6.1p1-11 + 0.9.3-3

<john_florian@dart.biz> (#865803)

openssh-5.9p1-keycat.patch

@@ -1,9 +1,9 @@
 diff -up openssh-6.1p1/auth2-pubkey.c.keycat openssh-6.1p1/auth2-pubkey.c
---- openssh-6.1p1/auth2-pubkey.c.keycat	2012-11-01 13:37:59.000000000 +0100
-+++ openssh-6.1p1/auth2-pubkey.c	2012-11-01 14:03:47.402279914 +0100
-@@ -564,6 +564,14 @@ user_key_command_allowed2(struct passwd 
+--- openssh-6.1p1/auth2-pubkey.c.keycat	2013-02-14 17:39:21.000000000 +0100
++++ openssh-6.1p1/auth2-pubkey.c	2013-02-14 17:40:42.600050510 +0100
+@@ -571,6 +571,14 @@ user_key_command_allowed2(struct passwd
+ 			_exit(1);
  		}
- 		closefrom(STDERR_FILENO + 1);
  
 +#ifdef WITH_SELINUX
 +		if (ssh_selinux_setup_env_variables() < 0) {
@@ -14,11 +14,11 @@ diff -up openssh-6.1p1/auth2-pubkey.c.keycat openssh-6.1p1/auth2-pubkey.c
 +#endif
 +
  		execl(options.authorized_keys_command,
- 		    options.authorized_keys_command, pw->pw_name, NULL);
+ 		    options.authorized_keys_command, user_pw->pw_name, NULL);
  
 diff -up openssh-6.1p1/HOWTO.ssh-keycat.keycat openssh-6.1p1/HOWTO.ssh-keycat
---- openssh-6.1p1/HOWTO.ssh-keycat.keycat	2012-11-01 13:37:59.417280097 +0100
-+++ openssh-6.1p1/HOWTO.ssh-keycat	2012-11-01 13:37:59.417280097 +0100
+--- openssh-6.1p1/HOWTO.ssh-keycat.keycat	2013-02-14 17:39:21.148382013 +0100
++++ openssh-6.1p1/HOWTO.ssh-keycat	2013-02-14 17:39:21.148382013 +0100
 @@ -0,0 +1,12 @@
 +The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
 +of an user in any environment. This includes environments with
@@ -26,15 +26,15 @@ diff -up openssh-6.1p1/HOWTO.ssh-keycat.keycat openssh-6.1p1/HOWTO.ssh-keycat
 +
 +To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
 +        AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
-+        AuthorizedKeysCommandRunAs root
++        AuthorizedKeysCommandUser root
 +
 +Do not forget to enable public key authentication:
 +        PubkeyAuthentication yes
 +
 +
 diff -up openssh-6.1p1/Makefile.in.keycat openssh-6.1p1/Makefile.in
---- openssh-6.1p1/Makefile.in.keycat	2012-11-01 13:37:59.413280097 +0100
-+++ openssh-6.1p1/Makefile.in	2012-11-01 13:37:59.418280097 +0100
+--- openssh-6.1p1/Makefile.in.keycat	2013-02-14 17:39:21.143382033 +0100
++++ openssh-6.1p1/Makefile.in	2013-02-14 17:39:21.148382013 +0100
 @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
  SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@@ -71,8 +71,8 @@ diff -up openssh-6.1p1/Makefile.in.keycat openssh-6.1p1/Makefile.in
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
  	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 diff -up openssh-6.1p1/openbsd-compat/port-linux.c.keycat openssh-6.1p1/openbsd-compat/port-linux.c
---- openssh-6.1p1/openbsd-compat/port-linux.c.keycat	2012-11-01 13:37:59.367280097 +0100
-+++ openssh-6.1p1/openbsd-compat/port-linux.c	2012-11-01 13:37:59.419280097 +0100
+--- openssh-6.1p1/openbsd-compat/port-linux.c.keycat	2013-02-14 17:39:21.126382101 +0100
++++ openssh-6.1p1/openbsd-compat/port-linux.c	2013-02-14 17:39:21.149382009 +0100
 @@ -315,7 +315,7 @@ ssh_selinux_getctxbyname(char *pwname,
  
