7.6p1-6 + 0.10.3-3

Per announcement on fedora-devel:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/LLG4T53FW2BGVZLGLKNYTKPD5SQNBZ2Y/

openssh-6.7p1-ldap.patch

@@ -736,7 +736,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
 +	timeout.tv_sec = options.bind_timelimit;
 +	timeout.tv_usec = 0;
 +	result = NULL;
-+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
++	if ((rc = ldap_result (ld, msgid, 0, &timeout, &result)) < 1) {
 +		error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
 +		ldap_msgfree (result);
 +		return LDAP_OPERATIONS_ERROR;
@@ -837,7 +837,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
 +			}
 +
 +			if (options.ssl_on != SSL_OFF) {
-+				if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
++				if ((ld = ldapssl_init (options.host, options.port, 1)) == NULL)
 +				    fatal ("ldapssl_init failed");
 +				debug3 ("LDAPssl init");
 +			}
@@ -1041,7 +1041,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
 +
 +	timeout.tv_sec = options.bind_timelimit;
 +	timeout.tv_usec = 0;
-+	if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
++	if ((rc = ldap_result (ld, msgid, 0, &timeout, &result)) < 1) {
 +		ld_errno = ldap_get_lderrno (ld, 0, 0);
 +
 +		error ("ldap_result %s", ldap_err2string (ld_errno));
@@ -1052,7 +1052,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
 +
 +#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
 +	controls = NULL;
-+	if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
++	if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, 1)) != LDAP_SUCCESS)
 +	    fatal ("ldap_parse_result %s", ldap_err2string (parserc));
 +	debug3 ("LDAP parse result OK");
 +
@@ -1060,7 +1060,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
 +		ldap_controls_free (controls);
 +	}
 +#else
-+	rc = ldap_result2error (session->ld, result, TRUE);
++	rc = ldap_result2error (session->ld, result, 1);
 +#endif
 +	if (rc != LDAP_SUCCESS)
 +	    fatal ("error trying to bind as user \"%s\" (%s)",

