@@ -500,7 +500,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
  #include "xmalloc.h"
  #include "key.h"
  #include "hostfile.h"
-@@ -761,6 +763,7 @@ check_host_key(char *hostname, struct so
+@@ -763,6 +765,7 @@ check_host_key(char *hostname, struct so
  			goto fail;
  		} else if (options.strict_host_key_checking == 2) {
  			char msg1[1024], msg2[1024];
@@ -508,7 +508,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
  
  			if (show_other_keys(host, host_key))
  				snprintf(msg1, sizeof(msg1),
-@@ -769,8 +772,8 @@ check_host_key(char *hostname, struct so
+@@ -771,8 +774,8 @@ check_host_key(char *hostname, struct so
  			else
  				snprintf(msg1, sizeof(msg1), ".");
  			/* The default */
@@ -519,7 +519,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
  			    SSH_FP_RANDOMART);
  			msg2[0] = '\0';
  			if (options.verify_host_key_dns) {
-@@ -786,10 +789,10 @@ check_host_key(char *hostname, struct so
+@@ -788,10 +791,10 @@ check_host_key(char *hostname, struct so
  			snprintf(msg, sizeof(msg),
  			    "The authenticity of host '%.200s (%s)' can't be "
  			    "established%s\n"
@@ -532,7 +532,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
  			    options.visual_host_key ? "\n" : "",
  			    options.visual_host_key ? ra : "",
  			    msg2);
-@@ -1077,17 +1080,18 @@ show_key_from_file(const char *file, con
+@@ -1079,17 +1082,18 @@ show_key_from_file(const char *file, con
  	Key *found;
  	char *fp, *ra;
  	int line, ret;
@@ -555,7 +555,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
  		xfree(ra);
  		xfree(fp);
  	}
-@@ -1133,8 +1137,9 @@ warn_changed_key(Key *host_key)
+@@ -1135,8 +1139,9 @@ warn_changed_key(Key *host_key)
  {
  	char *fp;
  	const char *type = key_type(host_key);
@@ -566,7 +566,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
  
  	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
  	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
-@@ -1142,8 +1147,8 @@ warn_changed_key(Key *host_key)
+@@ -1144,8 +1149,8 @@ warn_changed_key(Key *host_key)
  	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
  	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
  	error("It is also possible that the %s host key has just been changed.", type);
@@ -577,9 +577,9 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
  	error("Please contact your system administrator.");
  
  	xfree(fp);
-diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
---- openssh-5.2p1/sshd.c.fips	2009-05-15 15:51:01.000000000 +0200
-+++ openssh-5.2p1/sshd.c	2009-05-15 15:51:01.000000000 +0200
+diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
+--- openssh-5.3p1/sshd.c.fips	2009-10-02 14:12:00.000000000 +0200
++++ openssh-5.3p1/sshd.c	2009-10-02 14:12:00.000000000 +0200
 @@ -76,6 +76,8 @@
  #include <openssl/bn.h>
  #include <openssl/md5.h>
@@ -589,7 +589,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
  #include "openbsd-compat/openssl-compat.h"
  
  #ifdef HAVE_SECUREWARE
-@@ -1260,6 +1262,12 @@ main(int ac, char **av)
+@@ -1261,6 +1263,12 @@ main(int ac, char **av)
  	(void)set_auth_parameters(ac, av);
  #endif
  	__progname = ssh_get_progname(av[0]);
@@ -602,7 +602,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
  	init_rng();
  
  	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
-@@ -1412,8 +1420,6 @@ main(int ac, char **av)
+@@ -1413,8 +1421,6 @@ main(int ac, char **av)
  	else
  		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
  
@@ -611,7 +611,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
  	/*
  	 * Force logging to stderr until we have loaded the private host
  	 * key (unless started from inetd)
-@@ -1531,6 +1537,10 @@ main(int ac, char **av)
+@@ -1532,6 +1538,10 @@ main(int ac, char **av)
  		debug("private host key: #%d type %d %s", i, key->type,
  		    key_type(key));
  	}
@@ -622,7 +622,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
  	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
  		logit("Disabling protocol version 1. Could not load host key");
  		options.protocol &= ~SSH_PROTO_1;
-@@ -1655,6 +1665,10 @@ main(int ac, char **av)
+@@ -1656,6 +1666,10 @@ main(int ac, char **av)
  	/* Initialize the random number generator. */
  	arc4random_stir();
  
@@ -633,7 +633,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
  	/* Chdir to the root directory so that the current disk can be
  	   unmounted if desired. */
  	chdir("/");
-@@ -2182,6 +2196,9 @@ do_ssh2_kex(void)
+@@ -2183,6 +2197,9 @@ do_ssh2_kex(void)
  	if (options.ciphers != NULL) {
  		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -643,7 +643,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
  	}
  	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2191,6 +2208,9 @@ do_ssh2_kex(void)
+@@ -2192,6 +2209,9 @@ do_ssh2_kex(void)
  	if (options.macs != NULL) {
  		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
  		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@@ -653,9 +653,9 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
  	}
  	if (options.compression == COMP_NONE) {
  		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c
---- openssh-5.2p1/ssh-keygen.c.fips	2009-05-15 15:51:01.000000000 +0200
-+++ openssh-5.2p1/ssh-keygen.c	2009-05-15 15:51:01.000000000 +0200
+diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c
+--- openssh-5.3p1/ssh-keygen.c.fips	2009-10-02 14:12:00.000000000 +0200
++++ openssh-5.3p1/ssh-keygen.c	2009-10-02 14:12:00.000000000 +0200
 @@ -21,6 +21,7 @@
  
  #include <openssl/evp.h>

openssh-5.3p1-mls.patch

@@ -1,7 +1,18 @@
-diff -up openssh-5.1p1/misc.c.mls openssh-5.1p1/misc.c
---- openssh-5.1p1/misc.c.mls	2008-06-13 06:48:59.000000000 +0200
-+++ openssh-5.1p1/misc.c	2008-07-23 18:53:37.000000000 +0200
-@@ -427,6 +427,7 @@ char *
+diff -up openssh-5.3p1/configure.ac.mls openssh-5.3p1/configure.ac
+--- openssh-5.3p1/configure.ac.mls	2009-10-02 14:04:31.000000000 +0200
++++ openssh-5.3p1/configure.ac	2009-10-02 14:04:31.000000000 +0200
+@@ -3404,6 +3404,7 @@ AC_ARG_WITH(selinux,
+ 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
+ 		LIBS="$LIBS $LIBSELINUX"
+ 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
++		AC_CHECK_FUNCS(setkeycreatecon)
+ 		LIBS="$save_LIBS"
+ 	fi ]
+ )
+diff -up openssh-5.3p1/misc.c.mls openssh-5.3p1/misc.c
+--- openssh-5.3p1/misc.c.mls	2009-02-21 22:47:02.000000000 +0100
++++ openssh-5.3p1/misc.c	2009-10-02 14:04:31.000000000 +0200
+@@ -423,6 +423,7 @@ char *
  colon(char *cp)
  {
  	int flag = 0;
@@ -9,7 +20,7 @@ diff -up openssh-5.1p1/misc.c.mls openssh-5.1p1/misc.c
  