  /* Setup environment variables for pam_selinux */
@@ -128,8 +128,8 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux.c.keycat openssh-6.1p1/openbsd-
  void
  ssh_selinux_setup_exec_context(char *pwname)
 diff -up openssh-6.1p1/ssh-keycat.c.keycat openssh-6.1p1/ssh-keycat.c
---- openssh-6.1p1/ssh-keycat.c.keycat	2012-11-01 13:37:59.420280097 +0100
-+++ openssh-6.1p1/ssh-keycat.c	2012-11-01 13:37:59.420280097 +0100
+--- openssh-6.1p1/ssh-keycat.c.keycat	2013-02-14 17:39:21.149382009 +0100
++++ openssh-6.1p1/ssh-keycat.c	2013-02-14 17:39:21.149382009 +0100
 @@ -0,0 +1,238 @@
 +/*
 + * Redistribution and use in source and binary forms, with or without

openssh-6.1p1-akc.patch

@@ -1,6 +1,6 @@
 diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
---- openssh-6.1p1/auth2-pubkey.c.akc	2012-11-28 17:12:43.238524384 +0100
-+++ openssh-6.1p1/auth2-pubkey.c	2012-11-28 17:12:43.263524297 +0100
+--- openssh-6.1p1/auth2-pubkey.c.akc	2013-02-14 17:46:45.259546968 +0100
++++ openssh-6.1p1/auth2-pubkey.c	2013-02-14 17:48:19.072137541 +0100
 @@ -27,9 +27,13 @@
  
  #include <sys/types.h>
@@ -71,7 +71,7 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
  	key_free(found);
  	if (!found_key)
  		debug2("key not found");
-@@ -453,7 +446,173 @@ user_cert_trusted_ca(struct passwd *pw,
+@@ -453,7 +446,180 @@ user_cert_trusted_ca(struct passwd *pw,
  	return ret;
  }
  
@@ -112,45 +112,48 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
 +	struct stat st;
 +	int status, devnull, p[2], i;
 +	pid_t pid;
-+	char errmsg[512];
++	char *username, errmsg[512];
 +
 +	if (options.authorized_keys_command == NULL ||
 +	    options.authorized_keys_command[0] != '/')
 +		return 0;
 +
-+	/* If no user specified to run commands the default to target user */
-+	if (options.authorized_keys_command_user == NULL)
++	if (options.authorized_keys_command_user == NULL) {
 +		pw = user_pw;
++	}
 +	else {
-+		pw = getpwnam(options.authorized_keys_command_user);
++		username = percent_expand(options.authorized_keys_command_user,
++		    "u", user_pw->pw_name, (char *)NULL);
++		pw = getpwnam(username);
 +		if (pw == NULL) {
 +			error("AuthorizedKeyCommandUser \"%s\" not found: %s",
-+			    options.authorized_keys_command, strerror(errno));
++			    username, strerror(errno));
++			free(username);
 +			return 0;
 +		}
++		free(username);
 +	}
 +
 +	temporarily_use_uid(pw);
++
 +	if (stat(options.authorized_keys_command, &st) < 0) {
 +		error("Could not stat AuthorizedKeysCommand \"%s\": %s",
 +		    options.authorized_keys_command, strerror(errno));
 +		goto out;
 +	}
-+
 +	if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
 +	    errmsg, sizeof(errmsg)) != 0) {
 +		error("Unsafe AuthorizedKeysCommand: %s", errmsg);
 +		goto out;
 +	}
 +
-+	/* open the pipe and read the keys */
 +	if (pipe(p) != 0) {
 +		error("%s: pipe: %s", __func__, strerror(errno));
 +		goto out;
-+ 	}
++	}
 +
-+	debug3("Running AuthorizedKeysCommand: \"%s\" as \"%s\"",
-+	    options.authorized_keys_command, pw->pw_name);
++	debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"",
++	    options.authorized_keys_command, user_pw->pw_name, pw->pw_name);
 +
 +	/*
 +	 * Don't want to call this in the child, where it can fatal() and
@@ -168,6 +171,19 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
 +		for (i = 0; i < NSIG; i++)
 +			signal(i, SIG_DFL);
 +
++		if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
++			error("%s: open %s: %s", __func__, _PATH_DEVNULL,
++			    strerror(errno));
++			_exit(1);
++		}
++		/* Keep stderr around a while longer to catch errors */
++		if (dup2(devnull, STDIN_FILENO) == -1 ||
++		    dup2(p[1], STDOUT_FILENO) == -1) {
++			error("%s: dup2: %s", __func__, strerror(errno));
++			_exit(1);
++		}
++		closefrom(STDERR_FILENO + 1);
++
 +		/* Don't use permanently_set_uid() here to avoid fatal() */
 +		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
 +			error("setresgid %u: %s", (u_int)pw->pw_gid,
@@ -179,23 +195,14 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
 +			    strerror(errno));
 +			_exit(1);
 +		}
-+
-+		close(p[0]);
-+		if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
-+			error("%s: open %s: %s", __func__, _PATH_DEVNULL,
-+			    strerror(errno));
-+			_exit(1);
-+		}
-+		if (dup2(devnull, STDIN_FILENO) == -1 ||
-+		    dup2(p[1], STDOUT_FILENO) == -1 ||
-+		    dup2(devnull, STDERR_FILENO) == -1) {
++		/* stdin is pointed to /dev/null at this point */
++		if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
 +			error("%s: dup2: %s", __func__, strerror(errno));
 +			_exit(1);
 +		}
-+		closefrom(STDERR_FILENO + 1);
 +
 +		execl(options.authorized_keys_command,
-+		    options.authorized_keys_command, pw->pw_name, NULL);
++		    options.authorized_keys_command, user_pw->pw_name, NULL);
 +
 +		error("AuthorizedKeysCommand %s exec failed: %s",
 +		    options.authorized_keys_command, strerror(errno));
@@ -203,7 +210,7 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
 +	default: /* parent */
 +		break;
 +	}
-+	
++
 +	temporarily_use_uid(pw);
 +
 +	close(p[1]);
@@ -211,6 +218,7 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
 +		error("%s: fdopen: %s", __func__, strerror(errno));
 +		close(p[0]);
 +		/* Don't leave zombie child */
++		kill(pid, SIGTERM);
 +		while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
 +			;
 +		goto out;
@@ -236,7 +244,6 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
 +	found_key = ok;
 + out:
 +	restore_uid();
-+
 +	return found_key;
 +}
 +
@@ -246,7 +253,7 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
  int
  user_key_allowed(struct passwd *pw, Key *key)
  {
-@@ -469,6 +628,10 @@ user_key_allowed(struct passwd *pw, Key
+@@ -469,9 +635,17 @@ user_key_allowed(struct passwd *pw, Key
  	if (success)
  		return success;
  