openssh-7.6p1-CVE-2018-15473.patch

@@ -0,0 +1,146 @@
+From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001
+From: djm <djm@openbsd.org>
+Date: Tue, 31 Jul 2018 03:10:27 +0000
+Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?=
+ =?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?=
+ =?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?=
+ =?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ usr.bin/ssh/auth2-gss.c       | 11 +++++++----
+ usr.bin/ssh/auth2-hostbased.c | 11 ++++++-----
+ usr.bin/ssh/auth2-pubkey.c    | 25 +++++++++++++++----------
+ 3 files changed, 28 insertions(+), 19 deletions(-)
+
+diff --git a/usr.bin/ssh/auth2-gss.c b/usr.bin/ssh/auth2-gss.c
+index 649c830916a..c919ef4c353 100644
+--- a/usr.bin/ssh/auth2-gss.c
++++ b/usr.bin/ssh/auth2-gss.c
+@@ -65,9 +65,6 @@ userauth_gssapi(struct ssh *ssh)
+ 	u_int len;
+ 	u_char *doid = NULL;
+ 
+-	if (!authctxt->valid || authctxt->user == NULL)
+-		return (0);
+-
+ 	mechs = packet_get_int();
+ 	if (mechs == 0) {
+ 		debug("Mechanism negotiation is not supported");
+@@ -101,6 +98,12 @@ userauth_gssapi(struct ssh *ssh)
+ 		return (0);
+ 	}
+ 
++	if (!authctxt->valid || authctxt->user == NULL) {
++		debug2("%s: disabled because of invalid user", __func__);
++		free(doid);
++		return (0);
++	}
++
+ 	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
+ 		if (ctxt != NULL)
+ 			ssh_gssapi_delete_ctx(&ctxt);
+diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c
+index ad335555934..fb5e5f42272 100644
+--- a/usr.bin/ssh/auth2-hostbased.c
++++ b/usr.bin/ssh/auth2-hostbased.c
+@@ -66,10 +66,6 @@ userauth_hostbased(struct ssh *ssh)
+ 	size_t alen, blen, slen;
+ 	int r, pktype, authenticated = 0;
+ 
+-	if (!authctxt->valid) {
+-		debug2("%s: disabled because of invalid user", __func__);
+-		return 0;
+-	}
+ 	/* XXX use sshkey_froms() */
+ 	if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
+ 	    (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
+@@ -116,6 +112,11 @@ userauth_hostbased(struct ssh *ssh)
+ 		goto done;
+ 	}
+ 
++	if (!authctxt->valid || authctxt->user == NULL) {
++		debug2("%s: disabled because of invalid user", __func__);
++		goto done;
++	}
++
+ 	service = ssh->compat & SSH_BUG_HBSERVICE ? "ssh-userauth" :
+ 	    authctxt->service;
+ 	if ((b = sshbuf_new()) == NULL)
+diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c
+index 195da5e2111..af9e5f04c45 100644
+--- a/usr.bin/ssh/auth2-pubkey.c
++++ b/usr.bin/ssh/auth2-pubkey.c
+@@ -86,18 +86,14 @@ userauth_pubkey(struct ssh *ssh)
+ userauth_pubkey(struct ssh *ssh)
+ {
+ 	Authctxt *authctxt = ssh->authctxt;
+-	struct sshbuf *b;
++	struct sshbuf *b = NULL;
+ 	struct sshkey *key = NULL;
+-	char *pkalg, *userstyle = NULL, *fp = NULL;
+-	u_char *pkblob, *sig, have_sig;
++	char *pkalg = NULL, *userstyle = NULL, *fp = NULL;
++	u_char *pkblob = NULL, *sig = NULL, have_sig;
+ 	size_t blen, slen;
+ 	int r, pktype;
+ 	int authenticated = 0;
+ 
+-	if (!authctxt->valid) {
+-		debug2("%s: disabled because of invalid user", __func__);
+-		return 0;
+-	}
+ 	if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0)
+ 		fatal("%s: sshpkt_get_u8 failed: %s", __func__, ssh_err(r));
+ 	if (ssh->compat & SSH_BUG_PKAUTH) {
+@@ -164,6 +160,11 @@ userauth_pubkey(struct ssh *ssh)
+ 				fatal("%s: sshbuf_put_string session id: %s",
+ 				    __func__, ssh_err(r));
+ 		}
++		if (!authctxt->valid || authctxt->user == NULL) {
++			debug2("%s: disabled because of invalid user",
++			    __func__);
++			goto done;
++		}
+ 		/* reconstruct packet */
+ 		xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
+ 		    authctxt->style ? ":" : "",
+@@ -180,7 +181,6 @@ userauth_pubkey(struct ssh *ssh)
+ #ifdef DEBUG_PK
+ 		sshbuf_dump(b, stderr);
+ #endif
+-
+ 		/* test for correct signature */
+ 		authenticated = 0;
+ 		if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
+@@ -191,7 +191,6 @@ userauth_pubkey(struct ssh *ssh)
+ 			authenticated = 1;
+ 		}
+ 		sshbuf_free(b);
+-		free(sig);
+ 		auth2_record_key(authctxt, authenticated, key);
+ 	} else {
+ 		debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
+@@ -202,6 +201,11 @@ userauth_pubkey(struct ssh *ssh)
+ 		if ((r = sshpkt_get_end(ssh)) != 0)
+ 			fatal("%s: %s", __func__, ssh_err(r));
+ 
++		if (!authctxt->valid || authctxt->user == NULL) {
++			debug2("%s: disabled because of invalid user",
++			    __func__);
++			goto done;
++		}
+ 		/* XXX fake reply and always send PK_OK ? */
+ 		/*
+ 		 * XXX this allows testing whether a user is allowed
+@@ -235,6 +239,7 @@ userauth_pubkey(struct ssh *ssh)
+ 	free(pkalg);
+ 	free(pkblob);
+ 	free(fp);
++	free(sig);
+ 	return authenticated;
+ }
+ 
+

openssh-7.6p1-audit.patch

@@ -31,7 +31,7 @@ diff -up openssh-7.6p1/audit-bsm.c.audit openssh-7.6p1/audit-bsm.c
  }
  
