5.8p2-26 + 0.9.2-31

sshd_sftpd_t type doesn't exist in F16 anymore

openssh-5.8p1-entropy.patch

@@ -89,10 +89,12 @@ diff -up openssh-5.8p2/openbsd-compat/port-linux-prng.c.entropy openssh-5.8p2/op
 diff -up openssh-5.8p2/ssh.1.entropy openssh-5.8p2/ssh.1
 --- openssh-5.8p2/ssh.1.entropy	2010-11-20 05:21:03.000000000 +0100
 +++ openssh-5.8p2/ssh.1	2011-05-28 21:15:27.375920967 +0200
-@@ -1250,6 +1250,20 @@ For more information, see the
+@@ -1250,6 +1250,23 @@ For more information, see the
  .Cm PermitUserEnvironment
  option in
  .Xr sshd_config 5 .
++.Sh ENVIRONMENT
++.Bl -tag -width Ds -compact
 +.It Ev SSH_USE_STRONG_RNG
 +The reseeding of the OpenSSL random generator is usually done from
 +.Cm /dev/urandom .
@@ -107,6 +109,7 @@ diff -up openssh-5.8p2/ssh.1.entropy openssh-5.8p2/ssh.1
 +This setting is not recommended on the computers without the hardware
 +random generator because insufficient entropy causes the connection to 
 +be blocked until enough entropy is available.
++.El
  .Sh FILES
  .Bl -tag -width Ds -compact
  .It Pa ~/.rhosts
@@ -137,7 +140,7 @@ diff -up openssh-5.8p2/ssh-add.1.entropy openssh-5.8p2/ssh-add.1
 diff -up openssh-5.8p2/ssh-agent.1.entropy openssh-5.8p2/ssh-agent.1
 --- openssh-5.8p2/ssh-agent.1.entropy	2010-12-01 01:50:35.000000000 +0100
 +++ openssh-5.8p2/ssh-agent.1	2011-05-28 21:13:10.086864993 +0200
-@@ -198,6 +198,23 @@ sockets used to contain the connection t
+@@ -198,6 +198,24 @@ sockets used to contain the connection t
  These sockets should only be readable by the owner.
  The sockets should get automatically removed when the agent exits.
  .El
@@ -158,13 +161,14 @@ diff -up openssh-5.8p2/ssh-agent.1.entropy openssh-5.8p2/ssh-agent.1
 +This setting is not recommended on the computers without the hardware
 +random generator because insufficient entropy causes the connection to 
 +be blocked until enough entropy is available.
++.El
  .Sh SEE ALSO
  .Xr ssh 1 ,
  .Xr ssh-add 1 ,
 diff -up openssh-5.8p2/sshd.8.entropy openssh-5.8p2/sshd.8
 --- openssh-5.8p2/sshd.8.entropy	2010-11-05 00:20:14.000000000 +0100
 +++ openssh-5.8p2/sshd.8	2011-05-28 21:13:10.241861760 +0200
-@@ -937,6 +937,23 @@ concurrently for different ports, this c
+@@ -937,6 +937,24 @@ concurrently for different ports, this c
  started last).
  The content of this file is not sensitive; it can be world-readable.
  .El
@@ -185,13 +189,14 @@ diff -up openssh-5.8p2/sshd.8.entropy openssh-5.8p2/sshd.8
 +This setting is not recommended on the computers without the hardware
 +random generator because insufficient entropy causes the connection to 
 +be blocked until enough entropy is available.
++.El
  .Sh SEE ALSO
  .Xr scp 1 ,
  .Xr sftp 1 ,
 diff -up openssh-5.8p2/ssh-keygen.1.entropy openssh-5.8p2/ssh-keygen.1
 --- openssh-5.8p2/ssh-keygen.1.entropy	2010-11-05 00:20:14.000000000 +0100
 +++ openssh-5.8p2/ssh-keygen.1	2011-05-28 21:13:10.389856432 +0200
-@@ -655,6 +655,23 @@ Contains Diffie-Hellman groups used for
+@@ -655,6 +655,24 @@ Contains Diffie-Hellman groups used for
  The file format is described in
  .Xr moduli 5 .
  .El
@@ -212,13 +217,14 @@ diff -up openssh-5.8p2/ssh-keygen.1.entropy openssh-5.8p2/ssh-keygen.1
 +This setting is not recommended on the computers without the hardware
 +random generator because insufficient entropy causes the connection to 
 +be blocked until enough entropy is available.
++.El
  .Sh SEE ALSO
  .Xr ssh 1 ,
  .Xr ssh-add 1 ,
 diff -up openssh-5.8p2/ssh-keysign.8.entropy openssh-5.8p2/ssh-keysign.8
 --- openssh-5.8p2/ssh-keysign.8.entropy	2010-08-31 14:41:14.000000000 +0200
 +++ openssh-5.8p2/ssh-keysign.8	2011-05-28 21:17:32.399856797 +0200
-@@ -78,6 +78,23 @@ must be set-uid root if host-based authe
+@@ -78,6 +78,24 @@ must be set-uid root if host-based authe
  If these files exist they are assumed to contain public certificate
  information corresponding with the private keys above.
  .El
@@ -239,6 +245,7 @@ diff -up openssh-5.8p2/ssh-keysign.8.entropy openssh-5.8p2/ssh-keysign.8
 +This setting is not recommended on the computers without the hardware
 +random generator because insufficient entropy causes the connection to 
 +be blocked until enough entropy is available.
++.El
  .Sh SEE ALSO
  .Xr ssh 1 ,
  .Xr ssh-keygen 1 ,