@@ -255,12 +262,19 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
 +		return success;
 +
  	for (i = 0; !success && i < options.num_authkeys_files; i++) {
++
++		if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
++			continue;
  		file = expand_authorized_keys(
  		    options.authorized_keys_files[i], pw);
++
+ 		success = user_key_allowed2(pw, key, file);
+ 		xfree(file);
+ 	}
 diff -up openssh-6.1p1/auth.c.akc openssh-6.1p1/auth.c
---- openssh-6.1p1/auth.c.akc	2012-11-28 17:12:43.187524558 +0100
-+++ openssh-6.1p1/auth.c	2012-11-28 17:12:43.263524297 +0100
-@@ -411,39 +411,41 @@ check_key_in_hostfiles(struct passwd *pw
+--- openssh-6.1p1/auth.c.akc	2013-02-14 17:46:45.189547274 +0100
++++ openssh-6.1p1/auth.c	2013-02-14 17:46:45.273546907 +0100
+@@ -415,39 +415,41 @@ check_key_in_hostfiles(struct passwd *pw
  
  
  /*
@@ -315,7 +329,7 @@ diff -up openssh-6.1p1/auth.c.akc openssh-6.1p1/auth.c
  		snprintf(err, errlen, "bad ownership or modes for file %s",
  		    buf);
  		return -1;
-@@ -479,6 +481,31 @@ secure_filename(FILE *f, const char *fil
+@@ -483,6 +485,31 @@ secure_filename(FILE *f, const char *fil
  	return 0;
  }
  
