New testing snapshot of 6.9 version for copr

- snapshot 20140825

openssh-5618210618256bbf5f4f71b2887ff186fd451736.patch

@@ -0,0 +1,162 @@
+From 5618210618256bbf5f4f71b2887ff186fd451736 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Sun, 20 Apr 2014 13:44:47 +1000
+Subject: [PATCH]  - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c
+ version.h]    OpenSSH 6.5 and 6.6 sometimes encode a value used in the
+ curve25519    key exchange incorrectly, causing connection failures about
+ 0.2% of    the time when this method is used against a peer that implements  
+  the method properly.
+
+   Fix the problem and disable the curve25519 KEX when speaking to
+   OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
+   to enable the compatability code.
+---
+ ChangeLog     | 11 +++++++++++
+ bufaux.c      |  5 ++++-
+ compat.c      | 17 ++++++++++++++++-
+ compat.h      |  2 ++
+ sshconnect2.c |  2 ++
+ sshd.c        |  3 +++
+ version.h     |  2 +-
+ 7 files changed, 39 insertions(+), 3 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 9c59cc4..60f181a 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,14 @@
++20140420
++ - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h]
++   OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519
++   key exchange incorrectly, causing connection failures about 0.2% of
++   the time when this method is used against a peer that implements
++   the method properly.
++
++   Fix the problem and disable the curve25519 KEX when speaking to
++   OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
++   to enable the compatability code.
++
+ 20140313
+  - (djm) Release OpenSSH 6.6
+ 
+diff --git a/bufaux.c b/bufaux.c
+index e24b5fc..f6a6f2a 100644
+--- a/bufaux.c
++++ b/bufaux.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
+ 
+ 	if (l > 8 * 1024)
+ 		fatal("%s: length %u too long", __func__, l);
++	/* Skip leading zero bytes */
++	for (; l > 0 && *s == 0; l--, s++)
++		;
+ 	p = buf = xmalloc(l + 1);
+ 	/*
+ 	 * If most significant bit is set then prepend a zero byte to
+diff --git a/compat.c b/compat.c
+index 9d9fabe..2709dc5 100644
+--- a/compat.c
++++ b/compat.c
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+ 		{ "Sun_SSH_1.0*",	SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+ 		{ "OpenSSH_4*",		0 },
+ 		{ "OpenSSH_5*",		SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
++		{ "OpenSSH_6.6.1*",	SSH_NEW_OPENSSH},
++		{ "OpenSSH_6.5*,"
++		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+ 		{ "OpenSSH*",		SSH_NEW_OPENSSH },
+ 		{ "*MindTerm*",		0 },
+ 		{ "2.1.0*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
+ 	return cipher_prop;
+ }
+ 
+-
+ char *
+ compat_pkalg_proposal(char *pkalg_prop)
+ {
+@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
+ 	return pkalg_prop;
+ }
+ 
++char *
++compat_kex_proposal(char *kex_prop)
++{
++	if (!(datafellows & SSH_BUG_CURVE25519PAD))
++		return kex_prop;
++	debug2("%s: original KEX proposal: %s", __func__, kex_prop);
++	kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
++	debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
++	if (*kex_prop == '\0')
++		fatal("No supported key exchange algorithms found");
++	return kex_prop;
++}
++
+diff --git a/compat.h b/compat.h
+index b174fa1..a6c3f3d 100644
+--- a/compat.h
++++ b/compat.h
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR	0x02000000
+ #define SSH_NEW_OPENSSH		0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT	0x08000000
++#define SSH_BUG_CURVE25519PAD	0x10000000
+ 
+ void     enable_compat13(void);
+ void     enable_compat20(void);
+@@ -66,6 +67,7 @@ void     compat_datafellows(const char *);
+ int	 proto_spec(const char *);
+ char	*compat_cipher_proposal(char *);
+ char	*compat_pkalg_proposal(char *);
++char	*compat_kex_proposal(char *);
+ 
+ extern int compat13;
+ extern int compat20;
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 7f4ff41..ec3ad6a 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -195,6 +195,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+ 	}
+ 	if (options.kex_algorithms != NULL)
+ 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
++	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++	    myproposal[PROPOSAL_KEX_ALGS]);
+ 
+ 	if (options.rekey_limit || options.rekey_interval)
+ 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+diff --git a/sshd.c b/sshd.c
+index 7523de9..e9084b7 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2462,6 +2462,9 @@ do_ssh2_kex(void)
+ 	if (options.kex_algorithms != NULL)
+ 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+ 
++	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++	    myproposal[PROPOSAL_KEX_ALGS]);
++
+ 	if (options.rekey_limit || options.rekey_interval)
+ 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ 		    (time_t)options.rekey_interval);
+diff --git a/version.h b/version.h
+index a1579ac..a33e77c 100644
+--- a/version.h
++++ b/version.h
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+ 
+-#define SSH_VERSION	"OpenSSH_6.6"
++#define SSH_VERSION	"OpenSSH_6.6.1"
+ 
+ #define SSH_PORTABLE	"p1"
+ #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+-- 
+1.8.3.1
+