 +int
-+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
++audit_keyusage(int host_user, char *fp, int rv)
 +{
 +	/* not implemented */
 +}
@@ -39,7 +39,7 @@ diff -up openssh-7.6p1/audit-bsm.c.audit openssh-7.6p1/audit-bsm.c
  void
  audit_event(ssh_audit_event_t event)
  {
-@@ -452,4 +471,40 @@ audit_event(ssh_audit_event_t event)
+@@ -452,4 +471,34 @@ audit_event(ssh_audit_event_t event)
  		debug("%s: unhandled event %d", __func__, event);
  	}
  }
@@ -72,12 +72,6 @@ diff -up openssh-7.6p1/audit-bsm.c.audit openssh-7.6p1/audit-bsm.c
 +audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
 +{
 +	/* not implemented */
-+}
-+
-+void
-+audit_generate_ephemeral_server_key(const char *fp)
-+{
-+	/* not implemented */
 +}
  #endif /* BSM */
 diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
@@ -91,7 +85,7 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
  
  #ifdef SSH_AUDIT_EVENTS
  
-@@ -34,6 +35,11 @@
+@@ -34,6 +35,12 @@
  #include "key.h"
  #include "hostfile.h"
  #include "auth.h"
@@ -100,6 +94,7 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
 +#include "xmalloc.h"
 +#include "misc.h"
 +#include "servconf.h"
++#include "ssherr.h"
  
  /*
   * Care must be taken when using this since it WILL NOT be initialized when
@@ -127,7 +122,7 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
  	return (the_authctxt->user);
  }
  
-@@ -109,6 +113,37 @@ audit_event_lookup(ssh_audit_event_t ev)
+@@ -109,6 +113,35 @@ audit_event_lookup(ssh_audit_event_t ev)
  	return(event_lookup[i].name);
  }
  
@@ -135,12 +130,10 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
 +audit_key(int host_user, int *rv, const Key *key)
 +{
 +	char *fp;
-+	const char *crypto_name;
 +
 +	fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX);
-+	crypto_name = key_ssh_name(key);
-+	if (audit_keyusage(host_user, crypto_name, sshkey_size(key), fp, *rv) == 0)
-+		*rv = 0;
++	if (audit_keyusage(host_user, fp, (*rv == 0)) == 0)
++		*rv = -SSH_ERR_INTERNAL_ERROR;
 +	free(fp);
 +}
 +
@@ -183,7 +176,7 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
   * Called when a user session is started.  Argument is the tty allocated to
   * the session, or NULL if no tty was allocated.
   *
-@@ -172,13 +218,91 @@ audit_session_close(struct logininfo *li
+@@ -172,13 +218,82 @@ audit_session_close(struct logininfo *li
  /*
   * This will be called when a user runs a non-interactive command.  Note that
   * it may be called multiple times for a single connection since SSH2 allows
@@ -219,10 +212,10 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
 + * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
 + */
 +int
-+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
++audit_keyusage(int host_user, char *fp, int rv)
 +{
-+	debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d",
-+		host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits,
++	debug("audit %s key usage euid %d user %s fingerprint %s, result %d",
++		host_user ? "pubkey" : "hostbased", geteuid(), audit_username(),
 +		fp, rv);
 +}
 +
@@ -265,15 +258,6 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
 +{
 +	debug("audit destroy sensitive data euid %d fingerprint %s from pid %ld uid %u",
 +		geteuid(), fp, (long)pid, (unsigned)uid);
-+}
-+
-+/*
-+ * This will be called on generation of the ephemeral server key
-+ */
-+void
-+audit_generate_ephemeral_server_key(const char *)
-+{
-+	debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
  }
  # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
  #endif /* SSH_AUDIT_EVENTS */
@@ -288,7 +272,7 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h
  
  enum ssh_audit_event_type {
  	SSH_LOGIN_EXCEED_MAXTRIES,
-@@ -43,13 +44,33 @@ enum ssh_audit_event_type {
+@@ -43,13 +44,32 @@ enum ssh_audit_event_type {
  	SSH_CONNECTION_ABANDON,	/* closed without completing auth */
  	SSH_AUDIT_UNKNOWN
  };
@@ -311,7 +295,7 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h
 +int	audit_run_command(const char *);
 +void 	audit_end_command(int, const char *);
  ssh_audit_event_t audit_classify_auth(const char *);
-+int	audit_keyusage(int, const char *, unsigned, char *, int);
++int	audit_keyusage(int, char *, int);
 +void	audit_key(int, int *, const Key *);
 +void	audit_unsupported(int);
 +void	audit_kex(int, char *, char *, char *, char *);
@@ -320,13 +304,12 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h
 +void	audit_session_key_free(int ctos);
 +void	audit_session_key_free_body(int ctos, pid_t, uid_t);
 +void	audit_destroy_sensitive_data(const char *, pid_t, uid_t);
-+void	audit_generate_ephemeral_server_key(const char *);
  