@@ -348,8 +362,8 @@ diff -up openssh-6.1p1/auth.c.akc openssh-6.1p1/auth.c
  auth_openfile(const char *file, struct passwd *pw, int strict_modes,
      int log_missing, char *file_type)
 diff -up openssh-6.1p1/auth.h.akc openssh-6.1p1/auth.h
---- openssh-6.1p1/auth.h.akc	2012-11-28 17:12:43.239524381 +0100
-+++ openssh-6.1p1/auth.h	2012-11-28 17:12:43.263524297 +0100
+--- openssh-6.1p1/auth.h.akc	2013-02-14 17:46:45.259546968 +0100
++++ openssh-6.1p1/auth.h	2013-02-14 17:46:45.274546903 +0100
 @@ -125,6 +125,10 @@ int	 auth_rhosts_rsa_key_allowed(struct
  int	 hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
  int	 user_key_allowed(struct passwd *, Key *);
@@ -362,8 +376,8 @@ diff -up openssh-6.1p1/auth.h.akc openssh-6.1p1/auth.h
  int	auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
  int	auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
 diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
---- openssh-6.1p1/servconf.c.akc	2012-11-28 17:12:43.198524521 +0100
-+++ openssh-6.1p1/servconf.c	2012-11-28 17:14:50.314005026 +0100
+--- openssh-6.1p1/servconf.c.akc	2013-02-14 17:46:45.193547257 +0100
++++ openssh-6.1p1/servconf.c	2013-02-14 17:46:45.274546903 +0100
 @@ -137,6 +137,8 @@ initialize_server_options(ServerOptions
  	options->num_permitted_opens = -1;
  	options->adm_forced_command = NULL;
@@ -437,8 +451,8 @@ diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
  	/* string arguments requiring a lookup */
  	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
 diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h
---- openssh-6.1p1/servconf.h.akc	2012-11-28 17:12:43.000000000 +0100
-+++ openssh-6.1p1/servconf.h	2012-11-28 17:18:41.217055157 +0100
+--- openssh-6.1p1/servconf.h.akc	2013-02-14 17:46:45.194547252 +0100
++++ openssh-6.1p1/servconf.h	2013-02-14 17:46:45.275546898 +0100
 @@ -167,6 +167,8 @@ typedef struct {
  	char   *revoked_keys_file;
  	char   *trusted_user_ca_keys;
@@ -449,8 +463,8 @@ diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h
  	char   *version_addendum;	/* Appended to SSH banner */
  
 diff -up openssh-6.1p1/sshd.c.akc openssh-6.1p1/sshd.c
---- openssh-6.1p1/sshd.c.akc	2012-11-28 17:12:43.245524360 +0100
-+++ openssh-6.1p1/sshd.c	2012-11-28 17:12:43.265524291 +0100
+--- openssh-6.1p1/sshd.c.akc	2013-02-14 17:46:45.270546920 +0100
++++ openssh-6.1p1/sshd.c	2013-02-14 17:46:45.276546894 +0100
 @@ -366,9 +366,20 @@ main_sigchld_handler(int sig)
  static void
  grace_alarm_handler(int sig)
@@ -474,7 +488,7 @@ diff -up openssh-6.1p1/sshd.c.akc openssh-6.1p1/sshd.c
  }
 diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
 --- openssh-6.1p1/sshd_config.0.akc	2012-08-29 02:53:04.000000000 +0200
-+++ openssh-6.1p1/sshd_config.0	2012-11-28 17:12:43.265524291 +0100
++++ openssh-6.1p1/sshd_config.0	2013-02-14 17:46:45.276546894 +0100
 @@ -71,6 +71,23 @@ DESCRIPTION
  
               See PATTERNS in ssh_config(5) for more information on patterns.
@@ -510,8 +524,8 @@ diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
               GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
               HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
 diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
---- openssh-6.1p1/sshd_config.5.akc	2012-11-28 17:12:43.199524517 +0100
-+++ openssh-6.1p1/sshd_config.5	2012-11-28 17:16:23.736624980 +0100
+--- openssh-6.1p1/sshd_config.5.akc	2013-02-14 17:46:45.195547248 +0100
++++ openssh-6.1p1/sshd_config.5	2013-02-14 17:46:45.277546890 +0100
 @@ -173,6 +173,20 @@ Note that each authentication method lis
  in the configuration.
  The default is not to require multiple authentication; successful completion
@@ -552,7 +566,7 @@ diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
  .Cm PermitOpen ,
 diff -up openssh-6.1p1/sshd_config.akc openssh-6.1p1/sshd_config
 --- openssh-6.1p1/sshd_config.akc	2012-07-31 04:21:34.000000000 +0200
-+++ openssh-6.1p1/sshd_config	2012-11-28 17:12:43.265524291 +0100
++++ openssh-6.1p1/sshd_config	2013-02-14 17:46:45.277546890 +0100
 @@ -49,6 +49,9 @@
  # but this is overridden so installations will only check .ssh/authorized_keys
  AuthorizedKeysFile	.ssh/authorized_keys