openssh.spec

@@ -1,10 +1,3 @@
-# Do we want SELinux & Audit
-%if 0%{?!noselinux:1}
-%define WITH_SELINUX 1
-%else
-%define WITH_SELINUX 0
-%endif
-
 # OpenSSH privilege separation requires a user & group ID
 %define sshd_uid    74
 %define sshd_gid    74
@@ -12,74 +5,31 @@
 # Do we want to disable building of gnome-askpass? (1=yes 0=no)
 %define no_gnome_askpass 0
 
-# Do we want to link against a static libcrypto? (1=yes 0=no)
-%define static_libcrypto 0
-
 # Use GTK2 instead of GNOME in gnome-ssh-askpass
 %define gtk2 1
 
-# Build position-independent executables (requires toolchain support)?
-%define pie 1
-
-# Do we want kerberos5 support (1=yes 0=no)
-%define kerberos5 1
-
 # Do we want libedit support
 %define libedit 1
 
-# Do we want LDAP support
-%define ldap 1
-
-# Whether to build pam_ssh_agent_auth
-%if 0%{?!nopam:1}
-%define pam_ssh_agent 1
-%else
-%define pam_ssh_agent 0
-%endif
-
 # Reserve options to override askpass settings with:
 # rpm -ba|--rebuild --define 'skip_xxx 1'
 %{?skip_gnome_askpass:%global no_gnome_askpass 1}
 
-# Add option to build without GTK2 for older platforms with only GTK+.
-# Red Hat Linux <= 7.2 and Red Hat Advanced Server 2.1 are examples.
-# rpm -ba|--rebuild --define 'no_gtk2 1'
-%{?no_gtk2:%global gtk2 0}
-
-# Options for static OpenSSL link:
-# rpm -ba|--rebuild --define "static_openssl 1"
-%{?static_openssl:%global static_libcrypto 1}
-
-# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
-%define rescue 0
-%{?build_rescue:%global rescue 1}
-%{?build_rescue:%global rescue_rel rescue}
-
-# Turn off some stuff for resuce builds
-%if %{rescue}
-%define kerberos5 0
-%define libedit 0
-%define pam_ssh_agent 0
-%endif
-
-# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%define openssh_ver 6.4p1
-%define openssh_rel 3
-%define pam_ssh_agent_ver 0.9.3
-%define pam_ssh_agent_rel 1
+%define openssh_ver 6.9p1
+%define openssh_rel 0
+%define snap 20150617
 