  	if (*cp == ':')		/* Leading colon is part of file name. */
  		return (0);
-@@ -440,8 +441,13 @@ colon(char *cp)
+@@ -436,8 +437,13 @@ colon(char *cp)
  			return (cp+1);
  		if (*cp == ':' && !flag)
  			return (cp);
@@ -25,23 +36,9 @@ diff -up openssh-5.1p1/misc.c.mls openssh-5.1p1/misc.c
  	}
  	return (0);
  }
-diff -up openssh-5.1p1/session.c.mls openssh-5.1p1/session.c
---- openssh-5.1p1/session.c.mls	2008-06-16 15:29:18.000000000 +0200
-+++ openssh-5.1p1/session.c	2008-07-23 18:53:37.000000000 +0200
-@@ -1550,10 +1550,6 @@ do_setusercontext(struct passwd *pw)
- #endif
- 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
- 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
--
--#ifdef WITH_SELINUX
--	ssh_selinux_setup_exec_context(pw->pw_name);
--#endif
- }
- 
- static void
-diff -up openssh-5.1p1/openbsd-compat/port-linux.c.mls openssh-5.1p1/openbsd-compat/port-linux.c
---- openssh-5.1p1/openbsd-compat/port-linux.c.mls	2008-07-23 18:53:37.000000000 +0200
-+++ openssh-5.1p1/openbsd-compat/port-linux.c	2008-07-23 18:53:37.000000000 +0200
+diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-compat/port-linux.c
+--- openssh-5.3p1/openbsd-compat/port-linux.c.mls	2009-10-02 14:04:31.000000000 +0200
++++ openssh-5.3p1/openbsd-compat/port-linux.c	2009-10-02 14:04:31.000000000 +0200
 @@ -33,12 +33,23 @@
  #include "key.h"
  #include "hostfile.h"
@@ -419,20 +416,23 @@ diff -up openssh-5.1p1/openbsd-compat/port-linux.c.mls openssh-5.1p1/openbsd-com
  
  	/* XXX: should these calls fatal() upon failure in enforcing mode? */
  
-diff -up openssh-5.1p1/configure.ac.mls openssh-5.1p1/configure.ac
---- openssh-5.1p1/configure.ac.mls	2008-07-23 18:53:37.000000000 +0200
-+++ openssh-5.1p1/configure.ac	2008-07-23 18:53:37.000000000 +0200
-@@ -3311,6 +3311,7 @@ AC_ARG_WITH(selinux,
- 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
- 		LIBS="$LIBS $LIBSELINUX"
- 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
-+		AC_CHECK_FUNCS(setkeycreatecon)
- 		LIBS="$save_LIBS"
- 	fi ]
- )
-diff -up openssh-5.1p1/sshd.c.mls openssh-5.1p1/sshd.c
---- openssh-5.1p1/sshd.c.mls	2008-07-23 18:53:37.000000000 +0200
-+++ openssh-5.1p1/sshd.c	2008-07-23 18:53:37.000000000 +0200
+diff -up openssh-5.3p1/session.c.mls openssh-5.3p1/session.c
+--- openssh-5.3p1/session.c.mls	2009-08-20 08:20:50.000000000 +0200
++++ openssh-5.3p1/session.c	2009-10-02 14:06:12.000000000 +0200
+@@ -1550,10 +1550,6 @@ do_setusercontext(struct passwd *pw)
+ 
+ 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
+ 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+-
+-#ifdef WITH_SELINUX
+-	ssh_selinux_setup_exec_context(pw->pw_name);
+-#endif
+ }
+ 
+ static void
+diff -up openssh-5.3p1/sshd.c.mls openssh-5.3p1/sshd.c
+--- openssh-5.3p1/sshd.c.mls	2009-10-02 14:04:31.000000000 +0200
++++ openssh-5.3p1/sshd.c	2009-10-02 14:04:31.000000000 +0200
 @@ -1896,6 +1896,9 @@ main(int ac, char **av)
  		restore_uid();
  	}