openssh-6.1p1-change-max-startups.patch

@@ -0,0 +1,45 @@
+diff --git a/servconf.c b/servconf.c
+index 684fbb4..a230c7b 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -267,11 +267,11 @@ fill_default_server_options(ServerOptions *options)
+ 	if (options->gateway_ports == -1)
+ 		options->gateway_ports = 0;
+ 	if (options->max_startups == -1)
+-		options->max_startups = 10;
++		options->max_startups = 100;
+ 	if (options->max_startups_rate == -1)
+-		options->max_startups_rate = 100;		/* 100% */
++		options->max_startups_rate = 30;		/* 30% */
+ 	if (options->max_startups_begin == -1)
+-		options->max_startups_begin = options->max_startups;
++		options->max_startups_begin = 10;
+ 	if (options->max_authtries == -1)
+ 		options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+ 	if (options->max_sessions == -1)
+diff --git a/sshd_config b/sshd_config
+index d1b85d0..5c03fd9 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -126,7 +126,7 @@ UsePrivilegeSeparation sandbox		# Default for new installations.
+ #ShowPatchLevel no
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+-#MaxStartups 10
++#MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
+ #VersionAddendum none
+diff --git a/sshd_config.5 b/sshd_config.5
+index fd0d35a..f02f6cc 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -826,7 +826,7 @@ SSH daemon.
+ Additional connections will be dropped until authentication succeeds or the
+ .Cm LoginGraceTime
+ expires for a connection.
+-The default is 10.
++The default is 10:30:100.
+ .Pp
+ Alternatively, random early drop can be enabled by specifying
+ the three colon separated values

openssh-6.1p1-increase-size-of-DF-groups.patch

@@ -0,0 +1,59 @@
+diff -U0 openssh-6.2p2/ChangeLog.dh openssh-6.2p2/ChangeLog
+--- openssh-6.2p2/ChangeLog.dh	2013-11-18 12:14:09.662240103 +0100
++++ openssh-6.2p2/ChangeLog	2013-11-18 12:14:09.665240089 +0100
+@@ -0,0 +1,8 @@
++20131010
++ - dtucker@cvs.openbsd.org 2013/10/08 11:42:13
++   [dh.c dh.h]
++   Increase the size of the Diffie-Hellman groups requested for a each
++   symmetric key size.  New values from NIST Special Publication 800-57 with
++   the upper limit specified by RFC4419.  Pointed out by Peter Backes, ok
++   djm@.
++
+diff -up openssh-6.2p2/dh.c.dh openssh-6.2p2/dh.c
+--- openssh-6.2p2/dh.c.dh	2011-12-19 00:52:52.000000000 +0100
++++ openssh-6.2p2/dh.c	2013-11-18 12:14:09.665240089 +0100
+@@ -332,17 +332,20 @@ dh_new_group14(void)
+ 
+ /*
+  * Estimates the group order for a Diffie-Hellman group that has an
+- * attack complexity approximately the same as O(2**bits).  Estimate
+- * with:  O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
++ * attack complexity approximately the same as O(2**bits).
++ * Values from NIST Special Publication 800-57: Recommendation for Key
++ * Management Part 1 (rev 3) limited by the recommended maximum value
++ * from RFC4419 section 3.
+  */
+ 
+ int
+ dh_estimate(int bits)
+ {
+-
++	if (bits <= 112)
++		return 2048;
+ 	if (bits <= 128)
+-		return (1024);	/* O(2**86) */
++		return 3072;
+ 	if (bits <= 192)
+-		return (2048);	/* O(2**116) */
+-	return (4096);		/* O(2**156) */
++		return 7680;
++	return 8192;
+ }
+diff -up openssh-6.2p2/dh.h.dh openssh-6.2p2/dh.h
+--- openssh-6.2p2/dh.h.dh	2008-06-29 14:47:04.000000000 +0200
++++ openssh-6.2p2/dh.h	2013-11-18 12:14:09.665240089 +0100
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */
++/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */
+ 
+ /*
+  * Copyright (c) 2000 Niels Provos.  All rights reserved.
+@@ -43,6 +43,7 @@ int	 dh_pub_is_valid(DH *, BIGNUM *);
+ 
+ int	 dh_estimate(int);
+ 
++/* Min and max values from RFC4419. */
+ #define DH_GRP_MIN	1024
+ #define DH_GRP_MAX	8192
+ 