openssh-5.8p1-getaddrinfo.patch

@@ -1,7 +1,20 @@
-diff -up openssh-5.8p1/sshconnect.c.getaddrinfo openssh-5.8p1/sshconnect.c
---- openssh-5.8p1/sshconnect.c.getaddrinfo	2011-04-27 09:51:44.521384633 +0200
-+++ openssh-5.8p1/sshconnect.c	2011-04-27 09:53:21.224443308 +0200
-@@ -355,6 +355,7 @@ ssh_connect(const char *host, struct soc
+diff -up openssh-5.6p1/channels.c.getaddrinfo openssh-5.6p1/channels.c
+--- openssh-5.6p1/channels.c.getaddrinfo	2012-02-14 16:12:54.427852524 +0100
++++ openssh-5.6p1/channels.c	2012-02-14 16:13:22.818928690 +0100
+@@ -3275,6 +3275,9 @@ x11_create_display_inet(int x11_display_
+ 		memset(&hints, 0, sizeof(hints));
+ 		hints.ai_family = IPv4or6;
+ 		hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
++#ifdef AI_ADDRCONFIG
++		hints.ai_flags |= AI_ADDRCONFIG;
++#endif
+ 		hints.ai_socktype = SOCK_STREAM;
+ 		snprintf(strport, sizeof strport, "%d", port);
+ 		if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
+diff -up openssh-5.6p1/sshconnect.c.getaddrinfo openssh-5.6p1/sshconnect.c
+--- openssh-5.6p1/sshconnect.c.getaddrinfo	2012-02-14 16:09:25.057964291 +0100
++++ openssh-5.6p1/sshconnect.c	2012-02-14 16:09:25.106047007 +0100
+@@ -343,6 +343,7 @@ ssh_connect(const char *host, struct soc
  	memset(&hints, 0, sizeof(hints));
  	hints.ai_family = family;
  	hints.ai_socktype = SOCK_STREAM;