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}%{?rescue_rel}
+Release: %{openssh_rel}.%{snap}%{?dist}
 URL: http://www.openssh.com/portable.html
 #URL1: http://pamsshagentauth.sourceforge.net
-Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
+#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
+Source0: http://www.mindrot.org/openssh_snap/openssh-SNAP-%{snap}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
 Source2: sshd.pam
 Source3: sshd.init
-Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2
-Source5: pam_ssh_agent-rmheaders
 Source6: ssh-keycat.pam
 Source7: sshd.sysconfig
 Source9: sshd@.service
@@ -87,112 +37,10 @@ Source10: sshd.socket
 Source11: sshd.service
 Source12: sshd-keygen.service
 Source13: sshd-keygen
-
-# Internal debug
-Patch0: openssh-5.9p1-wIm.patch
-
-#?
-Patch100: openssh-6.3p1-coverity.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1872
-Patch101: openssh-6.3p1-fingerprint.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
-#https://bugzilla.redhat.com/show_bug.cgi?id=735889
-Patch102: openssh-5.8p1-getaddrinfo.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1889
-Patch103: openssh-5.8p1-packet.patch
-
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
-Patch200: openssh-6.4p1-audit.patch
-
-# --- pam_ssh-agent ---
-# make it build reusing the openssh sources
-Patch300: pam_ssh_agent_auth-0.9.3-build.patch
-# check return value of seteuid()
-Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
-# explicitly make pam callbacks visible
-Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
-# don't use xfree (#1024965)
-Patch303: pam_ssh_agent_auth-0.9.3-no-xfree.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
-Patch400: openssh-6.3p1-role-mls.patch
-#https://bugzilla.redhat.com/show_bug.cgi?id=781634
-Patch404: openssh-6.3p1-privsep-selinux.patch
-
-#?-- unwanted child :(
-Patch501: openssh-6.3p1-ldap.patch
-#?
-Patch502: openssh-6.3p1-keycat.patch
-
-#http6://bugzilla.mindrot.org/show_bug.cgi?id=1644
-Patch601: openssh-5.2p1-allow-ip-opts.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1701
-Patch602: openssh-5.9p1-randclean.patch
-#http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h
-Patch603: openssh-5.8p1-glob.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1893
-Patch604: openssh-5.8p1-keyperm.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1329 (WONTFIX)
-Patch605: openssh-5.8p2-remove-stale-control-socket.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1925
-Patch606: openssh-5.9p1-ipv6man.patch
-#?
-Patch607: openssh-5.8p2-sigpipe.patch
-#?
-Patch608: openssh-6.1p1-askpass-ld.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1789
-Patch609: openssh-5.5p1-x11.patch
-
-#?
-Patch700: openssh-6.3p1-fips.patch
-#?
-Patch701: openssh-5.6p1-exit-deadlock.patch
-#?
-Patch702: openssh-5.1p1-askpass-progress.patch
-#?
-Patch703: openssh-4.3p2-askpass-grab-info.patch
-#?
-Patch704: openssh-5.9p1-edns.patch
-#?
-Patch705: openssh-5.1p1-scp-manpage.patch
-#?
-Patch706: openssh-5.8p1-localdomain.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
-Patch707: openssh-6.3p1-redhat.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
-Patch708: openssh-6.2p1-entropy.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
-Patch709: openssh-6.2p1-vendor.patch
-# warn users for unsupported UsePAM=no (#757545)
-Patch711: openssh-6.1p1-log-usepam-no.patch
-# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
-Patch712: openssh-6.3p1-ctr-evp-fast.patch
-# add cavs test binary for the aes-ctr
-Patch713: openssh-6.3p1-ctr-cavstest.patch
-
-
-#http://www.sxw.org.uk/computing/patches/openssh.html
-#changed cache storage type - #848228
-Patch800: openssh-6.3p1-gsskex.patch
-#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
-Patch801: openssh-6.3p1-force_krb.patch
-Patch900: openssh-6.1p1-gssapi-canohost.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
-Patch901: openssh-6.3p1-kuserok.patch
-# use default_ccache_name from /etc/krb5.conf (#991186)
-Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
-# increase the size of the Diffie-Hellman groups (#1010607)
-Patch903: openssh-6.3p1-increase-size-of-DF-groups.patch
-# FIPS mode - adjust the key echange DH groups and ssh-keygen according to SP800-131A (#1001748)
-Patch904: openssh-6.4p1-FIPS-mode-SP800-131A.patch
-# Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set (#969375
-Patch905: openssh-6.4p1-legacy-ssh-copy-id.patch
-# Use tty allocation for a remote scp (#985650)
-Patch906: openssh-6.4p1-fromto-remote.patch
-
+Source14: sshd_config
 
 License: BSD
 Group: Applications/Internet
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: /sbin/nologin
 Obsoletes: openssh-clients-fips, openssh-server-fips
 