  #endif /* _SSH_AUDIT_H */
 diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
 --- openssh-7.6p1/audit-linux.c.audit	2017-10-02 21:34:26.000000000 +0200
 +++ openssh-7.6p1/audit-linux.c	2017-10-04 17:18:32.835505053 +0200
-@@ -33,25 +33,38 @@
+@@ -33,27 +33,40 @@
  
  #include "log.h"
  #include "audit.h"
@@ -353,7 +336,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
 -linux_audit_record_event(int uid, const char *username, const char *hostname,
 -    const char *ip, const char *ttyn, int success)
 +static void
-+linux_audit_user_logxxx(int uid, const char *username, const char *hostname,
++linux_audit_user_logxxx(int uid, const char *username,
 +    const char *ip, const char *ttyn, int success, int event)
  {
  	int audit_fd, rc, saved_errno;
@@ -370,9 +353,12 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
 -	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
 +	rc = audit_log_acct_message(audit_fd, event,
  	    NULL, "login", username ? username : "(unknown)",
- 	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
+-	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
++	    username == NULL ? uid : -1, NULL, ip, ttyn, success);
  	saved_errno = errno;
-@@ -65,9 +78,97 @@ linux_audit_record_event(int uid, const
+ 	close(audit_fd);
+ 
+@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const
  		rc = 0;
  	errno = saved_errno;
  
@@ -385,7 +371,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
 +
 +static void
 +linux_audit_user_auth(int uid, const char *username,
-+    const char *hostname, const char *ip, const char *ttyn, int success, int event)
++    const char *ip, const char *ttyn, int success, int event)
 +{
 +	int audit_fd, rc, saved_errno;
 +	static const char *event_name[] = {
@@ -419,7 +405,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
 +
 +	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH,
 +	    NULL, event_name[event], username ? username : "(unknown)",
-+	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
++	    username == NULL ? uid : -1, NULL, ip, ttyn, success);
 +	saved_errno = errno;
 +	close(audit_fd);
 +	/*
@@ -436,7 +422,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
 +}
 +
 +int
-+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
++audit_keyusage(int host_user, char *fp, int rv)
 +{
 +	char buf[AUDIT_LOG_SIZE];
 +	int audit_fd, rc, saved_errno;
@@ -449,15 +435,14 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
 +		else
 +			return 0; /* Must prevent login */
 +	}
-+	snprintf(buf, sizeof(buf), "%s_auth rport=%d", host_user ? "pubkey" : "hostbased", ssh_remote_port(active_state));
++	snprintf(buf, sizeof(buf), "%s_auth grantors=auth-key", host_user ? "pubkey" : "hostbased");
 +	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
 +		buf, audit_username(), -1, NULL, ssh_remote_ipaddr(active_state), NULL, rv);
 +	if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
 +		goto out;
-+	snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d",
-+			type, bits, fp, ssh_remote_port(active_state));
-+	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
-+		buf, audit_username(), -1, NULL, ssh_remote_ipaddr(active_state), NULL, rv);
++	snprintf(buf, sizeof(buf), "op=negotiate kind=auth-key fp=%s", fp);
++	rc = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, buf, NULL,
++		ssh_remote_ipaddr(active_state), NULL, rv);
 +out:
 +	saved_errno = errno;
 +	audit_close(audit_fd);
@@ -471,7 +456,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
  /* Below is the sshd audit API code */
  
  void
-@@ -76,24 +177,51 @@ audit_connection_from(const char *host,
+@@ -76,24 +177,55 @@ audit_connection_from(const char *host,
  	/* not implemented */
  }
  
