Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked in at 2025-09-15 19:50:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new.1977 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Mon Sep 15 19:50:24 2025 rev:195 rq:1304676 version:10.0p2 Changes: -------- +++ only whitespace diff in changes, re-diffing --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2025-05-15 16:59:54.986526996 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.1977/openssh.changes 2025-09-15 19:54:24.130874065 +0200 @@ -1,0 +2,10 @@ +Tue Sep 9 07:26:02 UTC 2025 - Luna D Dragon <[email protected]> + +- Update [email protected] to match upstream more closely, to enable + support for ephemeral sshd keys. +- Add openssh-9.6p1-pam-rhost.patch which fixes a performance issue + where pam can do a reverse dns query of "UNKNOWN" which times out + multiple times, causing a substantial slowdown when logging in + (bsc#1249352). + +------------------------------------------------------------------- New: ---- openssh-9.6p1-pam-rhost.patch ----------(New B)---------- New:/work/SRC/openSUSE:Factory/.openssh.new.1977/openssh.changes- support for ephemeral sshd keys. /work/SRC/openSUSE:Factory/.openssh.new.1977/openssh.changes:- Add openssh-9.6p1-pam-rhost.patch which fixes a performance issue /work/SRC/openSUSE:Factory/.openssh.new.1977/openssh.changes- where pam can do a reverse dns query of "UNKNOWN" which times out ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.AVMBPx/_old 2025-09-15 19:54:25.414927902 +0200 +++ /var/tmp/diff_new_pack.AVMBPx/_new 2025-09-15 19:54:25.414927902 +0200 
@@ -146,6 +146,8 @@ Patch105: openssh-6.6.1p1-selinux-contexts.patch Patch106: openssh-7.6p1-cleanup-selinux.patch Patch107: openssh-send-extra-term-env.patch +# upstream patch https://github.com/openssh/openssh-portable/pull/388 +Patch108: openssh-9.6p1-pam-rhost.patch # 200 - 300 -- Patches submitted to upstream # PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/452 boo#1229010 Patch200: 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch ++++++ openssh-9.6p1-pam-rhost.patch ++++++ >From 3cf600f626422ff0af03b0c6f200f0a29eded89d Mon Sep 17 00:00:00 2001 From: Daan De Meyer <[email protected]> Date: Mon, 20 Mar 2023 20:22:14 +0100 Subject: [PATCH] Only set PAM_RHOST if the remote host is not "UNKNOWN" When using sshd's -i option with stdio that is not a AF_INET/AF_INET6 socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then set as the value of PAM_RHOST, causing pam to try to do a reverse DNS query of "UNKNOWN", which times out multiple times, causing a substantial slowdown when logging in. To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN". --- auth-pam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth-pam.c b/auth-pam.c index e143304e3fe..39b4e4563ec 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -735,7 +735,7 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt) sshpam_laddr = get_local_ipaddr( ssh_packet_get_connection_in(ssh)); } - if (sshpam_rhost != NULL) { + if (sshpam_rhost != NULL && strcmp(sshpam_rhost, "UNKNOWN") != 0) { debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost); sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, sshpam_rhost); ++++++ [email protected] ++++++ --- /var/tmp/diff_new_pack.AVMBPx/_old 2025-09-15 19:54:25.818944841 +0200 +++ /var/tmp/diff_new_pack.AVMBPx/_new 2025-09-15 19:54:25.822945009 +0200 
@@ -2,11 +2,12 @@ Description=OpenSSH Per-Connection Server Daemon Documentation=man:systemd-ssh-generator(8) man:sshd(8) After=network.target - + [Service] EnvironmentFile=-/etc/sysconfig/ssh ExecStartPre=/usr/sbin/sshd-gen-keys-start ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS -ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS +ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS -o "AuthorizedKeysFile ${CREDENTIALS_DIRECTORY}/ssh.ephemeral-authorized_keys-all .ssh/authorized_keys" StandardInput=socket +ImportCredential=ssh.ephemeral-authorized_keys-all
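Review bot: In the openssh.spec hunk, the comment added above Patch108 does not follow the tagging style visible two lines further down for Patch200 ("# PATCH-FIX-UPSTREAM -- <URL> boo#..."), and it carries no bug reference even though the changelog ties this patch to bsc#1249352. Suggest writing it as "# PATCH-FIX-UPSTREAM -- https://github.com/openssh/openssh-portable/pull/388 bsc#1249352". Since the comment describes it as an upstream pull request, it may also belong under the "200 - 300 -- Patches submitted to upstream" block rather than in slot 108. The hunk shows only the Patch108 declaration, so please confirm that the %prep section actually applies it.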
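Review bot: In the auth-pam.c hunk (sshpam_init), the new condition `strcmp(sshpam_rhost, "UNKNOWN") != 0` skips the pam_set_item() call silently and relies on a bare string literal whose origin is explained only in the commit message (the value auth_get_canonical_hostname() returns for a non-AF_INET/AF_INET6 stdio). A short comment next to the test naming that source would help, as would a debug() line in the skipped case, so that a log reader can tell "PAM_RHOST deliberately not set" from "branch never reached". It is also worth stating in the changelog that for these connections PAM_RHOST is now left unset rather than set to "UNKNOWN", because any PAM module in the stack that logs or makes access decisions on the remote host will see a missing item where it previously saw a string.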
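Review bot: In the service unit hunk, the new ExecStart line passes `-o "AuthorizedKeysFile ${CREDENTIALS_DIRECTORY}/ssh.ephemeral-authorized_keys-all .ssh/authorized_keys"` on the command line, and sshd gives command-line options precedence over sshd_config, so socket-activated instances will ignore an AuthorizedKeysFile that an administrator has set in the configuration file (a custom path, or "none" to disable per-user key files). That is a behaviour change for authentication policy, and the changelog entry only says "match upstream more closely"; please document it there, or consider making the option something the admin can opt out of through /etc/sysconfig/ssh. Two smaller points in the same hunk: the unchanged `ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS` line now validates a different option set from the one ExecStart runs with, so the test should carry the same -o argument. Also, the path depends on ${CREDENTIALS_DIRECTORY}, so please confirm what it expands to when no ssh.ephemeral-authorized_keys-all credential is supplied to ImportCredential.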