openssh-5.8p1-sftpcontext.patch

@@ -1,14 +0,0 @@
-diff -up openssh-5.8p1/session.c.sftpcontext openssh-5.8p1/session.c
---- openssh-5.8p1/session.c.sftpcontext	2011-04-05 19:46:53.674654050 +0200
-+++ openssh-5.8p1/session.c	2011-04-05 19:48:32.942658237 +0200
-@@ -1520,6 +1520,10 @@ do_setusercontext(struct passwd *pw)
- 			free(chroot_path);
- 		}
- 
-+#ifdef WITH_SELINUX
-+		ssh_selinux_change_context("sshd_sftpd_t");
-+#endif
-+
- #ifdef HAVE_LOGIN_CAP
- 		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUSER) < 0) {
- 			perror("unable to set user context (setuser)");

openssh-5.8p2-askpass-ld.patch

@@ -0,0 +1,18 @@
+diff -up openssh-5.8p2/contrib/Makefile.askpass-ld openssh-5.8p2/contrib/Makefile
+--- openssh-5.8p2/contrib/Makefile.askpass-ld	2011-08-08 22:54:06.050546199 +0200
++++ openssh-5.8p2/contrib/Makefile	2011-08-08 22:54:43.364420118 +0200
+@@ -2,12 +2,12 @@ all:
+ 	@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
+ 
+ gnome-ssh-askpass1: gnome-ssh-askpass1.c
+-	$(CC) `gnome-config --cflags gnome gnomeui` \
++	$(CC) ${CFLAGS} `gnome-config --cflags gnome gnomeui` \
+ 		gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
+ 		`gnome-config --libs gnome gnomeui`
+ 
+ gnome-ssh-askpass2: gnome-ssh-askpass2.c
+-	$(CC) `pkg-config --cflags gtk+-2.0` \
++	$(CC) ${CFLAGS} `pkg-config --cflags gtk+-2.0` \
+ 		gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
+ 		`pkg-config --libs gtk+-2.0 x11`
+ 

openssh-5.8p2-change-max-startups.patch

@@ -0,0 +1,42 @@
+diff -up openssh-5.8p2/servconf.c.max-startups openssh-5.8p2/servconf.c
+--- openssh-5.8p2/servconf.c.max-startups	2013-02-08 16:54:23.003052391 +0100
++++ openssh-5.8p2/servconf.c	2013-02-08 16:54:23.021052316 +0100
+@@ -262,11 +262,11 @@ fill_default_server_options(ServerOption
+ 	if (options->gateway_ports == -1)
+ 		options->gateway_ports = 0;
+ 	if (options->max_startups == -1)
+-		options->max_startups = 10;
++		options->max_startups = 100;
+ 	if (options->max_startups_rate == -1)
+-		options->max_startups_rate = 100;		/* 100% */
++		options->max_startups_rate = 30;		/* 30% */
+ 	if (options->max_startups_begin == -1)
+-		options->max_startups_begin = options->max_startups;
++		options->max_startups_begin = 10;
+ 	if (options->max_authtries == -1)
+ 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+ 	if (options->max_sessions == -1)
+diff -up openssh-5.8p2/sshd_config.5.max-startups openssh-5.8p2/sshd_config.5
+--- openssh-5.8p2/sshd_config.5.max-startups	2013-02-08 16:54:23.004052387 +0100
++++ openssh-5.8p2/sshd_config.5	2013-02-08 16:54:23.021052316 +0100
+@@ -778,7 +778,7 @@ SSH daemon.
+ Additional connections will be dropped until authentication succeeds or the
+ .Cm LoginGraceTime
+ expires for a connection.
+-The default is 10.
++The default is 10:30:100.
+ .Pp
+ Alternatively, random early drop can be enabled by specifying
+ the three colon separated values
+diff -up openssh-5.8p2/sshd_config.max-startups openssh-5.8p2/sshd_config
+--- openssh-5.8p2/sshd_config.max-startups	2013-02-08 16:54:23.017052333 +0100
++++ openssh-5.8p2/sshd_config	2013-02-08 16:54:23.021052316 +0100
+@@ -122,7 +122,7 @@ X11Forwarding yes
+ #ShowPatchLevel no
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+-#MaxStartups 10
++#MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
+ 