@@ -481,21 +466,25 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
  {
 -	/* not implemented */
 +	if (!user_login_count++)
-+		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
-+		    NULL, "ssh", 1, AUDIT_USER_LOGIN);
-+	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
-+	    NULL, "ssh", 1, AUDIT_USER_START);
++		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++		    ssh_remote_ipaddr(active_state),
++		    "ssh", 1, AUDIT_USER_LOGIN);
++	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++	    ssh_remote_ipaddr(active_state),
++	    "ssh", 1, AUDIT_USER_START);
 +	return 0;
 +}
 +
 +void
 +audit_end_command(int handle, const char *command)
 +{
-+	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
-+	    NULL, "ssh", 1, AUDIT_USER_END);
++	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++	    ssh_remote_ipaddr(active_state),
++	    "ssh", 1, AUDIT_USER_END);
 +	if (user_login_count && !--user_login_count)
-+		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
-+		    NULL, "ssh", 1, AUDIT_USER_LOGOUT);
++		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++		    ssh_remote_ipaddr(active_state),
++		    "ssh", 1, AUDIT_USER_LOGOUT);
 +}
 +
 +void
@@ -512,9 +501,9 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
 -		fatal("linux_audit_write_entry failed: %s", strerror(errno));
 +	if (!user_login_count++)
 +		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
-+		    NULL, li->line, 1, AUDIT_USER_LOGIN);
++		    li->line, 1, AUDIT_USER_LOGIN);
 +	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
-+	    NULL, li->line, 1, AUDIT_USER_START);
++	    li->line, 1, AUDIT_USER_START);
  }
  
  void
@@ -522,38 +511,37 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
  {
 -	/* not implemented */
 +	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
-+	    NULL, li->line, 1, AUDIT_USER_END);
++	    li->line, 1, AUDIT_USER_END);
 +	if (user_login_count && !--user_login_count)
 +		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
-+		    NULL, li->line, 1, AUDIT_USER_LOGOUT);
++		    li->line, 1, AUDIT_USER_LOGOUT);
  }
  
  void
-@@ -103,24 +231,180 @@ audit_event(ssh_audit_event_t event)
+@@ -102,25 +231,155 @@ audit_event(ssh_audit_event_t event)
+ 	struct ssh *ssh = active_state; /* XXX */
  
  	switch(event) {
- 	case SSH_AUTH_SUCCESS:
+-	case SSH_AUTH_SUCCESS:
 -	case SSH_CONNECTION_CLOSE:
-+		linux_audit_user_auth(-1, audit_username(), NULL,
-+			ssh_remote_ipaddr(ssh), "ssh", 1, event);
-+		break;
-+
  	case SSH_NOLOGIN:
 -	case SSH_LOGIN_EXCEED_MAXTRIES:
  	case SSH_LOGIN_ROOT_DENIED:
-+		linux_audit_user_auth(-1, audit_username(), NULL,
++		linux_audit_user_auth(-1, audit_username(),
 +			ssh_remote_ipaddr(ssh), "ssh", 0, event);
-+		linux_audit_user_logxxx(-1, audit_username(), NULL,
++		linux_audit_user_logxxx(-1, audit_username(),
 +			ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
  		break;
-+	case SSH_LOGIN_EXCEED_MAXTRIES:
- 	case SSH_AUTH_FAIL_NONE:
+-	case SSH_AUTH_FAIL_NONE:
  	case SSH_AUTH_FAIL_PASSWD:
++		if (options.use_pam)
++			break;
++	case SSH_LOGIN_EXCEED_MAXTRIES:
  	case SSH_AUTH_FAIL_KBDINT:
  	case SSH_AUTH_FAIL_PUBKEY:
  	case SSH_AUTH_FAIL_HOSTBASED:
  	case SSH_AUTH_FAIL_GSSAPI:
-+		linux_audit_user_auth(-1, audit_username(), NULL,
++		linux_audit_user_auth(-1, audit_username(),
 +			ssh_remote_ipaddr(ssh), "ssh", 0, event);
 +		break;
 +
@@ -561,11 +549,11 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
 +		if (user_login_count) {
 +			while (user_login_count--)
 +				linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
-+				    session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns),
-+				    NULL, "ssh", 1, AUDIT_USER_END);
++				    ssh_remote_ipaddr(ssh),
++				    "ssh", 1, AUDIT_USER_END);
 +			linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
-+			    session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns),
-+			    NULL, "ssh", 1, AUDIT_USER_LOGOUT);
++			    ssh_remote_ipaddr(ssh),
++			    "ssh", 1, AUDIT_USER_LOGOUT);
 +		}
 +		break;
 +
@@ -573,7 +561,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
  	case SSH_INVALID_USER:
 -		linux_audit_record_event(-1, audit_username(), NULL,
 -		    ssh_remote_ipaddr(ssh), "sshd", 0);
-+		linux_audit_user_logxxx(-1, audit_username(), NULL,
++		linux_audit_user_logxxx(-1, audit_username(),
 +			ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
  		break;
  	default:
@@ -690,28 +678,6 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
 +	/* do not abort if the error is EPERM and sshd is run as non root user */
 +	if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
 +		error("cannot write into audit");
-+}
-+
-+void
-+audit_generate_ephemeral_server_key(const char *fp)
-+{
-+	char buf[AUDIT_LOG_SIZE];
-+	int audit_fd, audit_ok;
-+
-+	snprintf(buf, sizeof(buf), "op=create kind=server fp=%s direction=? ", fp);
-+	audit_fd = audit_open();
-+	if (audit_fd < 0) {
-+		if (errno != EINVAL && errno != EPROTONOSUPPORT &&
-+					 errno != EAFNOSUPPORT)
-+			error("cannot open audit");
-+		return;
-+	}
-+	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
-+			buf, NULL, 0, NULL, 1);
-+	audit_close(audit_fd);
-+	/* do not abort if the error is EPERM and sshd is run as non root user */
-+	if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
-+		error("cannot write into audit");
 +}
  #endif /* USE_LINUX_AUDIT */
 diff -up openssh-7.6p1/auditstub.c.audit openssh-7.6p1/auditstub.c
@@ -848,6 +814,15 @@ diff -up openssh-7.6p1/auth2-pubkey.c.audit openssh-7.6p1/auth2-pubkey.c
 diff -up openssh-7.6p1/auth.c.audit openssh-7.6p1/auth.c
 --- openssh-7.6p1/auth.c.audit	2017-10-04 17:18:32.746504598 +0200
 +++ openssh-7.6p1/auth.c	2017-10-04 17:18:32.835505053 +0200
+@@ -360,7 +360,7 @@ auth_log(Authctxt *authctxt, int authent
+ # endif
+ #endif
+ #ifdef SSH_AUDIT_EVENTS
+-	if (authenticated == 0 && !authctxt->postponed)
++	if (authenticated == 0 && !authctxt->postponed && !partial)
+ 		audit_event(audit_classify_auth(method));
+ #endif
+ }
 @@ -599,9 +599,6 @@ getpwnamallow(const char *user)
  		record_failed_login(user,
  		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");

