Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2026-05-10 16:46:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Sun May 10 16:46:59 2026 rev:202 rq:1351501 version:10.3p1 Changes: -------- +++ only whitespace diff in changes, re-diffing --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2026-04-26 21:11:46.802564224 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.1966/openssh.changes 2026-05-10 16:47:10.729966563 +0200 @@ -1,0 +2,8 @@ +Thu May 7 21:15:35 UTC 2026 - Hans Petter Jansson <[email protected]> + +- Update openssh-7.7p1-fips.patch (bsc#1262555): Don't bail out on + startup if a non-FIPS algorithm is requested. Filter it out and + warn instead. +- Update openssh-8.0p1-gssapi-keyex.patch: Apply to GSS too. + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ openssh.spec: same change ++++++ openssh-7.7p1-allow_root_password_login.patch ++++++ --- /var/tmp/diff_new_pack.8gj6jJ/_old 2026-05-10 16:47:12.674046123 +0200 +++ /var/tmp/diff_new_pack.8gj6jJ/_new 2026-05-10 16:47:12.678046287 +0200 @@ -5,11 +5,11 @@ temporarily introducing this change to keep the default used in older OpenSSH versions shipped with SLE. -Index: openssh-8.4p1/servconf.c +Index: openssh-10.3p1/servconf.c =================================================================== ---- openssh-8.4p1.orig/servconf.c -+++ openssh-8.4p1/servconf.c -@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption +--- openssh-10.3p1.orig/servconf.c ++++ openssh-10.3p1/servconf.c +@@ -355,7 +355,7 @@ fill_default_server_options(ServerOption if (options->login_grace_time == -1) options->login_grace_time = 120; if (options->permit_root_login == PERMIT_NOT_SET) 
@@ -18,11 +18,11 @@ if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) -Index: openssh-8.4p1/sshd_config +Index: openssh-10.3p1/sshd_config =================================================================== ---- openssh-8.4p1.orig/sshd_config -+++ openssh-8.4p1/sshd_config -@@ -29,7 +29,7 @@ +--- openssh-10.3p1.orig/sshd_config ++++ openssh-10.3p1/sshd_config +@@ -36,7 +36,7 @@ Include /usr/etc/ssh/sshd_config.d/*.con # Authentication: #LoginGraceTime 2m @@ -31,11 +31,11 @@ #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 -Index: openssh-8.4p1/sshd_config.0 +Index: openssh-10.3p1/sshd_config.0 =================================================================== ---- openssh-8.4p1.orig/sshd_config.0 -+++ openssh-8.4p1/sshd_config.0 -@@ -778,7 +778,7 @@ DESCRIPTION +--- openssh-10.3p1.orig/sshd_config.0 ++++ openssh-10.3p1/sshd_config.0 +@@ -909,7 +909,7 @@ DESCRIPTION PermitRootLogin Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The @@ -44,11 +44,11 @@ If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive -Index: openssh-8.4p1/sshd_config.5 +Index: openssh-10.3p1/sshd_config.5 =================================================================== ---- openssh-8.4p1.orig/sshd_config.5 -+++ openssh-8.4p1/sshd_config.5 -@@ -1331,7 +1331,7 @@ The argument must be +--- openssh-10.3p1.orig/sshd_config.5 ++++ openssh-10.3p1/sshd_config.5 +@@ -1519,7 +1519,7 @@ The argument must be or .Cm no . The default is ++++++ openssh-7.7p1-fips.patch ++++++ --- /var/tmp/diff_new_pack.8gj6jJ/_old 2026-05-10 16:47:12.714047760 +0200 +++ /var/tmp/diff_new_pack.8gj6jJ/_new 2026-05-10 16:47:12.718047924 +0200 
@@ -99,7 +99,7 @@ if ((c->flags & CFLAG_INTERNAL) != 0) continue; if (auth_only && c->auth_len == 0) -@@ -193,7 +238,7 @@ const struct sshcipher * +@@ -193,19 +238,19 @@ const struct sshcipher * cipher_by_name(const char *name) { const struct sshcipher *c; @@ -108,11 +108,68 @@ if (strcmp(c->name, name) == 0) return c; return NULL; + } + + #define CIPHER_SEP "," +-int +-ciphers_valid(const char *names) ++static int ++ciphers_valid_internal(const char *names, ++ const struct sshcipher *(*by_name)(const char *)) + { + const struct sshcipher *c; +- char *cipher_list, *cp; +- char *p; ++ char *cipher_list, *cp, *p; + + if (names == NULL || strcmp(names, "") == 0) + return 0; +@@ -213,7 +258,7 @@ ciphers_valid(const char *names) + return 0; + for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0'; + (p = strsep(&cp, CIPHER_SEP))) { +- c = cipher_by_name(p); ++ c = by_name(p); + if (c == NULL || (c->flags & CFLAG_INTERNAL) != 0) { + free(cipher_list); + return 0; +@@ -223,6 +268,31 @@ ciphers_valid(const char *names) + return 1; + } + ++int ++ciphers_valid(const char *names) ++{ ++ return ciphers_valid_internal(names, cipher_by_name); ++} ++ ++/* Like cipher_by_name() but ignores the FIPS filter, so it returns valid ++ * non-FIPS-approved names too. Used at config-parse time to distinguish a ++ * typo (unknown name) from a known-but-FIPS-rejected name in FIPS mode. */ ++static const struct sshcipher * ++cipher_by_name_any(const char *name) ++{ ++ const struct sshcipher *c; ++ for (c = ciphers_all; c->name != NULL; c++) ++ if (strcmp(c->name, name) == 0) ++ return c; ++ return NULL; ++} ++ ++int ++ciphers_valid_any(const char *names) ++{ ++ return ciphers_valid_internal(names, cipher_by_name_any); ++} ++ + const char * + cipher_warning_message(const struct sshcipher_ctx *cc) + { Index: openssh-10.3p1/fips.c =================================================================== 
--- /dev/null +++ openssh-10.3p1/fips.c -@@ -0,0 +1,212 @@ +@@ -0,0 +1,230 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. + * @@ -303,6 +360,24 @@ + return (!empty); +} + ++/* Wrap fips_filter_crypto: if the FIPS filter dropped any names, emit a ++ * one-line warning naming what was kept. Returns the same value as ++ * fips_filter_crypto (0 if the list ended up empty, non-zero otherwise); ++ * the empty-list case skips the warning so the caller's fatal is the only ++ * diagnostic. */ ++int ++fips_filter_warn(char **crypto, fips_filters filter, const char *what) ++{ ++ char *before = xstrdup(*crypto); ++ int rv = fips_filter_crypto(crypto, filter); ++ ++ if (rv && strcmp(before, *crypto) != 0) ++ logit("%s: non-FIPS names in '%s' ignored; using '%s'", ++ what, before, *crypto); ++ free(before); ++ return rv; ++} ++ +int +fips_dgst_min(void) +{ @@ -329,7 +404,7 @@ =================================================================== --- /dev/null +++ openssh-10.3p1/fips.h -@@ -0,0 +1,44 @@ +@@ -0,0 +1,45 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. + * @@ -370,6 +445,7 @@ +int fips_correct_dgst(int); +int fips_dgst_min(void); +enum fp_type fips_correct_fp_type(enum fp_type); ++int fips_filter_warn(char **, fips_filters, const char *); +int fips_filter_crypto(char **, fips_filters); + +#endif 
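Review bot: `ciphers_valid_any()` is exported through cipher.h without a comment at its definition saying it is a name check only, so a later caller could pick it over `ciphers_valid()` and accept ciphers outside the FIPS set. The explanatory comment sits on the static helper `cipher_by_name_any()`, which callers in other files never see. I would add something like `/* Known-name check only: accepts non-FIPS ciphers; the list must still pass fips_filter_crypto() before use. */` above `ciphers_valid_any()`. The same applies to `kex_names_valid_any()` in kex.c and `mac_valid_any()` in mac.c further down this patch.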
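Review bot: `fips_filter_warn()` passes `*crypto` to `xstrdup()` before anything checks it, so the wrapper depends on every caller handing in an already-assembled list. The two callers visible on this page appear to run after algorithm assembly, but that precondition is not written down. A guard such as `if (*crypto == NULL) return fips_filter_crypto(crypto, filter);`, or a comment stating the requirement, would keep it safe for later callers. The warning also reports any textual difference as "non-FIPS names ignored", which holds only if `fips_filter_crypto()` never rewrites the list in another way; its body is outside this hunk, so that is worth confirming.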
@@ -475,17 +551,67 @@ if (strcmp(k->name, name) == 0) return k; } -@@ -173,7 +216,10 @@ kex_names_valid(const char *names) +@@ -161,8 +204,9 @@ kex_nid_from_name(const char *name) + } + + /* Validate KEX method name list */ +-int +-kex_names_valid(const char *names) ++static int ++kex_names_valid_internal(const char *names, ++ const struct kexalg *(*by_name)(const char *)) + { + char *s, *cp, *p; + +@@ -172,17 +216,45 @@ kex_names_valid(const char *names) + return 0; for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { - if (kex_alg_by_name(p) == NULL) { -+ /* do not complain here - MACs and ciphers checks -+ * are silent here - error("Unsupported KEX algorithm \"%.100s\"", p); -+ */ +- if (kex_alg_by_name(p) == NULL) { +- error("Unsupported KEX algorithm \"%.100s\"", p); ++ if (by_name(p) == NULL) { free(s); return 0; } + } +- debug3("kex names ok: [%s]", names); + free(s); + return 1; + } + ++int ++kex_names_valid(const char *names) ++{ ++ int r = kex_names_valid_internal(names, kex_alg_by_name); ++ if (r) ++ debug3("kex names ok: [%s]", names); ++ return r; ++} ++ ++/* Like kex_alg_by_name() but ignores the FIPS filter, so it returns valid ++ * non-FIPS-approved names too. Used at config-parse time to distinguish a ++ * typo from a known-but-FIPS-rejected name in FIPS mode. */ ++static const struct kexalg * ++kex_alg_by_name_any(const char *name) ++{ ++ const struct kexalg *k; ++ ++ for (k = kexalgs_all; k->name != NULL; k++) { ++ if (strcmp(k->name, name) == 0) ++ return k; ++ } ++ return NULL; ++} ++ ++int ++kex_names_valid_any(const char *names) ++{ ++ return kex_names_valid_internal(names, kex_alg_by_name_any); ++} ++ + /* returns non-zero if proposal contains any algorithm from algs */ + int + kex_has_any_alg(const char *proposal, const char *algs) Index: openssh-10.3p1/mac.c =================================================================== --- openssh-10.3p1.orig/mac.c 
@@ -560,15 +686,70 @@ xextendf(&ret, sep_str, "%s", m->name); return ret; -@@ -117,7 +155,7 @@ mac_setup(struct sshmac *mac, char *name +@@ -117,7 +155,25 @@ mac_setup(struct sshmac *mac, char *name { const struct macalg *m; - for (m = macs; m->name != NULL; m++) { + for (m = fips_select_macs(); m->name != NULL; m++) { ++ if (strcmp(name, m->name) != 0) ++ continue; ++ if (mac != NULL) ++ return mac_setup_by_alg(mac, m); ++ return 0; ++ } ++ return SSH_ERR_INVALID_ARGUMENT; ++} ++ ++/* Like mac_setup() but ignores the FIPS filter, so it accepts valid ++ * non-FIPS-approved names too. Used at config-parse time to distinguish a ++ * typo from a known-but-FIPS-rejected name in FIPS mode. */ ++static int ++mac_setup_any(struct sshmac *mac, char *name) ++{ ++ const struct macalg *m; ++ ++ for (m = macs_all; m->name != NULL; m++) { if (strcmp(name, m->name) != 0) continue; if (mac != NULL) +@@ -232,8 +288,9 @@ mac_clear(struct sshmac *mac) + + /* XXX copied from ciphers_valid */ + #define MAC_SEP "," +-int +-mac_valid(const char *names) ++static int ++mac_valid_internal(const char *names, ++ int (*setup)(struct sshmac *, char *)) + { + char *maclist, *cp, *p; + +@@ -243,7 +300,7 @@ mac_valid(const char *names) + return 0; + for ((p = strsep(&cp, MAC_SEP)); p && *p != '\0'; + (p = strsep(&cp, MAC_SEP))) { +- if (mac_setup(NULL, p) < 0) { ++ if (setup(NULL, p) < 0) { + free(maclist); + return 0; + } +@@ -251,3 +308,15 @@ mac_valid(const char *names) + free(maclist); + return 1; + } ++ ++int ++mac_valid(const char *names) ++{ ++ return mac_valid_internal(names, mac_setup); ++} ++ ++int ++mac_valid_any(const char *names) ++{ ++ return mac_valid_internal(names, mac_setup_any); ++} Index: openssh-10.3p1/readconf.c =================================================================== --- openssh-10.3p1.orig/readconf.c 
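Review bot: `mac_setup_any()` inherits the `if (mac != NULL) return mac_setup_by_alg(mac, m);` branch from `mac_setup()`, so a lookup over the unfiltered `macs_all` table can initialise a real MAC context if a later caller passes a non-NULL `mac`. Its only caller on this page, `mac_valid_any()` through `mac_valid_internal()`, always passes NULL, so the helper only needs to report whether the name is known. Consider returning 0 as soon as the name matches and dropping the setup branch, or at least adding `/* validation only: never call with mac != NULL, this bypasses the FIPS filter */`. The end of the function body sits in context lines rather than added lines, so check this against the full patch.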
@@ -582,7 +763,34 @@ /* Format of the configuration file: # Configuration data is parsed as follows: -@@ -2691,6 +2693,23 @@ config_has_permitted_cnames(Options *opt +@@ -1594,7 +1596,7 @@ parse_int: + goto out; + } + if (*arg != '-' && +- !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)){ ++ !ciphers_valid_any(*arg == '+' || *arg == '^' ? arg + 1 : arg)){ + error("%.200s line %d: Bad SSH2 cipher spec '%s'.", + filename, linenum, arg ? arg : "<NONE>"); + goto out; +@@ -1611,7 +1613,7 @@ parse_int: + goto out; + } + if (*arg != '-' && +- !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)) { ++ !mac_valid_any(*arg == '+' || *arg == '^' ? arg + 1 : arg)) { + error("%.200s line %d: Bad SSH2 MAC spec '%s'.", + filename, linenum, arg ? arg : "<NONE>"); + goto out; +@@ -1628,7 +1630,7 @@ parse_int: + goto out; + } + if (*arg != '-' && +- !kex_names_valid(*arg == '+' || *arg == '^' ? ++ !kex_names_valid_any(*arg == '+' || *arg == '^' ? + arg + 1 : arg)) { + error("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.", + filename, linenum, arg ? arg : "<NONE>"); +@@ -2691,6 +2693,25 @@ config_has_permitted_cnames(Options *opt return options->num_permitted_cnames > 0; } @@ -593,11 +801,13 @@ +filter_fips_algorithms(Options *o) +{ + if (fips_mode()) { -+ if (!fips_filter_crypto(&o->ciphers, FIPS_FILTER_CIPHERS)) ++ if (!fips_filter_warn(&o->ciphers, FIPS_FILTER_CIPHERS, ++ "Ciphers")) + fatal("None of selected ciphers can be used in FIPS mode"); -+ if (!fips_filter_crypto(&o->macs, FIPS_FILTER_MACS)) ++ if (!fips_filter_warn(&o->macs, FIPS_FILTER_MACS, "MACs")) + fatal("None of selected MAC algorithms can be used in FIPS mode"); -+ if (!fips_filter_crypto(&o->kex_algorithms, FIPS_FILTER_KEX_ALGS)) ++ if (!fips_filter_warn(&o->kex_algorithms, ++ FIPS_FILTER_KEX_ALGS, "KexAlgorithms")) + fatal("None of selected KEX algorithms can be used in FIPS mode"); + } + return; 
@@ -606,7 +816,7 @@ /* * Initializes options to special values that indicate that they have not yet * been set. Read_config_file will only set options with this value. Options -@@ -3010,6 +3029,9 @@ fill_default_options(Options * options) +@@ -3010,6 +3031,9 @@ fill_default_options(Options * options) options->canonicalize_hostname = SSH_CANONICALISE_NO; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -616,7 +826,7 @@ #ifdef ENABLE_SK_INTERNAL if (options->sk_provider == NULL) options->sk_provider = xstrdup("internal"); -@@ -3057,6 +3079,8 @@ fill_default_options(Options * options) +@@ -3057,6 +3081,8 @@ fill_default_options(Options * options) ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); #undef ASSEMBLE @@ -649,7 +859,7 @@ #if !defined(SSHD_PAM_SERVICE) # define SSHD_PAM_SERVICE "sshd" -@@ -223,6 +224,23 @@ option_clear_or_none(const char *o) +@@ -223,6 +224,25 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } @@ -660,11 +870,13 @@ +filter_fips_algorithms_s(ServerOptions *o) +{ + if (fips_mode()) { -+ if (!fips_filter_crypto(&o->ciphers, FIPS_FILTER_CIPHERS)) ++ if (!fips_filter_warn(&o->ciphers, FIPS_FILTER_CIPHERS, ++ "Ciphers")) + fatal("None of selected ciphers can be used in FIPS mode"); -+ if (!fips_filter_crypto(&o->macs, FIPS_FILTER_MACS)) ++ if (!fips_filter_warn(&o->macs, FIPS_FILTER_MACS, "MACs")) + fatal("None of selected MAC algorithms can be used in FIPS mode"); -+ if (!fips_filter_crypto(&o->kex_algorithms, FIPS_FILTER_KEX_ALGS)) ++ if (!fips_filter_warn(&o->kex_algorithms, ++ FIPS_FILTER_KEX_ALGS, "KexAlgorithms")) + fatal("None of selected KEX algorithms can be used in FIPS mode"); + } + return; @@ -673,7 +885,7 @@ static void assemble_algorithms(ServerOptions *o) { -@@ -264,6 +282,8 @@ assemble_algorithms(ServerOptions *o) +@@ -264,6 +284,8 @@ assemble_algorithms(ServerOptions *o) free(def_kex); free(def_key); free(def_sig); 
@@ -682,7 +894,7 @@ } void -@@ -482,6 +502,8 @@ fill_default_server_options(ServerOption +@@ -482,6 +504,8 @@ fill_default_server_options(ServerOption options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -691,6 +903,33 @@ if (options->disable_forwarding == -1) options->disable_forwarding = 0; if (options->expose_userauth_info == -1) +@@ -1928,7 +1952,7 @@ process_server_config_line_depth(ServerO + fatal("%s line %d: %s missing argument.", + filename, linenum, keyword); + if (*arg != '-' && +- !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)) ++ !ciphers_valid_any(*arg == '+' || *arg == '^' ? arg + 1 : arg)) + fatal("%s line %d: Bad SSH2 cipher spec '%s'.", + filename, linenum, arg ? arg : "<NONE>"); + if (options->ciphers == NULL) +@@ -1941,7 +1965,7 @@ process_server_config_line_depth(ServerO + fatal("%s line %d: %s missing argument.", + filename, linenum, keyword); + if (*arg != '-' && +- !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg)) ++ !mac_valid_any(*arg == '+' || *arg == '^' ? arg + 1 : arg)) + fatal("%s line %d: Bad SSH2 mac spec '%s'.", + filename, linenum, arg ? arg : "<NONE>"); + if (options->macs == NULL) +@@ -1954,7 +1978,7 @@ process_server_config_line_depth(ServerO + fatal("%s line %d: %s missing argument.", + filename, linenum, keyword); + if (*arg != '-' && +- !kex_names_valid(*arg == '+' || *arg == '^' ? ++ !kex_names_valid_any(*arg == '+' || *arg == '^' ? + arg + 1 : arg)) + fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.", + filename, linenum, arg ? arg : "<NONE>"); Index: openssh-10.3p1/ssh-keygen.c =================================================================== --- openssh-10.3p1.orig/ssh-keygen.c 
@@ -805,4 +1044,40 @@ .It Cm ForceCommand Forces the execution of the command specified by .Cm ForceCommand , +Index: openssh-10.3p1/cipher.h +=================================================================== +--- openssh-10.3p1.orig/cipher.h ++++ openssh-10.3p1/cipher.h +@@ -53,6 +53,7 @@ struct sshcipher_ctx; + const struct sshcipher *cipher_by_name(const char *); + const char *cipher_warning_message(const struct sshcipher_ctx *); + int ciphers_valid(const char *); ++int ciphers_valid_any(const char *); + char *cipher_alg_list(char, int); + const char *compression_alg_list(int); + int cipher_init(struct sshcipher_ctx **, const struct sshcipher *, +Index: openssh-10.3p1/kex.h +=================================================================== +--- openssh-10.3p1.orig/kex.h ++++ openssh-10.3p1/kex.h +@@ -196,6 +196,7 @@ int kex_hash_from_name(const char *); + int kex_nid_from_name(const char *); + int kex_is_pq_from_name(const char *); + int kex_names_valid(const char *); ++int kex_names_valid_any(const char *); + char *kex_alg_list(char); + char *kex_names_cat(const char *, const char *); + int kex_has_any_alg(const char *, const char *); +Index: openssh-10.3p1/mac.h +=================================================================== +--- openssh-10.3p1.orig/mac.h ++++ openssh-10.3p1/mac.h +@@ -41,6 +41,7 @@ struct sshmac { + }; + + int mac_valid(const char *); ++int mac_valid_any(const char *); + char *mac_alg_list(char); + int mac_setup(struct sshmac *, char *); + int mac_init(struct sshmac *); ++++++ openssh-8.0p1-gssapi-keyex.patch ++++++ --- /var/tmp/diff_new_pack.8gj6jJ/_old 2026-05-10 16:47:12.798051198 +0200 +++ /var/tmp/diff_new_pack.8gj6jJ/_new 2026-05-10 16:47:12.802051362 +0200 
@@ -1274,7 +1274,18 @@ return NULL; } -@@ -380,3 +442,26 @@ kex_assemble_names(char **listp, const c +@@ -246,6 +308,10 @@ kex_alg_by_name_any(const char *name) + if (strcmp(k->name, name) == 0) + return k; + } ++ for (k = gss_kexalgs_all; k->name != NULL; k++) { ++ if (strncmp(k->name, name, strlen(k->name)) == 0) ++ return k; ++ } + return NULL; + } + +@@ -406,3 +472,26 @@ kex_assemble_names(char **listp, const c free(ret); return r; } @@ -1334,9 +1345,9 @@ char *failed_choice; int (*verify_host_key)(struct sshkey *, struct ssh *); struct sshkey *(*load_host_public_key)(int, int, struct ssh *); -@@ -197,8 +212,10 @@ int kex_nid_from_name(const char *); - int kex_is_pq_from_name(const char *); +@@ -198,8 +213,10 @@ int kex_is_pq_from_name(const char *); int kex_names_valid(const char *); + int kex_names_valid_any(const char *); char *kex_alg_list(char); +char *kex_gss_alg_list(char); char *kex_names_cat(const char *, const char *); @@ -1345,7 +1356,7 @@ int kex_assemble_names(char **, const char *, const char *); void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX], const char *, const char *, const char *, const char *, const char *); -@@ -232,6 +249,12 @@ int kexgex_client(struct ssh *); +@@ -233,6 +250,12 @@ int kexgex_client(struct ssh *); int kexgex_server(struct ssh *); int kex_gen_client(struct ssh *); int kex_gen_server(struct ssh *); @@ -1358,7 +1369,7 @@ int kex_dh_keypair(struct kex *); int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **, -@@ -270,6 +293,12 @@ int kexgex_hash(int, const struct sshbu +@@ -271,6 +294,12 @@ int kexgex_hash(int, const struct sshbu const BIGNUM *, const u_char *, size_t, u_char *, size_t *); 
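Review bot: The GSS loop added to `kex_alg_by_name_any()` matches with `strncmp(k->name, name, strlen(k->name)) == 0`, so any config token that merely starts with an entry of `gss_kexalgs_all` now passes `kex_names_valid_any()`. That defeats the typo detection this lookup was added for, unlike the exact `strcmp()` on the non-GSS table just above it. If the prefix match is deliberate, say so in place, for example `/* GSS kex names carry a mechanism-specific suffix; match the table prefix only */`. Also confirm that `gss_kexalgs_all` is defined in non-GSSAPI builds, since no `#ifdef GSSAPI` guard is visible around the added lines; the rest of the function is outside this hunk.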
@@ -2963,7 +2974,7 @@ case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -2737,7 +2784,13 @@ initialize_options(Options * options) +@@ -2739,7 +2786,13 @@ initialize_options(Options * options) options->fwd_opts.streamlocal_bind_unlink = -1; options->pubkey_authentication = -1; options->gss_authentication = -1; @@ -2977,7 +2988,7 @@ options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -2903,8 +2956,18 @@ fill_default_options(Options * options) +@@ -2905,8 +2958,18 @@ fill_default_options(Options * options) options->pubkey_authentication = SSH_PUBKEY_AUTH_ALL; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -2996,7 +3007,7 @@ if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -3789,7 +3852,14 @@ dump_client_config(Options *o, const cha +@@ -3791,7 +3854,14 @@ dump_client_config(Options *o, const cha dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); #ifdef GSSAPI dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); @@ -3054,7 +3065,7 @@ options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->permit_empty_passwd = -1; -@@ -395,12 +399,20 @@ fill_default_server_options(ServerOption +@@ -397,12 +401,20 @@ fill_default_server_options(ServerOption options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -3075,7 +3086,7 @@ if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -590,6 +602,7 @@ typedef enum { +@@ -592,6 +604,7 @@ typedef enum { sPerSourcePenalties, sPerSourcePenaltyExemptList, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sGssDelegateCreds, sGssStrictAcceptor, 
@@ -3083,7 +3094,7 @@ sAcceptEnv, sSetEnv, sPermitTunnel, sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, -@@ -677,14 +690,24 @@ static struct { +@@ -679,14 +692,24 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -3108,7 +3119,7 @@ { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */ -@@ -1680,6 +1703,10 @@ process_server_config_line_depth(ServerO +@@ -1682,6 +1705,10 @@ process_server_config_line_depth(ServerO intptr = &options->gss_authentication; goto parse_flag; @@ -3119,7 +3130,7 @@ case sGssCleanupCreds: intptr = &options->gss_cleanup_creds; goto parse_flag; -@@ -1692,6 +1719,22 @@ process_server_config_line_depth(ServerO +@@ -1694,6 +1721,22 @@ process_server_config_line_depth(ServerO intptr = &options->gss_strict_acceptor; goto parse_flag; @@ -3142,7 +3153,7 @@ case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -@@ -3322,6 +3365,9 @@ dump_config(ServerOptions *o) +@@ -3324,6 +3367,9 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); dump_cfg_fmtint(sGssDelegateCreds, o->gss_deleg_creds); dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); ++++++ openssh-8.1p1-audit.patch ++++++ --- /var/tmp/diff_new_pack.8gj6jJ/_old 2026-05-10 16:47:12.814051853 +0200 +++ /var/tmp/diff_new_pack.8gj6jJ/_new 2026-05-10 16:47:12.818052016 +0200 @@ -894,7 +894,7 @@ static const struct sshcipher ciphers_all[] = { #ifdef WITH_OPENSSL #ifndef OPENSSL_NO_DES -@@ -446,7 +427,7 @@ cipher_get_length(struct sshcipher_ctx * +@@ -471,7 +452,7 @@ cipher_get_length(struct sshcipher_ctx * void cipher_free(struct sshcipher_ctx *cc) { 
@@ -1081,7 +1081,7 @@ =================================================================== --- openssh-10.3p1.orig/mac.c +++ openssh-10.3p1/mac.c -@@ -268,6 +268,20 @@ mac_clear(struct sshmac *mac) +@@ -286,6 +286,20 @@ mac_clear(struct sshmac *mac) mac->umac_ctx = NULL; } @@ -1101,7 +1101,7 @@ + /* XXX copied from ciphers_valid */ #define MAC_SEP "," - int + static int Index: openssh-10.3p1/mac.h =================================================================== --- openssh-10.3p1.orig/mac.h