openssh-5.3p1-pka.patch

@@ -0,0 +1,444 @@
+diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
+--- openssh-5.3p1/auth2-pubkey.c.pka	2009-03-08 01:40:28.000000000 +0100
++++ openssh-5.3p1/auth2-pubkey.c	2010-01-04 16:07:53.000000000 +0100
+@@ -175,26 +175,14 @@ done:
+ 
+ /* return 1 if user allows given key */
+ static int
+-user_key_allowed2(struct passwd *pw, Key *key, char *file)
++user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
+ {
+ 	char line[SSH_MAX_PUBKEY_BYTES];
+ 	int found_key = 0;
+-	FILE *f;
+ 	u_long linenum = 0;
+ 	Key *found;
+ 	char *fp;
+ 
+-	/* Temporarily use the user's uid. */
+-	temporarily_use_uid(pw);
+-
+-	debug("trying public key file %s", file);
+-	f = auth_openkeyfile(file, pw, options.strict_modes);
+-
+-	if (!f) {
+-		restore_uid();
+-		return 0;
+-	}
+-
+ 	found_key = 0;
+ 	found = key_new(key->type);
+ 
+@@ -239,21 +227,160 @@ user_key_allowed2(struct passwd *pw, Key
+ 			break;
+ 		}
+ 	}
+-	restore_uid();
+-	fclose(f);
+ 	key_free(found);
+ 	if (!found_key)
+ 		debug2("key not found");
+ 	return found_key;
+ }
+ 
+-/* check whether given key is in .ssh/authorized_keys* */
++
++/* return 1 if user allows given key */
++static int
++user_key_allowed2(struct passwd *pw, Key *key, char *file)
++{
++	FILE *f;
++	int found_key = 0;
++
++	/* Temporarily use the user's uid. */
++	temporarily_use_uid(pw);
++
++	debug("trying public key file %s", file);
++	f = auth_openkeyfile(file, pw, options.strict_modes);
++
++ 	if (f) {
++ 		found_key = user_search_key_in_file (f, file, key, pw);
++		fclose(f);
++	}
++
++	restore_uid();
++	return found_key;
++}
++
++#ifdef WITH_PUBKEY_AGENT
++
++#define WHITESPACE " \t\r\n"
++
++/* return 1 if user allows given key */
++static int
++user_key_via_agent_allowed2(struct passwd *pw, Key *key)
++{
++	FILE *f;
++	int found_key = 0;
++	char *pubkey_agent_string = NULL;
++	char *tmp_pubkey_agent_string = NULL;
++	char *progname;
++	char *cp;
++	struct passwd *runas_pw;
++	struct stat st;
++
++	if (options.pubkey_agent == NULL || options.pubkey_agent[0] != '/')
++		return -1;
++
++	/* get the run as identity from config */
++	runas_pw = (options.pubkey_agent_runas == NULL)? pw
++	    : getpwnam (options.pubkey_agent_runas);
++	if (!runas_pw) {
++		error("%s: getpwnam(\"%s\"): %s", __func__,
++		    options.pubkey_agent_runas, strerror(errno));
++		return 0;
++	}
++
++	/* Temporarily use the specified uid. */
++	if (runas_pw->pw_uid != 0)
++		temporarily_use_uid(runas_pw);
++
++	pubkey_agent_string = percent_expand(options.pubkey_agent,
++	    "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL);
++
++	/* Test whether agent can be modified by non root user */
++	tmp_pubkey_agent_string = xstrdup (pubkey_agent_string);
++	progname = strtok (tmp_pubkey_agent_string, WHITESPACE);
++
++	debug3("%s: checking program '%s'", __func__, progname);
++
++	if (stat (progname, &st) < 0) {
++		error("%s: stat(\"%s\"): %s", __func__,
++		    progname, strerror(errno));
++		goto go_away;
++	}
++
++	if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
++		error("bad ownership or modes for pubkey agent \"%s\"",
++		    progname);
++		goto go_away;
++	}
++
++	if (!S_ISREG(st.st_mode)) {
++		error("pubkey agent \"%s\" is not a regular file",
++		    progname);
++		goto go_away;
++	}
++
++	/*
++	 * Descend the path, checking that each component is a
++	 * root-owned directory with strict permissions.
++	 */
++	do {
++		if ((cp = strrchr(progname, '/')) == NULL)
++			break;
++		else 
++			*cp = '\0';
++	
++		debug3("%s: checking component '%s'", __func__, progname);
++
++		if (stat(progname, &st) != 0) {
++			error("%s: stat(\"%s\"): %s", __func__,
++			    progname, strerror(errno));
++			goto go_away;
++		}
++		if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
++			error("bad ownership or modes for pubkey agent path component \"%s\"",
++			    progname);
++			goto go_away;
++		}
++		if (!S_ISDIR(st.st_mode)) {
++			error("pubkey agent path component \"%s\" is not a directory",
++			    progname);
++			goto go_away;
++		}
++	} while (0);
++
++	/* open the pipe and read the keys */
++	f = popen (pubkey_agent_string, "r");
++	if (!f) {
++		error("%s: popen (\"%s\", \"r\"): %s", __func__,
++		    pubkey_agent_string, strerror (errno));
++		goto go_away;
++	}
++
++	found_key = user_search_key_in_file (f, options.pubkey_agent, key, pw);
++	pclose (f);
++
++go_away:
++	if (tmp_pubkey_agent_string)
++		xfree (tmp_pubkey_agent_string);
++	if (pubkey_agent_string)
++		xfree (pubkey_agent_string);
++
++	if (runas_pw->pw_uid != 0)
++		restore_uid();
++	return found_key;
++}
++#endif
++
++/* check whether given key is in <pkey_agent or .ssh/authorized_keys* */
+ int
+ user_key_allowed(struct passwd *pw, Key *key)
+ {
+ 	int success;
+ 	char *file;
+ 
++#ifdef WITH_PUBKEY_AGENT
++	success = user_key_via_agent_allowed2(pw, key);
++	if (success >= 0)
++		return success;
++#endif
++
+ 	file = authorized_keys_file(pw);
+ 	success = user_key_allowed2(pw, key, file);
+ 	xfree(file);
+diff -up openssh-5.3p1/configure.pka openssh-5.3p1/configure
+--- openssh-5.3p1/configure.pka	2009-10-13 19:27:51.000000000 +0200
++++ openssh-5.3p1/configure	2009-10-15 06:26:33.000000000 +0200
+@@ -769,6 +769,7 @@ with_skey
+ with_tcp_wrappers
+ with_libedit
+ with_audit
++with_pka
+ with_ssl_dir
+ with_openssl_header_check
+ with_ssl_engine
+@@ -1473,6 +1474,7 @@ Optional Packages:
+   --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
+   --with-libedit[=PATH]   Enable libedit support for sftp
+   --with-audit=module     Enable EXPERIMENTAL audit support (modules=debug,bsm)
++  --with-pka      Enable pubkey agent support
+   --with-ssl-dir=PATH     Specify path to OpenSSL installation
+   --without-openssl-header-check Disable OpenSSL version consistency check
+   --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support
+@@ -13443,6 +13445,25 @@ $as_echo "$as_me: error: Unknown audit m
+ fi
+ 
+ 
++# Check whether user wants pubkey agent support
++PKA_MSG="no"
++
++# Check whether --with-pka was given.
++if test "${with_pka+set}" = set; then
++  withval=$with_pka;
++		if test "x$withval" != "xno" ; then
++
++cat >>confdefs.h <<\_ACEOF
++#define WITH_PUBKEY_AGENT 1
++_ACEOF
++
++			PKA_MSG="yes"
++		fi
++
++
++fi
++
++
+ 
+ 
+ 
+@@ -32772,6 +32793,7 @@ echo "               Linux audit support
+ echo "                 Smartcard support: $SCARD_MSG"
+ echo "                     S/KEY support: $SKEY_MSG"
+ echo "              TCP Wrappers support: $TCPW_MSG"
++echo "                       PKA support: $PKA_MSG"
+ echo "              MD5 password support: $MD5_MSG"
+ echo "                   libedit support: $LIBEDIT_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"
+diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac
+--- openssh-5.3p1/configure.ac.pka	2009-09-11 06:56:08.000000000 +0200
++++ openssh-5.3p1/configure.ac	2010-01-04 16:07:53.000000000 +0100
+@@ -1319,6 +1319,18 @@ AC_ARG_WITH(audit,
+ 	esac ]
+ )
+ 
++# Check whether user wants pubkey agent support
++PKA_MSG="no"
++AC_ARG_WITH(pka,
++	[  --with-pka      Enable pubkey agent support],
++	[
++		if test "x$withval" != "xno" ; then
++			AC_DEFINE([WITH_PUBKEY_AGENT], 1, [Enable pubkey agent support])
++			PKA_MSG="yes"
++		fi
++	]
++)
++