@@ -205,32 +53,22 @@ BuildRequires: gnome-libs-devel
 %endif
 %endif
 
-%if %{ldap}
-BuildRequires: openldap-devel
-%endif
 BuildRequires: autoconf, automake, perl, zlib-devel
 BuildRequires: audit-libs-devel >= 2.0.5
 BuildRequires: util-linux, groff
 BuildRequires: pam-devel
 BuildRequires: tcp_wrappers-devel
-BuildRequires: fipscheck-devel >= 1.3.0
 BuildRequires: openssl-devel >= 0.9.8j
-BuildRequires: perl-podlators
-
-%if %{kerberos5}
 BuildRequires: krb5-devel
-%endif
 
 %if %{libedit}
 BuildRequires: libedit-devel ncurses-devel
 %endif
 
-%if %{WITH_SELINUX}
 Requires: libselinux >= 1.27.7
 BuildRequires: libselinux-devel >= 1.27.7
 Requires: audit-libs >= 1.0.8
 BuildRequires: audit-libs >= 1.0.8
-%endif
 
 BuildRequires: xauth
 
@@ -238,7 +76,6 @@ BuildRequires: xauth
 Summary: An open source SSH client applications
 Group: Applications/Internet
 Requires: openssh = %{version}-%{release}
-Requires: fipscheck-lib%{_isa} >= 1.3.0
 
 %package server
 Summary: An open source SSH server daemon
@@ -246,34 +83,19 @@ Group: System Environment/Daemons
 Requires: openssh = %{version}-%{release}
 Requires(pre): /usr/sbin/useradd
 Requires: pam >= 1.0.1-3
-Requires: fipscheck-lib%{_isa} >= 1.3.0
+%if 0%{?fedora}
+%if 0%{?rhel} > 6
 Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
-
-# Not yet ready
-# %package server-ondemand
-# Summary: Systemd unit file to run an ondemand OpenSSH server
-# Group: System Environment/Daemons
-# Requires: %{name}-server%{?_isa} = %{version}-%{release}
+%endif
+%endif
 
 %package server-sysvinit
 Summary: The SysV initscript to manage the OpenSSH server.
 Group: System Environment/Daemons
 Requires: %{name}-server%{?_isa} = %{version}-%{release}
 
-%if %{ldap}
-%package ldap
-Summary: A LDAP support for open source SSH server daemon
-Requires: openssh = %{version}-%{release}
-Group: System Environment/Daemons
-%endif
-
-%package keycat
-Summary: A mls keycat backend for openssh
-Requires: openssh = %{version}-%{release}
-Group: System Environment/Daemons
-
 %package askpass
 Summary: A passphrase dialog for OpenSSH and X
 Group: Applications/Internet
@@ -281,13 +103,6 @@ Requires: openssh = %{version}-%{release}
 Obsoletes: openssh-askpass-gnome
 Provides: openssh-askpass-gnome
 
-%package -n pam_ssh_agent_auth
-Summary: PAM module for authentication with ssh-agent
-Group: System Environment/Base
-Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
-License: BSD
-
 %description
 SSH (Secure SHell) is a program for logging into and executing
 commands on a remote machine. SSH is intended to replace rlogin and
@@ -321,116 +136,18 @@ SysV-compatible init system.
 
 It is not required when the init system used is systemd.
 
-%if %{ldap}
-%description ldap
-OpenSSH LDAP backend is a way how to distribute the authorized tokens
-among the servers in the network.
-%endif
-
-%description keycat
-OpenSSH mls keycat is backend for using the authorized keys in the
-openssh in the mls mode.
-
 %description askpass
 OpenSSH is a free version of SSH (Secure SHell), a program for logging
 into and executing commands on a remote machine. This package contains
 an X11 passphrase dialog for OpenSSH.
 