openssh-5.8p2-copy-id-restorecon.patch

@@ -0,0 +1,12 @@
+diff -up openssh-5.9p1/contrib/ssh-copy-id.restorecon openssh-5.9p1/contrib/ssh-copy-id
+--- openssh-5.9p1/contrib/ssh-copy-id.restorecon	2011-08-17 04:05:49.000000000 +0200
++++ openssh-5.9p1/contrib/ssh-copy-id	2011-11-21 08:40:56.000000000 +0100
+@@ -41,7 +41,7 @@ fi
+ # strip any trailing colon
+ host=`echo $1 | sed 's/:$//'`
+ 
+-{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1
++{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys >/dev/null 2>&1 || true)" || exit 1
+ 
+ cat <<EOF
+ Now try logging into the machine, with "ssh '$host'", and check in:

openssh-5.8p2-ipv6man.patch

@@ -14,9 +14,9 @@ diff -up openssh-5.8p2/sshd.8.ipv6man openssh-5.8p2/sshd.8
 --- openssh-5.8p2/sshd.8.ipv6man	2011-06-21 10:40:04.623457378 +0200
 +++ openssh-5.8p2/sshd.8	2011-06-21 10:40:05.289467631 +0200
 @@ -961,6 +961,8 @@ Minimum is 6 bytes.
- This setting is not recommended on the computers without the hardware
  random generator because insufficient entropy causes the connection to 
  be blocked until enough entropy is available.
+ .El
 +.Sh IPV6
 +IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
  .Sh SEE ALSO

openssh-5.8p2-log-usepam-no.patch

@@ -0,0 +1,28 @@
+diff --git a/sshd.c b/sshd.c
+index 8dcfdf2..95b63ad 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1592,6 +1592,10 @@ main(int ac, char **av)
+ 	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
+ 	    &cfg, NULL, NULL, NULL);
+ 
++	/* 'UsePAM no' is not supported in Fedora */
++	if (! options.use_pam)
++		logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
++
+ 	seed_rng();
+ 
+ 	/* Fill in default values for those options not explicitly set. */
+diff --git a/sshd_config b/sshd_config
+index 8c16754..9f28b04 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -92,6 +92,8 @@ GSSAPICleanupCredentials yes
+ # If you just want the PAM account and session checks to run without
+ # PAM authentication, then enable this but set PasswordAuthentication
+ # and ChallengeResponseAuthentication to 'no'.
++# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
++# problems.
+ #UsePAM no
+ UsePAM yes
+ 

openssh-5.8p2-man-moduli.patch

@@ -0,0 +1,24 @@
+diff -up openssh-5.8p2/moduli.0.man-moduli openssh-5.8p2/moduli.0
+--- openssh-5.8p2/moduli.0.man-moduli	2011-05-05 03:58:10.000000000 +0200
++++ openssh-5.8p2/moduli.0	2012-11-06 10:18:11.301710631 +0100
+@@ -25,7 +25,7 @@ DESCRIPTION
+ 
+                         0     Unknown, not tested
+                         2     "Safe" prime; (p-1)/2 is also prime.
+-                        4     Sophie Germain; (p+1)*2 is also prime.
++                        4     Sophie Germain; (p*2)+1 is also prime.
+ 
+                         Moduli candidates initially produced by ssh-keygen(1)
+                         are Sophie Germain primes (type 4).  Futher primality
+diff -up openssh-5.8p2/moduli.5.man-moduli openssh-5.8p2/moduli.5
+--- openssh-5.8p2/moduli.5.man-moduli	2008-06-26 07:59:32.000000000 +0200
++++ openssh-5.8p2/moduli.5	2012-11-06 10:16:40.320224142 +0100
+@@ -62,7 +62,7 @@ Unknown, not tested
+ .It 2
+ "Safe" prime; (p-1)/2 is also prime.
+ .It 4
+-Sophie Germain; (p+1)*2 is also prime.
++Sophie Germain; (p*2)+1 is also prime.
+ .El
+ .Pp
+ Moduli candidates initially produced by