+ dnl    Checks for library functions. Please keep in alphabetical order
+ AC_CHECK_FUNCS( \
+ 	arc4random \
+@@ -4229,6 +4241,7 @@ echo "                   SELinux support
+ echo "                 Smartcard support: $SCARD_MSG"
+ echo "                     S/KEY support: $SKEY_MSG"
+ echo "              TCP Wrappers support: $TCPW_MSG"
++echo "                       PKA support: $PKA_MSG"
+ echo "              MD5 password support: $MD5_MSG"
+ echo "                   libedit support: $LIBEDIT_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"
+diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
+--- openssh-5.3p1/servconf.c.pka	2009-06-21 12:26:17.000000000 +0200
++++ openssh-5.3p1/servconf.c	2010-01-04 16:07:53.000000000 +0100
+@@ -127,6 +127,8 @@ initialize_server_options(ServerOptions 
+ 	options->num_permitted_opens = -1;
+ 	options->adm_forced_command = NULL;
+ 	options->chroot_directory = NULL;
++	options->pubkey_agent = NULL;
++	options->pubkey_agent_runas = NULL;
+ 	options->zero_knowledge_password_authentication = -1;
+ }
+ 
+@@ -306,6 +308,7 @@ typedef enum {
+ 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+ 	sUsePrivilegeSeparation, sAllowAgentForwarding,
+ 	sZeroKnowledgePasswordAuthentication,
++	sPubkeyAgent, sPubkeyAgentRunAs,
+ 	sDeprecated, sUnsupported
+ } ServerOpCodes;
+ 
+@@ -424,6 +427,13 @@ static struct {
+ 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
+ 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
+ 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
++#ifdef WITH_PUBKEY_AGENT
++	{ "pubkeyagent", sPubkeyAgent, SSHCFG_ALL },
++	{ "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL },
++#else
++	{ "pubkeyagent", sUnsupported, SSHCFG_ALL },
++	{ "pubkeyagentrunas", sUnsupported, SSHCFG_ALL },
++#endif
+ 	{ NULL, sBadOption, 0 }
+ };
+ 
+@@ -1294,6 +1304,20 @@ process_server_config_line(ServerOptions
+ 			*charptr = xstrdup(arg);
+ 		break;
+ 
++	case sPubkeyAgent:
++		len = strspn(cp, WHITESPACE);
++		if (*activep && options->pubkey_agent == NULL)
++			options->pubkey_agent = xstrdup(cp + len);
++		return 0;
++
++	case sPubkeyAgentRunAs:
++		charptr = &options->pubkey_agent_runas;
++
++		arg = strdelim(&cp);
++		if (*activep && *charptr == NULL)
++			*charptr = xstrdup(arg);
++		break;
++
+ 	case sDeprecated:
+ 		logit("%s line %d: Deprecated option %s",
+ 		    filename, linenum, arg);
+@@ -1387,6 +1411,8 @@ copy_set_server_options(ServerOptions *d
+ 	M_CP_INTOPT(gss_authentication);
+ 	M_CP_INTOPT(rsa_authentication);
+ 	M_CP_INTOPT(pubkey_authentication);
++	M_CP_STROPT(pubkey_agent);
++	M_CP_STROPT(pubkey_agent_runas);
+ 	M_CP_INTOPT(kerberos_authentication);
+ 	M_CP_INTOPT(hostbased_authentication);
+ 	M_CP_INTOPT(kbd_interactive_authentication);
+@@ -1626,6 +1652,10 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
+ 	dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
+ 	dump_cfg_string(sForceCommand, o->adm_forced_command);
++#ifdef WITH_PUBKEY_AGENT
++	dump_cfg_string(sPubkeyAgent, o->pubkey_agent);
++	dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas);
++#endif
+ 
+ 	/* string arguments requiring a lookup */
+ 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
+diff -up openssh-5.3p1/servconf.h.pka openssh-5.3p1/servconf.h
+--- openssh-5.3p1/servconf.h.pka	2009-01-28 06:31:23.000000000 +0100
++++ openssh-5.3p1/servconf.h	2010-01-04 16:07:53.000000000 +0100
+@@ -151,6 +151,8 @@ typedef struct {
+ 	int	num_permitted_opens;
+ 
+ 	char   *chroot_directory;
++	char   *pubkey_agent;
++	char   *pubkey_agent_runas;
+ }       ServerOptions;
+ 
+ void	 initialize_server_options(ServerOptions *);
+diff -up openssh-5.3p1/sshd_config.0.pka openssh-5.3p1/sshd_config.0
+--- openssh-5.3p1/sshd_config.0.pka	2009-09-26 08:31:16.000000000 +0200
++++ openssh-5.3p1/sshd_config.0	2010-01-04 16:07:53.000000000 +0100
+@@ -344,10 +344,11 @@ DESCRIPTION
+              AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand,
+              GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
+              KbdInteractiveAuthentication, KerberosAuthentication,
+-             MaxAuthTries, MaxSessions, PasswordAuthentication,
+-             PermitEmptyPasswords, PermitOpen, PermitRootLogin,
+-             RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
+-             X11Forwarding and X11UseLocalHost.
++             MaxAuthTries, MaxSessions, PubkeyAuthentication, PubkeyAgent,
++             PubkeyAgentRunAs, PasswordAuthentication, PermitEmptyPasswords,
++             PermitOpen, PermitRootLogin, RhostsRSAAuthentication,
++             RSAAuthentication, X11DisplayOffset, X11Forwarding and
++             X11UseLocalHost.
+ 
+      MaxAuthTries
+              Specifies the maximum number of authentication attempts permitted
+@@ -455,6 +456,17 @@ DESCRIPTION
+              fault is ``yes''.  Note that this option applies to protocol ver-
+              sion 2 only.
+ 
++     PubkeyAgent
++             Specifies which agent is used for lookup of the user's public
++             keys. Empty string means to use the authorized_keys file.  By
++             default there is no PubkeyAgent set.  Note that this option has
++             an effect only with PubkeyAuthentication switched on.
++
++     PubkeyAgentRunAs
++             Specifies the user under whose account the PubkeyAgent is run.
++             Empty string (the default value) means the user being authorized
++             is used.
++
+      RhostsRSAAuthentication
+              Specifies whether rhosts or /etc/hosts.equiv authentication to-
+              gether with successful RSA host authentication is allowed.  The
+diff -up openssh-5.3p1/sshd_config.pka openssh-5.3p1/sshd_config
+--- openssh-5.3p1/sshd_config.pka	2008-07-02 14:35:43.000000000 +0200
++++ openssh-5.3p1/sshd_config	2010-01-04 16:07:53.000000000 +0100
+@@ -46,6 +46,8 @@ Protocol 2
+ #RSAAuthentication yes
+ #PubkeyAuthentication yes
+ #AuthorizedKeysFile	.ssh/authorized_keys
++#PubkeyAgent none
++#PubkeyAgentRunAs nobody
+ 
+ # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+ #RhostsRSAAuthentication no
+diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5
+--- openssh-5.3p1/sshd_config.5.pka	2009-08-28 02:27:08.000000000 +0200
++++ openssh-5.3p1/sshd_config.5	2010-01-04 16:07:53.000000000 +0100
+@@ -610,6 +610,9 @@ Available keywords are
+ .Cm KerberosAuthentication ,
+ .Cm MaxAuthTries ,
+ .Cm MaxSessions ,
++.Cm PubkeyAuthentication ,
++.Cm PubkeyAgent ,
++.Cm PubkeyAgentRunAs ,
+ .Cm PasswordAuthentication ,
+ .Cm PermitEmptyPasswords ,
+ .Cm PermitOpen ,
+@@ -805,6 +808,16 @@ Specifies whether public key authenticat
+ The default is
+ .Dq yes .
+ Note that this option applies to protocol version 2 only.
++.It Cm PubkeyAgent
++Specifies which agent is used for lookup of the user's public
++keys. Empty string means to use the authorized_keys file.
++By default there is no PubkeyAgent set.
++Note that this option has an effect only with PubkeyAuthentication
++switched on.
++.It Cm PubkeyAgentRunAs
++Specifies the user under whose account the PubkeyAgent is run. Empty
++string (the default value) means the user being authorized is used.
++.Dq 
+ .It Cm RhostsRSAAuthentication
+ Specifies whether rhosts or /etc/hosts.equiv authentication together
+ with successful RSA host authentication is allowed.