-%description -n pam_ssh_agent_auth
-This package contains a PAM module which can be used to authenticate
-users using ssh keys stored in a ssh-agent. Through the use of the
-forwarding of ssh-agent connection it also allows to authenticate with
-remote ssh-agent instance.
-
-The module is most useful for su and sudo service stacks.
-
 %prep
-%setup -q -a 4
-#Do not enable by default
-%if 0
-%patch0 -p1 -b .wIm
-%endif
-
-%patch100 -p1 -b .coverity
-%patch101 -p1 -b .fingerprint
-%patch102 -p1 -b .getaddrinfo
-%patch103 -p1 -b .packet
-
-%patch200 -p1 -b .audit
-
-%if %{pam_ssh_agent}
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
-%patch300 -p1 -b .psaa-build
-%patch301 -p1 -b .psaa-seteuid
-%patch302 -p1 -b .psaa-visibility
-%patch303 -p1 -b .psaa-xfree
-# Remove duplicate headers
-rm -f $(cat %{SOURCE5})
-popd
-%endif
-
-%if %{WITH_SELINUX}
-%patch400 -p1 -b .role-mls
-%patch404 -p1 -b .privsep-selinux
-%endif
-
-%if %{ldap}
-%patch501 -p1 -b .ldap
-%endif
-%patch502 -p1 -b .keycat
-
-%patch601 -p1 -b .ip-opts
-%patch602 -p1 -b .randclean
-%patch603 -p1 -b .glob
-%patch604 -p1 -b .keyperm
-%patch605 -p1 -b .remove_stale
-%patch606 -p1 -b .ipv6man
-%patch607 -p1 -b .sigpipe
-%patch608 -p1 -b .askpass-ld
-%patch609 -p1 -b .x11
-
-%patch700 -p1 -b .fips
-%patch701 -p1 -b .exit-deadlock
-%patch702 -p1 -b .progress
-%patch703 -p1 -b .grab-info
-%patch704 -p1 -b .edns
-%patch705 -p1 -b .manpage
-%patch706 -p1 -b .localdomain
-%patch707 -p1 -b .redhat
-%patch708 -p1 -b .entropy
-%patch709 -p1 -b .vendor
-%patch711 -p1 -b .log-usepam-no
-%patch712 -p1 -b .evp-ctr
-%patch713 -p1 -b .ctr-cavs
-
-%patch800 -p1 -b .gsskex
-%patch801 -p1 -b .force_krb
-
-%patch900 -p1 -b .canohost
-%patch901 -p1 -b .kuserok
-%patch902 -p1 -b .ccache_name
-%patch903 -p1 -b .dh
-%patch904 -p1 -b .SP800-131A
-%patch905 -p1 -b .legacy-ssh-copy-id
-%patch906 -p1 -b .fromto-remote
-
-%if 0
-# Nothing here yet
-%endif
-
-autoreconf
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
-autoreconf
-popd
+%setup -q -n openssh
 
 %build
 # the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
 # and it makes the ssh build more clean and even optimized better
 CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS
-%if %{rescue}
-CFLAGS="$CFLAGS -Os"
-%endif
-%if %{pie}
 %ifarch s390 s390x sparc sparcv9 sparc64
 CFLAGS="$CFLAGS -fPIC"
 %else
@@ -442,8 +159,6 @@ LDFLAGS="$LDFLAGS -pie -z relro -z now"
 export CFLAGS
 export LDFLAGS
 
-%endif
-%if %{kerberos5}
 if test -r /etc/profile.d/krb5-devel.sh ; then
         source /etc/profile.d/krb5-devel.sh
 fi
@@ -457,7 +172,6 @@ else
 	CPPFLAGS="-I%{_includedir}/gssapi"; export CPPFLAGS
 	CFLAGS="$CFLAGS -I%{_includedir}/gssapi"
 fi
-%endif
 
 %configure \
 	--sysconfdir=%{_sysconfdir}/ssh \
@@ -472,15 +186,7 @@ fi
 	--without-zlib-version-check \
 	--with-ssl-engine \
 	--with-ipaddr-display \
-%if %{ldap}
-	--with-ldap \
-%endif
-%if %{rescue}
-	--without-pam \
-%else
 	--with-pam \
-%endif
-%if %{WITH_SELINUX}
 	--with-selinux --with-audit=linux \
 %if 0
 #seccomp_filter cannot be build right now
@@ -488,22 +194,13 @@ fi
 %else
 	--with-sandbox=rlimit \
 %endif
-%endif
-%if %{kerberos5}
 	--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
-%else
-	--without-kerberos5 \
-%endif
 %if %{libedit}
 	--with-libedit
 %else
 	--without-libedit
 %endif
 