openssh-5.8p2-sftp-chroot.patch

@@ -0,0 +1,63 @@
+diff -up openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot openssh-5.9p0/openbsd-compat/port-linux.c
+--- openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot	2011-09-01 04:12:22.743024608 +0200
++++ openssh-5.9p0/openbsd-compat/port-linux.c	2011-09-01 04:12:23.069088065 +0200
+@@ -503,6 +503,23 @@ ssh_selinux_change_context(const char *n
+ 	xfree(newctx);
+ }
+ 
++void
++ssh_selinux_copy_context(void)
++{
++	char *ctx;
++
++	if (!ssh_selinux_enabled())
++		return;
++
++	if (getexeccon((security_context_t *)&ctx) < 0) {
++		logit("%s: getcon failed with %s", __func__, strerror (errno));
++		return;
++	}
++	if (setcon(ctx) < 0)
++		logit("%s: setcon failed with %s", __func__, strerror (errno));
++	xfree(ctx);
++}
++
+ #endif /* WITH_SELINUX */
+ 
+ #ifdef LINUX_OOM_ADJUST
+diff -up openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot openssh-5.9p0/openbsd-compat/port-linux.h
+--- openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot	2011-01-25 02:16:18.000000000 +0100
++++ openssh-5.9p0/openbsd-compat/port-linux.h	2011-09-01 04:12:23.163088777 +0200
+@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
+ void ssh_selinux_setup_pty(char *, const char *);
+ void ssh_selinux_setup_exec_context(char *);
+ void ssh_selinux_change_context(const char *);
++void ssh_selinux_chopy_context(void);
+ void ssh_selinux_setfscreatecon(const char *);
+ #endif
+ 
+diff -up openssh-5.9p0/session.c.sftp-chroot openssh-5.9p0/session.c
+--- openssh-5.9p0/session.c.sftp-chroot	2011-09-01 04:12:19.698049195 +0200
++++ openssh-5.9p0/session.c	2011-09-01 04:40:03.598148719 +0200
+@@ -1519,6 +1519,9 @@ do_setusercontext(struct passwd *pw)
+ 			    pw->pw_uid);
+ 			chroot_path = percent_expand(tmp, "h", pw->pw_dir,
+ 			    "u", pw->pw_name, (char *)NULL);
++#ifdef WITH_SELINUX
++			ssh_selinux_change_context("chroot_user_t");
++#endif
+ 			safely_chroot(chroot_path, pw->pw_uid);
+ 			free(tmp);
+ 			free(chroot_path);
+@@ -1788,7 +1791,10 @@ do_child(Session *s, const char *command
+ 		optind = optreset = 1;
+ 		__progname = argv[0];
+ #ifdef WITH_SELINUX
+-		ssh_selinux_change_context("sftpd_t");
++		if (options.chroot_directory == NULL ||
++		    strcasecmp(options.chroot_directory, "none") == 0) {
++			ssh_selinux_copy_context();
++		}
+ #endif
+ 		exit(sftp_server_main(i, argv, s->pw));
+ 	}

openssh.spec

@@ -79,7 +79,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.8p2
-%define openssh_rel 16
+%define openssh_rel 26
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 31
 