openssh-5.3p1-randclean.patch

@@ -0,0 +1,13 @@
+diff -up openssh-5.3p1/entropy.c.randclean openssh-5.3p1/entropy.c
+--- openssh-5.3p1/entropy.c.randclean	2010-01-21 09:26:30.000000000 +0100
++++ openssh-5.3p1/entropy.c	2010-01-21 09:26:37.000000000 +0100
+@@ -159,6 +159,9 @@ init_rng(void)
+ 		fatal("OpenSSL version mismatch. Built against %lx, you "
+ 		    "have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
+ 
++	/* clean the PRNG status when exiting the program */
++	atexit(RAND_cleanup);
++
+ #ifndef OPENSSL_PRNG_ONLY
+ 	original_uid = getuid();
+ 	original_euid = geteuid();

openssh-5.3p1-selabel.patch

@@ -1,6 +1,6 @@
-diff -up openssh-5.2p1/contrib/ssh-copy-id.selabel openssh-5.2p1/contrib/ssh-copy-id
---- openssh-5.2p1/contrib/ssh-copy-id.selabel	2009-01-21 10:29:21.000000000 +0100
-+++ openssh-5.2p1/contrib/ssh-copy-id	2009-07-08 14:28:27.000000000 +0200
+diff -up openssh-5.3p1/contrib/ssh-copy-id.selabel openssh-5.3p1/contrib/ssh-copy-id
+--- openssh-5.3p1/contrib/ssh-copy-id.selabel	2009-01-21 10:29:21.000000000 +0100
++++ openssh-5.3p1/contrib/ssh-copy-id	2009-10-02 14:21:54.000000000 +0200
 @@ -38,7 +38,7 @@ if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || 
    exit 1
  fi
@@ -10,10 +10,10 @@ diff -up openssh-5.2p1/contrib/ssh-copy-id.selabel openssh-5.2p1/contrib/ssh-cop
  
  cat <<EOF
  Now try logging into the machine, with "ssh '$1'", and check in:
-diff -up openssh-5.2p1/Makefile.in.selabel openssh-5.2p1/Makefile.in
---- openssh-5.2p1/Makefile.in.selabel	2009-07-08 14:28:25.000000000 +0200
-+++ openssh-5.2p1/Makefile.in	2009-07-08 14:28:27.000000000 +0200
-@@ -134,7 +134,7 @@ libssh.a: $(LIBSSH_OBJS)
+diff -up openssh-5.3p1/Makefile.in.selabel openssh-5.3p1/Makefile.in
+--- openssh-5.3p1/Makefile.in.selabel	2009-10-02 14:21:54.000000000 +0200
++++ openssh-5.3p1/Makefile.in	2009-10-02 14:23:23.000000000 +0200
+@@ -136,7 +136,7 @@ libssh.a: $(LIBSSH_OBJS)
  	$(RANLIB) $@
  
  ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@@ -21,10 +21,10 @@ diff -up openssh-5.2p1/Makefile.in.selabel openssh-5.2p1/Makefile.in
 +	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lselinux $(LIBS)
  
  sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
- 	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) -lfipscheck $(LIBS)
-diff -up openssh-5.2p1/ssh.c.selabel openssh-5.2p1/ssh.c
---- openssh-5.2p1/ssh.c.selabel	2009-07-08 14:28:27.000000000 +0200
-+++ openssh-5.2p1/ssh.c	2009-07-08 14:34:00.000000000 +0200
+ 	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS)
+diff -up openssh-5.3p1/ssh.c.selabel openssh-5.3p1/ssh.c
+--- openssh-5.3p1/ssh.c.selabel	2009-10-02 14:21:54.000000000 +0200
++++ openssh-5.3p1/ssh.c	2009-10-02 14:21:54.000000000 +0200
 @@ -74,6 +74,7 @@
  #include <openssl/err.h>
  #include <openssl/fips.h>
@@ -33,7 +33,7 @@ diff -up openssh-5.2p1/ssh.c.selabel openssh-5.2p1/ssh.c
  #include "openbsd-compat/openssl-compat.h"
  #include "openbsd-compat/sys-queue.h"
  