openssh-6.1p1-sftp-multibyte.patch

@@ -0,0 +1,59 @@
+diff -U0 openssh-6.1p1/ChangeLog.sftp-multibyte openssh-6.1p1/ChangeLog
+--- openssh-6.1p1/ChangeLog.sftp-multibyte	2013-06-19 17:32:22.527999462 +0200
++++ openssh-6.1p1/ChangeLog	2013-06-19 17:34:12.236533762 +0200
+@@ -0,0 +1,8 @@
++20130605
++   - dtucker@cvs.openbsd.org 2013/06/04 20:42:36
++     [sftp.c]
++     Make sftp's libedit interface marginally multibyte aware by building up
++     the quoted string by character instead of by byte.  Prevents failures
++     when linked against a libedit built with wide character support (bz#1990).
++     "looks ok" djm
++
+diff -up openssh-6.1p1/sftp.c.sftp-multibyte openssh-6.1p1/sftp.c
+--- openssh-6.1p1/sftp.c.sftp-multibyte	2013-06-19 17:32:22.353000206 +0200
++++ openssh-6.1p1/sftp.c	2013-06-19 17:36:46.947876920 +0200
+@@ -38,6 +38,7 @@
+ #ifdef HAVE_LIBGEN_H
+ #include <libgen.h>
+ #endif
++#include <locale.h>
+ #ifdef USE_LIBEDIT
+ #include <histedit.h>
+ #else
+@@ -1694,8 +1695,9 @@ complete_match(EditLine *el, struct sftp
+     char *file, int remote, int lastarg, char quote, int terminated)
+ {
+ 	glob_t g;
+-	char *tmp, *tmp2, ins[3];
++	char *tmp, *tmp2, ins[8];
+ 	u_int i, hadglob, pwdlen, len, tmplen, filelen;
++	int clen;
+ 	const LineInfo *lf;
+ 	
+ 	/* Glob from "file" location */
+@@ -1751,10 +1753,13 @@ complete_match(EditLine *el, struct sftp
+ 		tmp2 = tmp + filelen;
+ 		len = strlen(tmp2); 
+ 		/* quote argument on way out */
+-		for (i = 0; i < len; i++) {
++		for (i = 0; i < len; i += clen) {
++			if ((clen = mblen(tmp2 + i, len - i)) < 0 ||
++			    (size_t)clen > sizeof(ins) - 2)
++				fatal("invalid multibyte character");
+ 			ins[0] = '\\';
+-			ins[1] = tmp2[i];
+-			ins[2] = '\0';
++			memcpy(ins + 1, tmp2 + i, clen);
++			ins[clen + 1] = '\0';
+ 			switch (tmp2[i]) {
+ 			case '\'':
+ 			case '"':
+@@ -2096,6 +2101,7 @@ main(int argc, char **argv)
+ 
+ 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ 	sanitise_stdfd();
++	setlocale(LC_CTYPE, "");
+ 
+ 	__progname = ssh_get_progname(argv[0]);
+ 	memset(&args, '\0', sizeof(args));

openssh-6.1p1-ssh_gai_strerror.patch

@@ -0,0 +1,23 @@
+diff -U0 openssh-6.2p2/ChangeLog.ssh_gai_strerror openssh-6.2p2/ChangeLog
+--- openssh-6.2p2/ChangeLog.ssh_gai_strerror	2013-07-23 12:03:41.467902339 +0200
++++ openssh-6.2p2/ChangeLog	2013-07-23 12:06:03.414281151 +0200
+@@ -0,0 +1,7 @@
++20130718
++   - djm@cvs.openbsd.org 2013/07/12 00:43:50
++     [misc.c]
++     in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when
++     errno == 0. Avoids confusing error message in some broken resolver
++     cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker
++
+diff -up openssh-6.2p2/misc.c.ssh_gai_strerror openssh-6.2p2/misc.c
+--- openssh-6.2p2/misc.c.ssh_gai_strerror	2013-07-23 12:03:41.321902978 +0200
++++ openssh-6.2p2/misc.c	2013-07-23 12:03:41.467902339 +0200
+@@ -127,7 +127,7 @@ unset_nonblock(int fd)
+ const char *
+ ssh_gai_strerror(int gaierr)
+ {
+-	if (gaierr == EAI_SYSTEM)
++	if (gaierr == EAI_SYSTEM && errno != 0)
+ 		return strerror(errno);
+ 	return gai_strerror(gaierr);
+ }

openssh.spec

@@ -67,7 +67,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 6.1p1
-%define openssh_rel 4
+%define openssh_rel 11
 %define pam_ssh_agent_ver 0.9.3
 %define pam_ssh_agent_rel 3
 
@@ -210,11 +210,15 @@ Patch901: openssh-6.1p1-kuserok.patch
 Patch902: openssh-6.1p1-man-moduli.patch
 # obsolete RequiredAuthentications options
 Patch903: openssh-6.1p1-required-authentications.patch
+# change default value of MaxStartups - CVE-2010-5107 - #908707
+Patch904: openssh-6.1p1-change-max-startups.patch
+# make sftp's libedit interface marginally multibyte aware (#841771)
+Patch908: openssh-6.1p1-sftp-multibyte.patch
+# don't show Success for EAI_SYSTEM (#985964)
+Patch909: openssh-6.1p1-ssh_gai_strerror.patch
+# increase the size of the Diffie-Hellman groups (#1010607)
+Patch910: openssh-6.1p1-increase-size-of-DF-groups.patch
 
