Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked in at 2026-04-26 21:10:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new.11940 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Sun Apr 26 21:10:51 2026 rev:201 rq:1348978 version:10.3p1 Changes: -------- --- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2025-11-01 23:34:13.337483709 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.11940/openssh-askpass-gnome.changes 2026-04-26 21:11:46.770562915 +0200 @@ -1,0 +2,7 @@ +Thu Apr 23 11:57:57 UTC 2026 - Hans Petter Jansson <[email protected]> + +- "Update" to openssh 10.3p1: + * No changes for askpass, see main package changelog for + details. + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2026-04-23 17:04:19.424033202 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.11940/openssh.changes 2026-04-26 21:11:46.802564224 +0200 
@@ -1,0 +2,243 @@ +Thu Apr 23 11:57:57 UTC 2026 - Hans Petter Jansson <[email protected]> + +- Update to openssh 10.3p1: + = Potentially-incompatible changes + * ssh(1), sshd(8): remove bug compatibility for implementations + that don't support rekeying. If such an implementation tries to + interoperate with OpenSSH, it will now eventually fail when the + transport needs rekeying. + * sshd(8): prior to this release, a certificate that had an empty + principals section would be treated as matching any principal + (i.e. as a wildcard) when used via authorized_keys principals="" + option. This was intentional, but created a surprising and + potentially risky situation if a CA accidentally issued a + certificate with an empty principals section: instead of being + useless as one might expect, it could be used to authenticate as + any user who trusted the CA via authorized_keys. [Note that this + condition did not apply to CAs trusted via the sshd_config(5) + TrustedUserCAKeys option.] + This release treats an empty principals section as never matching + any principal, and also fixes interpretation of wildcard + characters in certificate principals. Now they are consistently + implemented for host certificates and not supported for user + certificates. + * ssh(1): the -J and equivalent -oProxyJump="..." options now + validate user and host names for ProxyJump/-J options passed + via the command-line (no such validation is performed for this + option in configuration files). This prevents shell injection in + situations where these were directly exposed to adversarial + input, which would have been a terrible idea to begin with. + Reported by rabbit. + = Security + * ssh(1): validation of shell metacharacters in user names supplied + on the command-line was performed too late to prevent some + situations where they could be expanded from %-tokens in + ssh_config. 
For certain configurations, such as those that use a + "%u" token in a "Match exec" block, an attacker who can control + the user name passed to ssh(1) could potentially execute arbitrary + shell commands. Reported by Florian Kohnhäuser. + We continue to recommend against directly exposing ssh(1) and + other tools' command-lines to untrusted input. Mitigations such + as this can not be absolute given the variety of shells and user + configurations in use. + * sshd(8): when matching an authorized_keys principals="" option + against a list of principals in a certificate, an incorrect + algorithm was used that could allow inappropriate matching in + cases where a principal name in the certificate contains a + comma character. Exploitation of the condition requires an + authorized_keys principals="" option that lists more than one + principal *and* a CA that will issue a certificate that encodes + more than one of these principal names separated by a comma + (typical CAs strongly constrain which principal names they will + place in a certificate). This condition only applies to user- + trusted CA keys in authorized_keys, the main certificate + authentication path (TrustedUserCAKeys/AuthorizedPrincipalsFile) + is not affected. Reported by Vladimir Tokarev. + * scp(1): when downloading files as root in legacy (-O) mode and + without the -p (preserve modes) flag set, scp did not clear + setuid/setgid bits from downloaded files as one might typically + expect. This bug dates back to the original Berkeley rcp program. + Reported by Christos Papakonstantinou of Cantina and Spearbit. + * sshd(8): fix incomplete application of PubkeyAcceptedAlgorithms + and HostbasedAcceptedAlgorithms with regard to ECDSA keys. + Previously if one of these directives contains any ECDSA algorithm + name (say "ecdsa-sha2-nistp384"), then any other ECDSA algorithm + would be accepted in its place regardless of whether it was + listed or not. 
Reported by Christos Papakonstantinou of Cantina + and Spearbit. + * ssh(1): connection multiplexing confirmation (requested using + "ControlMaster ask/autoask") was not being tested for proxy mode + multiplexing sessions (i.e. "ssh -O proxy ..."). Reported by + Michalis Vasileiadis. + = New features + * ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent + forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new + names is advertised via the EXT_INFO message. If a server offers + support for the new names, then they are used preferentially. + Support for the pre-standardisation "@openssh.com" extensions for + agent forwarding remains supported. + * ssh-agent(1): implement support for draft-ietf-sshm-ssh-agent + "query" extension. + * ssh-add(1): support querying the protocol extensions via the + agent "query" extension with a new -Q flag. + * ssh(1): support multiple files in a ssh_config RevokedHostKeys + directive. + * sshd(8): support multiple files in a sshd_config RevokedKeys + directive. + * ssh(1): add a ~I escape option that shows information about the + current SSH connection. + * ssh(1): add an "ssh -Oconninfo user@host" multiplexing command + that shows connection information, similar to the ~I escapechar. + * ssh(1): add an "ssh -O channels user@host" multiplexing command to + get a running mux process to show information about what channels + are currently open. + * sshd(8): add 'invaliduser' penalty to PerSourcePenalties, which is + applied to login attempts for usernames that do not match real + accounts. Defaults to 5s to match 'authfail' but allows + administrators to block such attempts for longer if desired. + * sshd(8): add a GSSAPIDelegateCredentials option for the server, + controlling whether it accepts delegated credentials offered by + the client. This option mirrors the same option in ssh_config. + * ssh(1), sshd(8): support the VA DSCP codepoint in the IPQoS + directive. 
+ * sshd(8): convert PerSourcePenalties to using floating point time, + allowing penalties to be less than a second. This is useful if you + need to penalise things you expect to occur at >=1 QPS. + * ssh-keygen(1): support writing ED25519 keys in PKCS8 format. + * Support the ed25519 signature scheme via libcrypto. + + = Bugfixes + * sshd(8): make IPQoS first-match-wins in sshd_config, like other + configuration directives. + * sshd(8): fix potential crash when MaxStartups is using a single + argument (i.e. not using the MaxStartps x:y:z form) to a value + below 10. + * sshd(8): fix a potential hang during key exchange if needed DH + group values were missing from /etc/moduli. + * ssh-agent(1): fix return values from extensions to be correct wrt + draft-ietf-sshm-ssh-agent: extension requests should indicate + failure using SSH_AGENT_EXTENSION_FAILURE rather than the generic + SSH_AGENT_FAILURE error code. This allows the client to discern + between "the request failed" and "the agent doesn't support this + extension". + * ssh(1): use fmprintf for showing challenge-response name and info + to preserve UTF-8 characters where appropriate. Prompted by GitHub + PR#452. + * scp(1): when uploading a directory using sftp/sftp (e.g. during a + recursive transfer), don't clobber the remote directory + permissions unless either we created the directory during the + transfer or the -p flag was set. + * All: implement missing pieces of FIDO/webauthn signature support, + mostly related to certificate handling and enable acceptance of this + signature format by default. + * sshd_config(5): make it clear that DenyUsers/DenyGroups overrides + AllowUsers/AllowGroups. Previously we specified the order in which + the directives are processed but it was ambiguous as to what + happened if both matched. + * ssh(1): don't try to match certificates held in an agent to + private keys. 
This matching is done to support certificates that + were loaded without their private key material, but is + unnecessary for agent-hosted certificate which always have + private key material available in the agent. Worse, this matching + would mess up the request sent to the agent in such a way as to + break usage of these keys when the key usage was restricted in + the agent. + * sftp(1): if editline has been switched to vi mode (i.e. via "bind + -v" in .editrc), setup a keybinding so that command mode can be + entered. + * ssh(1), sshd(8): improve performance of keying the sntrup761 key + agreement algorithm. + * ssh(1), sshd(8): enforce maximum packet/block limit during + pre-authentication phase. + * sftp(1): don't misuse the sftp limits extension's open-handles + field. This value is supposed to be the number of handles a + server will allow to be opened and not a number of outstanding + read/write requests that can be sent during an upload/download. + * sshd(8): don't crash at connection time if the main sshd_config + lacks any subsystem directive but one is defined in a Match block. + * sshd_config(5): add a warning next to the ForceCommand directive + that forcing a command doesn't automatically disable forwarding. + * sshd_config(5): add a warning that TOKENS are replaced without + filtering or escaping and that it's the administrator's + responsibility to ensure they are used safely in context. + * scp(1): correctly quote filenames in verbose output for local-> + local copies. + * sshd(8): don't mess up the PerSourceNetBlockSize IPv6 mask if + sscanf didn't decode it. + * ssh-add(1): when loading FIDO2 resident keys, set the comment to + the FIDO application string. This matches the behaviour of + ssh-keygen -K. + * sshd(8): don't strnvis() log messages that are going to be logged + by sshd-auth via its parent sshd-session process, as the parent + will also run them though strnvis(). 
Prevents double-escaping of + non-printing characters in some log messages. + * ssh-agent(1): escape SSH_AUTH_SOCK paths that are sent to the + shell as setenv commands. Unbreaks ssh-agent for home directory + paths that contain whitespace. + * All: Remove unnecessary checks for ECDSA public key validity. + * sshd(8): activate UnusedConnectionTimeout only after the last + channel has closed. Previously UnusedConnectionTimeout could fire + early after a ChannelTimeout. This was not a problem for the + OpenSSH client because it terminates once all channels have + closed but could cause problems for other clients (e.g. API + clients) that do things differently. + * All: fix PKCS#11 key PIN entry problems introduced in + openssh-10.1/10.2. + * scp(1): when using the SFTP protocol for transfers, fix implicit + destination path selection when source path ends with "..". + * sftp(1): when tab-completing a filename, ensure that the completed + string does not end up mid-way through a multibyte character, as + this will cause a fatal() later on. + * ssh-keygen(1): fix crash at exit (visible via ssh-keygen -D) when + multiple keys loaded. + * scp(1)/sftp(1): correctly display bandwidths >2GBps in the + progress meter. + + = Portability + * sshd(8): fix condition introduced in openssh 10.2p1 stable branch + here a PAM module that changed the requested username between + SSH_MSG_USERAUTH_REQUEST messages during authentication could + confuse the PAM stack and let it proceed with a different + understanding of the active username than the rest of sshd. + Reported by Mike Damm. + * sshd(8): immediately report interactive instructions to clients + when using keyboard-interactive authentication with PAM. + * sshd(8): fix duplicate PAM messages under some situations. + * sshd(8): don't leak PAM handle on repeat invocations. + * All: support linking libcrypto implementations (e.g. BoringSSL) + that require libstdc++. 
+ * sshd(8): fix ut_type for btmp records, correctly using + LOGIN_PROCESS and USER_PROCESS. + * sshd(8): allow uname(3) in the seccomp sandbox. This is needed by + zlib-ng on RISC-V platforms. + * All: remove remaining OpenSSL_add_all_algorithms() calls. + We already have OPENSSL_init_crypto() in the compat layer. + Prompted by github PR#606 + * All: fix builds on older Mac OS wrt nfds_t. + * mdoc2man: several improvements including better support for Dl + and Ns inside Ic. + + - Updated openssh-7.9p1-revert-new-qos-defaults.patch: Rebased and fixed a + config roundtripping issue. + - Updated openssh-8.1p1-audit.patch: Rebased and fixed a potential + use-after-free. + - Further improvements to patch annotations. + + - Rebased patches: + * openssh-7.7p1-disable_openssl_abi_check.patch + * openssh-7.7p1-fips.patch + * openssh-7.7p1-gssapi-new-unique.patch + * openssh-7.8p1-role-mls.patch + * openssh-8.0p1-gssapi-keyex.patch + * openssh-8.1p1-audit.patch + * openssh-8.4p1-vendordir.patch + * openssh-9.6p1-crypto-policies-man.patch + * openssh-mitigate-lingering-secrets.patch + + - Dropped patches (implemented upstream): + * 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch + * 0002-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch + * 0003-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch + * 0004-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch + +------------------------------------------------------------------- Old: ---- 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch 0002-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch 0003-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch 0004-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch 
openssh-10.2p1.tar.gz
openssh-10.2p1.tar.gz.asc

New:
----
openssh-10.3p1.tar.gz
openssh-10.3p1.tar.gz.asc

----------(Old B)----------
Old:
/work/SRC/openSUSE:Factory/.openssh.new.11940/openssh.changes- - Dropped patches (implemented upstream):
/work/SRC/openSUSE:Factory/.openssh.new.11940/openssh.changes:  * 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
/work/SRC/openSUSE:Factory/.openssh.new.11940/openssh.changes-  * 0002-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
Old:
/work/SRC/openSUSE:Factory/.openssh.new.11940/openssh.changes-  * 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
/work/SRC/openSUSE:Factory/.openssh.new.11940/openssh.changes:  * 0002-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
/work/SRC/openSUSE:Factory/.openssh.new.11940/openssh.changes-  * 0003-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
Old:
/work/SRC/openSUSE:Factory/.openssh.new.11940/openssh.changes-  * 0002-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
/work/SRC/openSUSE:Factory/.openssh.new.11940/openssh.changes:  * 0003-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
/work/SRC/openSUSE:Factory/.openssh.new.11940/openssh.changes-  * 0004-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
Old:
/work/SRC/openSUSE:Factory/.openssh.new.11940/openssh.changes-  * 0003-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
/work/SRC/openSUSE:Factory/.openssh.new.11940/openssh.changes:  * 0004-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch
/work/SRC/openSUSE:Factory/.openssh.new.11940/openssh.changes-
----------(Old E)----------
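Review bot: the security items in the @@ -1,0 +2,243 @@ hunk of openssh.changes (ssh(1) %-token shell metacharacter validation, the principals="" comma-matching flaw, scp -O not clearing setuid/setgid bits, the incomplete PubkeyAcceptedAlgorithms/HostbasedAcceptedAlgorithms ECDSA check) and the local entry "Updated openssh-8.1p1-audit.patch: Rebased and fixed a potential use-after-free" carry no bsc# or CVE reference; please add tracker ids so the fixes are traceable from the changelog, and give the audit-patch use-after-free a one-line description of the affected code path (that patch's diff is not part of the portion shown above). Two upstream typos are copied verbatim ("MaxStartps", "here a PAM module" for "where"); acceptable as quoted upstream text. The four auth-pam patches listed under "Dropped patches (implemented upstream)" match the upstream Portability entry on immediately reporting interactive instructions and the four files under Old:, so that part is consistent.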
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.rQwzz8/_old 2026-04-26 21:11:49.802686886 +0200 +++ /var/tmp/diff_new_pack.rQwzz8/_new 2026-04-26 21:11:49.838688358 +0200 @@ -18,8 +18,8 @@ %define _name openssh Name: openssh-askpass-gnome -Version: 10.2p1 -%define wrongly_named_version 10.2p1 +Version: 10.3p1 +%define wrongly_named_version 10.3p1 Release: 0 Summary: A GNOME-Based Passphrase Dialog for OpenSSH License: BSD-2-Clause ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.rQwzz8/_old 2026-04-26 21:11:50.322708148 +0200 +++ /var/tmp/diff_new_pack.rQwzz8/_new 2026-04-26 21:11:50.334708639 +0200 @@ -59,7 +59,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version: 10.2p1 +Version: 10.3p1 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT 
@@ -121,13 +121,13 @@ Patch26: openssh-7.7p1-disable_openssl_abi_check.patch # PATCH-FIX-SUSE openssh-7.7p1-no_fork-no_pid_file.patch mindrot#2641 -- Skip pid file when not daemonizing Patch27: openssh-7.7p1-no_fork-no_pid_file.patch -# PATCH-FEATURE-SUSE openssh-7.7p1-host_ident.patch -- Suggest ssh-keygen -R when reporting offending known_hosts keys +# PATCH-FEATURE-SUSE openssh-7.7p1-host_ident.patch bsc#625552 -- Suggest ssh-keygen -R when reporting offending known_hosts keys Patch28: openssh-7.7p1-host_ident.patch -# PATCH-FEATURE-SUSE openssh-7.7p1-sftp_force_permissions.patch mindrot#1844 -- sftp-server -m: force perms on upload +# PATCH-FEATURE-SUSE openssh-7.7p1-sftp_force_permissions.patch fate#312774 mindrot#1844 -- sftp-server -m: force perms on upload Patch29: openssh-7.7p1-sftp_force_permissions.patch # PATCH-FIX-SUSE openssh-7.7p1-X_forward_with_disabled_ipv6.patch bsc#712683 mindrot#2143 fate#31503 -- Keep bound X11 sockets on bind fail Patch30: openssh-7.7p1-X_forward_with_disabled_ipv6.patch -# PATCH-FEATURE-SUSE openssh-7.7p1-ldap.patch [email protected] -- ssh-ldap-helper: authorized keys from LDAP +# PATCH-FEATURE-SUSE openssh-7.7p1-ldap.patch bsc#683733 fate#302144 [email protected] -- ssh-ldap-helper: authorized keys from LDAP Patch31: openssh-7.7p1-ldap.patch # PATCH-FIX-SUSE openssh-7.7p1-IPv6_X_forwarding.patch bsc#847710 mindrot#2213 -- Parse IPv6 literals in DISPLAY Patch32: openssh-7.7p1-IPv6_X_forwarding.patch 
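Review bot: the bsc#/fate# additions in the @@ -121,13 +121,13 @@ hunk are comment-only and follow the PATCH-tag convention of the neighbouring lines; while touching this block, the unchanged context line for openssh-7.7p1-X_forward_with_disabled_ipv6.patch reads "fate#31503", five digits where every other fate reference here has six (fate#312774, fate#302144), so it looks like a dropped digit worth verifying against the tracker before the next revision.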
@@ -135,13 +135,13 @@ Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch # PATCH-FIX-SUSE openssh-7.9p1-keygen-preserve-perms.patch bsc#1150574 [email protected] -- Preserve known_hosts perms Patch34: openssh-7.9p1-keygen-preserve-perms.patch -# PATCH-FIX-SUSE openssh-7.9p1-revert-new-qos-defaults.patch [email protected] -- Revert upstream IPQoS AF21/CS1 defaults +# PATCH-FIX-SUSE openssh-7.9p1-revert-new-qos-defaults.patch bsc#1136402 [email protected] -- Revert upstream IPQoS AF21/CS1 defaults Patch35: openssh-7.9p1-revert-new-qos-defaults.patch # PATCH-FIX-SUSE openssh-8.1p1-seccomp-clock_nanosleep.patch -- Allow clock_nanosleep() in seccomp sandbox Patch36: openssh-8.1p1-seccomp-clock_nanosleep.patch -# PATCH-FIX-UPSTREAM openssh-8.1p1-seccomp-clock_nanosleep_time64.patch mindrot#3100 -- Allow clock_nanosleep_time64 (ARM) +# PATCH-FIX-UPSTREAM openssh-8.1p1-seccomp-clock_nanosleep_time64.patch boo#1164061 mindrot#3100 -- Allow clock_nanosleep_time64 (ARM) Patch37: openssh-8.1p1-seccomp-clock_nanosleep_time64.patch -# PATCH-FIX-UPSTREAM openssh-8.1p1-seccomp-clock_gettime64.patch [email protected] -- Allow clock_gettime64() (mips) +# PATCH-FIX-UPSTREAM openssh-8.1p1-seccomp-clock_gettime64.patch boo#1164061 [email protected] -- Allow clock_gettime64() (mips) Patch38: openssh-8.1p1-seccomp-clock_gettime64.patch # PATCH-FEATURE-SUSE openssh-8.1p1-use-openssl-kdf.patch jsc#SLE-9443 -- Use OpenSSL KDF API to stay in FIPS boundary Patch39: openssh-8.1p1-use-openssl-kdf.patch 
@@ -167,30 +167,22 @@ Patch52: logind_set_tty.patch # PATCH-FIX-SUSE openssh-mitigate-lingering-secrets.patch bsc#1186673 -- explicit_bzero() key/iv instead of memset Patch54: openssh-mitigate-lingering-secrets.patch -# PATCH-FEATURE-SUSE openssh-7.8p1-role-mls.patch -- SELinux role/MLS: allow "username/role" login form and MLS range +# PATCH-FEATURE-SUSE openssh-7.8p1-role-mls.patch bsc#1214788 -- SELinux role/MLS: allow "username/role" login form and MLS range Patch102: openssh-7.8p1-role-mls.patch -# PATCH-FEATURE-SUSE openssh-6.6p1-privsep-selinux.patch -- Propagate SELinux security context across privsep child +# PATCH-FEATURE-SUSE openssh-6.6p1-privsep-selinux.patch bsc#1214788 -- Propagate SELinux security context across privsep child Patch103: openssh-6.6p1-privsep-selinux.patch # PATCH-FEATURE-SUSE openssh-6.6p1-keycat.patch boo#1229072 -- SELinux env setup in subprocess() (ex-ssh-keycat) Patch104: openssh-6.6p1-keycat.patch -# PATCH-FEATURE-SUSE openssh-6.6.1p1-selinux-contexts.patch -- SELinux context handling in sshd_selinux_copy_context() +# PATCH-FEATURE-SUSE openssh-6.6.1p1-selinux-contexts.patch bsc#1214788 -- SELinux context handling in sshd_selinux_copy_context() Patch105: openssh-6.6.1p1-selinux-contexts.patch -# PATCH-FIX-SUSE openssh-7.6p1-cleanup-selinux.patch -- SELinux: pass context to AuthorizedKeysCommand subprocess +# PATCH-FIX-SUSE openssh-7.6p1-cleanup-selinux.patch bsc#1214788 -- SELinux: pass context to AuthorizedKeysCommand subprocess Patch106: openssh-7.6p1-cleanup-selinux.patch # PATCH-FEATURE-SUSE openssh-send-extra-term-env.patch [email protected] -- Send LC_TERMINAL/COLORTERM/TERM_PROGRAM env vars Patch107: openssh-send-extra-term-env.patch # PATCH-FIX-SUSE openssh-7.7p1-gssapi-new-unique.patch bsc#1258166 [email protected] -- SSSD non-file ccache: krb5 new_unique Patch108: openssh-7.7p1-gssapi-new-unique.patch -# 200 - 300 -- Patches submitted to upstream -# PATCH-FIX-UPSTREAM 
0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch boo#1229010 [email protected] -- PAM kbdint: explicit KbdintResult enum (PR #452) -Patch200: 0001-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch -# PATCH-FIX-UPSTREAM 0002-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch boo#1229010 [email protected] -- PAM: SshPamDone enum for done-status (PR #452) -Patch201: 0002-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch -# PATCH-FIX-UPSTREAM 0003-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch boo#1229010 [email protected] -- PAM: debug-log received PAM messages (PR #452) -Patch202: 0003-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch -# PATCH-FIX-UPSTREAM 0004-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch boo#1229010 [email protected] -- PAM: immediately report interactive instructions per RFC4256 (PR #452) -Patch203: 0004-auth-pam-Immediately-report-instructions-to-clients-and-fix-handling-in-ssh-client.patch -# 1000 - 2000 -- Conditional patches +# 200..300 -- Patches submitted to upstream +# 1000..2000 -- Conditional patches %if %{with crypto_policies} # PATCH-FEATURE-SUSE openssh-9.6p1-crypto-policies.patch bsc#1211301 -- Integrate system-wide crypto-policies(7) Patch1000: openssh-9.6p1-crypto-policies.patch ++++++ openssh-10.2p1.tar.gz -> openssh-10.3p1.tar.gz ++++++ ++++ 41279 lines of diff (skipped) ++++++ openssh-7.7p1-disable_openssl_abi_check.patch ++++++ --- /var/tmp/diff_new_pack.rQwzz8/_old 2026-04-26 21:11:53.894854198 +0200 +++ /var/tmp/diff_new_pack.rQwzz8/_new 2026-04-26 21:11:53.970857306 +0200 
@@ -4,11 +4,11 @@ reliable indicator of ABI changes and doesn't make much sense in a distribution package -Index: openssh-8.8p1/configure.ac +Index: openssh-10.3p1/configure.ac =================================================================== ---- openssh-8.8p1.orig/configure.ac -+++ openssh-8.8p1/configure.ac -@@ -5236,6 +5236,19 @@ AC_ARG_WITH([bsd-auth], +--- openssh-10.3p1.orig/configure.ac ++++ openssh-10.3p1/configure.ac +@@ -5602,6 +5602,19 @@ AC_ARG_WITH([bsd-auth], ] ) @@ -28,13 +28,13 @@ # Where to place sshd.pid piddir=/var/run # make sure the directory exists -Index: openssh-8.8p1/entropy.c +Index: openssh-10.3p1/entropy.c =================================================================== ---- openssh-8.8p1.orig/entropy.c -+++ openssh-8.8p1/entropy.c -@@ -100,11 +100,13 @@ seed_rng(void) - /* Initialise libcrypto */ - ssh_libcrypto_init(); +--- openssh-10.3p1.orig/entropy.c ++++ openssh-10.3p1/entropy.c +@@ -67,11 +67,13 @@ seed_rng(void) + if (ssh_libcrypto_init() != 1) + fatal("libcrypto failed to initialize."); +#ifndef DISTRO_SSL if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, ++++++ openssh-7.7p1-fips.patch ++++++ --- /var/tmp/diff_new_pack.rQwzz8/_old 2026-04-26 21:11:54.230867936 +0200 +++ /var/tmp/diff_new_pack.rQwzz8/_new 2026-04-26 21:11:54.274869735 +0200 
@@ -3,24 +3,24 @@ FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved algorithms. -Index: openssh-9.6p1/Makefile.in +Index: openssh-10.3p1/Makefile.in =================================================================== ---- openssh-9.6p1.orig/Makefile.in -+++ openssh-9.6p1/Makefile.in -@@ -115,6 +115,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ +--- openssh-10.3p1.orig/Makefile.in ++++ openssh-10.3p1/Makefile.in +@@ -113,6 +113,8 @@ P11OBJS= ssh-pkcs11-client.o SKOBJS= ssh-sk-client.o +LIBSSH_OBJS += fips.o + SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ - sshconnect.o sshconnect2.o mux.o $(P11OBJS) $(SKOBJS) + sshconnect.o sshconnect2.o mux.o ssh-pkcs11.o $(SKOBJS) -Index: openssh-9.6p1/cipher.c +Index: openssh-10.3p1/cipher.c =================================================================== ---- openssh-9.6p1.orig/cipher.c -+++ openssh-9.6p1/cipher.c -@@ -51,6 +51,9 @@ +--- openssh-10.3p1.orig/cipher.c ++++ openssh-10.3p1/cipher.c +@@ -50,6 +50,9 @@ #include "openbsd-compat/openssl-compat.h" @@ -30,7 +30,7 @@ #ifndef WITH_OPENSSL #define EVP_CIPHER_CTX void #endif -@@ -83,7 +86,7 @@ struct sshcipher { +@@ -82,7 +85,7 @@ struct sshcipher { #endif }; @@ -39,7 +39,7 @@ #ifdef WITH_OPENSSL #ifndef OPENSSL_NO_DES { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc }, -@@ -110,8 +113,50 @@ static const struct sshcipher ciphers[] +@@ -109,8 +112,50 @@ static const struct sshcipher ciphers[] { NULL, 0, 0, 0, 0, 0, NULL } }; @@ -90,7 +90,7 @@ /* Returns a comma-separated list of supported ciphers. */ char * cipher_alg_list(char sep, int auth_only) -@@ -120,7 +167,7 @@ cipher_alg_list(char sep, int auth_only) +@@ -119,7 +164,7 @@ cipher_alg_list(char sep, int auth_only) const struct sshcipher *c; char sep_str[2] = {sep, '\0'}; 
@@ -99,7 +99,7 @@ if ((c->flags & CFLAG_INTERNAL) != 0) continue; if (auth_only && c->auth_len == 0) -@@ -203,7 +250,7 @@ const struct sshcipher * +@@ -193,7 +238,7 @@ const struct sshcipher * cipher_by_name(const char *name) { const struct sshcipher *c; @@ -108,10 +108,10 @@ if (strcmp(c->name, name) == 0) return c; return NULL; -Index: openssh-9.6p1/fips.c +Index: openssh-10.3p1/fips.c =================================================================== --- /dev/null -+++ openssh-9.6p1/fips.c ++++ openssh-10.3p1/fips.c @@ -0,0 +1,212 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -325,10 +325,10 @@ + return dgst; +} + -Index: openssh-9.6p1/fips.h +Index: openssh-10.3p1/fips.h =================================================================== --- /dev/null -+++ openssh-9.6p1/fips.h ++++ openssh-10.3p1/fips.h @@ -0,0 +1,44 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -374,11 +374,11 @@ + +#endif + -Index: openssh-9.6p1/hmac.c +Index: openssh-10.3p1/hmac.c =================================================================== ---- openssh-9.6p1.orig/hmac.c -+++ openssh-9.6p1/hmac.c -@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void * +--- openssh-10.3p1.orig/hmac.c ++++ openssh-10.3p1/hmac.c +@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void * size_t i; u_char digest[16]; @@ -387,20 +387,20 @@ printf("ssh_hmac_start failed"); if (ssh_hmac_init(ctx, key, klen) < 0 || ssh_hmac_update(ctx, m, mlen) < 0 || -Index: openssh-9.6p1/kex.c +Index: openssh-10.3p1/kex-names.c =================================================================== ---- openssh-9.6p1.orig/kex-names.c -+++ openssh-9.6p1/kex-names.c -@@ -64,6 +64,8 @@ +--- openssh-10.3p1.orig/kex-names.c ++++ openssh-10.3p1/kex-names.c +@@ -43,6 +43,8 @@ + #include "ssherr.h" - #include "xmalloc.h" +#include "fips.h" + struct kexalg { char *name; u_int type; -@@ -87,7 +89,7 @@ struct kexalg { +@@ -50,7 +52,7 @@ struct kexalg { int hash_alg; int pq_alg; }; 
@@ -409,7 +409,7 @@ #ifdef WITH_OPENSSL { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1, KEX_NOT_PQ }, { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1, KEX_NOT_PQ }, -@@ -120,6 +122,47 @@ static const struct kexalg kexalgs[] = { +@@ -89,6 +91,47 @@ static const struct kexalg kexalgs[] = { { NULL, 0, -1, -1, 0 }, }; @@ -457,7 +457,7 @@ char * kex_alg_list(char sep) { -@@ -127,7 +170,7 @@ kex_alg_list(char sep) +@@ -96,7 +139,7 @@ kex_alg_list(char sep) const struct kexalg *k; char sep_str[2] = {sep, '\0'}; @@ -466,7 +466,7 @@ xextendf(&ret, sep_str, "%s", k->name); return ret; -@@ -147,7 +190,7 @@ kex_alg_by_name(const char *name) +@@ -107,7 +150,7 @@ kex_alg_by_name(const char *name) { const struct kexalg *k; @@ -475,7 +475,7 @@ if (strcmp(k->name, name) == 0) return k; } -@@ -167,7 +210,10 @@ kex_names_valid(const char *names) +@@ -173,7 +216,10 @@ kex_names_valid(const char *names) for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { if (kex_alg_by_name(p) == NULL) { @@ -486,10 +486,10 @@ free(s); return 0; } -Index: openssh-9.6p1/mac.c +Index: openssh-10.3p1/mac.c =================================================================== ---- openssh-9.6p1.orig/mac.c -+++ openssh-9.6p1/mac.c +--- openssh-10.3p1.orig/mac.c ++++ openssh-10.3p1/mac.c @@ -41,6 +41,9 @@ #include "openbsd-compat/openssl-compat.h" @@ -560,7 +560,7 @@ xextendf(&ret, sep_str, "%s", m->name); return ret; -@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name +@@ -117,7 +155,7 @@ mac_setup(struct sshmac *mac, char *name { const struct macalg *m; @@ -569,11 +569,11 @@ if (strcmp(name, m->name) != 0) continue; if (mac != NULL) -Index: openssh-9.6p1/readconf.c +Index: openssh-10.3p1/readconf.c =================================================================== ---- openssh-9.6p1.orig/readconf.c -+++ openssh-9.6p1/readconf.c -@@ -71,6 +71,8 @@ +--- openssh-10.3p1.orig/readconf.c ++++ openssh-10.3p1/readconf.c +@@ -58,6 +58,8 @@ #include "digest.h" #include "version.h" 
@@ -582,7 +582,7 @@ /* Format of the configuration file: # Configuration data is parsed as follows: -@@ -2478,6 +2480,23 @@ config_has_permitted_cnames(Options *opt +@@ -2691,6 +2693,23 @@ config_has_permitted_cnames(Options *opt return options->num_permitted_cnames > 0; } @@ -606,7 +606,7 @@ /* * Initializes options to special values that indicate that they have not yet * been set. Read_config_file will only set options with this value. Options -@@ -2796,6 +2815,9 @@ fill_default_options(Options * options) +@@ -3010,6 +3029,9 @@ fill_default_options(Options * options) options->canonicalize_hostname = SSH_CANONICALISE_NO; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -616,7 +616,7 @@ #ifdef ENABLE_SK_INTERNAL if (options->sk_provider == NULL) options->sk_provider = xstrdup("internal"); -@@ -2840,6 +2862,8 @@ fill_default_options(Options * options) +@@ -3057,6 +3079,8 @@ fill_default_options(Options * options) ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); #undef ASSEMBLE @@ -625,11 +625,11 @@ #define CLEAR_ON_NONE(v) \ do { \ if (option_clear_or_none(v)) { \ -Index: openssh-9.6p1/readconf.h +Index: openssh-10.3p1/readconf.h =================================================================== ---- openssh-9.6p1.orig/readconf.h -+++ openssh-9.6p1/readconf.h -@@ -231,6 +231,7 @@ typedef struct { +--- openssh-10.3p1.orig/readconf.h ++++ openssh-10.3p1/readconf.h +@@ -235,6 +235,7 @@ typedef struct { #define SSH_KEYSTROKE_CHAFF_MIN_MS 1024 #define SSH_KEYSTROKE_CHAFF_RNG_MS 2048 
@@ -637,11 +637,11 @@ const char *kex_default_pk_alg(void); char *ssh_connection_hash(const char *thishost, const char *host, const char *portstr, const char *user, const char *jump_host); -Index: openssh-9.6p1/servconf.c +Index: openssh-10.3p1/servconf.c =================================================================== ---- openssh-9.6p1.orig/servconf.c -+++ openssh-9.6p1/servconf.c -@@ -68,6 +68,7 @@ +--- openssh-10.3p1.orig/servconf.c ++++ openssh-10.3p1/servconf.c +@@ -62,6 +62,7 @@ #include "myproposal.h" #include "digest.h" #include "version.h" @@ -649,7 +649,7 @@ #if !defined(SSHD_PAM_SERVICE) # define SSHD_PAM_SERVICE "sshd" -@@ -207,6 +208,23 @@ option_clear_or_none(const char *o) +@@ -223,6 +224,23 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } @@ -673,7 +673,7 @@ static void assemble_algorithms(ServerOptions *o) { -@@ -248,6 +266,8 @@ assemble_algorithms(ServerOptions *o) +@@ -264,6 +282,8 @@ assemble_algorithms(ServerOptions *o) free(def_kex); free(def_key); free(def_sig); @@ -682,7 +682,7 @@ } void -@@ -440,6 +460,8 @@ fill_default_server_options(ServerOption +@@ -482,6 +502,8 @@ fill_default_server_options(ServerOption options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -691,10 +691,10 @@ if (options->disable_forwarding == -1) options->disable_forwarding = 0; if (options->expose_userauth_info == -1) -Index: openssh-9.6p1/ssh-keygen.c +Index: openssh-10.3p1/ssh-keygen.c =================================================================== ---- openssh-9.6p1.orig/ssh-keygen.c -+++ openssh-9.6p1/ssh-keygen.c +--- openssh-10.3p1.orig/ssh-keygen.c ++++ openssh-10.3p1/ssh-keygen.c @@ -18,6 +18,8 @@ #include <sys/socket.h> #include <sys/stat.h> 
@@ -704,7 +704,7 @@ #ifdef WITH_OPENSSL #include "openbsd-compat/openssl-compat.h" #include <openssl/bn.h> -@@ -1040,11 +1042,13 @@ do_fingerprint(struct passwd *pw) +@@ -1003,11 +1005,13 @@ do_fingerprint(struct passwd *pw) static void do_gen_all_hostkeys(struct passwd *pw) { @@ -720,7 +720,7 @@ #ifdef WITH_OPENSSL { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, #ifdef OPENSSL_HAS_ECC -@@ -1058,6 +1062,17 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1018,6 +1022,17 @@ do_gen_all_hostkeys(struct passwd *pw) { NULL, NULL, NULL } }; @@ -735,10 +735,10 @@ + }; + + struct Key_types *key_types; - u_int32_t bits = 0; + uint32_t bits = 0; int first = 0; struct stat st; -@@ -1065,6 +1080,12 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1025,6 +1040,12 @@ do_gen_all_hostkeys(struct passwd *pw) char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file; int i, type, fd, r; @@ -751,7 +751,7 @@ for (i = 0; key_types[i].key_type; i++) { public = private = NULL; prv_tmp = pub_tmp = prv_file = pub_file = NULL; -@@ -3794,6 +3815,14 @@ main(int argc, char **argv) +@@ -3771,6 +3792,14 @@ main(int argc, char **argv) key_type_name = DEFAULT_KEY_TYPE_NAME; type = sshkey_type_from_shortname(key_type_name); @@ -766,11 +766,11 @@ type_bits_valid(type, key_type_name, &bits); if (!quiet) -Index: openssh-9.6p1/ssh_config.5 +Index: openssh-10.3p1/ssh_config.5 =================================================================== ---- openssh-9.6p1.orig/ssh_config.5 -+++ openssh-9.6p1/ssh_config.5 -@@ -831,6 +831,8 @@ The argument to this keyword must be +--- openssh-10.3p1.orig/ssh_config.5 ++++ openssh-10.3p1/ssh_config.5 +@@ -879,6 +879,8 @@ The argument to this keyword must be option) or .Cm no (the default). 
@@ -779,11 +779,11 @@ .It Cm ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. -Index: openssh-9.6p1/sshd.c +Index: openssh-10.3p1/sshd.c =================================================================== ---- openssh-9.6p1.orig/sshd.c -+++ openssh-9.6p1/sshd.c -@@ -128,6 +128,8 @@ +--- openssh-10.3p1.orig/sshd.c ++++ openssh-10.3p1/sshd.c +@@ -84,6 +84,8 @@ #endif #include "monitor_wrap.h" @@ -792,11 +792,11 @@ /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 2) -Index: openssh-9.6p1/sshd_config.5 +Index: openssh-10.3p1/sshd_config.5 =================================================================== ---- openssh-9.6p1.orig/sshd_config.5 -+++ openssh-9.6p1/sshd_config.5 -@@ -681,6 +681,8 @@ and +--- openssh-10.3p1.orig/sshd_config.5 ++++ openssh-10.3p1/sshd_config.5 +@@ -693,6 +693,8 @@ and .Cm sha256 . The default is .Cm sha256 . ++++++ openssh-7.7p1-gssapi-new-unique.patch ++++++ --- /var/tmp/diff_new_pack.rQwzz8/_old 2026-04-26 21:11:54.462877422 +0200 +++ /var/tmp/diff_new_pack.rQwzz8/_new 2026-04-26 21:11:54.490878567 +0200 @@ -1,7 +1,7 @@ -Index: openssh-10.2p1/auth-krb5.c +Index: openssh-10.3p1/auth-krb5.c =================================================================== ---- openssh-10.2p1.orig/auth-krb5.c -+++ openssh-10.2p1/auth-krb5.c +--- openssh-10.3p1.orig/auth-krb5.c ++++ openssh-10.3p1/auth-krb5.c @@ -51,6 +51,7 @@ #include <unistd.h> #include <string.h> @@ -318,10 +318,10 @@ } #endif /* !HEIMDAL */ #endif /* KRB5 */ -Index: openssh-10.2p1/auth.h +Index: openssh-10.3p1/auth.h =================================================================== ---- openssh-10.2p1.orig/auth.h -+++ openssh-10.2p1/auth.h +--- openssh-10.3p1.orig/auth.h ++++ openssh-10.3p1/auth.h @@ -85,6 +85,7 @@ struct Authctxt { krb5_principal krb5_user; char *krb5_ticket_file; 
@@ -330,7 +330,7 @@ #endif struct sshbuf *loginmsg; -@@ -249,7 +250,7 @@ FILE *auth_openprincipals(const char *, +@@ -247,7 +248,7 @@ FILE *auth_openprincipals(const char *, int sys_auth_passwd(struct ssh *, const char *); #if defined(KRB5) && !defined(HEIMDAL) @@ -339,10 +339,10 @@ #endif #endif /* AUTH_H */ -Index: openssh-10.2p1/gss-serv-krb5.c +Index: openssh-10.3p1/gss-serv-krb5.c =================================================================== ---- openssh-10.2p1.orig/gss-serv-krb5.c -+++ openssh-10.2p1/gss-serv-krb5.c +--- openssh-10.3p1.orig/gss-serv-krb5.c ++++ openssh-10.3p1/gss-serv-krb5.c @@ -113,7 +113,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client /* This writes out any forwarded credentials from the structure populated * during userauth. Called after we have setuid to the user */ @@ -454,11 +454,11 @@ } int -Index: openssh-10.2p1/gss-serv.c +Index: openssh-10.3p1/gss-serv.c =================================================================== ---- openssh-10.2p1.orig/gss-serv.c -+++ openssh-10.2p1/gss-serv.c -@@ -414,13 +414,15 @@ ssh_gssapi_cleanup_creds(void) +--- openssh-10.3p1.orig/gss-serv.c ++++ openssh-10.3p1/gss-serv.c +@@ -415,18 +415,20 @@ ssh_gssapi_cleanup_creds(void) } /* As user */ @@ -466,6 +466,12 @@ +int ssh_gssapi_storecreds(void) { + if (options.gss_deleg_creds == 0) { + debug_f("delegate credential is disabled, doing nothing"); +- return; ++ return 0; + } + if (gssapi_client.mech && gssapi_client.mech->storecreds) { - (*gssapi_client.mech->storecreds)(&gssapi_client); + return (*gssapi_client.mech->storecreds)(&gssapi_client); @@ -476,7 +482,7 @@ } /* This allows GSSAPI methods to do things to the child's environment based -@@ -500,9 +502,7 @@ ssh_gssapi_rekey_creds(void) { +@@ -506,9 +508,7 @@ ssh_gssapi_rekey_creds(void) { char *envstr; #endif 
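Review bot: in the gss-serv.c hunk `@@ -415,18 +415,20 @@ ssh_gssapi_cleanup_creds`, the rebased early-return branch (`if (options.gss_deleg_creds == 0) { ... return 0; }`) turns upstream's bare `return;` into an int result, but nothing in the hunk says whether 0 means "nothing stored" or "failure" relative to what `return (*gssapi_client.mech->storecreds)(&gssapi_client);` yields. The caller changed to consume that value (the sshd-session.c hunk `@@ -1328,7 +1328,7 @@ main`, inside the `temporarily_use_uid(authctxt->pw); ... restore_uid();` block) must treat the disabled path the same way as the mech's own "no credentials" result; a one-line comment on `return 0;` stating which meaning it carries would make this unambiguous at the next rebase.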
@@ -487,11 +493,11 @@ return; ok = mm_ssh_gssapi_update_creds(&gssapi_client.store); -Index: openssh-10.2p1/servconf.c +Index: openssh-10.3p1/servconf.c =================================================================== ---- openssh-10.2p1.orig/servconf.c -+++ openssh-10.2p1/servconf.c -@@ -138,6 +138,7 @@ initialize_server_options(ServerOptions +--- openssh-10.3p1.orig/servconf.c ++++ openssh-10.3p1/servconf.c +@@ -133,6 +133,7 @@ initialize_server_options(ServerOptions options->kerberos_or_local_passwd = -1; options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; @@ -499,7 +505,7 @@ options->gss_authentication=-1; options->gss_keyex = -1; options->gss_cleanup_creds = -1; -@@ -399,6 +400,8 @@ fill_default_server_options(ServerOption +@@ -397,6 +398,8 @@ fill_default_server_options(ServerOption options->kerberos_ticket_cleanup = 1; if (options->kerberos_get_afs_token == -1) options->kerberos_get_afs_token = 0; @@ -508,7 +514,7 @@ if (options->gss_authentication == -1) options->gss_authentication = 0; if (options->gss_keyex == -1) -@@ -583,7 +586,7 @@ typedef enum { +@@ -586,7 +589,7 @@ typedef enum { sPort, sHostKeyFile, sLoginGraceTime, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, @@ -517,7 +523,7 @@ sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, -@@ -676,11 +679,13 @@ static struct { +@@ -679,11 +682,13 @@ static struct { #else { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif @@ -531,7 +537,7 @@ #endif { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, -@@ -1692,6 +1697,10 @@ process_server_config_line_depth(ServerO +@@ -1699,6 +1704,10 @@ process_server_config_line_depth(ServerO intptr = &options->kerberos_get_afs_token; goto parse_flag; 
@@ -542,7 +548,7 @@ case sGssAuthentication: intptr = &options->gss_authentication; goto parse_flag; -@@ -3325,6 +3334,7 @@ dump_config(ServerOptions *o) +@@ -3359,6 +3368,7 @@ dump_config(ServerOptions *o) # ifdef USE_AFS dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token); # endif @@ -550,11 +556,11 @@ #endif #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); -Index: openssh-10.2p1/servconf.h +Index: openssh-10.3p1/servconf.h =================================================================== ---- openssh-10.2p1.orig/servconf.h -+++ openssh-10.2p1/servconf.h -@@ -149,6 +149,8 @@ typedef struct { +--- openssh-10.3p1.orig/servconf.h ++++ openssh-10.3p1/servconf.h +@@ -150,6 +150,8 @@ typedef struct { * file on logout. */ int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ @@ -563,11 +569,11 @@ int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_keyex; /* If true, permit GSSAPI key exchange */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */ -Index: openssh-10.2p1/session.c +Index: openssh-10.3p1/session.c =================================================================== ---- openssh-10.2p1.orig/session.c -+++ openssh-10.2p1/session.c -@@ -976,7 +976,8 @@ do_setup_env(struct ssh *ssh, Session *s +--- openssh-10.3p1.orig/session.c ++++ openssh-10.3p1/session.c +@@ -977,7 +977,8 @@ do_setup_env(struct ssh *ssh, Session *s /* Allow any GSSAPI methods that we've used to alter * the child's environment as they see fit */ @@ -577,7 +583,7 @@ #endif /* Set basic environment. */ -@@ -1052,7 +1053,7 @@ do_setup_env(struct ssh *ssh, Session *s +@@ -1059,7 +1060,7 @@ do_setup_env(struct ssh *ssh, Session *s } #endif #ifdef KRB5 
@@ -586,10 +592,10 @@ child_set_env(&env, &envsize, "KRB5CCNAME", s->authctxt->krb5_ccname); #endif -Index: openssh-10.2p1/ssh-gss.h +Index: openssh-10.3p1/ssh-gss.h =================================================================== ---- openssh-10.2p1.orig/ssh-gss.h -+++ openssh-10.2p1/ssh-gss.h +--- openssh-10.3p1.orig/ssh-gss.h ++++ openssh-10.3p1/ssh-gss.h @@ -110,7 +110,7 @@ typedef struct ssh_gssapi_mech_struct { int (*dochild) (ssh_gssapi_client *); int (*userok) (ssh_gssapi_client *, char *); @@ -608,11 +614,11 @@ const char *ssh_gssapi_displayname(void); char *ssh_gssapi_server_mechanisms(void); -Index: openssh-10.2p1/sshd-session.c +Index: openssh-10.3p1/sshd-session.c =================================================================== ---- openssh-10.2p1.orig/sshd-session.c -+++ openssh-10.2p1/sshd-session.c -@@ -1360,7 +1360,7 @@ main(int ac, char **av) +--- openssh-10.3p1.orig/sshd-session.c ++++ openssh-10.3p1/sshd-session.c +@@ -1328,7 +1328,7 @@ main(int ac, char **av) #ifdef GSSAPI if (options.gss_authentication) { temporarily_use_uid(authctxt->pw); @@ -621,11 +627,11 @@ restore_uid(); } #endif -Index: openssh-10.2p1/sshd_config.5 +Index: openssh-10.3p1/sshd_config.5 =================================================================== ---- openssh-10.2p1.orig/sshd_config.5 -+++ openssh-10.2p1/sshd_config.5 -@@ -1034,6 +1034,14 @@ Specifies whether to automatically destr +--- openssh-10.3p1.orig/sshd_config.5 ++++ openssh-10.3p1/sshd_config.5 +@@ -1054,6 +1054,14 @@ Specifies whether to automatically destr file on logout. The default is .Cm yes . ++++++ openssh-7.8p1-role-mls.patch ++++++ --- /var/tmp/diff_new_pack.rQwzz8/_old 2026-04-26 21:11:55.130904735 +0200 +++ /var/tmp/diff_new_pack.rQwzz8/_new 2026-04-26 21:11:55.166906207 +0200 
@@ -1,7 +1,8 @@ -diff -up openssh/auth2.c.role-mls openssh/auth2.c ---- openssh/auth2.c.role-mls 2018-08-20 07:57:29.000000000 +0200 -+++ openssh/auth2.c 2018-08-22 11:14:56.815430916 +0200 -@@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32 +Index: openssh-10.3p1/auth2.c +=================================================================== +--- openssh-10.3p1.orig/auth2.c ++++ openssh-10.3p1/auth2.c +@@ -273,6 +273,9 @@ input_userauth_request(int type, uint32_ Authctxt *authctxt = ssh->authctxt; Authmethod *m = NULL; char *user = NULL, *service = NULL, *method = NULL, *style = NULL; @@ -11,7 +12,7 @@ int r, authenticated = 0; double tstart = monotime_double(); -@@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32 +@@ -286,6 +289,11 @@ input_userauth_request(int type, uint32_ debug("userauth-request for user %s service %s method %s", user, service, method); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); @@ -23,10 +24,10 @@ if ((style = strchr(user, ':')) != NULL) *style++ = 0; -@@ -314,7 +314,13 @@ input_userauth_request(int type, u_int32 +@@ -312,7 +320,13 @@ input_userauth_request(int type, uint32_ + ssh_packet_set_log_preamble(ssh, "%suser %s", + authctxt->valid ? "authenticating " : "invalid ", user); setproctitle("%s [net]", authctxt->valid ? user : "unknown"); - authctxt->service = xstrdup(service); - authctxt->style = style ? xstrdup(style) : NULL; +#ifdef WITH_SELINUX + authctxt->role = role ? xstrdup(role) : NULL; +#endif 
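Review bot: the auth2.c hunk `@@ -312,7 +320,13 @@ input_userauth_request` now anchors the `authctxt->role = role ? xstrdup(role) : NULL;` block after `setproctitle("%s [net]", ...)` rather than beside the `authctxt->service = xstrdup(service);` / `authctxt->style = ...` assignments that the previous context showed (both lines were dropped from the context), so the rebase should confirm that `authctxt->role` is still set before anything that reads it, in particular before the monitor is informed of service/style. The hunk offsets themselves are now consistent with the +3 and +5 insertions earlier in the file (312 + 8 = 320), which the old `@@ -314,7 +314,13 @@` header was not.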
@@ -37,10 +38,11 @@ userauth_banner(ssh); if ((r = kex_server_update_ext_info(ssh)) != 0) fatal_fr(r, "kex_server_update_ext_info failed"); -diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c ---- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200 -+++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200 -@@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple +Index: openssh-10.3p1/auth2-gss.c +=================================================================== +--- openssh-10.3p1.orig/auth2-gss.c ++++ openssh-10.3p1/auth2-gss.c +@@ -326,6 +326,7 @@ input_gssapi_mic(int type, uint32_t plen Authctxt *authctxt = ssh->authctxt; Gssctxt *gssctxt; int r, authenticated = 0; @@ -48,7 +50,7 @@ struct sshbuf *b; gss_buffer_desc mic, gssbuf; u_char *p; -@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple +@@ -342,7 +343,13 @@ input_gssapi_mic(int type, uint32_t plen fatal_f("sshbuf_new failed"); mic.value = p; mic.length = len; @@ -63,7 +65,7 @@ "gssapi-with-mic", ssh->kex->session_id); if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) -@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple +@@ -355,6 +362,8 @@ input_gssapi_mic(int type, uint32_t plen logit("GSSAPI MIC check failed"); sshbuf_free(b); @@ -72,10 +74,11 @@ free(mic.value); authctxt->postponed = 0; -diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c ---- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200 -+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200 -@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh) +Index: openssh-10.3p1/auth2-hostbased.c +=================================================================== +--- openssh-10.3p1.orig/auth2-hostbased.c ++++ openssh-10.3p1/auth2-hostbased.c +@@ -130,7 +130,16 @@ userauth_hostbased(struct ssh *ssh, cons /* reconstruct packet */ if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 || (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || 
@@ -92,10 +95,11 @@ (r = sshbuf_put_cstring(b, authctxt->service)) != 0 || (r = sshbuf_put_cstring(b, method)) != 0 || (r = sshbuf_put_string(b, pkalg, alen)) != 0 || -diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c ---- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200 -+++ openssh/auth2-pubkey.c 2018-08-22 11:17:07.331483958 +0200 -@@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh) +Index: openssh-10.3p1/auth2-pubkey.c +=================================================================== +--- openssh-10.3p1.orig/auth2-pubkey.c ++++ openssh-10.3p1/auth2-pubkey.c +@@ -201,9 +201,16 @@ userauth_pubkey(struct ssh *ssh, const c goto done; } /* reconstruct packet */ @@ -114,9 +118,10 @@ if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || (r = sshbuf_put_cstring(b, userstyle)) != 0 || (r = sshbuf_put_cstring(b, authctxt->service)) != 0 || -diff -up openssh/auth.h.role-mls openssh/auth.h ---- openssh/auth.h.role-mls 2018-08-20 07:57:29.000000000 +0200 -+++ openssh/auth.h 2018-08-22 11:14:56.816430924 +0200 +Index: openssh-10.3p1/auth.h +=================================================================== +--- openssh-10.3p1.orig/auth.h ++++ openssh-10.3p1/auth.h @@ -65,6 +65,9 @@ struct Authctxt { char *service; struct passwd *pw; /* set if 'valid' */ @@ -127,10 +132,11 @@ /* Method lists for multiple authentication */ char **auth_methods; /* modified from server config */ -diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c ---- openssh/auth-pam.c.role-mls 2018-08-20 07:57:29.000000000 +0200 -+++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200 -@@ -1172,7 +1172,7 @@ is_pam_session_open(void) +Index: openssh-10.3p1/auth-pam.c +=================================================================== +--- openssh-10.3p1.orig/auth-pam.c ++++ openssh-10.3p1/auth-pam.c +@@ -1147,7 +1147,7 @@ is_pam_session_open(void) * during the ssh authentication process. */ int 
@@ -139,22 +145,24 @@ { int ret = 1; char *compound; -diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h ---- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200 -+++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200 -@@ -33,7 +33,7 @@ u_int do_pam_account(void); +Index: openssh-10.3p1/auth-pam.h +=================================================================== +--- openssh-10.3p1.orig/auth-pam.h ++++ openssh-10.3p1/auth-pam.h +@@ -32,7 +32,7 @@ void finish_pam(void); + u_int do_pam_account(void); void do_pam_session(struct ssh *); void do_pam_setcred(void); - void do_pam_chauthtok(void); -int do_pam_putenv(char *, char *); +int do_pam_putenv(char *, const char *); char ** fetch_pam_environment(void); char ** fetch_pam_child_environment(void); void free_pam_environment(char **); -diff -up openssh/misc.c.role-mls openssh/misc.c ---- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200 -+++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200 -@@ -542,6 +542,7 @@ char * +Index: openssh-10.3p1/misc.c +=================================================================== +--- openssh-10.3p1.orig/misc.c ++++ openssh-10.3p1/misc.c +@@ -869,6 +869,7 @@ char * colon(char *cp) { int flag = 0; @@ -162,7 +170,7 @@ if (*cp == ':') /* Leading colon is part of file name. */ return NULL; -@@ -557,6 +558,13 @@ colon(char *cp) +@@ -884,6 +885,13 @@ colon(char *cp) return (cp); if (*cp == '/') return NULL; 
@@ -176,10 +184,11 @@ } return NULL; } -diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c ---- openssh-8.6p1/monitor.c.role-mls 2021-04-16 05:55:25.000000000 +0200 -+++ openssh-8.6p1/monitor.c 2021-05-21 14:21:56.719414087 +0200 -@@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st +Index: openssh-10.3p1/monitor.c +=================================================================== +--- openssh-10.3p1.orig/monitor.c ++++ openssh-10.3p1/monitor.c +@@ -114,6 +114,9 @@ int mm_answer_sign(struct ssh *, int, st int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *); int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *); int mm_answer_authserv(struct ssh *, int, struct sshbuf *); @@ -189,7 +198,7 @@ int mm_answer_authpassword(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *); -@@ -195,6 +198,9 @@ struct mon_table mon_dispatch_proto20[] +@@ -198,6 +201,9 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, @@ -199,7 +208,7 @@ {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM -@@ -803,6 +809,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in +@@ -987,6 +993,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); @@ -209,7 +218,7 @@ monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); #ifdef USE_PAM -@@ -877,6 +886,26 @@ key_base_type_match(const char *method, +@@ -1061,6 +1070,26 @@ key_base_type_match(const char *method, return found; } 
@@ -236,16 +245,16 @@ int mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m) { -@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh, +@@ -1433,7 +1462,7 @@ monitor_valid_userblob(struct ssh *ssh, struct sshbuf *b; - struct sshkey *hostkey = NULL; + struct sshkey *hostkey = NULL; const u_char *p; - char *userstyle, *cp; + char *userstyle, *s, *cp; size_t len; u_char type; int hostbound = 0, r, fail = 0; -@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh, +@@ -1464,6 +1493,8 @@ monitor_valid_userblob(struct ssh *ssh, fail++; if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) fatal_fr(r, "parse userstyle"); @@ -254,7 +263,7 @@ xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", authctxt->style ? authctxt->style : ""); -@@ -1317,7 +1348,7 @@ monitor_valid_hostbasedblob(const u_char +@@ -1514,7 +1545,7 @@ monitor_valid_hostbasedblob(const u_char { struct sshbuf *b; const u_char *p; @@ -263,7 +272,7 @@ size_t len; int r, fail = 0; u_char type; -@@ -1338,6 +1370,8 @@ monitor_valid_hostbasedblob(const u_char +@@ -1535,6 +1566,8 @@ monitor_valid_hostbasedblob(const u_char fail++; if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) fatal_fr(r, "parse userstyle"); @@ -272,10 +281,11 @@ xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", authctxt->style ? authctxt->style : ""); -diff -up openssh/monitor.h.role-mls openssh/monitor.h ---- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200 -+++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200 -@@ -55,6 +55,10 @@ enum monitor_reqtype { +Index: openssh-10.3p1/monitor.h +=================================================================== +--- openssh-10.3p1.orig/monitor.h ++++ openssh-10.3p1/monitor.h +@@ -57,6 +57,10 @@ enum monitor_reqtype { MONITOR_REQ_TERM = 50, MONITOR_REQ_STATE = 51, MONITOR_ANS_STATE = 52, 
@@ -286,10 +296,11 @@ MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, -diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c ---- openssh/monitor_wrap.c.role-mls 2018-08-22 11:14:56.818430941 +0200 -+++ openssh/monitor_wrap.c 2018-08-22 11:21:47.938747968 +0200 -@@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char * +Index: openssh-10.3p1/monitor_wrap.c +=================================================================== +--- openssh-10.3p1.orig/monitor_wrap.c ++++ openssh-10.3p1/monitor_wrap.c +@@ -473,6 +473,27 @@ mm_inform_authserv(char *service, char * sshbuf_free(m); } @@ -317,10 +328,11 @@ /* Do the password authentication */ int mm_auth_password(struct ssh *ssh, char *password) -diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h ---- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200 -+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200 -@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int); +Index: openssh-10.3p1/monitor_wrap.h +=================================================================== +--- openssh-10.3p1.orig/monitor_wrap.h ++++ openssh-10.3p1/monitor_wrap.h +@@ -51,6 +51,9 @@ int mm_sshkey_sign(struct ssh *, struct const u_char *, size_t, const char *, const char *, const char *, u_int compat); void mm_inform_authserv(char *, char *); 
@@ -330,10 +342,11 @@ struct passwd *mm_getpwnamallow(struct ssh *, const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct ssh *, char *); -diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in ---- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200 -+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200 -@@ -92,7 +92,8 @@ PORTS= port-aix.o \ +Index: openssh-10.3p1/openbsd-compat/Makefile.in +=================================================================== +--- openssh-10.3p1.orig/openbsd-compat/Makefile.in ++++ openssh-10.3p1/openbsd-compat/Makefile.in +@@ -102,7 +102,8 @@ PORTS= port-aix.o \ port-prngd.o \ port-solaris.o \ port-net.o \ @@ -343,10 +356,11 @@ .c.o: $(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $< -diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c ---- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200 -+++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200 -@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname) +Index: openssh-10.3p1/openbsd-compat/port-linux.c +=================================================================== +--- openssh-10.3p1.orig/openbsd-compat/port-linux.c ++++ openssh-10.3p1/openbsd-compat/port-linux.c +@@ -109,37 +109,6 @@ ssh_selinux_getctxbyname(char *pwname) return sc; } @@ -384,7 +398,7 @@ /* Set the TTY context for the specified user */ void ssh_selinux_setup_pty(char *pwname, const char *tty) -@@ -145,7 +114,11 @@ ssh_selinux_setup_pty(char *pwname, cons +@@ -152,7 +121,11 @@ ssh_selinux_setup_pty(char *pwname, cons debug3("%s: setting TTY context on %s", __func__, tty); 
@@ -397,9 +411,10 @@ /* XXX: should these calls fatal() upon failure in enforcing mode? */ -diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h ---- openssh/openbsd-compat/port-linux.h.role-mls 2018-08-20 07:57:29.000000000 +0200 -+++ openssh/openbsd-compat/port-linux.h 2018-08-22 11:14:56.819430949 +0200 +Index: openssh-10.3p1/openbsd-compat/port-linux.h +=================================================================== +--- openssh-10.3p1.orig/openbsd-compat/port-linux.h ++++ openssh-10.3p1/openbsd-compat/port-linux.h @@ -20,9 +20,10 @@ #ifdef WITH_SELINUX int ssh_selinux_enabled(void); @@ -412,9 +427,10 @@ #endif #ifdef LINUX_OOM_ADJUST -diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c ---- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200 -+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200 +Index: openssh-10.3p1/openbsd-compat/port-linux-sshd.c +=================================================================== +--- /dev/null ++++ openssh-10.3p1/openbsd-compat/port-linux-sshd.c @@ -0,0 +1,420 @@ +/* + * Copyright (c) 2005 Daniel Walsh <[email protected]> @@ -836,10 +852,11 @@ +#endif +#endif + -diff -up openssh/platform.c.role-mls openssh/platform.c ---- openssh/platform.c.role-mls 2018-08-20 07:57:29.000000000 +0200 -+++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200 -@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru +Index: openssh-10.3p1/platform.c +=================================================================== +--- openssh-10.3p1.orig/platform.c ++++ openssh-10.3p1/platform.c +@@ -140,7 +140,7 @@ platform_setusercontext_post_groups(stru } #endif /* HAVE_SETPCRED */ #ifdef WITH_SELINUX 
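Review bot: the port-linux-sshd.c header now reads `--- /dev/null` / `+++ openssh-10.3p1/openbsd-compat/port-linux-sshd.c`, which is the correct form for a file the patch creates; the old `--- openssh/openbsd-compat/port-linux-sshd.c.role-mls` header named a source that never existed and relied on patch(1) treating the `@@ -0,0 +1,420 @@` hunk as a creation anyway. The companion Makefile.in hunk `@@ -102,7 +102,8 @@ PORTS=` only shows the `port-net.o \` context, so check that the object added after it keeps the same trailing `\` continuation as its neighbours and does not terminate the PORTS list early.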
@@ -848,10 +865,11 @@ #endif } -diff -up openssh/sshd.c.role-mls openssh/sshd.c ---- openssh/sshd-session.c.role-mls 2018-08-20 07:57:29.000000000 +0200 -+++ openssh/sshd-session.c 2018-08-22 11:14:56.820430957 +0200 -@@ -2186,6 +2186,9 @@ main(int ac, char **av) +Index: openssh-10.3p1/sshd-session.c +=================================================================== +--- openssh-10.3p1.orig/sshd-session.c ++++ openssh-10.3p1/sshd-session.c +@@ -1332,6 +1332,9 @@ main(int ac, char **av) restore_uid(); } #endif ++++++ openssh-7.9p1-revert-new-qos-defaults.patch ++++++ --- /var/tmp/diff_new_pack.rQwzz8/_old 2026-04-26 21:11:55.398915693 +0200 +++ /var/tmp/diff_new_pack.rQwzz8/_new 2026-04-26 21:11:55.446917655 +0200 @@ -6,11 +6,9 @@ Reverts OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181 -Index: openssh-8.8p1/readconf.c -=================================================================== ---- openssh-8.8p1.orig/readconf.c -+++ openssh-8.8p1/readconf.c -@@ -2679,9 +2679,9 @@ fill_default_options(Options * options) +--- a/readconf.c ++++ b/readconf.c +@@ -3071,9 +3071,9 @@ if (options->visual_host_key == -1) options->visual_host_key = 0; if (options->ip_qos_interactive == -1) @@ -22,11 +20,9 @@ if (options->request_tty == -1) options->request_tty = REQUEST_TTY_AUTO; if (options->session_type == -1) -Index: openssh-8.8p1/servconf.c -=================================================================== ---- openssh-8.8p1.orig/servconf.c -+++ openssh-8.8p1/servconf.c -@@ -459,9 +459,9 @@ fill_default_server_options(ServerOption +--- a/servconf.c ++++ b/servconf.c +@@ -503,9 +503,9 @@ if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; if (options->ip_qos_interactive == -1) 
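Review bot: the last role-mls hunk previously carried a `diff -up openssh/sshd.c.role-mls openssh/sshd.c` line while its `---`/`+++` headers named sshd-session.c; the rebased `Index: openssh-10.3p1/sshd-session.c` header removes that mismatch. Its hunk `@@ -1332,6 +1332,9 @@ main` lands four lines below the gssapi-new-unique hunk `@@ -1328,7 +1328,7 @@ main` in the same file, and both use the `restore_uid(); } #endif` tail of the GSSAPI block as context, so the two patches must keep their current apply order in the spec; a fuzz-free apply of role-mls relies on the earlier hunk staying 7→7 in line count.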
@@ -38,11 +34,9 @@ if (options->version_addendum == NULL) options->version_addendum = xstrdup(""); if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) -Index: openssh-8.8p1/ssh_config.5 -=================================================================== ---- openssh-8.8p1.orig/ssh_config.5 -+++ openssh-8.8p1/ssh_config.5 -@@ -1182,11 +1182,9 @@ If one argument is specified, it is used +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -1340,11 +1340,9 @@ If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is @@ -56,11 +50,9 @@ for non-interactive sessions. .It Cm KbdInteractiveAuthentication Specifies whether to use keyboard-interactive authentication. -Index: openssh-8.8p1/sshd_config.5 -=================================================================== ---- openssh-8.8p1.orig/sshd_config.5 -+++ openssh-8.8p1/sshd_config.5 -@@ -903,11 +903,9 @@ If one argument is specified, it is used +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -1010,11 +1010,9 @@ If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is 
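Review bot: openssh-7.9p1-revert-new-qos-defaults.patch switches from the `Index: openssh-<ver>/file` plus `.orig` header convention used by every other patch in this changeset to bare `--- a/file` / `+++ b/file` headers with no function context in the `@@` lines (compare `@@ -3071,9 +3071,9 @@` with the former `@@ -2679,9 +2679,9 @@ fill_default_options(Options * options)`). Both apply at `-p1`, but mixing conventions makes quilt refreshes and `%patch` invocations less uniform, so consider regenerating this one in the same `Index:` form as the rest.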
@@ -74,4 +66,19 @@ for non-interactive sessions. .It Cm KbdInteractiveAuthentication Specifies whether to allow keyboard-interactive authentication. +--- a/misc.c ++++ b/misc.c +@@ -1950,9 +1950,9 @@ + { "ef", IPTOS_DSCP_EF }, + { "le", IPTOS_DSCP_LE }, + { "va", IPTOS_DSCP_VA }, +- { "lowdelay", INT_MIN }, /* deprecated */ +- { "throughput", INT_MIN }, /* deprecated */ +- { "reliability", INT_MIN }, /* deprecated */ ++ { "lowdelay", IPTOS_LOWDELAY }, ++ { "throughput", IPTOS_THROUGHPUT }, ++ { "reliability", IPTOS_RELIABILITY }, + { NULL, -1 } + }; + ++++++ openssh-8.0p1-gssapi-keyex.patch ++++++ ++++ 1602 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.0p1-gssapi-keyex.patch ++++ and /work/SRC/openSUSE:Factory/.openssh.new.11940/openssh-8.0p1-gssapi-keyex.patch ++++++ openssh-8.1p1-audit.patch ++++++ ++++ 1028 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.1p1-audit.patch ++++ and /work/SRC/openSUSE:Factory/.openssh.new.11940/openssh-8.1p1-audit.patch ++++++ openssh-8.4p1-vendordir.patch ++++++ --- /var/tmp/diff_new_pack.rQwzz8/_old 2026-04-26 21:11:56.294952328 +0200 +++ /var/tmp/diff_new_pack.rQwzz8/_new 2026-04-26 21:11:56.350954618 +0200 @@ -1,9 +1,9 @@ Gemeinsame Unterverzeichnisse: openssh-8.4p1/contrib und openssh-8.4p1-vendor/contrib. -Index: openssh-8.9p1/dh.c +Index: openssh-10.3p1/dh.c =================================================================== ---- openssh-8.9p1.orig/dh.c -+++ openssh-8.9p1/dh.c -@@ -54,7 +54,17 @@ void dh_set_moduli_file(const char *file +--- openssh-10.3p1.orig/dh.c ++++ openssh-10.3p1/dh.c +@@ -53,7 +53,17 @@ void dh_set_moduli_file(const char *file static const char * get_moduli_filename(void) { 
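Review bot: the new misc.c hunk `@@ -1950,9 +1950,9 @@` re-enables `lowdelay`, `throughput` and `reliability` as accepted IPQoS keywords by replacing the `INT_MIN }, /* deprecated */` entries with `IPTOS_LOWDELAY`, `IPTOS_THROUGHPUT` and `IPTOS_RELIABILITY`, but the patch description only states that it reverts the default-value change (`Reverts OpenBSD-Commit-ID: d11d2a4484f461524ef0c20870523dfcdeb52181`); add a sentence there noting that the legacy TOS keywords are restored as well, and confirm those three IPTOS_* macros still resolve on every build target now that the upstream table no longer references them.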
@@ -22,10 +22,10 @@ } static int -Index: openssh-8.9p1/pathnames.h +Index: openssh-10.3p1/pathnames.h =================================================================== ---- openssh-8.9p1.orig/pathnames.h -+++ openssh-8.9p1/pathnames.h +--- openssh-10.3p1.orig/pathnames.h ++++ openssh-10.3p1/pathnames.h @@ -18,6 +18,8 @@ #define SSHDIR ETCDIR "/ssh" #endif @@ -43,19 +43,19 @@ #define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config" +#define _PATH_HOST_VENDOR_CONFIG_FILE VENDORDIR "/ssh_config" #define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key" - #define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key" #define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key" + #define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key" #define _PATH_DH_MODULI SSHDIR "/moduli" +#define _PATH_VENDOR_DH_MODULI VENDORDIR "/moduli" + #ifndef _PATH_SSH_PROGRAM #define _PATH_SSH_PROGRAM "/usr/bin/ssh" -Index: openssh-8.9p1/ssh.c +Index: openssh-10.3p1/ssh.c =================================================================== ---- openssh-8.9p1.orig/ssh.c -+++ openssh-8.9p1/ssh.c -@@ -549,6 +549,7 @@ static void +--- openssh-10.3p1.orig/ssh.c ++++ openssh-10.3p1/ssh.c +@@ -565,6 +565,7 @@ static void process_config_files(const char *host_name, struct passwd *pw, int final_pass, int *want_final_pass) { @@ -63,7 +63,7 @@ char *cmd, buf[PATH_MAX]; int r; -@@ -567,10 +568,23 @@ process_config_files(const char *host_na +@@ -586,10 +587,23 @@ process_config_files(const char *host_na &options, SSHCONF_CHECKPERM | SSHCONF_USERCONF | (final_pass ? SSHCONF_FINAL : 0), want_final_pass); @@ -91,10 +91,10 @@ } free(cmd); } -Index: openssh-8.9p1/ssh_config.5 +Index: openssh-10.3p1/ssh_config.5 =================================================================== ---- openssh-8.9p1.orig/ssh_config.5 -+++ openssh-8.9p1/ssh_config.5 +--- openssh-10.3p1.orig/ssh_config.5 ++++ openssh-10.3p1/ssh_config.5 @@ -54,6 +54,9 @@ user's configuration file .It system-wide configuration file 
@@ -105,7 +105,7 @@ .El .Pp Unless noted otherwise, for each parameter, the first obtained value -@@ -2220,6 +2223,11 @@ This file provides defaults for those +@@ -2515,6 +2518,11 @@ This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. This file must be world-readable. @@ -117,11 +117,11 @@ .El .Sh SEE ALSO .Xr ssh 1 -Index: openssh-8.9p1/sshd.c +Index: openssh-10.3p1/sshd.c =================================================================== ---- openssh-8.9p1.orig/sshd.c -+++ openssh-8.9p1/sshd.c -@@ -1201,7 +1201,8 @@ prepare_proctitle(int ac, char **av) +--- openssh-10.3p1.orig/sshd.c ++++ openssh-10.3p1/sshd.c +@@ -1309,7 +1309,8 @@ main(int ac, char **av) extern char *optarg; extern int optind; int log_stderr = 0, inetd_flag = 0, test_flag = 0, no_daemon_flag = 0; @@ -131,10 +131,11 @@ int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0; int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0; int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0; -@@ -1806,7 +1807,21 @@ main(int ac, char **av) +@@ -1544,7 +1545,21 @@ main(int ac, char **av) /* Fetch our configuration */ if ((cfg = sshbuf_new()) == NULL) fatal("sshbuf_new config failed"); +- if (strcasecmp(config_file_name, "none") != 0) + if (config_file_name == NULL) { + /* If only the vendor configuration file exists, use that. + * Else use the standard configuration file. 
@@ -148,16 +149,15 @@ + config_file_name = _PATH_SERVER_CONFIG_FILE; + } + load_server_config(config_file_name, cfg); -- if (strcasecmp(config_file_name, "none") != 0) + } else if (strcasecmp(config_file_name, "none") != 0) + /* load config specified on commandline */ load_server_config(config_file_name, cfg); parse_server_config(&options, config_file_name, cfg, -Index: openssh-8.9p1/sshd_config.5 +Index: openssh-10.3p1/sshd_config.5 =================================================================== ---- openssh-8.9p1.orig/sshd_config.5 -+++ openssh-8.9p1/sshd_config.5 +--- openssh-10.3p1.orig/sshd_config.5 ++++ openssh-10.3p1/sshd_config.5 @@ -44,7 +44,9 @@ .Xr sshd 8 reads configuration data from @@ -169,19 +169,19 @@ .Fl f on the command line). The file contains keyword-argument pairs, one per line. -Index: openssh-8.9p1/ssh-keysign.c +Index: openssh-10.3p1/ssh-keysign.c =================================================================== ---- openssh-8.9p1.orig/ssh-keysign.c -+++ openssh-8.9p1/ssh-keysign.c -@@ -186,6 +186,7 @@ main(int argc, char **argv) +--- openssh-10.3p1.orig/ssh-keysign.c ++++ openssh-10.3p1/ssh-keysign.c +@@ -184,6 +184,7 @@ main(int argc, char **argv) u_char *signature, *data, rver; char *host, *fp, *pkalg; size_t slen, dlen; + struct stat st; - if (pledge("stdio rpath getpw dns id", NULL) != 0) - fatal("%s: pledge: %s", __progname, strerror(errno)); -@@ -219,8 +220,14 @@ main(int argc, char **argv) + /* Ensure that stdin and stdout are connected */ + if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2) +@@ -218,8 +219,14 @@ main(int argc, char **argv) /* verify that ssh-keysign is enabled by the admin */ initialize_options(&options); ++++++ openssh-9.6p1-crypto-policies-man.patch ++++++ --- /var/tmp/diff_new_pack.rQwzz8/_old 2026-04-26 21:11:56.554962959 +0200 +++ /var/tmp/diff_new_pack.rQwzz8/_new 2026-04-26 21:11:56.582964104 +0200 
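Review bot: in the sshd.c hunk now at `@@ -1544,7 +1545,21 @@ main`, the `config_file_name == NULL` branch falls back to `_PATH_SERVER_CONFIG_FILE` and calls `load_server_config()` unconditionally, while only the explicit `-f` path keeps the `strcasecmp(config_file_name, "none") != 0` check in the `else if` arm; that split is the intended behaviour, but the comment `/* If only the vendor configuration file exists, use that. * Else use the standard configuration file. */` should say so explicitly (`-f none` is honoured only for an explicit path). Style point in the same hunk: the `} else if (...)` arm has an unbraced one-line body, `load_server_config(config_file_name, cfg);`, separated from its condition by the comment line `/* load config specified on commandline */` and immediately followed by the unchanged `parse_server_config(&options, config_file_name, cfg,` context; brace the else-if body like the if body above it so the structure cannot be misread when the surrounding code is refreshed again.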
@@ -1,7 +1,7 @@ -Index: openssh-10.2p1/ssh_config.5 +Index: openssh-10.3p1/ssh_config.5 =================================================================== ---- openssh-10.2p1.orig/ssh_config.5 -+++ openssh-10.2p1/ssh_config.5 +--- openssh-10.3p1.orig/ssh_config.5 ++++ openssh-10.3p1/ssh_config.5 @@ -441,17 +441,14 @@ A single argument of causes no CNAMEs to be considered for canonicalization. This is the default behaviour. @@ -96,7 +96,7 @@ .It Cm HashKnownHosts Indicates that .Xr ssh 1 -@@ -1061,36 +1061,26 @@ will not be converted automatically, +@@ -1061,38 +1061,26 @@ will not be converted automatically, but may be manually hashed using .Xr ssh-keygen 1 . .It Cm HostbasedAcceptedAlgorithms @@ -130,19 +130,21 @@ [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], -ssh-ed25519, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, [email protected], [email protected], [email protected], -rsa-sha2-512,rsa-sha2-256 -.Ed +at the head of the built-in openssh default set. .Pp The .Fl Q -@@ -1143,6 +1133,17 @@ to prefer their algorithms. +@@ -1147,6 +1135,17 @@ to prefer their algorithms. .Pp The list of available signature algorithms may also be obtained using .Qq ssh -Q HostKeyAlgorithms . @@ -160,7 +162,7 @@ .It Cm HostKeyAlias Specifies an alias that should be used instead of the real host name when looking up or saving the host key -@@ -1363,6 +1364,12 @@ it may be zero or more of: +@@ -1367,6 +1366,12 @@ it may be zero or more of: and .Cm pam . .It Cm KexAlgorithms @@ -173,7 +175,7 @@ Specifies the permitted KEX (Key Exchange) algorithms that will be used and their preference order. The selected algorithm will be the first algorithm in this list that -@@ -1371,28 +1378,16 @@ Multiple algorithms must be comma-separa +@@ -1375,28 +1380,16 @@ Multiple algorithms must be comma-separa .Pp If the specified list begins with a .Sq + 
@@ -206,7 +208,7 @@ .Pp The list of supported key exchange algorithms may also be obtained using .Qq ssh -Q kex . -@@ -1509,37 +1504,34 @@ function, and all code in the +@@ -1513,37 +1506,34 @@ function, and all code in the file. This option is intended for debugging and no overrides are enabled by default. .It Cm MACs @@ -254,7 +256,7 @@ The list of available MAC algorithms may also be obtained using .Qq ssh -Q mac . .It Cm NoHostAuthenticationForLocalhost -@@ -1728,39 +1720,32 @@ instead of continuing to execute and pas +@@ -1732,41 +1722,32 @@ instead of continuing to execute and pas The default is .Cm no . .It Cm PubkeyAcceptedAlgorithms @@ -289,12 +291,14 @@ [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], -ssh-ed25519, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, [email protected], [email protected], [email protected], -rsa-sha2-512,rsa-sha2-256 -.Ed +built-in openssh default set. @@ -307,7 +311,7 @@ .It Cm PubkeyAuthentication Specifies whether to try public key authentication. The argument to this keyword must be -@@ -2512,7 +2497,9 @@ This file provides the vendor defaults a +@@ -2525,7 +2506,9 @@ This file provides the vendor defaults a configuration file does not exist. .El .Sh SEE ALSO @@ -318,11 +322,11 @@ .Sh AUTHORS .An -nosplit OpenSSH is a derivative of the original and free -Index: openssh-10.2p1/sshd_config.5 +Index: openssh-10.3p1/sshd_config.5 =================================================================== ---- openssh-10.2p1.orig/sshd_config.5 -+++ openssh-10.2p1/sshd_config.5 -@@ -381,17 +381,14 @@ If the argument is +--- openssh-10.3p1.orig/sshd_config.5 ++++ openssh-10.3p1/sshd_config.5 +@@ -385,17 +385,14 @@ If the argument is then no banner is displayed. By default, no banner is displayed. .It Cm CASignatureAlgorithms 
@@ -346,7 +350,7 @@ If the specified list begins with a .Sq + character, then the specified algorithms will be appended to the default set -@@ -535,20 +532,26 @@ The default is +@@ -539,20 +536,26 @@ The default is indicating not to .Xr chroot 2 . .It Cm Ciphers @@ -377,7 +381,7 @@ .Pp The supported ciphers are: .Pp -@@ -575,13 +578,6 @@ [email protected] +@@ -579,13 +582,6 @@ [email protected] [email protected] .El .Pp @@ -391,7 +395,7 @@ The list of available ciphers may also be obtained using .Qq ssh -Q cipher . .It Cm ClientAliveCountMax -@@ -772,53 +768,45 @@ For this to work +@@ -788,55 +784,45 @@ For this to work .Cm GSSAPIKeyExchange needs to be enabled in the server and also used by the client. .It Cm GSSAPIKexAlgorithms @@ -454,19 +458,21 @@ [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], -ssh-ed25519, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, [email protected], [email protected], [email protected], -rsa-sha2-512,rsa-sha2-256 -.Ed +the head of the built-in openssh default set. .Pp The list of available signature algorithms may also be obtained using .Qq ssh -Q HostbasedAcceptedAlgorithms . -@@ -885,25 +873,15 @@ is specified, the location of the socket +@@ -903,27 +889,15 @@ is specified, the location of the socket .Ev SSH_AUTH_SOCK environment variable. .It Cm HostKeyAlgorithms 
@@ -486,19 +492,21 @@ [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], -ssh-ed25519, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, [email protected], [email protected], [email protected], -rsa-sha2-512,rsa-sha2-256 -.Ed -.Pp The list of available signature algorithms may also be obtained using .Qq ssh -Q HostKeyAlgorithms . .It Cm IgnoreRhosts -@@ -1043,6 +1021,12 @@ The default value +@@ -1063,6 +1037,12 @@ The default value can lead to overwriting previous tickets by subseqent connections to the same user account. .It Cm KexAlgorithms @@ -511,7 +519,7 @@ Specifies the permitted KEX (Key Exchange) algorithms that the server will offer to clients. The ordering of this list is not important, as the client specifies the -@@ -1051,16 +1035,16 @@ Multiple algorithms must be comma-separa +@@ -1071,16 +1051,16 @@ Multiple algorithms must be comma-separa .Pp If the specified list begins with a .Sq + @@ -532,7 +540,7 @@ .Pp The supported algorithms are: .Pp -@@ -1097,14 +1081,6 @@ sntrup761x25519-sha512 +@@ -1117,14 +1097,6 @@ sntrup761x25519-sha512 [email protected] .El .Pp @@ -547,7 +555,7 @@ The list of supported key exchange algorithms may also be obtained using .Qq ssh -Q KexAlgorithms . .It Cm ListenAddress -@@ -1191,21 +1167,27 @@ function, and all code in the +@@ -1211,21 +1183,27 @@ function, and all code in the file. This option is intended for debugging and no overrides are enabled by default. .It Cm MACs @@ -579,7 +587,7 @@ .Pp The algorithms that contain .Qq -etm -@@ -1248,15 +1230,6 @@ [email protected] +@@ -1268,15 +1246,6 @@ [email protected] [email protected] .El .Pp @@ -595,7 +603,7 @@ The list of available MAC algorithms may also be obtained using .Qq ssh -Q mac . .It Cm Match -@@ -1742,36 +1715,26 @@ or equivalent.) +@@ -1765,38 +1734,26 @@ or equivalent.) The default is .Cm yes . .It Cm PubkeyAcceptedAlgorithms 
@@ -630,19 +638,21 @@ [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], -ssh-ed25519, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, [email protected], [email protected], [email protected], -rsa-sha2-512,rsa-sha2-256 -.Ed +built-in openssh default set. .Pp The list of available signature algorithms may also be obtained using .Qq ssh -Q PubkeyAcceptedAlgorithms . -@@ -2284,7 +2247,9 @@ This file should be writable by root onl +@@ -2321,7 +2278,9 @@ This file should be writable by root onl .El .Sh SEE ALSO .Xr sftp-server 8 , ++++++ openssh-mitigate-lingering-secrets.patch ++++++ --- /var/tmp/diff_new_pack.rQwzz8/_old 2026-04-26 21:11:56.786972445 +0200 +++ /var/tmp/diff_new_pack.rQwzz8/_new 2026-04-26 21:11:56.826974081 +0200 @@ -1,8 +1,8 @@ -Index: openssh-9.3p2/kex.c +Index: openssh-10.3p1/kex.c =================================================================== ---- openssh-9.3p2.orig/kex.c -+++ openssh-9.3p2/kex.c -@@ -1564,16 +1564,16 @@ enc_destroy(struct sshenc *enc) +--- openssh-10.3p1.orig/kex.c ++++ openssh-10.3p1/kex.c +@@ -1428,16 +1428,16 @@ enc_destroy(struct sshenc *enc) return; if (enc->key) { @@ -22,7 +22,7 @@ } void -@@ -1584,7 +1584,7 @@ newkeys_destroy(struct newkeys *newkeys) +@@ -1448,7 +1448,7 @@ newkeys_destroy(struct newkeys *newkeys) enc_destroy(&newkeys->enc); mac_destroy(&newkeys->mac); @@ -31,11 +31,11 @@ } /* -Index: openssh-9.3p2/mac.c +Index: openssh-10.3p1/mac.c =================================================================== ---- openssh-9.3p2.orig/mac.c -+++ openssh-9.3p2/mac.c -@@ -284,11 +284,11 @@ mac_destroy(struct sshmac *mac) +--- openssh-10.3p1.orig/mac.c ++++ openssh-10.3p1/mac.c +@@ -275,11 +275,11 @@ mac_destroy(struct sshmac *mac) return; if (mac->key) { 
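Review bot: the ssh_config.5 hunk `@@ -1061,38 +1061,26 @@` and the sshd_config.5 hunks `@@ -788,55 +784,45 @@`, `@@ -903,27 +889,15 @@` and `@@ -1765,38 +1734,26 @@` now additionally strip the `ssh-ed25519,` and `ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,` lines that upstream added to the default algorithm listings, so the whole `.Bd`/`.Ed` block is replaced by the phrase "at the head of the built-in openssh default set"; since that wording no longer shows the default order, and the retained sentence "The list of available signature algorithms may also be obtained using .Qq ssh -Q HostKeyAlgorithms" lists supported rather than default algorithms, add a sentence pointing readers to `ssh -G <host>` (client) or `sshd -T` (server) to print the effective list, so an administrator can still verify what the installed defaults are.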
@@ -49,11 +49,11 @@ } /* XXX copied from ciphers_valid */ -Index: openssh-9.3p2/monitor.c +Index: openssh-10.3p1/monitor.c =================================================================== ---- openssh-9.3p2.orig/monitor.c -+++ openssh-9.3p2/monitor.c -@@ -1789,8 +1789,12 @@ mm_answer_audit_end_command(struct ssh * +--- openssh-10.3p1.orig/monitor.c ++++ openssh-10.3p1/monitor.c +@@ -1944,8 +1944,12 @@ mm_answer_audit_end_command(struct ssh * void monitor_clear_keystate(struct ssh *ssh, struct monitor *pmonitor) { @@ -68,11 +68,11 @@ sshbuf_free(child_state); child_state = NULL; } -Index: openssh-9.3p2/packet.c +Index: openssh-10.3p1/packet.c =================================================================== ---- openssh-9.3p2.orig/packet.c -+++ openssh-9.3p2/packet.c -@@ -655,6 +655,7 @@ ssh_packet_close_internal(struct ssh *ss +--- openssh-10.3p1.orig/packet.c ++++ openssh-10.3p1/packet.c +@@ -758,6 +758,7 @@ ssh_packet_close_internal(struct ssh *ss ssh->local_ipaddr = NULL; free(ssh->remote_ipaddr); ssh->remote_ipaddr = NULL; @@ -80,7 +80,7 @@ free(ssh->state); ssh->state = NULL; kex_free(ssh->kex); -@@ -783,8 +784,10 @@ compress_buffer(struct ssh *ssh, struct +@@ -887,8 +888,10 @@ compress_buffer(struct ssh *ssh, struct case Z_OK: /* Append compressed data to output_buffer. */ if ((r = sshbuf_put(out, buf, sizeof(buf) - @@ -92,7 +92,7 @@ break; case Z_STREAM_ERROR: default: -@@ -819,8 +822,10 @@ uncompress_buffer(struct ssh *ssh, struc +@@ -923,8 +926,10 @@ uncompress_buffer(struct ssh *ssh, struc switch (status) { case Z_OK: if ((r = sshbuf_put(out, buf, sizeof(buf) - @@ -104,7 +104,7 @@ break; case Z_BUF_ERROR: /* -@@ -870,6 +875,17 @@ uncompress_buffer(struct ssh *ssh, struc +@@ -974,6 +979,17 @@ uncompress_buffer(struct ssh *ssh, struc #endif /* WITH_ZLIB */ void 
@@ -122,7 +122,7 @@ ssh_clear_newkeys(struct ssh *ssh, int mode) { if (ssh->kex && ssh->kex->newkeys[mode]) { -@@ -1418,7 +1434,9 @@ ssh_packet_read_seqnr(struct ssh *ssh, u +@@ -1575,7 +1591,9 @@ ssh_packet_read_seqnr(struct ssh *ssh, u } /* Append it to the buffer. */ @@ -133,7 +133,7 @@ goto out; } out: -@@ -2375,9 +2393,12 @@ ssh_packet_get_state(struct ssh *ssh, st +@@ -2598,9 +2616,12 @@ ssh_packet_get_state(struct ssh *ssh, st (r = sshbuf_put_stringb(m, state->output)) != 0 || (r = sshbuf_put_u32(m, ENCODE_INT(state->interactive_mode))) != 0 || (r = sshbuf_put_u32(m, ENCODE_INT(state->qos_interactive))) != 0 || @@ -147,7 +147,7 @@ return 0; } -@@ -2496,6 +2517,8 @@ ssh_packet_set_state(struct ssh *ssh, st +@@ -2721,6 +2742,8 @@ ssh_packet_set_state(struct ssh *ssh, st int r; u_int interactive, qos_interactive, qos_other; @@ -156,7 +156,7 @@ if ((r = kex_from_blob(m, &ssh->kex)) != 0 || (r = newkeys_from_blob(m, ssh, MODE_OUT)) != 0 || (r = newkeys_from_blob(m, ssh, MODE_IN)) != 0 || -@@ -2509,7 +2532,7 @@ ssh_packet_set_state(struct ssh *ssh, st +@@ -2734,7 +2757,7 @@ ssh_packet_set_state(struct ssh *ssh, st (r = sshbuf_get_u64(m, &state->p_read.blocks)) != 0 || (r = sshbuf_get_u32(m, &state->p_read.packets)) != 0 || (r = sshbuf_get_u64(m, &state->p_read.bytes)) != 0) @@ -165,7 +165,7 @@ /* * We set the time here so that in post-auth privsep child we * count from the completion of the authentication. -@@ -2518,10 +2541,10 @@ ssh_packet_set_state(struct ssh *ssh, st +@@ -2743,10 +2766,10 @@ ssh_packet_set_state(struct ssh *ssh, st /* XXX ssh_set_newkeys overrides p_read.packets? XXX */ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0 || (r = ssh_set_newkeys(ssh, MODE_OUT)) != 0) 
@@ -178,7 +178,7 @@ sshbuf_reset(state->input); sshbuf_reset(state->output); -@@ -2529,22 +2552,29 @@ ssh_packet_set_state(struct ssh *ssh, st +@@ -2754,22 +2777,29 @@ ssh_packet_set_state(struct ssh *ssh, st (r = sshbuf_get_string_direct(m, &output, &olen)) != 0 || (r = sshbuf_put(state->input, input, ilen)) != 0 || (r = sshbuf_put(state->output, output, olen)) != 0) @@ -213,11 +213,11 @@ } /* NEW API */ -Index: openssh-9.3p2/packet.h +Index: openssh-10.3p1/packet.h =================================================================== ---- openssh-9.3p2.orig/packet.h -+++ openssh-9.3p2/packet.h -@@ -103,6 +103,7 @@ void ssh_packet_close(struct ssh *); +--- openssh-10.3p1.orig/packet.h ++++ openssh-10.3p1/packet.h +@@ -106,6 +106,7 @@ void ssh_packet_free(struct ssh *); void ssh_packet_close(struct ssh *); void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *); void ssh_packet_clear_keys(struct ssh *); @@ -225,10 +225,10 @@ void ssh_clear_newkeys(struct ssh *, int); int ssh_packet_is_rekeying(struct ssh *); -Index: openssh-9.3p2/sshbuf.c +Index: openssh-10.3p1/sshbuf.c =================================================================== ---- openssh-9.3p2.orig/sshbuf.c -+++ openssh-9.3p2/sshbuf.c +--- openssh-10.3p1.orig/sshbuf.c ++++ openssh-10.3p1/sshbuf.c @@ -309,6 +309,31 @@ sshbuf_mutable_ptr(const struct sshbuf * return buf->d + buf->off; } @@ -261,11 +261,11 @@ int sshbuf_check_reserve(const struct sshbuf *buf, size_t len) { -Index: openssh-9.3p2/sshbuf.h +Index: openssh-10.3p1/sshbuf.h =================================================================== ---- openssh-9.3p2.orig/sshbuf.h -+++ openssh-9.3p2/sshbuf.h -@@ -298,6 +298,9 @@ int sshbuf_write_file(const char *path, +--- openssh-10.3p1.orig/sshbuf.h ++++ openssh-10.3p1/sshbuf.h +@@ -335,6 +335,9 @@ int sshbuf_write_file(const char *path, int sshbuf_read(int, struct sshbuf *, size_t, size_t *) __attribute__((__nonnull__ (2))); 
@@ -274,12 +274,12 @@ + /* Macros for decoding/encoding integers */ #define PEEK_U64(p) \ - (((u_int64_t)(((const u_char *)(p))[0]) << 56) | \ -Index: openssh-9.3p2/sshd-session.c + (((uint64_t)(((const u_char *)(p))[0]) << 56) | \ +Index: openssh-10.3p1/sshd-session.c =================================================================== ---- openssh-9.3p2.orig/sshd-session.c -+++ openssh-9.3p2/sshd-session.c -@@ -197,6 +197,19 @@ static void do_ssh2_kex(struct ssh *); +--- openssh-10.3p1.orig/sshd-session.c ++++ openssh-10.3p1/sshd-session.c +@@ -197,6 +197,19 @@ mm_is_monitor(void) } /* @@ -299,7 +299,7 @@ * Signal handler for the alarm after the login grace period has expired. * As usual, this may only take signal-safe actions, even though it is * terminal. -@@ -260,6 +260,8 @@ destroy_sensitive_data(struct ssh *ssh, +@@ -262,6 +275,8 @@ destroy_sensitive_data(struct ssh *ssh) sensitive_data.host_certificates[i] = NULL; } } @@ -308,7 +308,7 @@ } /* Demote private to public keys for network child */ -@@ -431,6 +432,8 @@ privsep_preauth(struct ssh *ssh) +@@ -414,6 +429,8 @@ privsep_postauth(struct ssh *ssh, Authct { int skip_privdrop = 0; @@ -317,15 +317,7 @@ /* * Hack for systems that don't support FD passing: retain privileges * in the post-auth privsep process so it can allocate PTYs directly. -#@@ -1354,6 +1356,7 @@ main(int ac, char **av) -# */ -# mm_send_keystate(ssh, pmonitor); -# ssh_packet_clear_keys(ssh); -#+ clobber_stack(); -# exit(0); -# -# authenticated: -@@ -1431,6 +1434,7 @@ main(int ac, char **av) +@@ -1361,6 +1378,7 @@ main(int ac, char **av) mm_terminate(); @@ -333,7 +325,7 @@ exit(0); } -@@ -1577,8 +1581,10 @@ cleanup_exit(int i) +@@ -1393,8 +1411,10 @@ cleanup_exit(int i) /* cleanup_exit can be called at the very least from the privsep wrappers used for auditing. Make sure we don't recurse indefinitely. */ 
@@ -343,22 +335,22 @@ _exit(i); + } in_cleanup = 1; - extern int auth_attempted; /* monitor.c */ - -@@ -1604,6 +1610,8 @@ cleanup_exit(int i) + if (the_active_state != NULL && the_authctxt != NULL) { + do_cleanup(the_active_state, the_authctxt); +@@ -1415,6 +1435,8 @@ cleanup_exit(int i) mm_is_monitor()) audit_event(the_active_state, SSH_CONNECTION_ABANDON); #endif + + clobber_stack(); /* Override default fatal exit value when auth was attempted */ - if (i == 255 && auth_attempted) + if (i == 255 && monitor_auth_attempted()) _exit(EXIT_AUTH_ATTEMPTED); -Index: openssh-9.9p2/sshd-auth.c +Index: openssh-10.3p1/sshd-auth.c =================================================================== ---- openssh-9.9p2.orig/sshd-auth.c -+++ openssh-9.9p2/sshd-auth.c -@@ -197,6 +197,19 @@ static void do_ssh2_kex(struct ssh *); +--- openssh-10.3p1.orig/sshd-auth.c ++++ openssh-10.3p1/sshd-auth.c +@@ -175,6 +175,19 @@ mm_is_monitor(void) return 0; } @@ -378,7 +370,7 @@ static void privsep_child_demote(void) { -@@ -796,6 +796,7 @@ main(int ac, char **av) +@@ -767,6 +780,7 @@ main(int ac, char **av) mm_send_keystate(ssh, pmonitor); sshauthopt_free(auth_opts); ssh_packet_clear_keys(ssh);
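Review bot: the `#`-commented hunk against sshd-session.c `main` (`-#@@ -1354,6 +1356,7 @@`, which would have inserted `clobber_stack();` between `ssh_packet_clear_keys(ssh);` and `exit(0);` on the `mm_send_keystate` exit path) is removed from the patch, and the only remaining hook for that path is the sshd-auth.c hunk at `@@ -767,6 +780,7 @@ main`, whose added line is cut off in this diff after `ssh_packet_clear_keys(ssh);`; confirm that hunk really inserts `clobber_stack()` there, otherwise the pre-auth child exits with the key material the patch is meant to scrub still on its stack. In the same patch, the third sshd-session.c hunk moved from `privsep_preauth(struct ssh *ssh)` to `privsep_postauth(struct ssh *ssh, Authct...)` context (`-@@ -431,6 +432,8 @@` to `+@@ -414,6 +429,8 @@`); the two added lines are not shown, so double-check that they still land in the function where the clearing is intended now that the pre-auth work lives in sshd-auth.c. The `cleanup_exit` hunk (`@@ -1415,6 +1435,8 @@`) is fine as refreshed: `clobber_stack();` stays after the `audit_event()` call and before the `monitor_auth_attempted()` exit check, inside the `in_cleanup` recursion guard.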