-@@ -791,10 +792,15 @@ main(int ac, char **av)
+@@ -792,10 +793,15 @@ main(int ac, char **av)
  	 */
  	r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
  	    strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);

openssh-5.3p1-skip-initial.patch

@@ -0,0 +1,24 @@
+diff -up openssh-5.3p1/auth1.c.skip-initial openssh-5.3p1/auth1.c
+--- openssh-5.3p1/auth1.c.skip-initial	2009-03-08 01:40:28.000000000 +0100
++++ openssh-5.3p1/auth1.c	2009-10-02 13:55:00.000000000 +0200
+@@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt)
+ 	    authctxt->valid ? "" : "invalid user ", authctxt->user);
+ 
+ 	/* If the user has no password, accept authentication immediately. */
+-	if (options.password_authentication &&
++	if (options.permit_empty_passwd && options.password_authentication &&
+ #ifdef KRB5
+ 	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
+ #endif
+diff -up openssh-5.3p1/auth2-none.c.skip-initial openssh-5.3p1/auth2-none.c
+--- openssh-5.3p1/auth2-none.c.skip-initial	2009-03-08 01:40:28.000000000 +0100
++++ openssh-5.3p1/auth2-none.c	2009-10-02 13:56:21.000000000 +0200
+@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
+ {
+ 	none_enabled = 0;
+ 	packet_check_eom();
+-	if (options.password_authentication)
++	if (options.permit_empty_passwd && options.password_authentication)
+ 		return (PRIVSEP(auth_password(authctxt, "")));
+ 	return (0);
+ }

openssh.spec

@@ -32,6 +32,9 @@
 # Whether or not /sbin/nologin exists.
 %define nologin 1
 
+# Whether to build pam_ssh_agent_auth
+%define pam_ssh_agent 1
+
 # Reserve options to override askpass settings with:
 # rpm -ba|--rebuild --define 'skip_xxx 1'
 %{?skip_gnome_askpass:%define no_gnome_askpass 1}
@@ -58,13 +61,17 @@
 %if %{rescue}
 %define kerberos5 0
 %define libedit 0
+%define pam_ssh_agent 0
 %endif
 
+%define pam_ssh_agent_ver 0.9
+
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
-Version: 5.2p1
-Release: 28%{?dist}%{?rescue_rel}
+Version: 5.3p1
+Release: 19%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
+#URL1: http://pamsshauth.sourceforge.net
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
 # This package differs from the upstream OpenSSH tarball in that
@@ -74,13 +81,16 @@ Source0: openssh-%{version}-noacss.tar.bz2
 Source1: openssh-nukeacss.sh
 Source2: sshd.pam
 Source3: sshd.init
+Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2
+Source5: pam_ssh_agent-rmheaders
 Patch0: openssh-5.2p1-redhat.patch
-Patch2: openssh-5.1p1-skip-initial.patch
-Patch3: openssh-3.8.1p1-krb5-config.patch
+Patch2: openssh-5.3p1-skip-initial.patch
 Patch4: openssh-5.2p1-vendor.patch
+Patch5: openssh-5.2p1-engine.patch
+Patch10: pam_ssh_agent_auth-0.9-build.patch
 Patch12: openssh-5.2p1-selinux.patch
-Patch13: openssh-5.1p1-mls.patch
-Patch16: openssh-4.7p1-audit.patch
+Patch13: openssh-5.3p1-mls.patch
+Patch16: openssh-5.3p1-audit.patch
 Patch18: openssh-5.0p1-pam_selinux.patch
 Patch19: openssh-5.2p1-sesftp.patch
 Patch22: openssh-3.9p1-askpass-keep-above.patch
@@ -92,13 +102,15 @@ Patch38: openssh-4.3p2-askpass-grab-info.patch
 Patch39: openssh-4.3p2-no-v6only.patch
 Patch44: openssh-5.2p1-allow-ip-opts.patch
 Patch49: openssh-4.3p2-gssapi-canohost.patch
-Patch51: openssh-5.2p1-nss-keys.patch
+Patch51: openssh-5.3p1-nss-keys.patch
 Patch55: openssh-5.1p1-cloexec.patch
 Patch62: openssh-5.1p1-scp-manpage.patch
-Patch65: openssh-5.2p1-fips.patch
-Patch68: openssh-5.2p1-pathmax.patch
-Patch69: openssh-5.2p1-selabel.patch
+Patch65: openssh-5.3p1-fips.patch
+Patch69: openssh-5.3p1-selabel.patch
 Patch71: openssh-5.2p1-edns.patch
+Patch72: openssh-5.3p1-pka.patch
+Patch73: openssh-5.3p1-gsskex.patch
+Patch74: openssh-5.3p1-randclean.patch
 
 License: BSD
 Group: Applications/Internet
@@ -170,6 +182,14 @@ Requires: openssh = %{version}-%{release}
 Obsoletes: openssh-askpass-gnome
 Provides: openssh-askpass-gnome
 
+%package -n pam_ssh_agent_auth
+Summary: PAM module for authentication with ssh-agent
+Group: System Environment/Base
+Version: %{pam_ssh_agent_ver}
+# There is special exception added to the GPLv3+ license to
+# permit linking with OpenSSL licensed code
+License: GPLv3+ and OpenSSL and BSD
+
 %description
 SSH (Secure SHell) is a program for logging into and executing
 commands on a remote machine. SSH is intended to replace rlogin and
@@ -200,12 +220,28 @@ OpenSSH is a free version of SSH (Secure SHell), a program for logging
 into and executing commands on a remote machine. This package contains
 an X11 passphrase dialog for OpenSSH.
 
+%description -n pam_ssh_agent_auth
+This package contains a PAM module which can be used to authenticate
+users using ssh keys stored in a ssh-agent. Through the use of the
+forwarding of ssh-agent connection it also allows to authenticate with
+remote ssh-agent instance.
+
+The module is most useful for su and sudo service stacks.
+
 %prep
-%setup -q
+%setup -q -a 4
 %patch0 -p1 -b .redhat
 %patch2 -p1 -b .skip-initial
-%patch3 -p1 -b .krb5-config
 %patch4 -p1 -b .vendor
+%patch5 -p1 -b .engine
+
+%if %{pam_ssh_agent}
+pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
+%patch10 -p1 -b .psaa-build
+# Remove duplicate headers
+rm -f $(cat %{SOURCE5})
+popd
+%endif
 
 %if %{WITH_SELINUX}
 #SELinux
@@ -229,9 +265,11 @@ an X11 passphrase dialog for OpenSSH.
 %patch55 -p1 -b .cloexec
 %patch62 -p1 -b .manpage
 %patch65 -p1 -b .fips
-%patch68 -p1 -b .pathmax
 %patch69 -p1 -b .selabel
 %patch71 -p1 -b .edns
+%patch72 -p1 -b .pka
+%patch73 -p1 -b .gsskex
+%patch74 -p1 -b .randclean
 
 autoreconf
 
@@ -242,11 +280,12 @@ CFLAGS="$CFLAGS -Os"
 %endif
 %if %{pie}
 %ifarch s390 s390x sparc sparcv9 sparc64
-CFLAGS="$CFLAGS -fPIE"
+CFLAGS="$CFLAGS -fPIC"
 %else
-CFLAGS="$CFLAGS -fpie"
+CFLAGS="$CFLAGS -fpic"
 %endif
 export CFLAGS
+SAVE_LDFLAGS="$LDFLAGS"
 LDFLAGS="$LDFLAGS -pie"; export LDFLAGS
 %endif
 %if %{kerberos5}
@@ -326,6 +365,14 @@ fi
 popd
 %endif
 