-#---
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1604
-# sctp
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1873 => https://bugzilla.redhat.com/show_bug.cgi?id=668993
 
 License: BSD
 Group: Applications/Internet
@@ -455,6 +459,10 @@ popd
 %patch901 -p1 -b .kuserok
 %patch902 -p1 -b .man-moduli
 %patch903 -p1 -b .required-authentication
+%patch904 -p1 -b .max-startups
+%patch908 -p1 -b .sftp-multibyte
+%patch909 -p1 -b .ssh_gai_strerror
+%patch910 -p1 -b .dh
 
 %if 0
 # Nothing here yet
@@ -571,7 +579,7 @@ popd
 %if %{pam_ssh_agent}
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 LDFLAGS="$SAVE_LDFLAGS"
-%configure --with-selinux --libexecdir=/%{_lib}/security --with-mantype=man
+%configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man
 make
 popd
 %endif
@@ -772,11 +780,37 @@ getent passwd sshd >/dev/null || \
 %files -n pam_ssh_agent_auth
 %defattr(-,root,root)
 %doc pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
-%attr(0755,root,root) /%{_lib}/security/pam_ssh_agent_auth.so
+%attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
 %attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
 %endif
 
 %changelog
+* Wed Dec 11 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-11 + 0.9.3-3
+- sshd-keygen - use correct permissions on ecdsa host key (#1023945)
+
+* Mon Nov 18 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-10 + 0.9.3-3
+- increase the size of the Diffie-Hellman groups (#1010607)
+- sshd-keygen to generate ECDSA keys <i.grok@comcast.net> (#1019222)
+- don't show Success for EAI_SYSTEM (#985964)
+
+* Thu Jun 20 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-9 + 0.9.3-3
+- make sftp's libedit interface marginally multibyte aware (#841771)
+
+* Tue Apr 23 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-8 + 0.9.3-3
+- AuthorizedKeysCommandUser: use the user being authenticated by default (#953534)
+
+* Wed Apr 17 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-7 + 0.9.3-3
+- allow specification of alternate host key location(s) via /etc/sysconfig/sshd
+  <john_florian@dart.biz> (#865803)
+- sshd.service: use KillMode=process (#890376)
+- don't use export in sysconfig file (#953111)
+
+* Thu Feb 14 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-6 + 0.9.3-3
+- fix AuthorizedKeysCommand option
+
+* Fri Feb 08 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-5 + 0.9.3-3
+- change default value of MaxStartups - CVE-2010-5107 (#908707)
+
 * Mon Dec 03 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-4 + 0.9.3-3
 - fix segfault in openssh-5.8p2-force_krb.patch (#882541)
 
@@ -834,10 +868,10 @@ getent passwd sshd >/dev/null || \
 * Tue Jan 31 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-17 + 0.9.2-32
 - run privsep slave process as the users SELinux context (#781634)
 
-* Fri Dec 13 2011 Tomas Mraz <tmraz@redhat.com> 5.9p1-16 + 0.9.2-32
+* Tue Dec 13 2011 Tomas Mraz <tmraz@redhat.com> 5.9p1-16 + 0.9.2-32
 - add CAVS test driver for the aes-ctr ciphers
 
-* Wed Dec 11 2011 Tomas Mraz <tmraz@redhat.com> 5.9p1-15 + 0.9.2-32
+* Sun Dec 11 2011 Tomas Mraz <tmraz@redhat.com> 5.9p1-15 + 0.9.2-32
 - enable aes-ctr ciphers use the EVP engines from OpenSSL such as the AES-NI
 
 * Tue Dec 06 2011 Petr Lautrbach <plautrba@redhat.com> 5.9p1-14 + 0.9.2-32
@@ -1040,7 +1074,7 @@ getent passwd sshd >/dev/null || \
 - clean the data structures in the non privileged process
 - clean the data structures when roaming
 
-* Tue Feb  2 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-28 + 0.9.2-29
+* Wed Feb  2 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-28 + 0.9.2-29
 - clean the data structures in the privileged process
 
 * Tue Jan 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-25 + 0.9.2-29
@@ -1079,10 +1113,10 @@ getent passwd sshd >/dev/null || \
 * Wed Nov  3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-15 + 0.9.2-27
 - add auditing the kex result
 
-* Fri Nov  2 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-14 + 0.9.2-27
+* Tue Nov  2 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-14 + 0.9.2-27
 - add auditing the key ussage
 
-* Fri Oct 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-12 + 0.9.2-27
+* Wed Oct 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-12 + 0.9.2-27
 - update gsskex patch (#645389)
 