@@ -116,6 +116,7 @@ Patch100: openssh-5.8p1-fingerprint.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1879
 Patch200: openssh-5.8p1-exit.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1894
+#https://bugzilla.redhat.com/show_bug.cgi?id=735889
 Patch300: openssh-5.8p1-getaddrinfo.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
 Patch8: openssh-5.8p1-audit0.patch
@@ -145,9 +146,8 @@ Patch23: openssh-5.8p1-selinux-role.patch
 Patch24: openssh-5.8p1-mls.patch
 # #https://bugzilla.mindrot.org/show_bug.cgi?id=1614
 # Patch25: openssh-5.6p1-selabel.patch
-#was https://bugzilla.mindrot.org/show_bug.cgi?id=1637
-#?
-Patch26: openssh-5.8p1-sftpcontext.patch
+#https://bugzilla.redhat.com/show_bug.cgi?id=782078
+Patch26: openssh-5.8p2-sftp-chroot.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1668
 Patch30: openssh-5.6p1-keygen.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1644
@@ -190,10 +190,21 @@ Patch63: openssh-5.8p2-force_krb.patch
 Patch64: openssh-5.8p2-kuserok.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1329 (WONTFIX)
 Patch65: openssh-5.8p2-remove-stale-control-socket.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1919
-Patch66: openssh-5.8p2-ipv6man.patch
 #?
+Patch66: openssh-5.8p2-ipv6man.patch
+#https://bugzilla.mindrot.org/show_bug.cgi?id=1919
 Patch67: openssh-5.8p2-unconfined.patch
+#?
+Patch69: openssh-5.8p2-askpass-ld.patch
+#https://bugzilla.redhat.com/show_bug.cgi?id=739989
+Patch70: openssh-5.8p2-copy-id-restorecon.patch
+# warn users for unsupported UsePAM=no
+Patch71: openssh-5.8p2-log-usepam-no.patch
+#https://bugzilla.redhat.com/show_bug.cgi?id=841065
+Patch72: openssh-5.8p2-man-moduli.patch
+# change default value of MaxStartups - CVE-2010-5107 - #908707
+Patch73: openssh-5.8p2-change-max-startups.patch
+
 #---
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1604
 # sctp
@@ -406,7 +417,7 @@ popd
 # %patch22 -p1 -b .selinux
 %patch23 -p1 -b .role
 %patch24 -p1 -b .mls
-%patch26 -p1 -b .sftpcontext
+%patch26 -p1 -b .sftp-chroot
 %endif
 %patch30 -p1 -b .keygen
 %patch31 -p1 -b .ip-opts
@@ -431,6 +442,11 @@ popd
 %patch65 -p1 -b .remove_stale
 %patch66 -p1 -b .ipv6man
 %patch67 -p1 -b .unconfined
+%patch69 -p1 -b .askpass-ld
+%patch70 -p1 -b .restorecon
+%patch71 -p1 -b .log-usepam-no
+%patch72 -p1 -b .man-moduli
+%patch73 -p1 -b .max-startups
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -581,7 +597,7 @@ install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
 install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
 
 %if ! %{no_gnome_askpass}
-install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
+install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
 %endif
 
 %if ! %{scard}
@@ -768,8 +784,38 @@ fi
 %endif
 
 %changelog
+* Fri Feb 08 2013 Petr Lautrbach <plautrba@redhat.com> 5.8p2-26 + 0.9.2-31
+- change default value of MaxStartups - CVE-2010-5107 (#908707)
+
+* Wed Feb 22 2012 Petr Lautrbach <plautrba@redhat.com> 5.8p2-25 + 0.9.2-31
+- Look for x11 forward sockets with AI_ADDRCONFIG flag getaddrinfo (#735889)
+
+* Tue Jan 31 2012 Petr Lautrbach <plautrba@redhat.com> 5.8p2-24 + 0.9.2-31
+- backport sftp+chroot+SELinux changes from Rawhide (#782078)
+
+* Tue Dec 06 2011 Petr Lautrbach <plautrba@redhat.com> 5.8p2-23 + 0.9.2-31
+- warn about unsupported option UsePAM=no (#757545)
+
+* Wed Nov 23 2011 Petr Lautrbach <plautrba@redhat.com> 5.8p2-22 + 0.9.2-31
+- add the restorecon call to ssh-copy-id - it might be needed on older
+  distribution (#739989)
+- update openssh source file (#755531)
+
+* Fri Nov 18 2011 Tomas Mraz <tmraz@redhat.com> - 5.8p2-21 + 0.9.2-31
+- still support /etc/sysconfig/sshd loading in sshd service (#754732)
+- fix incorrect key permissions generated by sshd-keygen script (#754779)
+
+* Tue Aug  9 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-20 + 0.9.2-31
+- save ssh-askpass's debuginfo
+
+* Mon Aug  8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-19 + 0.9.2-31
+- compile ssh-askpass with corect CFLAGS
+
+* Mon Aug  8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-17 + 0.9.2-31
+- repair broken man pages
+
 * Mon Jul 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-16 + 0.9.2-31
-- rebuild
+- rebuild due to broken rpmbiild
 