-%if %{static_libcrypto}
-perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
-%endif
-
 make
 
 # Define a variable to toggle gnome1/gtk2 building.  This is necessary
@@ -526,20 +223,11 @@ fi
 popd
 %endif
 
-%if %{pam_ssh_agent}
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
-LDFLAGS="$SAVE_LDFLAGS"
-%configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man
-make
-popd
-%endif
-
 # Add generation of HMAC checksums of the final stripped binaries
 %define __spec_install_post \
     %{?__debug_package:%{__debug_install_post}} \
     %{__arch_install_post} \
     %{__os_install_post} \
-    fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
 %{nil}
 
 %check
@@ -560,17 +248,18 @@ install -d $RPM_BUILD_ROOT/etc/pam.d/
 install -d $RPM_BUILD_ROOT/etc/sysconfig/
 install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
 install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
-install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck
 install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
-install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
 install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
 install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
+install -m644 %{SOURCE14} $RPM_BUILD_ROOT/etc/ssh/sshd_config
 install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_sbindir}/sshd-keygen
+%if 0%{?fedora} || 0%{?rhel} > 6
 install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
 install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
 install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
 install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
 install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.service
+%endif
 install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
 install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
 
@@ -591,11 +280,6 @@ rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.*
 
 perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
 
-%if %{pam_ssh_agent}
-pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
-make install DESTDIR=$RPM_BUILD_ROOT
-popd
-%endif
 %clean
 rm -rf $RPM_BUILD_ROOT
 
@@ -608,6 +292,7 @@ getent passwd sshd >/dev/null || \
   useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
   -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
 
+%if 0%{?fedora} || 0%{?rhel} > 6
 %post server
 %systemd_post sshd.service sshd.socket
 
@@ -628,33 +313,29 @@ getent passwd sshd >/dev/null || \
 
 %triggerpostun -n openssh-server-sysvinit -- openssh-server < 5.8p2-12
 /sbin/chkconfig --add sshd >/dev/null 2>&1 || :
+%endif
 
 %files
 %defattr(-,root,root)
 %doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
-%if ! %{rescue}
 %attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
 %attr(2111,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
-%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
 %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
-%endif
 
 %files clients
 %defattr(-,root,root)
 %attr(0755,root,root) %{_bindir}/ssh
-%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
 %attr(0644,root,root) %{_mandir}/man1/ssh.1*
 %attr(0755,root,root) %{_bindir}/scp
 %attr(0644,root,root) %{_mandir}/man1/scp.1*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
-%attr(0755,root,root) %{_bindir}/slogin
+%attr(-,root,root) %{_bindir}/slogin
 %attr(0644,root,root) %{_mandir}/man1/slogin.1*
 %attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
-%if ! %{rescue}
 %attr(2111,root,nobody) %{_bindir}/ssh-agent
 %attr(0755,root,root) %{_bindir}/ssh-add
 %attr(0755,root,root) %{_bindir}/ssh-keyscan
@@ -667,15 +348,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man1/sftp.1*
 %attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
 %attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
-%endif
 
-%if ! %{rescue}
 %files server
 %defattr(-,root,root)
 %dir %attr(0711,root,root) %{_var}/empty/sshd
 %attr(0755,root,root) %{_sbindir}/sshd
 %attr(0755,root,root) %{_sbindir}/sshd-keygen
-%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
 %attr(0644,root,root) %{_mandir}/man5/moduli.5*
@@ -684,31 +362,16 @@ getent passwd sshd >/dev/null || \
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
 %attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
 %attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
+%if 0%{?fedora} || 0%{?rhel} > 6
 %attr(0644,root,root) %{_unitdir}/sshd.service
 %attr(0644,root,root) %{_unitdir}/sshd@.service
 %attr(0644,root,root) %{_unitdir}/sshd.socket
 %attr(0644,root,root) %{_unitdir}/sshd-keygen.service
+%endif
 