openssh.spec

@@ -66,7 +66,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 7.6p1
-%global openssh_rel 3
+%global openssh_rel 6
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 3
 
@@ -233,6 +233,8 @@ Patch949: openssh-7.6p1-cleanup-selinux.patch
 Patch950: openssh-7.5p1-sandbox.patch
 # PermitOpen bug in OpenSSH 7.6:
 Patch951: openssh-7.6p1-permitopen-bug.patch
+# CVE-2018-15473: User "enumeration" via malformed packets in authentication requests
+Patch952: openssh-7.6p1-CVE-2018-15473.patch
 
 
 License: BSD
@@ -295,9 +297,7 @@ Requires: openssh = %{version}-%{release}
 Requires(pre): /usr/sbin/useradd
 Requires: pam >= 1.0.1-3
 Requires: fipscheck-lib%{_isa} >= 1.3.0
-Requires(post): systemd-units
-Requires(preun): systemd-units
-Requires(postun): systemd-units
+%{?systemd_requires}
 
 %if %{ldap}
 %package ldap
@@ -458,6 +458,7 @@ popd
 %patch949 -p1 -b .refactor
 %patch950 -p1 -b .sandbox
 %patch951 -p1 -b .permitOpen
+%patch952 -p3 -b .enumeration
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@@ -765,6 +766,18 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Sat Aug 25 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-6 + 0.10.3-3
+- Fix CVE-2018-15473 (#1619064)
+
+* Thu Feb 01 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-5 + 0.10.3-3
+- Build correctly against systemd
+
+* Thu Feb 01 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-4 + 0.10.3-3
+- Whitelist gettid() syscall in seccomp filter (#1524392)
+- Do not pass hostnames to audit -- UseDNS is usually disabled (#1534577)
+- Rework audit events to match requirements
+- Packaging details from rawhide
+
 * Mon Dec 11 2017 Jakub Jelen <jjelen@redhat.com> - 7.6p1-3 + 0.10.3-3
 - Do not segfault during audit cleanup (#1524233)
 - Avoid gcc warnings about uninitialized variables