+%if %{pam_ssh_agent}
+pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
+LDFLAGS="$SAVE_LDFLAGS"
+%configure --with-selinux --libexecdir=/%{_lib}/security
+make
+popd
+%endif
+
 # Add generation of HMAC checksums of the final stripped binaries
 %define __spec_install_post \
     %{?__debug_package:%{__debug_install_post}} \
@@ -375,6 +422,12 @@ rm -f README.nss.nss-keys
 %if ! %{nss}
 rm -f README.nss
 %endif
+
+%if %{pam_ssh_agent}
+pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
+make install DESTDIR=$RPM_BUILD_ROOT
+popd
+%endif
 %clean
 rm -rf $RPM_BUILD_ROOT
 
@@ -465,7 +518,70 @@ fi
 %attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
 %endif
 
+%if %{pam_ssh_agent}
+%files -n pam_ssh_agent_auth
+%defattr(-,root,root)
+%doc pam_ssh_agent_auth-%{pam_ssh_agent_ver}/GPL_LICENSE
+%doc pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
+%doc pam_ssh_agent_auth-%{pam_ssh_agent_ver}/LICENSE.OpenSSL
+%attr(0755,root,root) /%{_lib}/security/pam_ssh_agent_auth.so
+%attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
+%endif
+
 %changelog
+* Wed Feb 10 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-19
+- Allow to use hardware crypto if awailable (#559555)
+
+* Thu Jan 28 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-18
+- optimized FD_CLOEXEC on accept socket (#541809)
+
+* Thu Jan 21 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-17
+- optimized RAND_cleanup patch (#557166)
+
+* Wed Jan 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-16
+- add RAND_cleanup at the exit of each program using RAND (#557166)
+
+* Tue Jan 19 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-15
+- set FD_CLOEXEC on accepted socket (#541809)
+
+* Tue Jan  5 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-14
+- Update the pka patch
+
+* Mon Dec 21 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-13
+- Update the audit patch
+- Add possibility to autocreate only RSA key into initscript (#533339)
+- Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD (#537411, #356451)
+ 
+* Mon Nov 30 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-11
+- Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD (#537411, #356451)
+
+* Fri Nov 20 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-9
+- Add gssapi key exchange patch (#455351)
+
+* Fri Nov 20 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-8
+- Add public key agent patch (#455350)
+
+* Mon Nov  2 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-7
+- Repair canohost patch to allow gssapi to work when host is acessed via pipe proxy (#531849)
+
+* Thu Oct 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-6
+- Modify the init script to prevent it to hang during generating the keys (#515145)
+
+* Tue Oct 27 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-5
+- Add README.nss
+
+* Mon Oct 19 2009 Tomas Mraz <tmraz@redhat.com> - 5.3p1-4
+- Add pam_ssh_agent_auth module to a subpackage.
+
+* Fri Oct 16 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-3
+- Reenable audit.
+
+* Fri Oct  2 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-2
+- Upgrade to new wersion 5.3p1
+
+* Tue Sep 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-29
+- Resolve locking in ssh-add (#491312)
+
 * Thu Sep 24 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-28
 - Repair initscript to be acord to guidelines (#521860)
 - Add bugzilla# to application of edns and xmodifiers patch

pam_ssh_agent-rmheaders

@@ -0,0 +1,20 @@
+atomicio.h
+authfd.h
+buffer.h
+cipher.h
+compat.h
+defines.h
+entropy.h
+includes.h
+kex.h
+key.h
+log.h
+match.h
+misc.h
+pathnames.h
+platform.h
+rsa.h
+ssh.h
+ssh2.h
+uuencode.h
+xmalloc.h