 %files server-sysvinit
 %defattr(-,root,root)
 %attr(0755,root,root) /etc/rc.d/init.d/sshd
-%endif
-
-%if %{ldap}
-%files ldap
-%defattr(-,root,root)
-%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper
-%attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8*
-%attr(0644,root,root) %{_mandir}/man5/ssh-ldap.conf.5*
-%endif
-
-%files keycat
-%defattr(-,root,root)
-%doc HOWTO.ssh-keycat
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat
-%attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh-keycat
 
 %if ! %{no_gnome_askpass}
 %files askpass
@@ -718,15 +381,22 @@ getent passwd sshd >/dev/null || \
 %attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
 %endif
 
-%if %{pam_ssh_agent}
-%files -n pam_ssh_agent_auth
-%defattr(-,root,root)
-%doc pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
-%attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
-%attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
-%endif
-
 %changelog
+* Tue Jun 16 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-0.20150617
+- new SNAP of 6.9 version
+
+* Tue Feb 24 2015 Jakub Jelen <jjelen@redhat.com> 6.8p1-1.20150224
+- new SNAP of 6.8 version
+
+* Thu Jan 08 2015 Petr Lautrbach <plautrba@redhat.com> 6.7p1-1
+- new upstream release
+
+* Wed May 14 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-1
+- backport fix of curve25519-sha256@libssh.org issue
+
+* Tue Apr 08 2014 Petr Lautrbach <plautrba@redhat.com> 6.6p1-1
+- new upstream release - vanilla version without Fedora patches
+
 * Wed Dec 11 2013 Petr Lautrbach <plautrba@redhat.com> 6.4p1-3 + 0.9.3-1
 - sshd-keygen - use correct permissions on ecdsa host key (#1023945)
 - use only rsa and ecdsa host keys by default

sshd-keygen

@@ -4,7 +4,7 @@
 #
 # The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment
 # variable.
-AUTOCREATE_SERVER_KEYS=NODSA
+AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
 
 # source function library
 . /etc/rc.d/init.d/functions
@@ -15,6 +15,7 @@ RSA1_KEY=/etc/ssh/ssh_host_key
 RSA_KEY=/etc/ssh/ssh_host_rsa_key
 DSA_KEY=/etc/ssh/ssh_host_dsa_key
 ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
+ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
 
 # pull in sysconfig settings
 [ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
@@ -33,10 +34,10 @@ do_rsa1_keygen() {
 		rm -f $RSA1_KEY
 		if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
 			chgrp ssh_keys $RSA1_KEY
-			chmod 640 $RSA1_KEY
+			chmod 600 $RSA1_KEY
 			chmod 644 $RSA1_KEY.pub
 			if [ -x /sbin/restorecon ]; then
-			    /sbin/restorecon $RSA1_KEY.pub
+			    /sbin/restorecon $RSA1_KEY{,.pub}
 			fi
 			success $"RSA1 key generation"
 			echo
@@ -54,10 +55,10 @@ do_rsa_keygen() {
 		rm -f $RSA_KEY
 		if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
 			chgrp ssh_keys $RSA_KEY
-			chmod 640 $RSA_KEY
+			chmod 600 $RSA_KEY
 			chmod 644 $RSA_KEY.pub
 			if [ -x /sbin/restorecon ]; then
-			    /sbin/restorecon $RSA_KEY.pub
+			    /sbin/restorecon $RSA_KEY{,.pub}
 			fi
 			success $"RSA key generation"
 			echo
@@ -75,10 +76,10 @@ do_dsa_keygen() {
 		rm -f $DSA_KEY
 		if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
 			chgrp ssh_keys $DSA_KEY
-			chmod 640 $DSA_KEY
+			chmod 600 $DSA_KEY
 			chmod 644 $DSA_KEY.pub
 			if [ -x /sbin/restorecon ]; then
-			    /sbin/restorecon $DSA_KEY.pub
+			    /sbin/restorecon $DSA_KEY{,.pub}
 			fi
 			success $"DSA key generation"
 			echo
@@ -96,10 +97,10 @@ do_ecdsa_keygen() {
 		rm -f $ECDSA_KEY
 		if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
 			chgrp ssh_keys $ECDSA_KEY
-			chmod 640 $ECDSA_KEY
+			chmod 600 $ECDSA_KEY
 			chmod 644 $ECDSA_KEY.pub
 			if [ -x /sbin/restorecon ]; then
-			    /sbin/restorecon $ECDSA_KEY.pub
+			    /sbin/restorecon $ECDSA_KEY{,.pub}
 			fi
 			success $"ECDSA key generation"
 			echo
@@ -111,13 +112,43 @@ do_ecdsa_keygen() {
 	fi
 }
 