 * Wed Oct 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-11 + 0.9.2-27
@@ -1124,7 +1158,7 @@ getent passwd sshd >/dev/null || \
 * Wed Jun 30 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-17 + 0.9.2-26
 - improved the x11 patch according to upstream (#598671)
 
-* Thu Jun 25 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-16 + 0.9.2-26
+* Fri Jun 25 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-16 + 0.9.2-26
 - improved the x11 patch (#598671)
 
 * Thu Jun 24 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-15 + 0.9.2-26
@@ -1166,7 +1200,7 @@ getent passwd sshd >/dev/null || \
 - Tweak the ldap patch
 - Rename stderr patch properly
 
-* Wed Apr 29 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-4 + 0.9.2-26
+* Thu Apr 29 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-4 + 0.9.2-26
 - Added LDAP support
 
 * Mon Apr 26 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-3 + 0.9.2-26
@@ -1449,10 +1483,10 @@ getent passwd sshd >/dev/null || \
 * Mon Mar 19 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-5
 - make profile.d/gnome-ssh-askpass.* regular files (#226218)
 
-* Thu Feb 27 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-4
+* Tue Feb 27 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-4
 - reject connection if requested mls range is not obtained (#229278)
 
-* Wed Feb 22 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-3
+* Thu Feb 22 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-3
 - improve Buildroot
 - remove duplicate /etc/ssh from files
 
@@ -1818,16 +1852,16 @@ getent passwd sshd >/dev/null || \
   complain if setgroups() fails if sshd has euid == 0
 - handle krb5 installed in %%{_prefix} or elsewhere by using krb5-config
 
-* Tue Jul 28 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-5
+* Mon Jul 28 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-5
 - Add SELinux patch
 
 * Tue Jul 22 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-4
 - rebuild
 
-* Wed Jun 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-3
+* Wed Jul 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-3
 - rebuild
 
-* Wed Jun 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-2
+* Wed Jul 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-2
 - rebuild
 
 * Thu Jun  5 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-1
@@ -1951,7 +1985,7 @@ getent passwd sshd >/dev/null || \
 - remove dependency on db1-devel, which has just been swallowed up whole
   by gnome-libs-devel
 
-* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
+* Sat Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
 - adjust build dependencies so that build6x actually works right (fix
   from Hugo van der Kooij)
 

sshd-keygen

@@ -8,14 +8,15 @@
 # source function library
 . /etc/rc.d/init.d/functions
 
-# pull in sysconfig settings
-[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
-
 # Some functions to make the below more readable
 KEYGEN=/usr/bin/ssh-keygen
 RSA1_KEY=/etc/ssh/ssh_host_key
 RSA_KEY=/etc/ssh/ssh_host_rsa_key
 DSA_KEY=/etc/ssh/ssh_host_dsa_key
+ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
+
+# pull in sysconfig settings
+[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
 
 fips_enabled() {
 	if [ -r /proc/sys/crypto/fips_enabled ]; then
@@ -88,11 +89,33 @@ do_dsa_keygen() {
 	fi
 }
 
+do_ecdsa_keygen() {
+	if [ ! -s $ECDSA_KEY ]; then
+		echo -n $"Generating SSH2 ECDSA host key: "
+		rm -f $ECDSA_KEY
+		if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
+			chgrp ssh_keys $ECDSA_KEY
+			chmod 640 $ECDSA_KEY
+			chmod 644 $ECDSA_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $ECDSA_KEY.pub
+			fi
+			success $"ECDSA key generation"
+			echo
+		else
+			failure $"ECDSA key generation"
+			echo
+			exit 1
+		fi
+	fi
+}
+
 # Create keys if necessary
 if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
 	do_rsa_keygen
 	if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
 		do_rsa1_keygen
 		do_dsa_keygen
+		do_ecdsa_keygen
 	fi
 fi

sshd.service

@@ -7,6 +7,7 @@ EnvironmentFile=/etc/sysconfig/sshd
 ExecStartPre=/usr/sbin/sshd-keygen
 ExecStart=/usr/sbin/sshd -D $OPTIONS
 ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
 
 [Install]
 WantedBy=multi-user.target

sshd.sysconfig

@@ -9,8 +9,7 @@
 AUTOCREATE_SERVER_KEYS=YES
 
 # Do not change this option unless you have hardware random
-# generator and you REALLY know what you are doing/
+# generator and you REALLY know what you are doing
 
-export SSH_USE_STRONG_RNG=0
-# export SSH_USE_STRONG_RNG=1
- 
+SSH_USE_STRONG_RNG=0
+# SSH_USE_STRONG_RNG=1