 * Thu Jul 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-15 + 0.9.2-31
 - Do not change context when run under unconfined_t

sources

@@ -1,2 +1,2 @@
-123003edd779504e12e1c8b58e7ce5dc  openssh-5.8p2-noacss.tar.bz2
+5549d0b7b6bfadfd28eb90e63dd6f5f1  openssh-5.8p2-noacss.tar.bz2
 b68f1c385d7885fbe2c3626bf77aa3d6  pam_ssh_agent_auth-0.9.2.tar.bz2

sshd-keygen

@@ -23,7 +23,7 @@ do_rsa1_keygen() {
 		rm -f $RSA1_KEY
 		if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
 			chgrp ssh_keys $RSA1_KEY
-			chmod 640 $RSA1_KEY
+			chmod 600 $RSA1_KEY
 			chmod 644 $RSA1_KEY.pub
 			if [ -x /sbin/restorecon ]; then
 			    /sbin/restorecon $RSA1_KEY.pub
@@ -44,7 +44,7 @@ do_rsa_keygen() {
 		rm -f $RSA_KEY
 		if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
 			chgrp ssh_keys $RSA_KEY
-			chmod 640 $RSA_KEY
+			chmod 600 $RSA_KEY
 			chmod 644 $RSA_KEY.pub
 			if [ -x /sbin/restorecon ]; then
 			    /sbin/restorecon $RSA_KEY.pub
@@ -65,7 +65,7 @@ do_dsa_keygen() {
 		rm -f $DSA_KEY
 		if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
 			chgrp ssh_keys $DSA_KEY
-			chmod 640 $DSA_KEY
+			chmod 600 $DSA_KEY
 			chmod 644 $DSA_KEY.pub
 			if [ -x /sbin/restorecon ]; then
 			    /sbin/restorecon $DSA_KEY.pub

sshd-keygen.service

@@ -5,6 +5,7 @@ Before=sshd.service
 
 [Service]
 Type=oneshot
+EnvironmentFile=/etc/sysconfig/sshd
 ExecStart=/usr/sbin/sshd-keygen
 RemainAfterExit=yes
 

sshd.service

@@ -1,9 +1,10 @@
 [Unit]
-Description=OpenSSH server daemon.
+Description=OpenSSH server daemon
 After=syslog.target network.target auditd.service
 
 [Service]
-ExecStart=/usr/sbin/sshd -D
+EnvironmentFile=/etc/sysconfig/sshd
+ExecStart=/usr/sbin/sshd -D $OPTIONS
 ExecReload=/bin/kill -HUP $MAINPID
 
 [Install]

sshd.socket

@@ -1,4 +1,5 @@
 [Unit]
+Description=OpenSSH Server Socket
 Conflicts=sshd.service
 
 [Socket]

sshd@.service

@@ -1,7 +1,8 @@
 [Unit]
-Description=OpenSSH per-connection server daemon.
-After=syslog.target
+Description=OpenSSH per-connection server daemon
+After=syslog.target auditd.service
 
 [Service]
-ExecStart=-/usr/sbin/sshd -i
+EnvironmentFile=/etc/sysconfig/sshd
+ExecStart=-/usr/sbin/sshd -i $OPTIONS
 StandardInput=socket