-# Create keys if necessary
-if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
-	do_rsa_keygen
-	if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
-		do_ecdsa_keygen
-		if [ "x${AUTOCREATE_SERVER_KEYS}" != xNODSA ]; then
-			do_dsa_keygen
+do_ed25519_keygen() {
+	if [ ! -s $ED25519_KEY ]; then
+		echo -n $"Generating SSH2 ED25519 host key: "
+		rm -f $ED25519_KEY
+		if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
+			chgrp ssh_keys $ED25519_KEY
+			chmod 600 $ED25519_KEY
+			chmod 644 $ED25519_KEY.pub
+			if [ -x /sbin/restorecon ]; then
+			    /sbin/restorecon $ED25519_KEY{,.pub}
+			fi
+			success $"ED25519 key generation"
+			echo
+		else
+			failure $"ED25519 key generation"
+			echo
+			exit 1
 		fi
 	fi
+}
+
+if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then
+	exit 0
 fi
+
+# legacy options
+case $AUTOCREATE_SERVER_KEYS in
+	NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
+	RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;
+	YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";;
+esac
+
+for KEY in $AUTOCREATE_SERVER_KEYS; do
+	case $KEY in
+		DSA) do_dsa_keygen;;
+		RSA) do_rsa_keygen;;
+		ECDSA) do_ecdsa_keygen;;
+		ED25519) do_ed25519_keygen;;
+	esac
+done

sshd-keygen.service

@@ -2,7 +2,10 @@
 Description=OpenSSH Server Key Generation
 ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
 ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+PartOf=sshd.service sshd.socket
 
 [Service]
 ExecStart=/usr/sbin/sshd-keygen
 Type=oneshot
+RemainAfterExit=yes

sshd.service

@@ -1,10 +1,10 @@
 [Unit]
 Description=OpenSSH server daemon
-After=syslog.target network.target auditd.service
+After=network.target sshd-keygen.service
+Wants=sshd-keygen.service
 
 [Service]
 EnvironmentFile=/etc/sysconfig/sshd
-ExecStartPre=/usr/sbin/sshd-keygen
 ExecStart=/usr/sbin/sshd -D $OPTIONS
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process

sshd.sysconfig

@@ -1,14 +1,12 @@
 # Configuration file for the sshd service.
 
-# The server keys are automatically generated if they omitted
-# to change the automatic creation uncomment the appropriate
-# line. The default is NODSA which means rsa and ecdsa keys are
-# generated.
+# The server keys are automatically generated if they are missing.
+# To change the automatic creation uncomment and change the appropriate
+# line. Accepted key types are: DSA RSA ECDSA ED25519.
+# The default is "RSA ECDSA ED25519"
 
-# AUTOCREATE_SERVER_KEYS=NODSA
-# AUTOCREATE_SERVER_KEYS=RSAONLY
-# AUTOCREATE_SERVER_KEYS=NO
-# AUTOCREATE_SERVER_KEYS=YES
+# AUTOCREATE_SERVER_KEYS=""
+# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
 
 # Do not change this option unless you have hardware random
 # generator and you REALLY know what you are doing

sshd@.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=OpenSSH per-connection server daemon
 Wants=sshd-keygen.service
-After=auditd.service sshd-keygen.service
+After=sshd-keygen.service
 
 [Service]
 EnvironmentFile=-/etc/sysconfig/sshd

sshd_config

@@ -0,0 +1,156 @@
+#	$OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication yes
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+GSSAPIAuthentication yes
+#GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
+#UsePAM no
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox		# Default for new installations.
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/openssh/sftp-server
+
+# Uncomment this if you want to use .local domain
+#Host *.local
+#	CheckHostIP no
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server