pam_ssh_agent_auth-0.9-build.patch

@@ -0,0 +1,190 @@
+diff -up pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c
+--- pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build	2009-08-08 11:51:04.000000000 +0200
++++ pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c	2009-10-16 15:20:55.000000000 +0200
+@@ -41,7 +41,16 @@
+ #include "buffer.h"
+ #include "key.h"
+ #include "authfd.h"
++#include "ssh.h"
+ #include <stdio.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <sys/socket.h>
++#include <sys/un.h>
++#include <unistd.h>
++#include <stdlib.h>
++#include <errno.h>
++#include <fcntl.h>
+ #include <openssl/evp.h>
+ 
+ #include "userauth_pubkey_from_id.h"
+@@ -73,6 +82,96 @@ session_id2_gen()
+     return cookie;
+ }
+ 
++/* 
++ * Added by Jamie Beverly, ensure socket fd points to a socket owned by the user 
++ * A cursory check is done, but to avoid race conditions, it is necessary 
++ * to drop effective UID when connecting to the socket. 
++ *
++ * If the cause of error is EACCES, because we verified we would not have that 
++ * problem initially, we can safely assume that somebody is attempting to find a 
++ * race condition; so a more "direct" log message is generated.
++ */
++
++int
++ssh_get_authentication_socket_for_uid(uid_t uid)
++{
++	const char *authsocket;
++	int sock;
++	struct sockaddr_un sunaddr;
++	struct stat sock_st;
++
++	authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME);
++	if (!authsocket)
++		return -1;
++
++	/* Advisory only; seteuid ensures no race condition; but will only log if we see EACCES */
++	if( stat(authsocket,&sock_st) == 0) {
++		if(uid != 0 && sock_st.st_uid != uid) {
++			fatal("uid %lu attempted to open an agent socket owned by uid %lu", (unsigned long) uid, (unsigned long) sock_st.st_uid);
++			return -1;
++		}
++	}
++
++	/* 
++	 * Ensures that the EACCES tested for below can _only_ happen if somebody 
++	 * is attempting to race the stat above to bypass authentication.
++	 */
++	if( (sock_st.st_mode & S_IWUSR) != S_IWUSR || (sock_st.st_mode & S_IRUSR) != S_IRUSR) {
++		error("ssh-agent socket has incorrect permissions for owner");
++		return -1;
++	}
++
++	sunaddr.sun_family = AF_UNIX;
++	strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
++
++	sock = socket(AF_UNIX, SOCK_STREAM, 0);
++	if (sock < 0)
++		return -1;
++
++	/* close on exec */
++	if (fcntl(sock, F_SETFD, 1) == -1) {
++		close(sock);
++		return -1;
++	}
++
++	errno = 0; 
++	seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
++	             above, we will temporarily drop UID to the caller */
++	if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
++		close(sock);
++        if(errno == EACCES)
++		fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
++		return -1;
++	}
++
++	seteuid(0); /* we now continue the regularly scheduled programming */
++
++	return sock;
++}
++
++AuthenticationConnection *
++ssh_get_authentication_connection_for_uid(uid_t uid)
++{
++	AuthenticationConnection *auth;
++	int sock;
++
++	sock = ssh_get_authentication_socket_for_uid(uid);
++
++	/*
++	 * Fail if we couldn't obtain a connection.  This happens if we
++	 * exited due to a timeout.
++	 */
++	if (sock < 0)
++		return NULL;
++
++	auth = xmalloc(sizeof(*auth));
++	auth->fd = sock;
++	buffer_init(&auth->identities);
++	auth->howmany = 0;
++
++	return auth;
++}
++
+ int
+ find_authorized_keys(uid_t uid)
+ {
+@@ -85,7 +184,7 @@ find_authorized_keys(uid_t uid)
+     OpenSSL_add_all_digests();
+     session_id2 = session_id2_gen();
+ 
+-    if ((ac = ssh_get_authentication_connection(uid))) {
++    if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
+         verbose("Contacted ssh-agent of user %s (%u)", getpwuid(uid)->pw_name, uid);
+         for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2)) 
+         {
+@@ -113,3 +212,4 @@ find_authorized_keys(uid_t uid)
+     EVP_cleanup();
+     return retval;
+ }
++
+diff -up pam_ssh_agent_auth-0.9/Makefile.in.psaa-build pam_ssh_agent_auth-0.9/Makefile.in
+--- pam_ssh_agent_auth-0.9/Makefile.in.psaa-build	2009-08-06 07:40:16.000000000 +0200
++++ pam_ssh_agent_auth-0.9/Makefile.in	2009-10-16 15:20:55.000000000 +0200
+@@ -28,7 +28,7 @@ PATHS=
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
++CPPFLAGS=-I.. -I$(srcdir) -I/usr/include/nss3 -I/usr/include/nspr4 @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ AR=@AR@
+ AWK=@AWK@
+@@ -37,7 +37,7 @@ INSTALL=@INSTALL@
+ PERL=@PERL@
+ SED=@SED@
+ ENT=@ENT@
+-LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
++LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@
+ LDFLAGS_SHARED = @LDFLAGS_SHARED@
+ EXEEXT=@EXEEXT@
+ 
+@@ -48,7 +48,7 @@ PAM_MODULES=pam_ssh_agent_auth.so
+ 
+ SSHOBJS=xmalloc.o atomicio.o authfd.o bufaux.o bufbn.o buffer.o cleanup.o entropy.o fatal.o key.o log.o misc.o secure_filename.o ssh-dss.o ssh-rsa.o uuencode.o compat.o
+ 
+-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o
++PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o secure_filename.o
+ 
+ 
+ MANPAGES_IN	= pam_ssh_agent_auth.pod
+@@ -67,13 +67,13 @@ $(PAM_MODULES): Makefile.in config.h
+ .c.o:
+ 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
+ 
+-LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
++LIBCOMPAT=../openbsd-compat/libopenbsd-compat.a
+ $(LIBCOMPAT): always
+ 	(cd openbsd-compat && $(MAKE))
+ always:
+ 
+-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS)  pam_ssh_agent_auth.o
+-	$(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat $(LIBS) -lpam pam_ssh_agent_auth.o
++pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS)  pam_ssh_agent_auth.o
++	$(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -lpam -lnss3 pam_ssh_agent_auth.o
+ 
+ $(MANPAGES): $(MANPAGES_IN)
+ 	pod2man --section=8 --release=v0.8 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
+diff -up pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c.psaa-build pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c
+--- pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c.psaa-build	2009-07-29 02:46:38.000000000 +0200
++++ pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c	2009-10-16 15:50:36.000000000 +0200
+@@ -94,7 +94,7 @@ parse_authorized_key_file(const char *us
+     /*
+      * temporary copy, so that both tilde expansion and percent expansion both get to apply to the path
+      */
+-    strncat(auth_keys_file_buf, authorized_keys_file_input, 4096);
++    strncat(auth_keys_file_buf, authorized_keys_file_input, sizeof(auth_keys_file_buf)-1);
+ 
+     if(allow_user_owned_authorized_keys_file)
+         authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;

sources

@@ -1 +1,2 @@
-41c61b5e2c2cddfd53897582b114ffe1  openssh-5.2p1-noacss.tar.bz2
+89f85c1da83c24ca0b10c05344f7c93c  openssh-5.3p1-noacss.tar.bz2
+1868cb825393678489b1d48c97819f76  pam_ssh_agent_auth-0.9.tar.bz2

sshd.init

@@ -49,7 +49,8 @@ runlevel=$(set -- $(runlevel); eval "echo \$$#" )
 do_rsa1_keygen() {
 	if [ ! -s $RSA1_KEY ]; then
 		echo -n $"Generating SSH1 RSA host key: "
-		if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
+		rm -f $RSA1_KEY
+		if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
 			chmod 600 $RSA1_KEY
 			chmod 644 $RSA1_KEY.pub
 			if [ -x /sbin/restorecon ]; then
@@ -68,7 +69,8 @@ do_rsa1_keygen() {
 do_rsa_keygen() {
 	if [ ! -s $RSA_KEY ]; then
 		echo -n $"Generating SSH2 RSA host key: "
-		if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
+		rm -f $RSA_KEY
+		if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
 			chmod 600 $RSA_KEY
 			chmod 644 $RSA_KEY.pub
 			if [ -x /sbin/restorecon ]; then
@@ -87,7 +89,8 @@ do_rsa_keygen() {
 do_dsa_keygen() {
 	if [ ! -s $DSA_KEY ]; then
 		echo -n $"Generating SSH2 DSA host key: "
-		if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
+		rm -f $DSA_KEY
+		if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
 			chmod 600 $DSA_KEY
 			chmod 644 $DSA_KEY.pub
 			if [ -x /sbin/restorecon ]; then
@@ -119,9 +122,11 @@ start()
 	[ -f /etc/ssh/sshd_config ] || exit 6
 	# Create keys if necessary
 	if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
-		do_rsa1_keygen
 		do_rsa_keygen
-		do_dsa_keygen
+		if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
+			do_rsa1_keygen
+			do_dsa_keygen
+		fi
 	fi
 
 	echo -n $"Starting $prog: "