update to openssh-8.8p1

Reference: https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-4.3p2-askpass-grab-info.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-5.1p1-askpass-progress.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-5.8p2-sigpipe.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-5.9p1-ipv6man.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.3p1-ctr-evp-fast.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.4p1-fromto-remote.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6.1p1-log-in-chroot.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6.1p1-scp-non-existing-directory.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6.1p1-selinux-contexts.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-allow-ip-opts.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-force_krb.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-GSSAPIEnablek5users.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-keycat.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-keyperm.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-kuserok.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-privsep-selinux.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.7p1-coverity.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.7p1-sftp-force-permission.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.8p1-sshdT-output.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.1p2-audit-race-condition.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.2p2-k5login_directory.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.2p2-s390-closefrom.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.2p2-x11.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.3p1-x11-max-displays.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.4p1-systemd.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.5p1-sandbox.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.6p1-audit.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.6p1-cleanup-selinux.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1-fips.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1-gssapi-new-unique.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-role-mls.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-scp-ipv6.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-UsePAM-warning.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-crypto-policies.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-gssapi-keyex.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-keygen-strip-doseol.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-openssl-evp.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-openssl-kdf.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-pkcs11-uri.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-preserve-pam-errors.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.2p1-visibility.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.2p1-x11-without-ipv6.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.7p1-scp-kill-switch.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.10.2-compat.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.10.2-dereference.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.10.3-seteuid.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.9.2-visibility.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.9.3-agent_structure.patch
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.9.3-build.patch
renmingshuai 2021-12-08 15:39:13 +08:00
parent bfec14efe3
commit f2c3d6e19a
86 changed files with 4356 additions and 7893 deletions


@ -1,60 +0,0 @@
From 4286e434ab29c077a42d52c97e7a2e92f93fc1c3 Mon Sep 17 00:00:00 2001
From: zhuqingfu <zhuqingfu1@huawei.com>
Date: Tue, 15 Sep 2020 15:09:52 +0800
Subject: [PATCH] CVE-2018-15919
---
auth.h | 1 +
auth2-gss.c | 1 +
auth2.c | 4 ++++
3 files changed, 6 insertions(+)
diff --git a/auth.h b/auth.h
index c3a92df..1127fdf 100644
--- a/auth.h
+++ b/auth.h
@@ -58,6 +58,7 @@ struct Authctxt {
int attempt;
int failures;
int server_caused_failure;
+ int server_caused_gssapi_failure;
int force_pwchange;
char *user; /* username sent by the client */
char *service;
diff --git a/auth2-gss.c b/auth2-gss.c
index 4708375..6008319 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -156,6 +156,7 @@ userauth_gssapi(struct ssh *ssh)
ssh_gssapi_delete_ctx(&ctxt);
free(doid);
authctxt->server_caused_failure = 1;
+ authctxt->server_caused_gssapi_failure = 1;
return (0);
}
diff --git a/auth2.c b/auth2.c
index 956b9cf..2c4fc97 100644
--- a/auth2.c
+++ b/auth2.c
@@ -345,6 +345,7 @@ if (options.check_user_splash)
auth2_authctxt_reset_info(authctxt);
authctxt->postponed = 0;
authctxt->server_caused_failure = 0;
+ authctxt->server_caused_gssapi_failure = 0;
/* try to authenticate user */
m = authmethod_lookup(authctxt, method);
@@ -442,6 +443,9 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
if (!partial && !authctxt->server_caused_failure &&
(authctxt->attempt > 1 || strcmp(method, "none") != 0))
authctxt->failures++;
+ if (!partial && authctxt->server_caused_gssapi_failure &&
+ (authctxt->attempt > 1 || strcmp(method, "none") != 0))
+ authctxt->failures++;
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(ssh, SSH_LOGIN_EXCEED_MAXTRIES));
--
1.8.3.1


@ -1,202 +0,0 @@
From aad87b88fc2536b1ea023213729aaf4eaabe1894 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 1 May 2020 06:31:42 +0000
Subject: [PATCH] upstream: when receving a file in sink(), be careful to send
at
most a single error response after the file has been opened. Otherwise the
source() and sink() can become desyncronised. Reported by Daniel Goujot,
Georges-Axel Jaloyan, Ryan Lahfa, and David Naccache.
ok deraadt@ markus@
OpenBSD-Commit-ID: 6c14d233c97349cb811a8f7921ded3ae7d9e0035
---
scp.c | 96 ++++++++++++++++++++++++++++++++++++-----------------------
1 file changed, 59 insertions(+), 37 deletions(-)
diff --git a/scp.c b/scp.c
index 812ab5301..439025980 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.207 2020/01/23 07:10:22 dtucker Exp $ */
+/* $OpenBSD: scp.c,v 1.209 2020/05/01 06:31:42 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@@ -374,6 +374,7 @@ BUF *allocbuf(BUF *, int, int);
void lostconn(int);
int okname(char *);
void run_err(const char *,...);
+int note_err(const char *,...);
void verifydir(char *);
struct passwd *pwd;
@@ -1231,9 +1232,6 @@ sink(int argc, char **argv, const char *src)
{
static BUF buffer;
struct stat stb;
- enum {
- YES, NO, DISPLAYED
- } wrerr;
BUF *bp;
off_t i;
size_t j, count;
@@ -1241,7 +1239,7 @@ sink(int argc, char **argv, const char *src)
mode_t mode, omode, mask;
off_t size, statbytes;
unsigned long long ull;
- int setimes, targisdir, wrerrno = 0;
+ int setimes, targisdir, wrerr;
char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
char **patterns = NULL;
size_t n, npatterns = 0;
@@ -1450,8 +1448,13 @@ bad: run_err("%s: %s", np, strerror(errno));
continue;
}
cp = bp->buf;
- wrerr = NO;
+ wrerr = 0;
+ /*
+ * NB. do not use run_err() unless immediately followed by
+ * exit() below as it may send a spurious reply that might
+ * desyncronise us from the peer. Use note_err() instead.
+ */
statbytes = 0;
if (showprogress)
start_progress_meter(curfile, size, &statbytes);
@@ -1476,11 +1479,12 @@ bad: run_err("%s: %s", np, strerror(errno));
if (count == bp->cnt) {
/* Keep reading so we stay sync'd up. */
- if (wrerr == NO) {
+ if (!wrerr) {
if (atomicio(vwrite, ofd, bp->buf,
count) != count) {
- wrerr = YES;
- wrerrno = errno;
+ note_err("%s: %s", np,
+ strerror(errno));
+ wrerr = 1;
}
}
count = 0;
@@ -1488,16 +1492,14 @@ bad: run_err("%s: %s", np, strerror(errno));
}
}
unset_nonblock(remin);
- if (count != 0 && wrerr == NO &&
+ if (count != 0 && !wrerr &&
atomicio(vwrite, ofd, bp->buf, count) != count) {
- wrerr = YES;
- wrerrno = errno;
- }
- if (wrerr == NO && (!exists || S_ISREG(stb.st_mode)) &&
- ftruncate(ofd, size) != 0) {
- run_err("%s: truncate: %s", np, strerror(errno));
- wrerr = DISPLAYED;
+ note_err("%s: %s", np, strerror(errno));
+ wrerr = 1;
}
+ if (!wrerr && (!exists || S_ISREG(stb.st_mode)) &&
+ ftruncate(ofd, size) != 0)
+ note_err("%s: truncate: %s", np, strerror(errno));
if (pflag) {
if (exists || omode != mode)
#ifdef HAVE_FCHMOD
@@ -1505,9 +1507,8 @@ bad: run_err("%s: %s", np, strerror(errno));
#else /* HAVE_FCHMOD */
if (chmod(np, omode)) {
#endif /* HAVE_FCHMOD */
- run_err("%s: set mode: %s",
+ note_err("%s: set mode: %s",
np, strerror(errno));
- wrerr = DISPLAYED;
}
} else {
if (!exists && omode != mode)
@@ -1516,36 +1517,25 @@ bad: run_err("%s: %s", np, strerror(errno));
#else /* HAVE_FCHMOD */
if (chmod(np, omode & ~mask)) {
#endif /* HAVE_FCHMOD */
- run_err("%s: set mode: %s",
+ note_err("%s: set mode: %s",
np, strerror(errno));
- wrerr = DISPLAYED;
}
}
- if (close(ofd) == -1) {
- wrerr = YES;
- wrerrno = errno;
- }
+ if (close(ofd) == -1)
+ note_err(np, "%s: close: %s", np, strerror(errno));
(void) response();
if (showprogress)
stop_progress_meter();
- if (setimes && wrerr == NO) {
+ if (setimes && !wrerr) {
setimes = 0;
if (utimes(np, tv) == -1) {
- run_err("%s: set times: %s",
+ note_err("%s: set times: %s",
np, strerror(errno));
- wrerr = DISPLAYED;
}
}
- switch (wrerr) {
- case YES:
- run_err("%s: %s", np, strerror(wrerrno));
- break;
- case NO:
+ /* If no error was noted then signal success for this file */
+ if (note_err(NULL) == 0)
(void) atomicio(vwrite, remout, "", 1);
- break;
- case DISPLAYED:
- break;
- }
}
done:
for (n = 0; n < npatterns; n++)
@@ -1633,6 +1623,38 @@ run_err(const char *fmt,...)
}
}
+/*
+ * Notes a sink error for sending at the end of a file transfer. Returns 0 if
+ * no error has been noted or -1 otherwise. Use note_err(NULL) to flush
+ * any active error at the end of the transfer.
+ */
+int
+note_err(const char *fmt, ...)
+{
+ static char *emsg;
+ va_list ap;
+
+ /* Replay any previously-noted error */
+ if (fmt == NULL) {
+ if (emsg == NULL)
+ return 0;
+ run_err("%s", emsg);
+ free(emsg);
+ emsg = NULL;
+ return -1;
+ }
+
+ errs++;
+ /* Prefer first-noted error */
+ if (emsg != NULL)
+ return -1;
+
+ va_start(ap, fmt);
+ vasnmprintf(&emsg, INT_MAX, NULL, fmt, ap);
+ va_end(ap);
+ return -1;
+}
+
void
verifydir(char *cp)
{


@ -1,34 +0,0 @@
From 955854cafca88e0cdcd3d09ca1ad4ada465364a1 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 6 May 2020 20:57:38 +0000
Subject: [PATCH] upstream: another case where a utimes() failure could make
scp send
a desynchronising error; reminded by Aymeric Vincent ok deraadt markus
OpenBSD-Commit-ID: 2ea611d34d8ff6d703a7a8bf858aa5dbfbfa7381
---
scp.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/scp.c b/scp.c
index 439025980..b4492a062 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.209 2020/05/01 06:31:42 djm Exp $ */
+/* $OpenBSD: scp.c,v 1.210 2020/05/06 20:57:38 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@@ -1427,9 +1427,7 @@ sink(int argc, char **argv, const char *src)
sink(1, vect, src);
if (setimes) {
setimes = 0;
- if (utimes(vect[0], tv) == -1)
- run_err("%s: set times: %s",
- vect[0], strerror(errno));
+ (void) utimes(vect[0], tv);
}
if (mod_flag)
(void) chmod(vect[0], mode);


@ -1,92 +0,0 @@
From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 18 Sep 2020 05:23:03 +0000
Subject: upstream: tweak the client hostkey preference ordering algorithm to
prefer the default ordering if the user has a key that matches the
best-preference default algorithm.
feedback and ok markus@
OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f
---
sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/sshconnect2.c b/sshconnect2.c
index 347e348c..f64aae66 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
return 0;
}
+/* Returns the first item from a comma-separated algorithm list */
+static char *
+first_alg(const char *algs)
+{
+ char *ret, *cp;
+
+ ret = xstrdup(algs);
+ if ((cp = strchr(ret, ',')) != NULL)
+ *cp = '\0';
+ return ret;
+}
+
static char *
order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
{
- char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
+ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL;
+ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL;
size_t maxlen;
- struct hostkeys *hostkeys;
+ struct hostkeys *hostkeys = NULL;
int ktype;
u_int i;
@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
for (i = 0; i < options.num_system_hostfiles; i++)
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
+ /*
+ * If a plain public key exists that matches the type of the best
+ * preference HostkeyAlgorithms, then use the whole list as is.
+ * Note that we ignore whether the best preference algorithm is a
+ * certificate type, as sshconnect.c will downgrade certs to
+ * plain keys if necessary.
+ */
+ best = first_alg(options.hostkeyalgorithms);
+ if (lookup_key_in_hostkeys_by_type(hostkeys,
+ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) {
+ debug3("%s: have matching best-preference key type %s, "
+ "using HostkeyAlgorithms verbatim", __func__, best);
+ ret = xstrdup(options.hostkeyalgorithms);
+ goto out;
+ }
+
+ /*
+ * Otherwise, prefer the host key algorithms that match known keys
+ * while keeping the ordering of HostkeyAlgorithms as much as possible.
+ */
oavail = avail = xstrdup(options.hostkeyalgorithms);
maxlen = strlen(avail) + 1;
first = xmalloc(maxlen);
@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
if (*first != '\0')
debug3("%s: prefer hostkeyalgs: %s", __func__, first);
+ out:
+ free(best);
free(first);
free(last);
free(hostname);
--
cgit v1.2.3


@ -1,159 +0,0 @@
From 2e0b74242220a97926d006719d1ac6e113918e2b Mon Sep 17 00:00:00 2001
From: seuzw <930zhaowei@163.com>
Date: Thu, 20 May 2021 20:23:30 +0800
Subject: [PATCH] add strict-scp-check for CVE-2020-15778
---
servconf.c | 12 ++++++++++++
servconf.h | 1 +
session.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 63 insertions(+)
diff --git a/servconf.c b/servconf.c
index 76147f9..4e0401f 100644
--- a/servconf.c
+++ b/servconf.c
@@ -90,6 +90,7 @@ initialize_server_options(ServerOptions *options)
{
memset(options, 0, sizeof(*options));
+ options->strict_scp_check = -1;
/* Portable-specific options */
options->use_pam = -1;
@@ -330,6 +331,8 @@ fill_default_server_options(ServerOptions *options)
_PATH_HOST_XMSS_KEY_FILE, 0);
#endif /* WITH_XMSS */
}
+ if (options->strict_scp_check == -1)
+ options->strict_scp_check = 0;
/* No certificates by default */
if (options->num_ports == 0)
options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
@@ -540,6 +543,7 @@ fill_default_server_options(ServerOptions *options)
/* Keyword tokens. */
typedef enum {
sBadOption, /* == unknown option */
+ sStrictScpCheck,
/* Portable-specific options */
sUsePAM,
/* Standard Options */
@@ -598,6 +602,7 @@ static struct {
#else
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
#endif
+ { "strictscpcheck", sStrictScpCheck, SSHCFG_GLOBAL },
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
{ "port", sPort, SSHCFG_GLOBAL },
@@ -1372,6 +1377,11 @@ process_server_config_line_depth(ServerOptions *options, char *line,
/* Standard Options */
case sBadOption:
return -1;
+
+ case sStrictScpCheck:
+ intptr = &options->strict_scp_check;
+ goto parse_flag;
+
case sPort:
/* ignore ports from configfile if cmdline specifies ports */
if (options->ports_from_cmdline)
@@ -2556,6 +2566,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
dst->n = src->n; \
} while (0)
+ M_CP_INTOPT(strict_scp_check);
M_CP_INTOPT(password_authentication);
M_CP_INTOPT(gss_authentication);
M_CP_INTOPT(pubkey_authentication);
@@ -2846,6 +2857,7 @@ dump_config(ServerOptions *o)
#ifdef USE_PAM
dump_cfg_fmtint(sUsePAM, o->use_pam);
#endif
+ dump_cfg_fmtint(sStrictScpCheck, o->strict_scp_check);
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
dump_cfg_int(sX11MaxDisplays, o->x11_max_displays);
diff --git a/servconf.h b/servconf.h
index 2c16b5a..e37dc25 100644
--- a/servconf.h
+++ b/servconf.h
@@ -192,6 +192,7 @@ typedef struct {
* disconnect the session
*/
+ int strict_scp_check;
u_int num_authkeys_files; /* Files containing public keys */
char **authorized_keys_files;
diff --git a/session.c b/session.c
index 607f17a..383c8ee 100644
--- a/session.c
+++ b/session.c
@@ -175,6 +175,50 @@ static char *auth_sock_dir = NULL;
/* removes the agent forwarding socket */
+int scp_check(const char *command)
+{
+ debug("Entering scp check");
+ int check = 0;
+ if (command == NULL) {
+ debug("scp check succeeded for shell mode");
+ return check;
+ }
+ int lc = strlen(command);
+ char special_characters[] = "|;&$><`\\!\n";
+ int ls = strlen(special_characters);
+ int count_char[128] = {0};
+
+ for (int i = 0; i < ls; i++) {
+ count_char[special_characters[i]] = 1;
+ }
+
+ char scp_prefix[6] = "scp -";
+ int lp = 5;
+
+ if (lc <= lp) {
+ debug("scp check succeeded for length");
+ return check;
+ }
+
+ for (int i = 0; i < lp; i++) {
+ if (command[i] - scp_prefix[i]) {
+ debug("scp check succeeded for prefix");
+ return check;
+ }
+ }
+
+ for (int i = lp; i < lc; i++) {
+ if (command[i] > 0 && command[i] < 128) {
+ if (count_char[command[i]]) {
+ check = 1;
+ debug("scp check failed at %d: %c", i, command[i]);
+ break;
+ }
+ }
+ }
+ return check;
+}
+
static void
auth_sock_cleanup_proc(struct passwd *pw)
{
@@ -696,6 +740,12 @@ do_exec(struct ssh *ssh, Session *s, const char *command)
command = auth_opts->force_command;
forced = "(key-option)";
}
+
+ if (options.strict_scp_check && scp_check(command)) {
+ verbose("Special characters not allowed in scp");
+ return 1;
+ }
+
#ifdef GSSAPI
#ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */
else if (k5users_allowed_cmds) {
--
2.23.0


@ -1,34 +0,0 @@
From f3cbe43e28fe71427d41cfe3a17125b972710455 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 26 Sep 2021 14:01:03 +0000
Subject: upstream: need initgroups() before setresgid(); reported by anton@,
ok deraadt@
OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
---
auth.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/auth.c b/auth.c
index c73444a..e510a05 100644
--- a/auth.c
+++ b/auth.c
@@ -852,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
}
closefrom(STDERR_FILENO + 1);
+ if (geteuid() == 0 &&
+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
+ error("%s: initgroups(%s, %u): %s", tag,
+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
+ _exit(1);
+ }
+
/* Don't use permanently_set_uid() here to avoid fatal() */
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
--
1.8.3.1


@ -1,28 +0,0 @@
From f3cbe43e28fe71427d41cfe3a17125b972710455 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 26 Sep 2021 14:01:03 +0000
Subject: upstream: need initgroups() before setresgid(); reported by anton@,
ok deraadt@
OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
---
auth.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/auth.c b/auth.c
index e510a05..46b56cf 100644
--- a/auth.c
+++ b/auth.c
@@ -39,6 +39,7 @@
# include <paths.h>
#endif
#include <pwd.h>
+#include <grp.h>
#ifdef HAVE_LOGIN_H
#include <login.h>
#endif
--
1.8.3.1


@ -1,46 +0,0 @@
From c9f7bba2e6f70b7ac1f5ea190d890cb5162ce127 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Fri, 25 Jun 2021 15:08:18 +1000
Subject: Move closefrom() to before first malloc.
When built against tcmalloc, tcmalloc allocates a descriptor for its
internal use, so calling closefrom() afterward causes the descriptor
number to be reused resulting in a corrupted connection. Moving the
closefrom a little earlier should resolve this. From kircherlike at
outlook.com via bz#3321, ok djm@
---
ssh.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/ssh.c b/ssh.c
index cf8c018e..0343cba3 100644
--- a/ssh.c
+++ b/ssh.c
@@ -609,6 +609,12 @@ main(int ac, char **av)
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
+ /*
+ * Discard other fds that are hanging around. These can cause problem
+ * with backgrounded ssh processes started by ControlPersist.
+ */
+ closefrom(STDERR_FILENO + 1);
+
__progname = ssh_get_progname(av[0]);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
SSLeay_add_all_algorithms();
@@ -638,12 +644,6 @@ main(int ac, char **av)
debug("FIPS mode initialized");
}
- /*
- * Discard other fds that are hanging around. These can cause problem
- * with backgrounded ssh processes started by ControlPersist.
- */
- closefrom(STDERR_FILENO + 1);
-
/* Get user data. */
pw = getpwuid(getuid());
if (!pw) {
--
cgit v1.2.3


@ -0,0 +1,19 @@
diff -up openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-8.6p1/contrib/gnome-ssh-askpass2.c
--- openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info 2021-04-19 13:57:11.720113536 +0200
+++ openssh-8.6p1/contrib/gnome-ssh-askpass2.c 2021-04-19 13:59:29.842163204 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-4.3p2-askpass-grab-info.patch
@@ -70,8 +70,12 @@ report_failed_grab (GtkWidget *parent_wi
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE,
- "Could not grab %s. A malicious client may be eavesdropping "
- "on your session.", what);
+ "SSH password dialog could not grab the %s input.\n"
+ "This might be caused by application such as screensaver, "
+ "however it could also mean that someone may be eavesdropping "
+ "on your session.\n"
+ "Either close the application which grabs the %s or "
+ "log out and log in again to prevent this from happening.", what, what);
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
gtk_dialog_run(GTK_DIALOG(err));
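Review bot: The `Reference:` annotation placed right after `+++ openssh-8.6p1/contrib/gnome-ssh-askpass2.c` sits between the file header and the `@@ -70,8 +70,12 @@` hunk header, i.e. inside the unified diff rather than in the free text that patch tools skip ahead of the `diff`/`---` lines. Depending on the tool that applies the file, a non-hunk line in that position may cause the hunk header to go unrecognised or the hunk to be attributed to the wrong file, so moving the line above `diff -up openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info ...` would be safer. The same placement is used in the other patch files this commit adds or rebases (askpass-progress, sigpipe, ipv6man, ctr-evp-fast, fromto-remote, log-in-chroot), so one fix pattern covers them all. report_failed_grab() starts and ends outside the shown hunk.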


@ -1,16 +1,17 @@
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contrib/gnome-ssh-askpass2.c diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contrib/gnome-ssh-askpass2.c
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100 +++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-5.1p1-askpass-progress.patch
@@ -53,6 +53,7 @@ @@ -53,6 +53,7 @@
#include <string.h>
#include <unistd.h> #include <unistd.h>
#include <X11/Xlib.h> #include <X11/Xlib.h>
+#include <glib.h> +#include <glib.h>
#include <gtk/gtk.h> #include <gtk/gtk.h>
#include <gdk/gdkx.h> #include <gdk/gdkx.h>
#include <gdk/gdkkeysyms.h>
@@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia @@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); return 1;
} }
+static void +static void
@ -34,39 +35,44 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
- GtkWidget *parent_window, *dialog, *entry; - GtkWidget *parent_window, *dialog, *entry;
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox; + GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
GdkGrabStatus status; GdkGrabStatus status;
GdkColor fg, bg;
int fg_set = 0, bg_set = 0;
@@ -104,14 +116,19 @@ passphrase_dialog(char *message)
gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) {
@@ -104,16 +116,37 @@ passphrase_dialog(char *message)
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
if (prompt_type == PROMPT_ENTRY) {
+ hbox = gtk_hbox_new(FALSE, 0); + hbox = gtk_hbox_new(FALSE, 0);
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, + gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
+ FALSE, 0); + FALSE, 0);
+ gtk_widget_show(hbox); + gtk_widget_show(hbox);
+ +
entry = gtk_entry_new(); entry = gtk_entry_new();
if (fg_set)
gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
if (bg_set)
gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
gtk_box_pack_start( gtk_box_pack_start(
- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), - GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
- entry, FALSE, FALSE, 0); - entry, FALSE, FALSE, 0);
+ GTK_BOX(hbox), entry, + GTK_BOX(hbox), entry, TRUE, FALSE, 0);
+ TRUE, FALSE, 0);
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2); + gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
gtk_widget_grab_focus(entry); gtk_widget_grab_focus(entry);
gtk_widget_show(entry); if (prompt_type == PROMPT_ENTRY) {
/* Make <enter> close dialog */ @@ -130,6 +145,22 @@ passphrase_dialog(char *message)
g_signal_connect(G_OBJECT(entry), "activate", g_signal_connect(G_OBJECT(entry), "key_press_event",
G_CALLBACK(ok_dialog), dialog); G_CALLBACK(check_none), dialog);
}
+ +
+ hbox = gtk_hbox_new(FALSE, 0); + hbox = gtk_hbox_new(FALSE, 0);
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, + gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox),
+ FALSE, 8); + hbox, FALSE, FALSE, 8);
+ gtk_widget_show(hbox); + gtk_widget_show(hbox);
+ +
+ progress = gtk_progress_bar_new(); + progress = gtk_progress_bar_new();
+ +
+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally"); + gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress),
+ "Passphrase length hidden intentionally");
+ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE, + gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
+ TRUE, 5); + TRUE, 5);
+ gtk_widget_show(progress); + gtk_widget_show(progress);
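Review bot: The new lines `gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, FALSE, 0);` (used for both the entry row and the progress-bar row) reach into the GtkDialog struct directly, while the lines the same hunk removes used the accessor `gtk_dialog_get_content_area(GTK_DIALOG(dialog))`. Keeping the accessor, `gtk_box_pack_start(GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), hbox, FALSE, FALSE, 0);`, stays consistent with the rest of the file and avoids touching a struct field that newer GTK releases no longer expose. The side-by-side rendering of this section makes the exact old/new split hard to follow, so this is read from the `+` column only; passphrase_dialog() starts and ends outside the shown hunks.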


@ -1,6 +1,7 @@
diff -up openssh-5.8p2/ssh-keyscan.c.sigpipe openssh-5.8p2/ssh-keyscan.c diff -up openssh-5.8p2/ssh-keyscan.c.sigpipe openssh-5.8p2/ssh-keyscan.c
--- openssh-5.8p2/ssh-keyscan.c.sigpipe 2011-08-23 18:30:33.873025916 +0200 --- openssh-5.8p2/ssh-keyscan.c.sigpipe 2011-08-23 18:30:33.873025916 +0200
+++ openssh-5.8p2/ssh-keyscan.c 2011-08-23 18:32:24.574025362 +0200 +++ openssh-5.8p2/ssh-keyscan.c 2011-08-23 18:32:24.574025362 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-5.8p2-sigpipe.patch
@@ -715,6 +715,8 @@ main(int argc, char **argv) @@ -715,6 +715,8 @@ main(int argc, char **argv)
fdlim_set(maxfd); fdlim_set(maxfd);
fdcon = xcalloc(maxfd, sizeof(con)); fdcon = xcalloc(maxfd, sizeof(con));


@ -1,6 +1,7 @@
diff -up openssh-5.9p0/ssh.1.ipv6man openssh-5.9p0/ssh.1 diff -up openssh-5.9p0/ssh.1.ipv6man openssh-5.9p0/ssh.1
--- openssh-5.9p0/ssh.1.ipv6man 2011-08-05 22:17:32.000000000 +0200 --- openssh-5.9p0/ssh.1.ipv6man 2011-08-05 22:17:32.000000000 +0200
+++ openssh-5.9p0/ssh.1 2011-08-31 13:08:34.880024485 +0200 +++ openssh-5.9p0/ssh.1 2011-08-31 13:08:34.880024485 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-5.9p1-ipv6man.patch
@@ -1400,6 +1400,8 @@ manual page for more information. @@ -1400,6 +1400,8 @@ manual page for more information.
.Nm .Nm
exits with the exit status of the remote command or with 255 exits with the exit status of the remote command or with 255
@ -13,6 +14,7 @@ diff -up openssh-5.9p0/ssh.1.ipv6man openssh-5.9p0/ssh.1
diff -up openssh-5.9p0/sshd.8.ipv6man openssh-5.9p0/sshd.8 diff -up openssh-5.9p0/sshd.8.ipv6man openssh-5.9p0/sshd.8
--- openssh-5.9p0/sshd.8.ipv6man 2011-08-05 22:17:32.000000000 +0200 --- openssh-5.9p0/sshd.8.ipv6man 2011-08-05 22:17:32.000000000 +0200
+++ openssh-5.9p0/sshd.8 2011-08-31 13:10:34.129039094 +0200 +++ openssh-5.9p0/sshd.8 2011-08-31 13:10:34.129039094 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-5.9p1-ipv6man.patch
@@ -940,6 +940,8 @@ concurrently for different ports, this c @@ -940,6 +940,8 @@ concurrently for different ports, this c
started last). started last).
The content of this file is not sensitive; it can be world-readable. The content of this file is not sensitive; it can be world-readable.


@ -1,6 +1,7 @@
diff -up openssh-5.9p1/cipher-ctr.c.ctr-evp openssh-5.9p1/cipher-ctr.c diff -up openssh-5.9p1/cipher-ctr.c.ctr-evp openssh-5.9p1/cipher-ctr.c
--- openssh-5.9p1/cipher-ctr.c.ctr-evp 2012-01-11 09:24:06.000000000 +0100 --- openssh-5.9p1/cipher-ctr.c.ctr-evp 2012-01-11 09:24:06.000000000 +0100
+++ openssh-5.9p1/cipher-ctr.c 2012-01-11 15:54:04.675956600 +0100 +++ openssh-5.9p1/cipher-ctr.c 2012-01-11 15:54:04.675956600 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.3p1-ctr-evp-fast.patch
@@ -38,7 +38,7 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, in @@ -38,7 +38,7 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, in
struct ssh_aes_ctr_ctx struct ssh_aes_ctr_ctx


@ -2,6 +2,7 @@ diff --git a/scp.c b/scp.c
index d98fa67..25d347b 100644 index d98fa67..25d347b 100644
--- a/scp.c --- a/scp.c
+++ b/scp.c +++ b/scp.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.4p1-fromto-remote.patch
@@ -638,7 +638,10 @@ toremote(char *targ, int argc, char **argv) @@ -638,7 +638,10 @@ toremote(char *targ, int argc, char **argv)
addargs(&alist, "%s", ssh_program); addargs(&alist, "%s", ssh_program);
addargs(&alist, "-x"); addargs(&alist, "-x");


@ -1,19 +1,20 @@
diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c
--- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/log.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100 +++ openssh-8.6p1/log.c 2021-04-19 14:43:08.544843434 +0200
@@ -250,6 +250,11 @@ debug3(const char *fmt,...) Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch
void @@ -194,6 +194,11 @@ void
log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) log_init(const char *av0, LogLevel level, SyslogFacility facility,
int on_stderr)
{ {
+ log_init_handler(av0, level, facility, on_stderr, 1); + log_init_handler(av0, level, facility, on_stderr, 1);
+} +}
+ +
+void +void
+log_init_handler(char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) { +log_init_handler(const char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT; struct syslog_data sdata = SYSLOG_DATA_INIT;
#endif #endif
@@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl @@ -206,8 +211,10 @@ log_init(const char *av0, LogLevel level
exit(1); exit(1);
} }
@ -26,21 +27,23 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
log_on_stderr = on_stderr; log_on_stderr = on_stderr;
if (on_stderr) if (on_stderr)
diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h diff -up openssh-8.6p1/log.h.log-in-chroot openssh-8.6p1/log.h
--- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/log.h.log-in-chroot 2021-04-19 14:43:08.544843434 +0200
+++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100 +++ openssh-8.6p1/log.h 2021-04-19 14:56:46.931042176 +0200
@@ -49,6 +49,7 @@ typedef enum { Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch
typedef void (log_handler_fn)(LogLevel, const char *, void *); @@ -52,6 +52,7 @@ typedef enum {
typedef void (log_handler_fn)(LogLevel, int, const char *, void *);
void log_init(char *, LogLevel, SyslogFacility, int); void log_init(const char *, LogLevel, SyslogFacility, int);
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int); +void log_init_handler(const char *, LogLevel, SyslogFacility, int, int);
LogLevel log_level_get(void); LogLevel log_level_get(void);
int log_change_level(LogLevel); int log_change_level(LogLevel);
int log_is_on_stderr(void); int log_is_on_stderr(void);
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c diff -up openssh-8.6p1/monitor.c.log-in-chroot openssh-8.6p1/monitor.c
--- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100 --- openssh-8.6p1/monitor.c.log-in-chroot 2021-04-19 14:43:08.526843298 +0200
+++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100 +++ openssh-8.6p1/monitor.c 2021-04-19 14:55:25.286424043 +0200
@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch
@@ -297,6 +297,8 @@ monitor_child_preauth(struct ssh *ssh, s
close(pmonitor->m_log_sendfd); close(pmonitor->m_log_sendfd);
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
@ -49,7 +52,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
authctxt = (Authctxt *)ssh->authctxt; authctxt = (Authctxt *)ssh->authctxt;
memset(authctxt, 0, sizeof(*authctxt)); memset(authctxt, 0, sizeof(*authctxt));
ssh->authctxt = authctxt; ssh->authctxt = authctxt;
@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p @@ -408,6 +410,8 @@ monitor_child_postauth(struct ssh *ssh,
close(pmonitor->m_recvfd); close(pmonitor->m_recvfd);
pmonitor->m_recvfd = -1; pmonitor->m_recvfd = -1;
@ -58,16 +61,16 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
monitor_set_child_handler(pmonitor->m_pid); monitor_set_child_handler(pmonitor->m_pid);
ssh_signal(SIGHUP, &monitor_child_handler); ssh_signal(SIGHUP, &monitor_child_handler);
ssh_signal(SIGTERM, &monitor_child_handler); ssh_signal(SIGTERM, &monitor_child_handler);
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito @@ -480,7 +484,7 @@ monitor_read_log(struct monitor *pmonito
/* Log it */
if (log_level_name(level) == NULL) if (log_level_name(level) == NULL)
fatal("%s: invalid log level %u (corrupted message?)", fatal_f("invalid log level %u (corrupted message?)", level);
__func__, level); - sshlogdirect(level, forced, "%s [preauth]", msg);
- do_log2(level, "%s [preauth]", msg); + sshlogdirect(level, forced, "%s [%s]", msg, pmonitor->m_state);
+ do_log2(level, "%s [%s]", msg, pmonitor->m_state);
sshbuf_free(logmsg); sshbuf_free(logmsg);
free(msg); free(msg);
@@ -1719,13 +1723,28 @@ monitor_init(void) @@ -1868,13 +1872,28 @@ monitor_init(void)
mon = xcalloc(1, sizeof(*mon)); mon = xcalloc(1, sizeof(*mon));
monitor_openfds(mon, 1); monitor_openfds(mon, 1);
@ -89,7 +92,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
+ xasprintf(&dev_log_path, "%s/dev/log", chroot_dir); + xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
+ +
+ if (stat(dev_log_path, &dev_log_stat) != 0) { + if (stat(dev_log_path, &dev_log_stat) != 0) {
+ debug("%s: /dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", __func__, chroot_dir); + debug_f("/dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", chroot_dir);
+ do_logfds = 1; + do_logfds = 1;
+ } + }
+ free(dev_log_path); + free(dev_log_path);
@ -98,10 +101,11 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
} }
#ifdef GSSAPI #ifdef GSSAPI
diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h diff -up openssh-8.6p1/monitor.h.log-in-chroot openssh-8.6p1/monitor.h
--- openssh-7.4p1/monitor.h.log-in-chroot 2016-12-23 15:14:33.330168088 +0100 --- openssh-8.6p1/monitor.h.log-in-chroot 2021-04-19 14:43:08.527843305 +0200
+++ openssh-7.4p1/monitor.h 2016-12-23 15:16:28.372190424 +0100 +++ openssh-8.6p1/monitor.h 2021-04-19 14:43:08.545843441 +0200
@@ -83,10 +83,11 @@ struct monitor { Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch
@@ -80,10 +80,11 @@ struct monitor {
int m_log_sendfd; int m_log_sendfd;
struct kex **m_pkex; struct kex **m_pkex;
pid_t m_pid; pid_t m_pid;
@ -114,9 +118,10 @@ diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
struct Authctxt; struct Authctxt;
void monitor_child_preauth(struct ssh *, struct monitor *); void monitor_child_preauth(struct ssh *, struct monitor *);
diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c diff -up openssh-8.6p1/session.c.log-in-chroot openssh-8.6p1/session.c
--- openssh-7.4p1/session.c.log-in-chroot 2016-12-23 15:14:33.319168086 +0100 --- openssh-8.6p1/session.c.log-in-chroot 2021-04-19 14:43:08.534843358 +0200
+++ openssh-7.4p1/session.c 2016-12-23 15:18:18.742211853 +0100 +++ openssh-8.6p1/session.c 2021-04-19 14:43:08.545843441 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch
@@ -160,6 +160,7 @@ login_cap_t *lc; @@ -160,6 +160,7 @@ login_cap_t *lc;
static int is_child = 0; static int is_child = 0;
@ -125,7 +130,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
/* File containing userauth info, if ExposeAuthInfo set */ /* File containing userauth info, if ExposeAuthInfo set */
static char *auth_info_file = NULL; static char *auth_info_file = NULL;
@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command) @@ -661,6 +662,7 @@ do_exec(struct ssh *ssh, Session *s, con
int ret; int ret;
const char *forced = NULL, *tty = NULL; const char *forced = NULL, *tty = NULL;
char session_type[1024]; char session_type[1024];
@ -133,7 +138,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
if (options.adm_forced_command) { if (options.adm_forced_command) {
original_command = command; original_command = command;
@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command) @@ -720,6 +722,10 @@ do_exec(struct ssh *ssh, Session *s, con
tty += 5; tty += 5;
} }
@ -144,10 +149,10 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d", verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
session_type, session_type,
tty == NULL ? "" : " on ", tty == NULL ? "" : " on ",
@@ -1486,14 +1492,6 @@ child_close_fds(void) @@ -1524,14 +1530,6 @@ child_close_fds(struct ssh *ssh)
* descriptors left by system functions. They will be closed later.
*/ /* Stop directing logs to a high-numbered fd before we close it */
endpwent(); log_redirect_stderr_to(NULL);
- -
- /* - /*
- * Close any extra open file descriptors so that we don't have them - * Close any extra open file descriptors so that we don't have them
@ -159,7 +164,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
} }
/* /*
@@ -1629,8 +1627,6 @@ do_child(Session *s, const char *command @@ -1665,8 +1663,6 @@ do_child(struct ssh *ssh, Session *s, co
exit(1); exit(1);
} }
@ -168,7 +173,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
do_rc_files(ssh, s, shell); do_rc_files(ssh, s, shell);
/* restore SIGPIPE for child */ /* restore SIGPIPE for child */
@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command @@ -1691,9 +1687,17 @@ do_child(struct ssh *ssh, Session *s, co
argv[i] = NULL; argv[i] = NULL;
optind = optreset = 1; optind = optreset = 1;
__progname = argv[0]; __progname = argv[0];
@ -187,9 +192,10 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
fflush(NULL); fflush(NULL);
/* Get the last component of the shell name. */ /* Get the last component of the shell name. */
diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h diff -up openssh-8.6p1/sftp.h.log-in-chroot openssh-8.6p1/sftp.h
--- openssh-7.4p1/sftp.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/sftp.h.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/sftp.h 2016-12-23 15:14:33.331168088 +0100 +++ openssh-8.6p1/sftp.h 2021-04-19 14:43:08.545843441 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch
@@ -97,5 +97,5 @@ @@ -97,5 +97,5 @@
struct passwd; struct passwd;
@ -197,10 +203,11 @@ diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
-int sftp_server_main(int, char **, struct passwd *); -int sftp_server_main(int, char **, struct passwd *);
+int sftp_server_main(int, char **, struct passwd *, int); +int sftp_server_main(int, char **, struct passwd *, int);
void sftp_server_cleanup_exit(int) __attribute__((noreturn)); void sftp_server_cleanup_exit(int) __attribute__((noreturn));
diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c
--- openssh-7.4p1/sftp-server.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/sftp-server.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/sftp-server.c 2016-12-23 15:14:33.331168088 +0100 +++ openssh-8.6p1/sftp-server.c 2021-04-19 14:43:08.545843441 +0200
@@ -1497,7 +1497,7 @@ sftp_server_usage(void) Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch
@@ -1644,7 +1644,7 @@ sftp_server_usage(void)
} }
int int
@ -209,7 +216,7 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
{ {
fd_set *rset, *wset; fd_set *rset, *wset;
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0; int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv, @@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv,
extern char *__progname; extern char *__progname;
__progname = ssh_get_progname(argv[0]); __progname = ssh_get_progname(argv[0]);
@ -218,7 +225,7 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
pw = pwcopy(user_pw); pw = pwcopy(user_pw);
@@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv, @@ -1730,7 +1730,7 @@ sftp_server_main(int argc, char **argv,
} }
} }
@ -227,20 +234,22 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
/* /*
* On platforms where we can, avoid making /proc/self/{mem,maps} * On platforms where we can, avoid making /proc/self/{mem,maps}
diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c diff -up openssh-8.6p1/sftp-server-main.c.log-in-chroot openssh-8.6p1/sftp-server-main.c
--- openssh-7.4p1/sftp-server-main.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/sftp-server-main.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/sftp-server-main.c 2016-12-23 15:14:33.331168088 +0100 +++ openssh-8.6p1/sftp-server-main.c 2021-04-19 14:43:08.545843441 +0200
@@ -49,5 +49,5 @@ main(int argc, char **argv) Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch
@@ -50,5 +50,5 @@ main(int argc, char **argv)
return 1; return 1;
} }
- return (sftp_server_main(argc, argv, user_pw)); - return (sftp_server_main(argc, argv, user_pw));
+ return (sftp_server_main(argc, argv, user_pw, 0)); + return (sftp_server_main(argc, argv, user_pw, 0));
} }
diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c diff -up openssh-8.6p1/sshd.c.log-in-chroot openssh-8.6p1/sshd.c
--- openssh-7.4p1/sshd.c.log-in-chroot 2016-12-23 15:14:33.328168088 +0100 --- openssh-8.6p1/sshd.c.log-in-chroot 2021-04-19 14:43:08.543843426 +0200
+++ openssh-7.4p1/sshd.c 2016-12-23 15:14:33.332168088 +0100 +++ openssh-8.6p1/sshd.c 2021-04-19 14:43:08.545843441 +0200
@@ -650,7 +650,7 @@ privsep_postauth(Authctxt *authctxt) Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-log-in-chroot.patch
@@ -559,7 +559,7 @@ privsep_postauth(struct ssh *ssh, Authct
} }
/* New socket pair */ /* New socket pair */
@ -249,7 +258,7 @@ diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
pmonitor->m_pid = fork(); pmonitor->m_pid = fork();
if (pmonitor->m_pid == -1) if (pmonitor->m_pid == -1)
@@ -668,6 +668,11 @@ privsep_postauth(Authctxt *authctxt) @@ -578,6 +578,11 @@ privsep_postauth(struct ssh *ssh, Authct
close(pmonitor->m_sendfd); close(pmonitor->m_sendfd);
pmonitor->m_sendfd = -1; pmonitor->m_sendfd = -1;
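Review bot: The chroot logging probe in the monitor_init hunk, `if (stat(dev_log_path, &dev_log_stat) != 0)`, only tests that something named /dev/log exists under the chroot; a plain file or directory with that name would satisfy it, do_logfds would stay unset, and the post-auth child would presumably end up with a syslog socket it cannot connect to instead of falling back to the monitor. Consider `if (stat(dev_log_path, &dev_log_stat) != 0 || !S_ISSOCK(dev_log_stat.st_mode))` so that only a socket counts as a usable log target. The enclosing block, including where chroot_dir is derived, starts before this hunk, so the state of chroot_dir at this point cannot be checked from here. Separately, the new `log_init_handler(const char *av0, ...) {` definition at the top of the log.c hunk puts the opening brace on the signature line, unlike `log_init` directly above it, which keeps it on its own line in the file's style.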


@ -1,5 +1,6 @@
--- a/scp.c --- a/scp.c
+++ a/scp.c +++ a/scp.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-scp-non-existing-directory.patch
@@ -1084,6 +1084,10 @@ sink(int argc, char **argv) @@ -1084,6 +1084,10 @@ sink(int argc, char **argv)
free(vect[0]); free(vect[0]);
continue; continue;


@ -2,6 +2,7 @@ diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
index 8f32464..18a2ca4 100644 index 8f32464..18a2ca4 100644
--- a/openbsd-compat/port-linux-sshd.c --- a/openbsd-compat/port-linux-sshd.c
+++ b/openbsd-compat/port-linux-sshd.c +++ b/openbsd-compat/port-linux-sshd.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-selinux-contexts.patch
@@ -32,6 +32,7 @@ @@ -32,6 +32,7 @@
#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */ #include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
#include "servconf.h" #include "servconf.h"
@ -34,19 +35,19 @@ index 8f32464..18a2ca4 100644
+ +
+ contexts_path = selinux_openssh_contexts_path(); + contexts_path = selinux_openssh_contexts_path();
+ if (contexts_path == NULL) { + if (contexts_path == NULL) {
+ debug3("%s: Failed to get the path to SELinux context", __func__); + debug3_f("Failed to get the path to SELinux context");
+ return; + return;
+ } + }
+ +
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) { + if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
+ debug("%s: Failed to open SELinux context file", __func__); + debug_f("Failed to open SELinux context file");
+ return; + return;
+ } + }
+ +
+ if (fstat(fileno(contexts_file), &sb) != 0 || + if (fstat(fileno(contexts_file), &sb) != 0 ||
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) { + sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
+ logit("%s: SELinux context file needs to be owned by root" + logit_f("SELinux context file needs to be owned by root"
+ " and not writable by anyone else", __func__); + " and not writable by anyone else");
+ fclose(contexts_file); + fclose(contexts_file);
+ return; + return;
+ } + }
@ -70,7 +71,7 @@ index 8f32464..18a2ca4 100644
+ if (arg && strcmp(arg, "privsep_preauth") == 0) { + if (arg && strcmp(arg, "privsep_preauth") == 0) {
+ arg = strdelim(&cp); + arg = strdelim(&cp);
+ if (!arg || *arg == '\0') { + if (!arg || *arg == '\0') {
+ debug("%s: privsep_preauth is empty", __func__); + debug_f("privsep_preauth is empty");
+ fclose(contexts_file); + fclose(contexts_file);
+ return; + return;
+ } + }
@ -80,8 +81,8 @@ index 8f32464..18a2ca4 100644
+ fclose(contexts_file); + fclose(contexts_file);
+ +
+ if (preauth_context == NULL) { + if (preauth_context == NULL) {
+ debug("%s: Unable to find 'privsep_preauth' option in" + debug_f("Unable to find 'privsep_preauth' option in"
+ " SELinux context file", __func__); + " SELinux context file");
+ return; + return;
+ } + }
+ +
@ -96,19 +97,22 @@ diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 22ea8ef..1fc963d 100644 index 22ea8ef..1fc963d 100644
--- a/openbsd-compat/port-linux.c --- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-selinux-contexts.patch
@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname) @@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
strlcpy(newctx + len, newname, newlen - len); strlcpy(newctx + len, newname, newlen - len);
if ((cx = index(cx + 1, ':'))) if ((cx = index(cx + 1, ':')))
strlcat(newctx, cx, newlen); strlcat(newctx, cx, newlen);
- debug3("%s: setting context from '%s' to '%s'", __func__, - debug3("%s: setting context from '%s' to '%s'", __func__,
+ debug("%s: setting context from '%s' to '%s'", __func__, + debug_f("setting context from '%s' to '%s'",
oldctx, newctx); oldctx, newctx);
if (setcon(newctx) < 0) if (setcon(newctx) < 0)
switchlog("%s: setcon %s from %s failed with %s", __func__, do_log2(log_level, "%s: setcon %s from %s failed with %s",
__func__, newctx, oldctx, strerror(errno));
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index cb51f99..8b7cda2 100644 index cb51f99..8b7cda2 100644
--- a/openbsd-compat/port-linux.h --- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h +++ b/openbsd-compat/port-linux.h
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-selinux-contexts.patch
@@ -29,6 +29,7 @@ int sshd_selinux_enabled(void); @@ -29,6 +29,7 @@ int sshd_selinux_enabled(void);
void sshd_selinux_copy_context(void); void sshd_selinux_copy_context(void);
void sshd_selinux_setup_exec_context(char *); void sshd_selinux_setup_exec_context(char *);
@ -121,6 +125,7 @@ diff --git a/sshd.c b/sshd.c
index 2871fe9..39b9c08 100644 index 2871fe9..39b9c08 100644
--- a/sshd.c --- a/sshd.c
+++ b/sshd.c +++ b/sshd.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6.1p1-selinux-contexts.patch
@@ -629,7 +629,7 @@ privsep_preauth_child(void) @@ -629,7 +629,7 @@ privsep_preauth_child(void)
demote_sensitive_data(); demote_sensitive_data();
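Review bot: The ownership and permission check on the opened contexts file, `sb.st_uid != 0 || (sb.st_mode & 022) != 0`, does not require a regular file, so a root-owned FIFO or device node at the contexts path would pass it and the line-reading loop that follows could block or misbehave; `if (fstat(fileno(contexts_file), &sb) != 0 || !S_ISREG(sb.st_mode) || sb.st_uid != 0 || (sb.st_mode & (S_IWGRP | S_IWOTH)) != 0)` closes that gap and spells out the intent of the octal mask. Calling fstat on the already-open stream rather than stat on the path is the right order, since it avoids a check-then-use race between the test and the read; keep that. The enclosing function in port-linux-sshd.c starts before this hunk, so whether contexts_path is released on the early-return paths cannot be confirmed from here.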


@ -1,6 +1,7 @@
diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c
--- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100 --- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100
+++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 15:18:40.628216102 +0100 +++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 15:18:40.628216102 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-GSSAPIEnablek5users.patch
@@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri @@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
FILE *fp; FILE *fp;
char file[MAXPATHLEN]; char file[MAXPATHLEN];
@ -21,6 +22,7 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-ser
diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100 --- openssh-7.4p1/servconf.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 15:35:36.354401156 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 15:35:36.354401156 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-GSSAPIEnablek5users.patch
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions @@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
options->gss_store_rekey = -1; options->gss_store_rekey = -1;
options->gss_kex_algorithms = NULL; options->gss_kex_algorithms = NULL;
@ -28,7 +30,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
+ options->enable_k5users = -1; + options->enable_k5users = -1;
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->permit_empty_passwd = -1;
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption @@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
#endif #endif
if (options->use_kuserok == -1) if (options->use_kuserok == -1)
@ -39,8 +41,8 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -418,7 +421,7 @@ typedef enum { @@ -418,7 +421,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
sHostKeyAlgorithms, sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, - sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor, + sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
@ -72,9 +74,9 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
+ intptr = &options->enable_k5users; + intptr = &options->enable_k5users;
+ goto parse_flag; + goto parse_flag;
+ +
case sPermitListen: case sMatch:
case sPermitOpen: if (cmdline)
if (opcode == sPermitListen) { fatal("Match directive not supported as a command-line "
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d @@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(ip_qos_bulk);
@ -94,6 +96,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100 --- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
+++ openssh-7.4p1/servconf.h 2016-12-23 15:18:40.629216102 +0100 +++ openssh-7.4p1/servconf.h 2016-12-23 15:18:40.629216102 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-GSSAPIEnablek5users.patch
@@ -174,6 +174,7 @@ typedef struct { @@ -174,6 +174,7 @@ typedef struct {
int kerberos_unique_ccache; /* If true, the acquired ticket will int kerberos_unique_ccache; /* If true, the acquired ticket will
* be stored in per-session ccache */ * be stored in per-session ccache */
@ -105,6 +108,7 @@ diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5 diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users 2016-12-23 15:18:40.630216103 +0100 --- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users 2016-12-23 15:18:40.630216103 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:36:21.607408435 +0100 +++ openssh-7.4p1/sshd_config.5 2016-12-23 15:36:21.607408435 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-GSSAPIEnablek5users.patch
@@ -628,6 +628,12 @@ Specifies whether to automatically destr @@ -628,6 +628,12 @@ Specifies whether to automatically destr
on logout. on logout.
The default is The default is
@ -121,6 +125,7 @@ diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_conf
diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100 --- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
+++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100 +++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-GSSAPIEnablek5users.patch
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes @@ -80,6 +80,7 @@ GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes #GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes #GSSAPIStrictAcceptorCheck yes


@ -1,6 +1,7 @@
diff -up openssh/sshd.c.ip-opts openssh/sshd.c diff -up openssh/sshd.c.ip-opts openssh/sshd.c
--- openssh/sshd.c.ip-opts 2016-07-25 13:58:48.998507834 +0200 --- openssh/sshd.c.ip-opts 2016-07-25 13:58:48.998507834 +0200
+++ openssh/sshd.c 2016-07-25 14:01:28.346469878 +0200 +++ openssh/sshd.c 2016-07-25 14:01:28.346469878 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-allow-ip-opts.patch
@@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh) @@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh)
if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts, if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts,


@ -2,6 +2,7 @@ diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 413b845..54dd383 100644 index 413b845..54dd383 100644
--- a/gss-serv-krb5.c --- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c +++ b/gss-serv-krb5.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-force_krb.patch
@@ -32,7 +32,9 @@ @@ -32,7 +32,9 @@
#include <sys/types.h> #include <sys/types.h>
@ -208,6 +209,7 @@ diff --git a/session.c b/session.c
index 28659ec..9c94d8e 100644 index 28659ec..9c94d8e 100644
--- a/session.c --- a/session.c
+++ b/session.c +++ b/session.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-force_krb.patch
@@ -789,6 +789,29 @@ do_exec(Session *s, const char *command) @@ -789,6 +789,29 @@ do_exec(Session *s, const char *command)
command = auth_opts->force_command; command = auth_opts->force_command;
forced = "(key-option)"; forced = "(key-option)";
@ -242,6 +244,7 @@ diff --git a/ssh-gss.h b/ssh-gss.h
index 0374c88..509109a 100644 index 0374c88..509109a 100644
--- a/ssh-gss.h --- a/ssh-gss.h
+++ b/ssh-gss.h +++ b/ssh-gss.h
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-force_krb.patch
@@ -49,6 +49,10 @@ @@ -49,6 +49,10 @@
# endif /* !HAVE_DECL_GSS_C_NT_... */ # endif /* !HAVE_DECL_GSS_C_NT_... */
@ -257,6 +260,7 @@ diff --git a/sshd.8 b/sshd.8
index adcaaf9..824163b 100644 index adcaaf9..824163b 100644
--- a/sshd.8 --- a/sshd.8
+++ b/sshd.8 +++ b/sshd.8
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-force_krb.patch
@@ -324,6 +324,7 @@ Finally, the server and the client enter an authentication dialog. @@ -324,6 +324,7 @@ Finally, the server and the client enter an authentication dialog.
The client tries to authenticate itself using The client tries to authenticate itself using
host-based authentication, host-based authentication,


@ -1,10 +1,11 @@
diff -up openssh/auth.c.keycat openssh/misc.c diff -up openssh/misc.c.keycat openssh/misc.c
--- openssh/auth.c.keycat 2015-06-24 10:57:50.158849606 +0200 --- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200
+++ openssh/auth.c 2015-06-24 11:04:23.989868638 +0200 +++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200
@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch
@@ -966,6 +966,13 @@ subprocess(const char *tag, struct passw
error("%s: dup2: %s", tag, strerror(errno));
_exit(1); _exit(1);
} }
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ if (sshd_selinux_setup_env_variables() < 0) { + if (sshd_selinux_setup_env_variables() < 0) {
+ error ("failed to copy environment: %s", + error ("failed to copy environment: %s",
@ -12,13 +13,13 @@ diff -up openssh/auth.c.keycat openssh/misc.c
+ _exit(127); + _exit(127);
+ } + }
+#endif +#endif
+ if (env != NULL)
execve(av[0], av, child_env); execve(av[0], av, env);
error("%s exec \"%s\": %s", tag, command, strerror(errno)); else
_exit(127);
diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
--- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200 --- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200
+++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200 +++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch
@@ -0,0 +1,12 @@ @@ -0,0 +1,12 @@
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys +The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
+of an user in any environment. This includes environments with +of an user in any environment. This includes environments with
@ -35,17 +36,18 @@ diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
diff -up openssh/Makefile.in.keycat openssh/Makefile.in diff -up openssh/Makefile.in.keycat openssh/Makefile.in
--- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200 --- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200
+++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200 +++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
+SSH_KEYCAT=$(libexecdir)/ssh-keycat +SSH_KEYCAT=$(libexecdir)/ssh-keycat
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@ @@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@ GSSLIBS=@GSSLIBS@
SSHLIBS=@SSHLIBS@
SSHDLIBS=@SSHDLIBS@ SSHDLIBS=@SSHDLIBS@
+KEYCATLIBS=@KEYCATLIBS@ +KEYCATLIBS=@KEYCATLIBS@
LIBEDIT=@LIBEDIT@ LIBEDIT=@LIBEDIT@
@ -55,25 +57,25 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
.SUFFIXES: .lo .SUFFIXES: .lo
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
XMSS_OBJS=\ XMSS_OBJS=\
ssh-xmss.o \ ssh-xmss.o \
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) @@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS) $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS) + $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
+ +
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -321,6 +325,7 @@ install-files: @@ -321,6 +325,7 @@ install-files:
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
fi $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@ -81,6 +83,7 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
diff -up openssh/openbsd-compat/port-linux.h.keycat openssh/openbsd-compat/port-linux.h diff -up openssh/openbsd-compat/port-linux.h.keycat openssh/openbsd-compat/port-linux.h
--- openssh/openbsd-compat/port-linux.h.keycat 2015-06-24 10:57:50.150849626 +0200 --- openssh/openbsd-compat/port-linux.h.keycat 2015-06-24 10:57:50.150849626 +0200
+++ openssh/openbsd-compat/port-linux.h 2015-06-24 10:57:50.160849601 +0200 +++ openssh/openbsd-compat/port-linux.h 2015-06-24 10:57:50.160849601 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch
@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const @@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const
void ssh_selinux_change_context(const char *); void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *); void ssh_selinux_setfscreatecon(const char *);
@ -95,6 +98,7 @@ diff -up openssh/openbsd-compat/port-linux.h.keycat openssh/openbsd-compat/port-
diff -up openssh/openbsd-compat/port-linux-sshd.c.keycat openssh/openbsd-compat/port-linux-sshd.c diff -up openssh/openbsd-compat/port-linux-sshd.c.keycat openssh/openbsd-compat/port-linux-sshd.c
--- openssh/openbsd-compat/port-linux-sshd.c.keycat 2015-06-24 10:57:50.150849626 +0200 --- openssh/openbsd-compat/port-linux-sshd.c.keycat 2015-06-24 10:57:50.150849626 +0200
+++ openssh/openbsd-compat/port-linux-sshd.c 2015-06-24 10:57:50.159849603 +0200 +++ openssh/openbsd-compat/port-linux-sshd.c 2015-06-24 10:57:50.159849603 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt; @@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
extern int inetd_flag; extern int inetd_flag;
extern int rexeced_flag; extern int rexeced_flag;
@ -191,6 +195,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.keycat openssh/openbsd-compat/
diff -up openssh/platform.c.keycat openssh/platform.c diff -up openssh/platform.c.keycat openssh/platform.c
--- openssh/platform.c.keycat 2015-06-24 10:57:50.147849633 +0200 --- openssh/platform.c.keycat 2015-06-24 10:57:50.147849633 +0200
+++ openssh/platform.c 2015-06-24 10:57:50.160849601 +0200 +++ openssh/platform.c 2015-06-24 10:57:50.160849601 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch
@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *p @@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *p
{ {
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
@ -203,6 +208,7 @@ diff -up openssh/platform.c.keycat openssh/platform.c
diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
--- openssh/ssh-keycat.c.keycat 2015-06-24 10:57:50.161849599 +0200 --- openssh/ssh-keycat.c.keycat 2015-06-24 10:57:50.161849599 +0200
+++ openssh/ssh-keycat.c 2015-06-24 10:57:50.161849599 +0200 +++ openssh/ssh-keycat.c 2015-06-24 10:57:50.161849599 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch
@@ -0,0 +1,241 @@ @@ -0,0 +1,241 @@
+/* +/*
+ * Redistribution and use in source and binary forms, with or without + * Redistribution and use in source and binary forms, with or without
@ -449,6 +455,7 @@ diff --git a/configure.ac b/configure.ac
index 3bbccfd..6481f1f 100644 index 3bbccfd..6481f1f 100644
--- a/configure.ac --- a/configure.ac
+++ b/configure.ac +++ b/configure.ac
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keycat.patch
@@ -2952,6 +2952,7 @@ AC_ARG_WITH([pam], @@ -2952,6 +2952,7 @@ AC_ARG_WITH([pam],
PAM_MSG="yes" PAM_MSG="yes"
@ -466,16 +473,16 @@ index 3bbccfd..6481f1f 100644
esac esac
fi fi
@@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux], @@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux],
fi ]
) )
AC_SUBST([SSHLIBS])
AC_SUBST([SSHDLIBS]) AC_SUBST([SSHDLIBS])
+AC_SUBST([KEYCATLIBS]) +AC_SUBST([KEYCATLIBS])
# Check whether user wants Kerberos 5 support # Check whether user wants Kerberos 5 support
KRB5_MSG="no" KRB5_MSG="no"
@@ -5031,6 +5034,9 @@ fi @@ -5031,6 +5034,9 @@ fi
if test ! -z "${SSHLIBS}"; then if test ! -z "${SSHDLIBS}"; then
echo " +for ssh: ${SSHLIBS}" echo " +for sshd: ${SSHDLIBS}"
fi fi
+if test ! -z "${KEYCATLIBS}"; then +if test ! -z "${KEYCATLIBS}"; then
+echo " +for ssh-keycat: ${KEYCATLIBS}" +echo " +for ssh-keycat: ${KEYCATLIBS}"


@ -1,6 +1,7 @@
diff -up openssh-8.2p1/authfile.c.keyperm openssh-8.2p1/authfile.c diff -up openssh-8.2p1/authfile.c.keyperm openssh-8.2p1/authfile.c
--- openssh-8.2p1/authfile.c.keyperm 2020-02-14 01:40:54.000000000 +0100 --- openssh-8.2p1/authfile.c.keyperm 2020-02-14 01:40:54.000000000 +0100
+++ openssh-8.2p1/authfile.c 2020-02-17 11:55:12.841729758 +0100 +++ openssh-8.2p1/authfile.c 2020-02-17 11:55:12.841729758 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keyperm.patch
@@ -31,6 +31,7 @@ @@ -31,6 +31,7 @@
#include <errno.h> #include <errno.h>


@ -1,6 +1,7 @@
diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c
--- openssh-7.4p1/auth-krb5.c.kuserok 2016-12-23 14:36:07.640465939 +0100 --- openssh-7.4p1/auth-krb5.c.kuserok 2016-12-23 14:36:07.640465939 +0100
+++ openssh-7.4p1/auth-krb5.c 2016-12-23 14:36:07.644465936 +0100 +++ openssh-7.4p1/auth-krb5.c 2016-12-23 14:36:07.644465936 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-kuserok.patch
@@ -56,6 +56,21 @@ @@ -56,6 +56,21 @@
extern ServerOptions options; extern ServerOptions options;
@ -38,6 +39,7 @@ diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c
diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
--- openssh-7.4p1/gss-serv-krb5.c.kuserok 2016-12-23 14:36:07.640465939 +0100 --- openssh-7.4p1/gss-serv-krb5.c.kuserok 2016-12-23 14:36:07.640465939 +0100
+++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 14:36:07.644465936 +0100 +++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 14:36:07.644465936 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-kuserok.patch
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr @@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
int); int);
@ -175,6 +177,7 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.kuserok 2016-12-23 14:36:07.630465944 +0100 --- openssh-7.4p1/servconf.c.kuserok 2016-12-23 14:36:07.630465944 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 15:11:52.278133344 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 15:11:52.278133344 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-kuserok.patch
@@ -116,6 +116,7 @@ initialize_server_options(ServerOptions @@ -116,6 +116,7 @@ initialize_server_options(ServerOptions
options->gss_strict_acceptor = -1; options->gss_strict_acceptor = -1;
options->gss_store_rekey = -1; options->gss_store_rekey = -1;
@ -182,7 +185,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
+ options->use_kuserok = -1; + options->use_kuserok = -1;
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->permit_empty_passwd = -1;
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption @@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
if (options->gss_kex_algorithms == NULL) if (options->gss_kex_algorithms == NULL)
options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX); options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
@ -193,14 +196,14 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -399,7 +402,7 @@ typedef enum { @@ -399,7 +402,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sPort, sHostKeyFile, sLoginGraceTime,
sRhostsRSAAuthentication, sRSAAuthentication, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sKerberosUniqueCCache, - sKerberosGetAFSToken, sKerberosUniqueCCache,
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, + sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
sChallengeResponseAuthentication, sPasswordAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sListenAddress, sAddressFamily, sPrintMotd, sPrintLastLog, sIgnoreRhosts,
@@ -478,12 +481,14 @@ static struct { @@ -478,12 +481,14 @@ static struct {
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
@ -217,16 +220,16 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions @@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
*activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value; }
break; break;
+ case sKerberosUseKuserok: + case sKerberosUseKuserok:
+ intptr = &options->use_kuserok; + intptr = &options->use_kuserok;
+ goto parse_flag; + goto parse_flag;
+ +
case sPermitListen: case sMatch:
case sPermitOpen: if (cmdline)
if (opcode == sPermitListen) { fatal("Match directive not supported as a command-line "
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d @@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(client_alive_interval); M_CP_INTOPT(client_alive_interval);
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
@ -246,6 +249,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.kuserok 2016-12-23 14:36:07.630465944 +0100 --- openssh-7.4p1/servconf.h.kuserok 2016-12-23 14:36:07.630465944 +0100
+++ openssh-7.4p1/servconf.h 2016-12-23 14:36:07.645465936 +0100 +++ openssh-7.4p1/servconf.h 2016-12-23 14:36:07.645465936 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-kuserok.patch
@@ -118,6 +118,7 @@ typedef struct { @@ -118,6 +118,7 @@ typedef struct {
* authenticated with Kerberos. */ * authenticated with Kerberos. */
int kerberos_unique_ccache; /* If true, the acquired ticket will int kerberos_unique_ccache; /* If true, the acquired ticket will
@ -257,6 +261,7 @@ diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5 diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.kuserok 2016-12-23 14:36:07.637465940 +0100 --- openssh-7.4p1/sshd_config.5.kuserok 2016-12-23 14:36:07.637465940 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:14:03.117162222 +0100 +++ openssh-7.4p1/sshd_config.5 2016-12-23 15:14:03.117162222 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-kuserok.patch
@@ -850,6 +850,10 @@ Specifies whether to automatically destr @@ -850,6 +850,10 @@ Specifies whether to automatically destr
.Cm no .Cm no
can lead to overwriting previous tickets by subseqent connections to the same can lead to overwriting previous tickets by subseqent connections to the same
@ -279,6 +284,7 @@ diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
--- openssh-7.4p1/sshd_config.kuserok 2016-12-23 14:36:07.631465943 +0100 --- openssh-7.4p1/sshd_config.kuserok 2016-12-23 14:36:07.631465943 +0100
+++ openssh-7.4p1/sshd_config 2016-12-23 14:36:07.646465935 +0100 +++ openssh-7.4p1/sshd_config 2016-12-23 14:36:07.646465935 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-kuserok.patch
@@ -73,6 +73,7 @@ ChallengeResponseAuthentication no @@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes #KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes #KerberosTicketCleanup yes
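Review bot: The `Reference:` line is inserted between the `+++` header and the first `@@` hunk header of each file in this patch (servconf.c, servconf.h, sshd_config.5, sshd_config), and `git apply` rejects that layout because it requires the `@@` line to follow `+++` directly; GNU `patch` is more lenient, so this only bites if the package applies patches with `%autosetup -S git` or similar. Placing the line once at the top of the patch file, before the first `diff -up` header, keeps the provenance note and is accepted by both tools. The URLs also carry the local `backport-` prefix (`backport-openssh-6.6p1-kuserok.patch`) whereas the Fedora repository appears to name the file `openssh-6.6p1-kuserok.patch`, so it is worth confirming each link actually resolves. When the patch is next regenerated, the sshd_config.5 context still carries the typo `subseqent` → `subsequent`.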


@ -1,6 +1,7 @@
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux.h diff -up openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux.h
--- openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux 2016-12-23 18:58:52.972122201 +0100 --- openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux 2016-12-23 18:58:52.972122201 +0100
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 18:58:52.974122201 +0100 +++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 18:58:52.974122201 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-privsep-selinux.patch
@@ -23,6 +23,7 @@ void ssh_selinux_setup_pty(char *, const @@ -23,6 +23,7 @@ void ssh_selinux_setup_pty(char *, const
void ssh_selinux_change_context(const char *); void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *); void ssh_selinux_setfscreatecon(const char *);
@ -12,8 +13,9 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux openssh-7.4p1
diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux-sshd.c diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux-sshd.c
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100 --- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100 +++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-privsep-selinux.patch
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw @@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
debug3("%s: done", __func__); debug3_f("done");
} }
+void +void
@ -25,15 +27,15 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
+ return; + return;
+ +
+ if (getexeccon((security_context_t *)&ctx) != 0) { + if (getexeccon((security_context_t *)&ctx) != 0) {
+ logit("%s: getexeccon failed with %s", __func__, strerror(errno)); + logit_f("getexeccon failed with %s", strerror(errno));
+ return; + return;
+ } + }
+ if (ctx != NULL) { + if (ctx != NULL) {
+ /* unset exec context before we will lose this capabililty */ + /* unset exec context before we will lose this capabililty */
+ if (setexeccon(NULL) != 0) + if (setexeccon(NULL) != 0)
+ fatal("%s: setexeccon failed with %s", __func__, strerror(errno)); + fatal_f("setexeccon failed with %s", strerror(errno));
+ if (setcon(ctx) != 0) + if (setcon(ctx) != 0)
+ fatal("%s: setcon failed with %s", __func__, strerror(errno)); + fatal_f("setcon failed with %s", strerror(errno));
+ freecon(ctx); + freecon(ctx);
+ } + }
+} +}
@ -44,6 +46,7 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
--- openssh-7.4p1/session.c.privsep-selinux 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/session.c.privsep-selinux 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/session.c 2016-12-23 18:58:52.974122201 +0100 +++ openssh-7.4p1/session.c 2016-12-23 18:58:52.974122201 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-privsep-selinux.patch
@@ -1331,7 +1331,7 @@ do_setusercontext(struct passwd *pw) @@ -1331,7 +1331,7 @@ do_setusercontext(struct passwd *pw)
platform_setusercontext(pw); platform_setusercontext(pw);
@ -98,6 +101,7 @@ diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100 --- openssh-7.4p1/sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
+++ openssh-7.4p1/sshd.c 2016-12-23 18:59:13.808124269 +0100 +++ openssh-7.4p1/sshd.c 2016-12-23 18:59:13.808124269 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-privsep-selinux.patch
@@ -540,6 +540,10 @@ privsep_preauth_child(void) @@ -540,6 +540,10 @@ privsep_preauth_child(void)
/* Demote the private keys to public keys. */ /* Demote the private keys to public keys. */
demote_sensitive_data(); demote_sensitive_data();
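Review bot: In the port-linux-sshd.c hunk a `getexeccon()` failure is only logged via `logit_f("getexeccon failed with %s", strerror(errno));` before returning, whereas the subsequent `setexeccon(NULL)` and `setcon(ctx)` failures are `fatal_f`; the sshd.c hunk adds lines to `privsep_preauth_child()` (collapsed in this view) that presumably call this helper to move the unprivileged child into its SELinux context, so a quiet return leaves the child running in the parent's context, i.e. the hardening fails open. Unless there is a deliberate reason to tolerate this (the function's opening lines, including any SELinux-enabled guard, are outside the hunk), `fatal_f("getexeccon failed with %s", strerror(errno));` would make all three failure paths consistent and fail closed. The `(security_context_t *)&ctx` cast also relies on a typedef that libselinux has deprecated in favour of plain `char *`; if `ctx` is declared as `char *`, `getexeccon(&ctx)` needs no cast.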


@ -0,0 +1,599 @@
diff -up openssh-8.5p1/addr.c.coverity openssh-8.5p1/addr.c
--- openssh-8.5p1/addr.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/addr.c 2021-03-24 12:03:33.782968159 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -312,8 +312,10 @@ addr_pton(const char *p, struct xaddr *n
if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0)
return -1;
- if (ai == NULL || ai->ai_addr == NULL)
+ if (ai == NULL || ai->ai_addr == NULL) {
+ freeaddrinfo(ai);
return -1;
+ }
if (n != NULL && addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen,
n) == -1) {
@@ -336,12 +338,16 @@ addr_sa_pton(const char *h, const char *
if (h == NULL || getaddrinfo(h, s, &hints, &ai) != 0)
return -1;
- if (ai == NULL || ai->ai_addr == NULL)
+ if (ai == NULL || ai->ai_addr == NULL) {
+ freeaddrinfo(ai);
return -1;
+ }
if (sa != NULL) {
- if (slen < ai->ai_addrlen)
+ if (slen < ai->ai_addrlen) {
+ freeaddrinfo(ai);
return -1;
+ }
memcpy(sa, &ai->ai_addr, ai->ai_addrlen);
}
diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
--- openssh-8.5p1/auth-krb5.c.coverity 2021-03-24 12:03:33.724967756 +0100
+++ openssh-8.5p1/auth-krb5.c 2021-03-24 12:03:33.782968159 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
umask(old_umask);
if (tmpfd == -1) {
logit("mkstemp(): %.100s", strerror(oerrno));
+ free(ccname);
return oerrno;
}
@@ -433,6 +434,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
oerrno = errno;
logit("fchmod(): %.100s", strerror(oerrno));
close(tmpfd);
+ free(ccname);
return oerrno;
}
/* make sure the KRB5CCNAME is set for non-standard location */
diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
return r;
}
/* success */
+ sshbuf_free(b);
return 0;
}
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -1875,7 +1875,7 @@ channel_post_connecting(struct ssh *ssh,
debug("channel %d: connection failed: %s",
c->self, strerror(err));
/* Try next address, if any */
- if ((sock = connect_next(&c->connect_ctx)) > 0) {
+ if ((sock = connect_next(&c->connect_ctx)) >= 0) {
close(c->sock);
c->sock = c->rfd = c->wfd = sock;
channel_find_maxfd(ssh->chanctxt);
@@ -3804,7 +3804,7 @@ int
channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
{
int r, success = 0, idx = -1;
- char *host_to_connect, *listen_host, *listen_path;
+ char *host_to_connect = NULL, *listen_host = NULL, *listen_path = NULL;
int port_to_connect, listen_port;
/* Send the forward request to the remote side. */
@@ -3832,7 +3832,6 @@ channel_request_remote_forwarding(struct
success = 1;
if (success) {
/* Record that connection to this host/port is permitted. */
- host_to_connect = listen_host = listen_path = NULL;
port_to_connect = listen_port = 0;
if (fwd->connect_path != NULL) {
host_to_connect = xstrdup(fwd->connect_path);
@@ -3853,6 +3852,9 @@ channel_request_remote_forwarding(struct
host_to_connect, port_to_connect,
listen_host, listen_path, listen_port, NULL);
}
+ free(host_to_connect);
+ free(listen_host);
+ free(listen_path);
return idx;
}
diff -up openssh-8.5p1/compat.c.coverity openssh-8.5p1/compat.c
--- openssh-8.5p1/compat.c.coverity 2021-03-24 12:03:33.768968062 +0100
+++ openssh-8.5p1/compat.c 2021-03-24 12:03:33.783968166 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -191,10 +191,12 @@ compat_kex_proposal(struct ssh *ssh, cha
return p;
debug2_f("original KEX proposal: %s", p);
if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
+ /* coverity[overwrite_var : FALSE] */
if ((p = match_filter_denylist(p,
"curve25519-sha256@libssh.org")) == NULL)
fatal("match_filter_denylist failed");
if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
+ /* coverity[overwrite_var : FALSE] */
if ((p = match_filter_denylist(p,
"diffie-hellman-group-exchange-sha256,"
"diffie-hellman-group-exchange-sha1")) == NULL)
diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
--- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname
&hostkey_digest, &hostkey_digest_len, hostkey)) {
error("Error calculating key fingerprint.");
freerrset(fingerprints);
+ free(dnskey_digest);
return -1;
}
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -167,8 +167,9 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
enclen = __b64_ntop(digest,
ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
-
+#pragma GCC diagnostic ignored "-Wstringop-overflow"
cp = strncpy(s, kex, strlen(kex));
+#pragma pop
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (sshbuf_len(buf) != 0 &&
diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c
--- openssh-8.5p1/kexgssc.c.coverity 2021-03-24 12:03:33.711967665 +0100
+++ openssh-8.5p1/kexgssc.c 2021-03-24 12:03:33.783968166 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh)
default:
fatal_f("Unexpected KEX type %d", kex->kex_type);
}
- if (r != 0)
+ if (r != 0) {
+ ssh_gssapi_delete_ctx(&ctxt);
return r;
+ }
token_ptr = GSS_C_NO_BUFFER;
diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
sshkey_free(key);
sshbuf_free(copy);
sshbuf_free(sect);
+ /* coverity[leaked_storage : FALSE] */
return r;
}
@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
free(rb.blob);
+ rb.blob = NULL; /* make coverity happy */
if (erb != NULL) {
KRL_DBG(("revoked by key SHA1"));
return SSH_ERR_KEY_REVOKED;
@@ -1271,6 +1273,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb);
free(rb.blob);
+ rb.blob = NULL; /* make coverity happy */
if (erb != NULL) {
KRL_DBG(("revoked by key SHA256"));
return SSH_ERR_KEY_REVOKED;
@@ -1282,6 +1285,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
free(rb.blob);
+ rb.blob = NULL; /* make coverity happy */
if (erb != NULL) {
KRL_DBG(("revoked by explicit key"));
return SSH_ERR_KEY_REVOKED;
diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
--- openssh-8.5p1/loginrec.c.coverity 2021-03-24 13:18:53.793225885 +0100
+++ openssh-8.5p1/loginrec.c 2021-03-24 13:21:27.948404751 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -690,9 +690,11 @@ construct_utmp(struct logininfo *li,
*/
/* Use strncpy because we don't necessarily want null termination */
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut->ut_name, li->username,
MIN_SIZEOF(ut->ut_name, li->username));
# ifdef HAVE_HOST_IN_UTMP
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut->ut_host, li->hostname,
MIN_SIZEOF(ut->ut_host, li->hostname));
# endif
@@ -1690,6 +1692,7 @@ record_failed_login(struct ssh *ssh, con
memset(&ut, 0, sizeof(ut));
/* strncpy because we don't necessarily want nul termination */
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut.ut_user, username, sizeof(ut.ut_user));
strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line));
@@ -1699,6 +1702,7 @@ record_failed_login(struct ssh *ssh, con
ut.ut_pid = getpid();
/* strncpy because we don't necessarily want nul termination */
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
if (ssh_packet_connection_is_on_socket(ssh) &&
diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c
--- openssh-8.5p1/misc.c.coverity 2021-03-24 12:03:33.745967902 +0100
+++ openssh-8.5p1/misc.c 2021-03-24 13:31:47.037079617 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -1425,6 +1425,8 @@ sanitise_stdfd(void)
}
if (nullfd > STDERR_FILENO)
close(nullfd);
+ /* coverity[leaked_handle : FALSE]*/
+ /* coverity[leaked_handle : FALSE]*/
}
char *
@@ -2511,6 +2513,7 @@ stdfd_devnull(int do_stdin, int do_stdou
}
if (devnull > STDERR_FILENO)
close(devnull);
+ /* coverity[leaked_handle : FALSE]*/
return ret;
}
diff -up openssh-8.5p1/moduli.c.coverity openssh-8.5p1/moduli.c
--- openssh-8.5p1/moduli.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/moduli.c 2021-03-24 12:03:33.784968173 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -476,6 +476,7 @@ write_checkpoint(char *cpfile, u_int32_t
else
logit("failed to write to checkpoint file '%s': %s", cpfile,
strerror(errno));
+ /* coverity[leaked_storage : FALSE] */
}
static unsigned long
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
mm_get_keystate(ssh, pmonitor);
/* Drain any buffered messages from the child */
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
;
if (pmonitor->m_recvfd >= 0)
@@ -1678,7 +1678,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
s->ptymaster = s->ptyfd;
debug3_f("tty %s ptyfd %d", s->tty, s->ttyfd);
-
+ /* coverity[leaked_handle : FALSE] */
return (0);
error:
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error_f("cannot allocate fds for pty");
- if (tmp1 > 0)
+ if (tmp1 >= 0)
close(tmp1);
- if (tmp2 > 0)
- close(tmp2);
+ /*DEAD CODE if (tmp2 >= 0)
+ close(tmp2);*/
return 0;
}
close(tmp1);
diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6;
u_int16_t *portp;
u_int16_t port;
- socklen_t salen;
+ socklen_t salen = sizeof(struct sockaddr_storage);
int i;
if (sa == NULL) {
diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openbsd-compat/bsd-pselect.c
--- openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity 2021-08-30 16:36:11.357288009 +0200
+++ openssh-8.7p1/openbsd-compat/bsd-pselect.c 2021-08-30 16:37:21.791897976 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -113,13 +113,13 @@ pselect_notify_setup(void)
static void
pselect_notify_parent(void)
{
- if (notify_pipe[1] != -1)
+ if (notify_pipe[1] >= 0)
(void)write(notify_pipe[1], "", 1);
}
static void
pselect_notify_prepare(fd_set *readset)
{
- if (notify_pipe[0] != -1)
+ if (notify_pipe[0] >= 0)
FD_SET(notify_pipe[0], readset);
}
static void
@@ -127,8 +127,8 @@ pselect_notify_done(fd_set *readset)
{
char c;
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) {
- while (read(notify_pipe[0], &c, 1) != -1)
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) {
+ while (read(notify_pipe[0], &c, 1) >= 0)
debug2_f("reading");
FD_CLR(notify_pipe[0], readset);
}
diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100
+++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -1847,6 +1847,7 @@ parse_pubkey_algos:
} else if (r != 0) {
error("%.200s line %d: glob failed for %s.",
filename, linenum, arg2);
+ free(arg2);
goto out;
}
free(arg2);
diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
--- openssh-8.7p1/scp.c.coverity 2021-08-30 16:23:35.389741329 +0200
+++ openssh-8.7p1/scp.c 2021-08-30 16:27:04.854555296 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -186,11 +186,11 @@ killchild(int signo)
{
if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo ? signo : SIGTERM);
- waitpid(do_cmd_pid, NULL, 0);
+ (void) waitpid(do_cmd_pid, NULL, 0);
}
if (do_cmd_pid2 > 1) {
kill(do_cmd_pid2, signo ? signo : SIGTERM);
- waitpid(do_cmd_pid2, NULL, 0);
+ (void) waitpid(do_cmd_pid2, NULL, 0);
}
if (signo)
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */
- if (intptr != NULL)
- *intptr = *intptr + 1;
+ /* DEAD CODE intptr is still NULL ;)
+ if (intptr != NULL)
+ *intptr = *intptr + 1; */
}
break;
diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
--- openssh-8.7p1/serverloop.c.coverity 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/serverloop.c 2021-08-30 16:28:22.416226981 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -547,7 +547,7 @@ server_request_tun(struct ssh *ssh)
debug_f("invalid tun");
goto done;
}
- if (auth_opts->force_tun_device != -1) {
+ if (auth_opts->force_tun_device >= 0) {
if (tun != SSH_TUNID_ANY &&
auth_opts->force_tun_device != (int)tun)
goto done;
diff -up openssh-8.5p1/session.c.coverity openssh-8.5p1/session.c
--- openssh-8.5p1/session.c.coverity 2021-03-24 12:03:33.777968124 +0100
+++ openssh-8.5p1/session.c 2021-03-24 12:03:33.786968187 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -1223,12 +1223,14 @@ do_setup_env(struct ssh *ssh, Session *s
/* Environment specified by admin */
for (i = 0; i < options.num_setenv; i++) {
cp = xstrdup(options.setenv[i]);
+ /* coverity[overwrite_var : FALSE] */
if ((value = strchr(cp, '=')) == NULL) {
/* shouldn't happen; vars are checked in servconf.c */
fatal("Invalid config SetEnv: %s", options.setenv[i]);
}
*value++ = '\0';
child_set_env(&env, &envsize, cp, value);
+ free(cp);
}
/* SSH_CLIENT deprecated */
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -224,7 +224,7 @@ killchild(int signo)
pid = sshpid;
if (pid > 1) {
kill(pid, SIGTERM);
- waitpid(pid, NULL, 0);
+ (void) waitpid(pid, NULL, 0);
}
_exit(1);
@@ -762,6 +762,8 @@ process_put(struct sftp_conn *conn, cons
fflag || global_fflag) == -1)
err = -1;
}
+ free(abs_dst);
+ abs_dst = NULL;
}
out:
@@ -985,6 +987,7 @@ do_globbed_ls(struct sftp_conn *conn, co
if (lflag & LS_LONG_VIEW) {
if (g.gl_statv[i] == NULL) {
error("no stat information for %s", fname);
+ free(fname);
continue;
}
lname = ls_file(fname, g.gl_statv[i], 1,
diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c
--- openssh-8.5p1/sk-usbhid.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/sk-usbhid.c 2021-03-24 12:03:33.786968187 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -1256,6 +1256,7 @@ sk_load_resident_keys(const char *pin, s
freezero(rks[i], sizeof(*rks[i]));
}
free(rks);
+ free(device);
return ret;
}
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -869,6 +869,7 @@ sanitize_pkcs11_provider(const char *pro
if (pkcs11_uri_parse(provider, uri) != 0) {
error("Failed to parse PKCS#11 URI");
+ pkcs11_uri_cleanup(uri);
return NULL;
}
/* validate also provider from URI */
@@ -1220,8 +1220,8 @@ main(int ac, char **av)
sanitise_stdfd();
/* drop */
- setegid(getgid());
- setgid(getgid());
+ (void) setegid(getgid());
+ (void) setgid(getgid());
platform_disable_tracing(0); /* strict=no */
diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c
--- openssh-8.5p1/ssh.c.coverity 2021-03-24 12:03:33.779968138 +0100
+++ openssh-8.5p1/ssh.c 2021-03-24 12:03:33.786968187 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -1746,6 +1746,7 @@ control_persist_detach(void)
close(muxserver_sock);
muxserver_sock = -1;
options.control_master = SSHCTL_MASTER_NO;
+ /* coverity[leaked_handle: FALSE]*/
muxclient(options.control_path);
/* muxclient() doesn't return on success. */
fatal("Failed to connect to new control master");
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
privsep_preauth_child(ssh);
setproctitle("%s", "[net]");
- if (box != NULL)
+ if (box != NULL) {
ssh_sandbox_child(box);
+ free(box);
+ }
return 0;
}
@@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so
explicit_bzero(rnd, sizeof(rnd));
}
}
+
+ if (fdset != NULL)
+ free(fdset);
}
/*
@@ -2474,7 +2479,7 @@ do_ssh2_kex(struct ssh *ssh)
if (options.rekey_limit || options.rekey_interval)
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
options.rekey_interval);
-
+ /* coverity[leaked_storage : FALSE]*/
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
ssh, list_hostkey_types());
@@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh)
if (newstr)
myproposal[PROPOSAL_KEX_ALGS] = newstr;
- else
+ else {
fatal("No supported key exchange algorithms");
+ free(gss);
+ }
+ /* coverity[leaked_storage: FALSE]*/
}
#endif
diff -up openssh-8.5p1/ssh-keygen.c.coverity openssh-8.5p1/ssh-keygen.c
--- openssh-8.5p1/ssh-keygen.c.coverity 2021-03-24 12:03:33.780968145 +0100
+++ openssh-8.5p1/ssh-keygen.c 2021-03-24 12:03:33.787968194 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -2332,6 +2332,9 @@ update_krl_from_file(struct passwd *pw,
r = ssh_krl_revoke_key_sha256(krl, blob, blen);
if (r != 0)
fatal_fr(r, "revoke key failed");
+ freezero(blob, blen);
+ blob = NULL;
+ blen = 0;
} else {
if (strncasecmp(cp, "key:", 4) == 0) {
cp += 4;
@@ -2879,6 +2882,7 @@ do_moduli_screen(const char *out_file, c
} else if (strncmp(opts[i], "start-line=", 11) == 0) {
start_lineno = strtoul(opts[i]+11, NULL, 10);
} else if (strncmp(opts[i], "checkpoint=", 11) == 0) {
+ free(checkpoint);
checkpoint = xstrdup(opts[i]+11);
} else if (strncmp(opts[i], "generator=", 10) == 0) {
generator_wanted = (u_int32_t)strtonum(
@@ -2920,6 +2924,9 @@ do_moduli_screen(const char *out_file, c
#else /* WITH_OPENSSL */
fatal("Moduli screening is not supported");
#endif /* WITH_OPENSSL */
+ free(checkpoint);
+ if (in != stdin)
+ fclose(in);
}
static char *
diff -up openssh-8.5p1/sshsig.c.coverity openssh-8.5p1/sshsig.c
--- openssh-8.5p1/sshsig.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/sshsig.c 2021-03-24 12:03:33.787968194 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-coverity.patch
@@ -515,6 +515,7 @@ hash_file(int fd, const char *hashalg, s
oerrno = errno;
error_f("read: %s", strerror(errno));
ssh_digest_free(ctx);
+ ctx = NULL;
errno = oerrno;
r = SSH_ERR_SYSTEM_ERROR;
goto out;


@ -1,28 +1,32 @@
diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8 diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8
--- openssh-7.2p2/sftp-server.8.sftp-force-mode 2016-03-09 19:04:48.000000000 +0100 --- openssh-7.2p2/sftp-server.8.sftp-force-mode 2016-03-09 19:04:48.000000000 +0100
+++ openssh-7.2p2/sftp-server.8 2016-06-23 16:18:20.463854117 +0200 +++ openssh-7.2p2/sftp-server.8 2016-06-23 16:18:20.463854117 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-sftp-force-permission.patch
@@ -38,6 +38,7 @@ @@ -38,6 +38,7 @@
.Op Fl P Ar blacklisted_requests .Op Fl P Ar denied_requests
.Op Fl p Ar whitelisted_requests .Op Fl p Ar allowed_requests
.Op Fl u Ar umask .Op Fl u Ar umask
+.Op Fl m Ar force_file_perms +.Op Fl m Ar force_file_perms
.Ek .Ek
.Nm .Nm
.Fl Q Ar protocol_feature .Fl Q Ar protocol_feature
@@ -138,6 +139,10 @@ Sets an explicit @@ -138,6 +139,12 @@ Sets an explicit
.Xr umask 2 .Xr umask 2
to be applied to newly-created files and directories, instead of the to be applied to newly-created files and directories, instead of the
user's default mask. user's default mask.
+.It Fl m Ar force_file_perms +.It Fl m Ar force_file_perms
+Sets explicit file permissions to be applied to newly-created files instead +Sets explicit file permissions to be applied to newly-created files instead
+of the default or client requested mode. Numeric values include: +of the default or client requested mode. Numeric values include:
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set. +777, 755, 750, 666, 644, 640, etc. Using both -m and -u switches makes the
+umask (-u) effective only for newly created directories and explicit mode (-m)
+for newly created files.
.El .El
.Pp .Pp
On some systems, On some systems,
diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c
--- openssh-7.2p2/sftp-server.c.sftp-force-mode 2016-06-23 16:18:20.446854128 +0200 --- openssh-7.2p2/sftp-server.c.sftp-force-mode 2016-06-23 16:18:20.446854128 +0200
+++ openssh-7.2p2/sftp-server.c 2016-06-23 16:20:37.950766082 +0200 +++ openssh-7.2p2/sftp-server.c 2016-06-23 16:20:37.950766082 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.7p1-sftp-force-permission.patch
@@ -69,6 +69,10 @@ struct sshbuf *oqueue; @@ -69,6 +69,10 @@ struct sshbuf *oqueue;
/* Version of client */ /* Version of client */
static u_int version; static u_int version;
@ -65,9 +69,9 @@ diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c
@@ -1494,7 +1505,7 @@ sftp_server_usage(void) @@ -1494,7 +1505,7 @@ sftp_server_usage(void)
fprintf(stderr, fprintf(stderr,
"usage: %s [-ehR] [-d start_directory] [-f log_facility] " "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
"[-l log_level]\n\t[-P blacklisted_requests] " "[-l log_level]\n\t[-P denied_requests] "
- "[-p whitelisted_requests] [-u umask]\n" - "[-p allowed_requests] [-u umask]\n"
+ "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n" + "[-p allowed_requests] [-u umask] [-m force_file_perms]\n"
" %s -Q protocol_feature\n", " %s -Q protocol_feature\n",
__progname, __progname); __progname, __progname);
exit(1); exit(1);
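Review bot: The new sftp-server.8 wording under `+.It Fl m Ar force_file_perms` says the mode replaces the client-requested mode but does not spell out the consequence: an upload the client asked to create as 0600 still receives the forced mode, so a value such as 644 makes every uploaded file readable by all local users regardless of what the client requested. The example list also leads with 777 and 666 without saying that these set the world-write bits, and the text does not state the number base the value is parsed in (the parsing code is outside this hunk). I would add after the examples: `The forced mode also replaces any more restrictive mode requested by the client; values such as 777 or 666 make all uploaded files writable by every local user.` The usage-string change in sftp-server.c is consistent with the renamed -P/-p argument names.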


@ -1,6 +1,7 @@
diff -up openssh/servconf.c.sshdt openssh/servconf.c diff -up openssh/servconf.c.sshdt openssh/servconf.c
--- openssh/servconf.c.sshdt 2015-06-24 11:42:29.041078704 +0200 --- openssh/servconf.c.sshdt 2015-06-24 11:42:29.041078704 +0200
+++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200 +++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.8p1-sshdT-output.patch
@@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o) @@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o)
dump_cfg_string(sXAuthLocation, o->xauth_location); dump_cfg_string(sXAuthLocation, o->xauth_location);
dump_cfg_string(sCiphers, o->ciphers); dump_cfg_string(sCiphers, o->ciphers);


@ -1,6 +1,7 @@
diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
--- openssh-7.4p1/monitor_wrap.c.audit-race 2016-12-23 16:35:52.694685771 +0100 --- openssh-7.4p1/monitor_wrap.c.audit-race 2016-12-23 16:35:52.694685771 +0100
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:35:52.697685772 +0100 +++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:35:52.697685772 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.1p2-audit-race-condition.patch
@@ -1107,4 +1107,50 @@ mm_audit_destroy_sensitive_data(const ch @@ -1107,4 +1107,50 @@ mm_audit_destroy_sensitive_data(const ch
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m);
sshbuf_free(m); sshbuf_free(m);
@ -13,33 +14,33 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
+ struct sshbuf *m; + struct sshbuf *m;
+ int r, ret = 0; + int r, ret = 0;
+ +
+ debug3("%s: entering", __func__); + debug3_f("entering");
+ if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ do { + do {
+ blen = atomicio(read, fdin, buf, sizeof(buf)); + blen = atomicio(read, fdin, buf, sizeof(buf));
+ if (blen == 0) /* closed pipe */ + if (blen == 0) /* closed pipe */
+ break; + break;
+ if (blen != sizeof(buf)) { + if (blen != sizeof(buf)) {
+ error("%s: Failed to read the buffer from child", __func__); + error_f("Failed to read the buffer from child");
+ ret = -1; + ret = -1;
+ break; + break;
+ } + }
+ +
+ msg_len = get_u32(buf); + msg_len = get_u32(buf);
+ if (msg_len > 256 * 1024) + if (msg_len > 256 * 1024)
+ fatal("%s: read: bad msg_len %d", __func__, msg_len); + fatal_f("read: bad msg_len %d", msg_len);
+ sshbuf_reset(m); + sshbuf_reset(m);
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0) + if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) { + if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
+ error("%s: Failed to read the the buffer content from the child", __func__); + error_f("Failed to read the the buffer content from the child");
+ ret = -1; + ret = -1;
+ break; + break;
+ } + }
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen || + if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) { + atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
+ error("%s: Failed to write the message to the monitor", __func__); + error_f("Failed to write the message to the monitor");
+ ret = -1; + ret = -1;
+ break; + break;
+ } + }
@ -55,6 +56,7 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
diff -up openssh-7.4p1/monitor_wrap.h.audit-race openssh-7.4p1/monitor_wrap.h diff -up openssh-7.4p1/monitor_wrap.h.audit-race openssh-7.4p1/monitor_wrap.h
--- openssh-7.4p1/monitor_wrap.h.audit-race 2016-12-23 16:35:52.694685771 +0100 --- openssh-7.4p1/monitor_wrap.h.audit-race 2016-12-23 16:35:52.694685771 +0100
+++ openssh-7.4p1/monitor_wrap.h 2016-12-23 16:35:52.698685772 +0100 +++ openssh-7.4p1/monitor_wrap.h 2016-12-23 16:35:52.698685772 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.1p2-audit-race-condition.patch
@@ -83,6 +83,8 @@ void mm_audit_unsupported_body(int); @@ -83,6 +83,8 @@ void mm_audit_unsupported_body(int);
void mm_audit_kex_body(struct ssh *, int, char *, char *, char *, char *, pid_t, uid_t); void mm_audit_kex_body(struct ssh *, int, char *, char *, char *, char *, pid_t, uid_t);
void mm_audit_session_key_free_body(struct ssh *, int, pid_t, uid_t); void mm_audit_session_key_free_body(struct ssh *, int, pid_t, uid_t);
@ -67,6 +69,7 @@ diff -up openssh-7.4p1/monitor_wrap.h.audit-race openssh-7.4p1/monitor_wrap.h
diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
--- openssh-7.4p1/session.c.audit-race 2016-12-23 16:35:52.695685771 +0100 --- openssh-7.4p1/session.c.audit-race 2016-12-23 16:35:52.695685771 +0100
+++ openssh-7.4p1/session.c 2016-12-23 16:37:26.339730596 +0100 +++ openssh-7.4p1/session.c 2016-12-23 16:37:26.339730596 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.1p2-audit-race-condition.patch
@@ -162,6 +162,10 @@ static Session *sessions = NULL; @@ -162,6 +162,10 @@ static Session *sessions = NULL;
login_cap_t *lc; login_cap_t *lc;
#endif #endif
@ -137,7 +140,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
} }
@@ -1538,6 +1565,34 @@ child_close_fds(void) @@ -1538,6 +1565,34 @@ child_close_fds(void)
endpwent(); log_redirect_stderr_to(NULL);
} }
+void +void
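Review bot: `fatal_f("read: bad msg_len %d", msg_len)` in the monitor_wrap.c hunk formats msg_len with `%d`, but msg_len is assigned from `get_u32(buf)` and so is presumably an unsigned 32-bit value (its declaration is in the collapsed part of the hunk); the conversion should be `%u` so that a length above INT_MAX is not logged as a negative number. The message two checks later, `error_f("Failed to read the the buffer content from the child")`, has a doubled "the". The `256 * 1024` bound is a bare magic number; a named constant with a one-line comment on why that size was chosen would help whoever has to tune it. The enclosing function starts and ends outside the hunk, and the rebase only touches the logging calls, so these pre-existing issues survive it unchanged.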


@ -2,6 +2,7 @@ diff --git a/auth-krb5.c b/auth-krb5.c
index 2b02a04..19b9364 100644 index 2b02a04..19b9364 100644
--- a/auth-krb5.c --- a/auth-krb5.c
+++ b/auth-krb5.c +++ b/auth-krb5.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.2p2-k5login_directory.patch
@@ -375,5 +375,21 @@ cleanup: @@ -375,5 +375,21 @@ cleanup:
return (krb5_cc_resolve(ctx, ccname, ccache)); return (krb5_cc_resolve(ctx, ccname, ccache));
} }
@ -28,6 +29,7 @@ diff --git a/auth.h b/auth.h
index f9d191c..c432d2f 100644 index f9d191c..c432d2f 100644
--- a/auth.h --- a/auth.h
+++ b/auth.h +++ b/auth.h
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.2p2-k5login_directory.patch
@@ -222,6 +222,8 @@ int sys_auth_passwd(Authctxt *, const char *); @@ -222,6 +222,8 @@ int sys_auth_passwd(Authctxt *, const char *);
#if defined(KRB5) && !defined(HEIMDAL) #if defined(KRB5) && !defined(HEIMDAL)
@ -41,6 +43,7 @@ diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index a7c0c5f..df8cc9a 100644 index a7c0c5f..df8cc9a 100644
--- a/gss-serv-krb5.c --- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c +++ b/gss-serv-krb5.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.2p2-k5login_directory.patch
@@ -244,8 +244,27 @@ ssh_gssapi_k5login_exists() @@ -244,8 +244,27 @@ ssh_gssapi_k5login_exists()
{ {
char file[MAXPATHLEN]; char file[MAXPATHLEN];
@ -49,7 +52,7 @@ index a7c0c5f..df8cc9a 100644
+ int ret = 0; + int ret = 0;
+ +
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory); + ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
+ debug3("%s: k5login_directory = %s (rv=%d)", __func__, k5login_directory, ret); + debug3_f("k5login_directory = %s (rv=%d)", k5login_directory, ret);
+ if (k5login_directory == NULL || ret != 0) { + if (k5login_directory == NULL || ret != 0) {
+ /* If not set, the library will look for k5login + /* If not set, the library will look for k5login
+ * files in the user's home directory, with the filename .k5login. + * files in the user's home directory, with the filename .k5login.
@ -64,7 +67,7 @@ index a7c0c5f..df8cc9a 100644
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "", + k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
+ pw->pw_name); + pw->pw_name);
+ } + }
+ debug("%s: Checking existence of file %s", __func__, file); + debug_f("Checking existence of file %s", file);
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir); - snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
return access(file, F_OK) == 0; return access(file, F_OK) == 0;
@ -74,6 +77,7 @@ diff --git a/sshd.8 b/sshd.8
index 5c4f15b..135e290 100644 index 5c4f15b..135e290 100644
--- a/sshd.8 --- a/sshd.8
+++ b/sshd.8 +++ b/sshd.8
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.2p2-k5login_directory.patch
@@ -806,6 +806,10 @@ rlogin/rsh. @@ -806,6 +806,10 @@ rlogin/rsh.
These files enforce GSSAPI/Kerberos authentication access control. These files enforce GSSAPI/Kerberos authentication access control.
Further details are described in Further details are described in
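Review bot: In the gss-serv-krb5.c hunk, `debug3_f("k5login_directory = %s (rv=%d)", k5login_directory, ret);` passes k5login_directory to `%s` one line before the code tests it for NULL; a NULL argument to `%s` is undefined behaviour in C (glibc happens to print "(null)", other libcs may crash). Either move the debug call below the check or pass `k5login_directory != NULL ? k5login_directory : "(unset)"`. Further down, `k5login_directory[strlen(k5login_directory)-1]` reads one byte before the string when it is empty, which the NULL/ret check does not exclude unless the collapsed lines in between do; a `*k5login_directory != '\0'` guard in that branch would close it. ssh_gssapi_k5login_exists ends outside the visible hunk.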


@ -11,10 +11,12 @@ Author: Harald Freudenberger <freude@de.ibm.com>
--- ---
openbsd-compat/bsd-closefrom.c | 26 ++++++++++++++++++++++++++ openbsd-compat/bsd-closefrom.c | 26 ++++++++++++++++++++++++++
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.2p2-s390-closefrom.patch
1 file changed, 26 insertions(+) 1 file changed, 26 insertions(+)
--- a/openbsd-compat/bsd-closefrom.c --- a/openbsd-compat/bsd-closefrom.c
+++ b/openbsd-compat/bsd-closefrom.c +++ b/openbsd-compat/bsd-closefrom.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.2p2-s390-closefrom.patch
@@ -82,7 +82,33 @@ closefrom(int lowfd) @@ -82,7 +82,33 @@ closefrom(int lowfd)
fd = strtol(dent->d_name, &endp, 10); fd = strtol(dent->d_name, &endp, 10);
if (dent->d_name != endp && *endp == '\0' && if (dent->d_name != endp && *endp == '\0' &&


@ -1,6 +1,7 @@
diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
--- openssh-7.2p2/channels.c.x11 2016-03-09 19:04:48.000000000 +0100 --- openssh-7.2p2/channels.c.x11 2016-03-09 19:04:48.000000000 +0100
+++ openssh-7.2p2/channels.c 2016-06-03 10:42:04.775164520 +0200 +++ openssh-7.2p2/channels.c 2016-06-03 10:42:04.775164520 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.2p2-x11.patch
@@ -3990,21 +3990,24 @@ x11_create_display_inet(int x11_display_ @@ -3990,21 +3990,24 @@ x11_create_display_inet(int x11_display_
} }


@ -1,6 +1,7 @@
diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100 --- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100 +++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.3p1-x11-max-displays.patch
@@ -152,8 +152,8 @@ static int all_opens_permitted = 0; @@ -152,8 +152,8 @@ static int all_opens_permitted = 0;
#define FWD_PERMIT_ANY_HOST "*" #define FWD_PERMIT_ANY_HOST "*"
@ -80,6 +81,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
--- openssh-7.4p1/channels.h.x11max 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/channels.h.x11max 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/channels.h 2016-12-23 15:46:32.139506636 +0100 +++ openssh-7.4p1/channels.h 2016-12-23 15:46:32.139506636 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.3p1-x11-max-displays.patch
@@ -293,7 +293,7 @@ int permitopen_port(const char *); @@ -293,7 +293,7 @@ int permitopen_port(const char *);
void channel_set_x11_refuse_time(struct ssh *, u_int); void channel_set_x11_refuse_time(struct ssh *, u_int);
@ -92,6 +94,7 @@ diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.x11max 2016-12-23 15:46:32.133506635 +0100 --- openssh-7.4p1/servconf.c.x11max 2016-12-23 15:46:32.133506635 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 15:47:27.320519121 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 15:47:27.320519121 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.3p1-x11-max-displays.patch
@@ -95,6 +95,7 @@ initialize_server_options(ServerOptions @@ -95,6 +95,7 @@ initialize_server_options(ServerOptions
options->print_lastlog = -1; options->print_lastlog = -1;
options->x11_forwarding = -1; options->x11_forwarding = -1;
@ -110,8 +113,8 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
options->x11_use_localhost = 1; options->x11_use_localhost = 1;
if (options->xauth_location == NULL) if (options->xauth_location == NULL)
@@ -419,7 +422,7 @@ typedef enum { @@ -419,7 +422,7 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication, sPasswordAuthentication,
sListenAddress, sAddressFamily, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts, sPrintMotd, sPrintLastLog, sIgnoreRhosts,
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, - sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
+ sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost, + sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,
@ -156,6 +159,7 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.x11max 2016-12-23 15:46:32.133506635 +0100 --- openssh-7.4p1/servconf.h.x11max 2016-12-23 15:46:32.133506635 +0100
+++ openssh-7.4p1/servconf.h 2016-12-23 15:46:32.140506636 +0100 +++ openssh-7.4p1/servconf.h 2016-12-23 15:46:32.140506636 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.3p1-x11-max-displays.patch
@@ -55,6 +55,7 @@ @@ -55,6 +55,7 @@
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
@ -175,6 +179,7 @@ diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h
diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c
--- openssh-7.4p1/session.c.x11max 2016-12-23 15:46:32.136506636 +0100 --- openssh-7.4p1/session.c.x11max 2016-12-23 15:46:32.136506636 +0100
+++ openssh-7.4p1/session.c 2016-12-23 15:46:32.141506636 +0100 +++ openssh-7.4p1/session.c 2016-12-23 15:46:32.141506636 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.3p1-x11-max-displays.patch
@@ -2518,8 +2518,9 @@ session_setup_x11fwd(Session *s) @@ -2518,8 +2518,9 @@ session_setup_x11fwd(Session *s)
return 0; return 0;
} }
@ -190,6 +195,7 @@ diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c
diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5 diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.x11max 2016-12-23 15:46:32.134506635 +0100 --- openssh-7.4p1/sshd_config.5.x11max 2016-12-23 15:46:32.134506635 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:46:32.141506636 +0100 +++ openssh-7.4p1/sshd_config.5 2016-12-23 15:46:32.141506636 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.3p1-x11-max-displays.patch
@@ -1133,6 +1133,7 @@ Available keywords are @@ -1133,6 +1133,7 @@ Available keywords are
.Cm StreamLocalBindUnlink , .Cm StreamLocalBindUnlink ,
.Cm TrustedUserCAKeys , .Cm TrustedUserCAKeys ,


@ -8,6 +8,7 @@ diff --git a/configure.ac b/configure.ac
index 2ffc369..162ce92 100644 index 2ffc369..162ce92 100644
--- a/configure.ac --- a/configure.ac
+++ b/configure.ac +++ b/configure.ac
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.4p1-systemd.patch
@@ -4265,6 +4265,30 @@ AC_ARG_WITH([kerberos5], @@ -4265,6 +4265,30 @@ AC_ARG_WITH([kerberos5],
AC_SUBST([GSSLIBS]) AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS]) AC_SUBST([K5LIBS])
@ -52,6 +53,7 @@ new file mode 100644
index 0000000..e0d4923 index 0000000..e0d4923
--- /dev/null --- /dev/null
+++ b/contrib/sshd.service +++ b/contrib/sshd.service
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.4p1-systemd.patch
@@ -0,0 +1,16 @@ @@ -0,0 +1,16 @@
+[Unit] +[Unit]
+Description=OpenSSH server daemon +Description=OpenSSH server daemon
@ -73,6 +75,7 @@ diff --git a/sshd.c b/sshd.c
index 816611c..b8b9d13 100644 index 816611c..b8b9d13 100644
--- a/sshd.c --- a/sshd.c
+++ b/sshd.c +++ b/sshd.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.4p1-systemd.patch
@@ -85,6 +85,10 @@ @@ -85,6 +85,10 @@
#include <prot.h> #include <prot.h>
#endif #endif
@ -7,12 +7,14 @@ this is only need on s390 architecture.
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx> Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
--- ---
sandbox-seccomp-filter.c | 6 ++++++ sandbox-seccomp-filter.c | 6 ++++++
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch
1 file changed, 6 insertions(+) 1 file changed, 6 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index ca75cc7..6e7de31 100644 index ca75cc7..6e7de31 100644
--- a/sandbox-seccomp-filter.c --- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { @@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_exit_group #ifdef __NR_exit_group
SC_ALLOW(__NR_exit_group), SC_ALLOW(__NR_exit_group),
@ -43,12 +45,14 @@ Those syscalls are also needed by the distros for audit code.
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx> Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
--- ---
sandbox-seccomp-filter.c | 12 ++++++++++++ sandbox-seccomp-filter.c | 12 ++++++++++++
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch
1 file changed, 12 insertions(+) 1 file changed, 12 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 6e7de31..e86aa2c 100644 index 6e7de31..e86aa2c 100644
--- a/sandbox-seccomp-filter.c --- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = { @@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_getpid #ifdef __NR_getpid
SC_ALLOW(__NR_getpid), SC_ALLOW(__NR_getpid),
@ -73,6 +77,7 @@ index 6e7de31..e86aa2c 100644
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox 2017-12-12 13:59:30.563874059 +0100 --- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox 2017-12-12 13:59:30.563874059 +0100
+++ openssh-7.6p1/sandbox-seccomp-filter.c 2017-12-12 13:59:14.842784083 +0100 +++ openssh-7.6p1/sandbox-seccomp-filter.c 2017-12-12 13:59:14.842784083 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_ @@ -190,6 +190,9 @@ static const struct sock_filter preauth_
#ifdef __NR_geteuid32 #ifdef __NR_geteuid32
SC_ALLOW(__NR_geteuid32), SC_ALLOW(__NR_geteuid32),
@ -1,10 +1,11 @@
diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200 --- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200
+++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200 +++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch
@@ -72,6 +72,9 @@ @@ -72,6 +72,9 @@
/* import */
extern ServerOptions options; extern ServerOptions options;
extern u_char *session_id2;
extern u_int session_id2_len;
+extern int inetd_flag; +extern int inetd_flag;
+extern int rexeced_flag; +extern int rexeced_flag;
+extern Authctxt *the_authctxt; +extern Authctxt *the_authctxt;
@ -12,62 +13,65 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
static char * static char *
format_key(const struct sshkey *key) format_key(const struct sshkey *key)
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh @@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
ac, av, &f, ac, av, &f,
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0) SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, - runas_pw, temporarily_use_uid, restore_uid)) == 0)
+ runas_pw, temporarily_use_uid, restore_uid,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0) + (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
goto out; goto out;
uid_swapped = 1; uid_swapped = 1;
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss @@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
if ((pid = subprocess("AuthorizedKeysCommand", command,
if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
ac, av, &f, ac, av, &f,
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0) SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, - runas_pw, temporarily_use_uid, restore_uid)) == 0)
+ runas_pw, temporarily_use_uid, restore_uid,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0) + (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
goto out; goto out;
uid_swapped = 1; uid_swapped = 1;
diff -up openssh/auth.c.refactor openssh/auth.c diff -up openssh/misc.c.refactor openssh/misc.c
--- openssh/auth.c.refactor 2019-04-04 13:19:12.235821686 +0200 --- openssh/misc.c.refactor 2019-04-04 13:19:12.235821686 +0200
+++ openssh/auth.c 2019-04-04 13:19:12.276822078 +0200 +++ openssh/misc.c 2019-04-04 13:19:12.276822078 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh * @@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
*/
pid_t pid_t
subprocess(const char *tag, struct passwd *pw, const char *command, subprocess(const char *tag, const char *command,
- int ac, char **av, FILE **child, u_int flags) int ac, char **av, FILE **child, u_int flags,
+ int ac, char **av, FILE **child, u_int flags, int inetd, - struct passwd *pw, privdrop_fn *drop_privs, privrestore_fn *restore_privs)
+ void *the_authctxt) + struct passwd *pw, privdrop_fn *drop_privs,
+ privrestore_fn *restore_privs, int inetd, void *the_authctxt)
{ {
FILE *f = NULL; FILE *f = NULL;
struct stat st; struct stat st;
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw @@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
_exit(1);
} }
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
- if (sshd_selinux_setup_env_variables() < 0) { - if (sshd_selinux_setup_env_variables() < 0) {
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) { + if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
error ("failed to copy environment: %s", error ("failed to copy environment: %s",
strerror(errno)); strerror(errno));
_exit(127); _exit(127);
diff -up openssh/auth.h.refactor openssh/auth.h diff -up openssh/misc.h.refactor openssh/misc.h
--- openssh/auth.h.refactor 2019-04-04 13:19:12.251821839 +0200 --- openssh/misc.h.refactor 2019-04-04 13:19:12.251821839 +0200
+++ openssh/auth.h 2019-04-04 13:19:12.276822078 +0200 +++ openssh/misc.h 2019-04-04 13:19:12.276822078 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch
@@ -235,7 +235,7 @@ struct passwd *fakepw(void); @@ -235,7 +235,7 @@ struct passwd *fakepw(void);
#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */ #define SSH_SUBPROCESS_UNSAFE_PATH (1<<3) /* Don't check for safe cmd */
#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */ #define SSH_SUBPROCESS_PRESERVE_ENV (1<<4) /* Keep parent environment */
pid_t subprocess(const char *, struct passwd *, pid_t subprocess(const char *, const char *, int, char **, FILE **, u_int,
- const char *, int, char **, FILE **, u_int flags); - struct passwd *, privdrop_fn *, privrestore_fn *);
+ const char *, int, char **, FILE **, u_int flags, int, void *); + struct passwd *, privdrop_fn *, privrestore_fn *, int, void *);
int sys_auth_passwd(struct ssh *, const char *);
typedef struct arglist arglist;
struct arglist {
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
--- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200 --- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200
+++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200 +++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch
@@ -26,8 +26,8 @@ void ssh_selinux_setfscreatecon(const ch @@ -26,8 +26,8 @@ void ssh_selinux_setfscreatecon(const ch
int sshd_selinux_enabled(void); int sshd_selinux_enabled(void);
@ -82,6 +86,7 @@ diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/por
diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c
--- openssh/openbsd-compat/port-linux-sshd.c.refactor 2019-04-04 13:19:12.256821887 +0200 --- openssh/openbsd-compat/port-linux-sshd.c.refactor 2019-04-04 13:19:12.256821887 +0200
+++ openssh/openbsd-compat/port-linux-sshd.c 2019-04-04 13:19:12.276822078 +0200 +++ openssh/openbsd-compat/port-linux-sshd.c 2019-04-04 13:19:12.276822078 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch
@@ -49,11 +49,6 @@ @@ -49,11 +49,6 @@
#include <unistd.h> #include <unistd.h>
#endif #endif
@ -145,7 +150,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
char *role; char *role;
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it @@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
debug3("%s: setting execution context", __func__); debug3_f("setting execution context");
- ssh_selinux_get_role_level(&role, &reqlvl); - ssh_selinux_get_role_level(&role, &reqlvl);
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt); + ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
@ -203,10 +208,10 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) { + if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
switch (security_getenforce()) { switch (security_getenforce()) {
case -1: case -1:
fatal("%s: security_getenforce() failed", __func__); fatal_f("security_getenforce() failed");
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw @@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
debug3("%s: setting execution context", __func__); debug3_f("setting execution context");
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx); - r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt); + r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
@ -216,6 +221,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
diff -up openssh/platform.c.refactor openssh/platform.c diff -up openssh/platform.c.refactor openssh/platform.c
--- openssh/platform.c.refactor 2019-04-04 13:19:12.204821389 +0200 --- openssh/platform.c.refactor 2019-04-04 13:19:12.204821389 +0200
+++ openssh/platform.c 2019-04-04 13:19:12.277822088 +0200 +++ openssh/platform.c 2019-04-04 13:19:12.277822088 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch
@@ -32,6 +32,9 @@ @@ -32,6 +32,9 @@
extern int use_privsep; extern int use_privsep;
@ -240,6 +246,7 @@ diff -up openssh/platform.c.refactor openssh/platform.c
diff -up openssh/sshd.c.refactor openssh/sshd.c diff -up openssh/sshd.c.refactor openssh/sshd.c
--- openssh/sshd.c.refactor 2019-04-04 13:19:12.275822068 +0200 --- openssh/sshd.c.refactor 2019-04-04 13:19:12.275822068 +0200
+++ openssh/sshd.c 2019-04-04 13:19:51.270195262 +0200 +++ openssh/sshd.c 2019-04-04 13:19:51.270195262 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch
@@ -158,7 +158,7 @@ int debug_flag = 0; @@ -158,7 +158,7 @@ int debug_flag = 0;
static int test_flag = 0; static int test_flag = 0;
@ -269,3 +276,16 @@ diff -up openssh/sshd.c.refactor openssh/sshd.c
#endif #endif
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) { if (options.use_pam) {
diff -up openssh/sshconnect.c.refactor openssh/sshconnect.c
--- openssh/sshconnect.c.refactor 2021-02-24 00:12:03.065325046 +0100
+++ openssh/sshconnect.c 2021-02-24 00:12:12.126449544 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.6p1-cleanup-selinux.patch
@@ -892,7 +892,7 @@ load_hostkeys_command(struct hostkeys *h
if ((pid = subprocess(tag, command, ac, av, &f,
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_UNSAFE_PATH|
- SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL)) == 0)
+ SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL, 0, NULL)) == 0)
goto out;
load_hostkeys_file(hostkeys, hostfile_hostname, tag, f, 1);
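Review bot: The two parameters the misc.c/misc.h hunks add to `subprocess()` are undocumented and untyped: `the_authctxt` is a `void *`, and under WITH_SELINUX the forked child hands it straight to `sshd_selinux_setup_env_variables(inetd, the_authctxt)`, while the sshconnect.c caller at the end of this section passes `0, NULL` for them, so a NULL context reaches that path in the client unless the callee rejects it (its body is not in these hunks). If that function cannot take a NULL context, guard the call in the child, `if (the_authctxt != NULL && sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {`, or make the callee return 0 for NULL. The prototype in misc.h deserves a comment such as `/* inetd: sshd started from inetd without re-exec; the_authctxt: sshd's Authctxt, NULL for client callers */`, and a forward-declared `struct Authctxt *` would keep the type checking that `void *` discards. The body of subprocess() continues outside the hunk.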
@ -1,6 +1,7 @@
diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c diff -up openssh-8.6p1/cipher-ctr.c.fips openssh-8.6p1/cipher-ctr.c
--- openssh-8.0p1/cipher-ctr.c.fips 2019-07-23 14:55:45.326525641 +0200 --- openssh-8.6p1/cipher-ctr.c.fips 2021-04-19 16:53:02.994577324 +0200
+++ openssh-8.0p1/cipher-ctr.c 2019-07-23 14:55:45.401526401 +0200 +++ openssh-8.6p1/cipher-ctr.c 2021-04-19 16:53:03.064577862 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void) @@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr; aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP #ifndef SSH_OLD_EVP
@ -11,10 +12,11 @@ diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c
#endif #endif
return (&aes_ctr); return (&aes_ctr);
} }
diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
--- openssh-8.0p1/dh.c.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.6p1/dh.c.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.0p1/dh.c 2019-07-23 14:55:45.401526401 +0200 +++ openssh-8.6p1/dh.c 2021-04-19 16:58:47.750263410 +0200
@@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch
@@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max
int best, bestcount, which, linenum; int best, bestcount, which, linenum;
struct dhgroup dhg; struct dhgroup dhg;
@ -24,10 +26,10 @@ diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
+ return (dh_new_group_fallback(max)); + return (dh_new_group_fallback(max));
+ } + }
+ +
if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) { if ((f = fopen(get_moduli_filename(), "r")) == NULL) {
logit("WARNING: could not open %s (%s), using fixed modulus", logit("WARNING: could not open %s (%s), using fixed modulus",
_PATH_DH_MODULI, strerror(errno)); get_moduli_filename(), strerror(errno));
@@ -489,4 +495,38 @@ dh_estimate(int bits) @@ -502,4 +508,38 @@ dh_estimate(int bits)
return 8192; return 8192;
} }
@ -66,21 +68,23 @@ diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
+} +}
+ +
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
diff -up openssh-8.0p1/dh.h.fips openssh-8.0p1/dh.h diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
--- openssh-8.0p1/dh.h.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.6p1/dh.h.fips 2021-04-19 16:53:03.064577862 +0200
+++ openssh-8.0p1/dh.h 2019-07-23 14:55:45.401526401 +0200 +++ openssh-8.6p1/dh.h 2021-04-19 16:59:31.951616078 +0200
@@ -43,6 +43,7 @@ DH *dh_new_group_fallback(int); Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch
@@ -45,6 +45,7 @@ DH *dh_new_group_fallback(int);
int dh_gen_key(DH *, int); int dh_gen_key(DH *, int);
int dh_pub_is_valid(const DH *, const BIGNUM *); int dh_pub_is_valid(const DH *, const BIGNUM *);
+int dh_is_known_group(const DH *); +int dh_is_known_group(const DH *);
u_int dh_estimate(int); u_int dh_estimate(int);
void dh_set_moduli_file(const char *);
diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
--- openssh-8.0p1/kex.c.fips 2019-07-23 14:55:45.395526340 +0200 --- openssh-8.6p1/kex.c.fips 2021-04-19 16:53:03.058577815 +0200
+++ openssh-8.0p1/kex.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/kex.c 2021-04-19 16:53:03.065577869 +0200
@@ -199,7 +199,10 @@ kex_names_valid(const char *names) Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch
@@ -203,7 +203,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0'; for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) { (p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) { if (kex_alg_by_name(p) == NULL) {
@ -92,9 +96,10 @@ diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c
free(s); free(s);
return 0; return 0;
} }
diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
--- openssh-8.0p1/kexgexc.c.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.6p1/kexgexc.c.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.0p1/kexgexc.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/kexgexc.c 2021-04-19 16:53:03.065577869 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch
@@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
@ -103,7 +108,7 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
#include <sys/types.h> #include <sys/types.h>
#include <openssl/dh.h> #include <openssl/dh.h>
@@ -113,6 +114,10 @@ input_kex_dh_gex_group(int type, u_int32 @@ -115,6 +116,10 @@ input_kex_dh_gex_group(int type, u_int32
r = SSH_ERR_ALLOC_FAIL; r = SSH_ERR_ALLOC_FAIL;
goto out; goto out;
} }
@ -114,56 +119,13 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
p = g = NULL; /* belong to kex->dh now */ p = g = NULL; /* belong to kex->dh now */
/* generate and send 'e', client DH public key */ /* generate and send 'e', client DH public key */
diff -up openssh-8.0p1/Makefile.in.fips openssh-8.0p1/Makefile.in diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
--- openssh-8.0p1/Makefile.in.fips 2019-07-23 14:55:45.396526350 +0200 --- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.0p1/Makefile.in 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/myproposal.h 2021-04-19 16:53:03.065577869 +0200
@@ -180,25 +180,25 @@ libssh.a: $(LIBSSH_OBJS) Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch
$(RANLIB) $@ @@ -57,6 +57,18 @@
"rsa-sha2-512," \
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) "rsa-sha2-256"
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
- $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
- $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
- $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
- $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
$(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -216,7 +216,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
$(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200
@@ -111,6 +111,20 @@
"rsa-sha2-256," \
"ssh-rsa"
+#define KEX_FIPS_PK_ALG \ +#define KEX_FIPS_PK_ALG \
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ + "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
@ -171,18 +133,16 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \ + "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
+ "rsa-sha2-512-cert-v01@openssh.com," \ + "rsa-sha2-512-cert-v01@openssh.com," \
+ "rsa-sha2-256-cert-v01@openssh.com," \ + "rsa-sha2-256-cert-v01@openssh.com," \
+ "ssh-rsa-cert-v01@openssh.com," \
+ "ecdsa-sha2-nistp256," \ + "ecdsa-sha2-nistp256," \
+ "ecdsa-sha2-nistp384," \ + "ecdsa-sha2-nistp384," \
+ "ecdsa-sha2-nistp521," \ + "ecdsa-sha2-nistp521," \
+ "rsa-sha2-512," \ + "rsa-sha2-512," \
+ "rsa-sha2-256," \ + "rsa-sha2-256," \
+ "ssh-rsa"
+ +
#define KEX_SERVER_ENCRYPT \ #define KEX_SERVER_ENCRYPT \
"chacha20-poly1305@openssh.com," \ "chacha20-poly1305@openssh.com," \
"aes128-ctr,aes192-ctr,aes256-ctr," \ "aes128-ctr,aes192-ctr,aes256-ctr," \
@@ -134,6 +142,27 @@ @@ -78,6 +92,27 @@
#define KEX_CLIENT_MAC KEX_SERVER_MAC #define KEX_CLIENT_MAC KEX_SERVER_MAC
@ -209,36 +169,38 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
+ +
/* Not a KEX value, but here so all the algorithm defaults are together */ /* Not a KEX value, but here so all the algorithm defaults are together */
#define SSH_ALLOWED_CA_SIGALGS \ #define SSH_ALLOWED_CA_SIGALGS \
"ecdsa-sha2-nistp256," \ "ssh-ed25519," \
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200 --- openssh-8.6p1/readconf.c.fips 2021-04-19 16:53:02.999577362 +0200
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/readconf.c 2021-04-19 16:53:03.065577869 +0200
@@ -2179,11 +2179,16 @@ fill_default_options(Options * options) Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch
@@ -2538,11 +2538,16 @@ fill_default_options(Options * options)
all_key = sshkey_alg_list(0, 0, 1, ','); all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */ /* remove unsupported algos from default lists */
- def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher); - def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher);
- def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac); - def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac);
- def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex); - def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex);
- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); - def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); - def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+ def_cipher = match_filter_whitelist((FIPS_mode() ? + def_cipher = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher); + KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
+ def_mac = match_filter_whitelist((FIPS_mode() ? + def_mac = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac); + KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
+ def_kex = match_filter_whitelist((FIPS_mode() ? + def_kex = match_filter_allowlist((FIPS_mode() ?
+ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex); + KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
+ def_key = match_filter_whitelist((FIPS_mode() ? + def_key = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key); + KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
+ def_sig = match_filter_whitelist((FIPS_mode() ? + def_sig = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig); + KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
#define ASSEMBLE(what, defaults, all) \ #define ASSEMBLE(what, defaults, all) \
do { \ do { \
if ((r = kex_assemble_names(&options->what, \ if ((r = kex_assemble_names(&options->what, \
diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-seccomp-filter.c
--- openssh-8.0p1/sandbox-seccomp-filter.c.fips 2019-07-23 14:55:45.373526117 +0200 --- openssh-8.6p1/sandbox-seccomp-filter.c.fips 2021-04-19 16:53:03.034577631 +0200
+++ openssh-8.0p1/sandbox-seccomp-filter.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/sandbox-seccomp-filter.c 2021-04-19 16:53:03.065577869 +0200
@@ -137,6 +137,9 @@ static const struct sock_filter preauth_ Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch
@@ -160,6 +160,9 @@ static const struct sock_filter preauth_
#ifdef __NR_open #ifdef __NR_open
SC_DENY(__NR_open, EACCES), SC_DENY(__NR_open, EACCES),
#endif #endif
@ -248,75 +210,60 @@ diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-secco
#ifdef __NR_openat #ifdef __NR_openat
SC_DENY(__NR_openat, EACCES), SC_DENY(__NR_openat, EACCES),
#endif #endif
diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
--- openssh-8.0p1/servconf.c.fips 2019-07-23 14:55:45.361525996 +0200 --- openssh-8.6p1/servconf.c.fips 2021-04-19 16:53:03.027577577 +0200
+++ openssh-8.0p1/servconf.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.6p1/servconf.c 2021-04-19 16:53:03.066577877 +0200
@@ -208,11 +208,16 @@ assemble_algorithms(ServerOptions *o) Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch
@@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o)
all_key = sshkey_alg_list(0, 0, 1, ','); all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */ /* remove unsupported algos from default lists */
- def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher); - def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
- def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac); - def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
- def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex); - def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); - def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); - def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+ def_cipher = match_filter_whitelist((FIPS_mode() ? + def_cipher = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher); + KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
+ def_mac = match_filter_whitelist((FIPS_mode() ? + def_mac = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac); + KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
+ def_kex = match_filter_whitelist((FIPS_mode() ? + def_kex = match_filter_allowlist((FIPS_mode() ?
+ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex); + KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
+ def_key = match_filter_whitelist((FIPS_mode() ? + def_key = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key); + KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
+ def_sig = match_filter_whitelist((FIPS_mode() ? + def_sig = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig); + KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
#define ASSEMBLE(what, defaults, all) \ #define ASSEMBLE(what, defaults, all) \
do { \ do { \
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
--- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200 --- openssh-8.6p1/ssh.c.fips 2021-04-19 16:53:03.038577662 +0200
+++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.6p1/ssh.c 2021-04-19 16:53:03.066577877 +0200
@@ -76,6 +76,8 @@ Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch
@@ -77,6 +77,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
#endif #endif
+#include <openssl/crypto.h> +#include <openssl/crypto.h>
+#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
@@ -600,6 +602,16 @@ main(int ac, char **av) @@ -1516,6 +1517,10 @@ main(int ac, char **av)
sanitise_stdfd(); exit(0);
}
__progname = ssh_get_progname(av[0]);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSLeay_add_all_algorithms();
+#endif
+ if (access("/etc/system-fips", F_OK) == 0)
+ if (! FIPSCHECK_verify(NULL, NULL)){
+ if (FIPS_mode())
+ fatal("FIPS integrity verification test failed.");
+ else
+ logit("FIPS integrity verification test failed.");
+ }
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
@@ -614,6 +626,10 @@ main(int ac, char **av)
seed_rng();
+ if (FIPS_mode()) { + if (FIPS_mode()) {
+ debug("FIPS mode initialized"); + debug("FIPS mode initialized");
+ } + }
+ +
/* /* Expand SecurityKeyProvider if it refers to an environment variable */
* Discard other fds that are hanging around. These can cause problem if (options.sk_provider != NULL && *options.sk_provider == '$' &&
* with backgrounded ssh processes started by ControlPersist. strlen(options.sk_provider) > 1) {
diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
--- openssh-8.0p1/sshconnect2.c.fips 2019-07-23 14:55:45.336525743 +0200 --- openssh-8.6p1/sshconnect2.c.fips 2021-04-19 16:53:03.055577792 +0200
+++ openssh-8.0p1/sshconnect2.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.6p1/sshconnect2.c 2021-04-19 16:53:03.066577877 +0200
@@ -44,6 +44,8 @@ Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch
@@ -45,6 +45,8 @@
#include <vis.h> #include <vis.h>
#endif #endif
@ -325,7 +272,7 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
#include "xmalloc.h" #include "xmalloc.h"
@@ -198,29 +203,34 @@ ssh_kex2(struct ssh *ssh, char *host, st @@ -269,36 +271,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
#if defined(GSSAPI) && defined(WITH_OPENSSL) #if defined(GSSAPI) && defined(WITH_OPENSSL)
if (options.gss_keyex) { if (options.gss_keyex) {
@ -333,13 +280,39 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
- * client to the key exchange algorithm proposal */ - * client to the key exchange algorithm proposal */
- orig = myproposal[PROPOSAL_KEX_ALGS]; - orig = myproposal[PROPOSAL_KEX_ALGS];
- -
- if (options.gss_server_identity) - if (options.gss_server_identity) {
- gss_host = xstrdup(options.gss_server_identity); - gss_host = xstrdup(options.gss_server_identity);
- else if (options.gss_trust_dns) - } else if (options.gss_trust_dns) {
- gss_host = remote_hostname(ssh); - gss_host = remote_hostname(ssh);
- else - /* Fall back to specified host if we are using proxy command
- * and can not use DNS on that socket */
- if (strcmp(gss_host, "UNKNOWN") == 0) {
- free(gss_host);
+ if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0;
+ } else {
+ /* Add the GSSAPI mechanisms currently supported on this
+ * client to the key exchange algorithm proposal */
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
+ if (options.gss_server_identity) {
+ gss_host = xstrdup(options.gss_server_identity);
+ } else if (options.gss_trust_dns) {
+ gss_host = remote_hostname(ssh);
+ /* Fall back to specified host if we are using proxy command
+ * and can not use DNS on that socket */
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
+ free(gss_host);
+ gss_host = xstrdup(host);
+ }
+ } else {
gss_host = xstrdup(host);
}
- } else {
- gss_host = xstrdup(host); - gss_host = xstrdup(host);
- - }
- gss = ssh_gssapi_client_mechanisms(gss_host, - gss = ssh_gssapi_client_mechanisms(gss_host,
- options.gss_client_identity, options.gss_kex_algorithms); - options.gss_client_identity, options.gss_kex_algorithms);
- if (gss) { - if (gss) {
@ -352,21 +325,6 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; - orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], - xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
- "%s,null", orig); - "%s,null", orig);
+ if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0;
+ } else {
+ /* Add the GSSAPI mechanisms currently supported on this
+ * client to the key exchange algorithm proposal */
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
+ if (options.gss_server_identity)
+ gss_host = xstrdup(options.gss_server_identity);
+ else if (options.gss_trust_dns)
+ gss_host = remote_hostname(ssh);
+ else
+ gss_host = xstrdup(host);
+
+ gss = ssh_gssapi_client_mechanisms(gss_host, + gss = ssh_gssapi_client_mechanisms(gss_host,
+ options.gss_client_identity, options.gss_kex_algorithms); + options.gss_client_identity, options.gss_kex_algorithms);
+ if (gss) { + if (gss) {
@ -383,9 +341,10 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
} }
} }
#endif #endif
diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
--- openssh-8.0p1/sshd.c.fips 2019-07-23 14:55:45.398526371 +0200 --- openssh-8.6p1/sshd.c.fips 2021-04-19 16:53:03.060577831 +0200
+++ openssh-8.0p1/sshd.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.6p1/sshd.c 2021-04-19 16:57:45.827769340 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch
@@ -66,6 +66,7 @@ @@ -66,6 +66,7 @@
#include <grp.h> #include <grp.h>
#include <pwd.h> #include <pwd.h>
@ -394,35 +353,23 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
#include <stdarg.h> #include <stdarg.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
@@ -77,6 +78,8 @@ @@ -77,6 +78,7 @@
#include <openssl/dh.h> #include <openssl/dh.h>
#include <openssl/bn.h> #include <openssl/bn.h>
#include <openssl/rand.h> #include <openssl/rand.h>
+#include <openssl/crypto.h> +#include <openssl/crypto.h>
+#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#endif #endif
@@ -1529,6 +1532,18 @@ main(int ac, char **av) @@ -1619,6 +1621,7 @@ main(int ac, char **av)
#endif #endif
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
+ OpenSSL_add_all_algorithms(); + OpenSSL_add_all_algorithms();
+ if (access("/etc/system-fips", F_OK) == 0)
+ if (! FIPSCHECK_verify(NULL, NULL)) {
+ openlog(__progname, LOG_PID, LOG_AUTHPRIV);
+ if (FIPS_mode()) {
+ syslog(LOG_CRIT, "FIPS integrity verification test failed.");
+ cleanup_exit(255);
+ }
+ else
+ syslog(LOG_INFO, "FIPS integrity verification test failed.");
+ closelog();
+ }
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac; saved_argc = ac;
rexec_argc = ac; rexec_argc = ac;
@@ -1992,6 +2007,10 @@ main(int ac, char **av) @@ -2110,6 +2113,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */ /* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr); log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -430,10 +377,10 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
+ debug("FIPS mode initialized"); + debug("FIPS mode initialized");
+ } + }
+ +
/* Chdir to the root directory so that the current disk can be /*
unmounted if desired. */ * Chdir to the root directory so that the current disk can be
if (chdir("/") == -1) * unmounted if desired.
@@ -2382,10 +2401,14 @@ do_ssh2_kex(struct ssh *ssh) @@ -2494,10 +2501,14 @@ do_ssh2_kex(struct ssh *ssh)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL; orig = NULL;
@ -452,9 +399,10 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
if (gss && orig) if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig); xasprintf(&newstr, "%s,%s", gss, orig);
diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
--- openssh-8.0p1/sshkey.c.fips 2019-07-23 14:55:45.398526371 +0200 --- openssh-8.6p1/sshkey.c.fips 2021-04-19 16:53:03.061577838 +0200
+++ openssh-8.0p1/sshkey.c 2019-07-23 14:55:45.404526431 +0200 +++ openssh-8.6p1/sshkey.c 2021-04-19 16:53:03.067577885 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch
@@ -34,6 +34,7 @@ @@ -34,6 +34,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
@ -471,19 +419,20 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
#include "ssh-sk.h" #include "ssh-sk.h"
#ifdef WITH_XMSS #ifdef WITH_XMSS
@@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA @@ -1705,6 +1707,8 @@ rsa_generate_private_key(u_int bits, RSA
} }
if (!BN_set_word(f4, RSA_F4) || if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) { !RSA_generate_key_ex(private, bits, f4, NULL)) {
+ if (FIPS_mode()) + if (FIPS_mode())
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__); + logit_f("the key length might be unsupported by FIPS mode approved key generation method");
ret = SSH_ERR_LIBCRYPTO_ERROR; ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out; goto out;
} }
diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
--- openssh-8.0p1/ssh-keygen.c.fips 2019-07-23 14:55:45.391526300 +0200 --- openssh-8.6p1/ssh-keygen.c.fips 2021-04-19 16:53:03.038577662 +0200
+++ openssh-8.0p1/ssh-keygen.c 2019-07-23 14:57:54.118830056 +0200 +++ openssh-8.6p1/ssh-keygen.c 2021-04-19 16:53:03.068577892 +0200
@@ -199,6 +199,12 @@ type_bits_valid(int type, const char *na Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-fips.patch
@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
#endif #endif
} }
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
@ -496,7 +445,7 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
switch (type) { switch (type) {
case KEY_DSA: case KEY_DSA:
if (*bitsp != 1024) if (*bitsp != 1024)
@@ -1029,9 +1035,17 @@ do_gen_all_hostkeys(struct passwd *pw) @@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw)
first = 1; first = 1;
printf("%s: generating new host keys: ", __progname); printf("%s: generating new host keys: ", __progname);
} }
@ -513,5 +462,5 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
fflush(stdout); fflush(stdout);
- type = sshkey_type_from_name(key_types[i].key_type); - type = sshkey_type_from_name(key_types[i].key_type);
if ((fd = mkstemp(prv_tmp)) == -1) { if ((fd = mkstemp(prv_tmp)) == -1) {
error("Could not save your public key in %s: %s", error("Could not save your private key in %s: %s",
prv_tmp, strerror(errno)); prv_tmp, strerror(errno));


@ -1,7 +1,28 @@
diff --git a/auth-krb5.c b/auth-krb5.c diff -up openssh-8.6p1/auth.h.ccache_name openssh-8.6p1/auth.h
index a5a81ed2..63f877f2 100644 --- openssh-8.6p1/auth.h.ccache_name 2021-04-19 14:05:10.820744325 +0200
--- a/auth-krb5.c +++ openssh-8.6p1/auth.h 2021-04-19 14:05:10.853744569 +0200
+++ b/auth-krb5.c Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch
@@ -83,6 +83,7 @@ struct Authctxt {
krb5_principal krb5_user;
char *krb5_ticket_file;
char *krb5_ccname;
+ int krb5_set_env;
#endif
struct sshbuf *loginmsg;
@@ -231,7 +232,7 @@ struct passwd *fakepw(void);
int sys_auth_passwd(struct ssh *, const char *);
#if defined(KRB5) && !defined(HEIMDAL)
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
#endif
#endif /* AUTH_H */
diff -up openssh-8.6p1/auth-krb5.c.ccache_name openssh-8.6p1/auth-krb5.c
--- openssh-8.6p1/auth-krb5.c.ccache_name 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/auth-krb5.c 2021-04-19 14:40:55.142832954 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch
@@ -51,6 +51,7 @@ @@ -51,6 +51,7 @@
#include <unistd.h> #include <unistd.h>
#include <string.h> #include <string.h>
@ -10,7 +31,7 @@ index a5a81ed2..63f877f2 100644
extern ServerOptions options; extern ServerOptions options;
@@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, c
#endif #endif
krb5_error_code problem; krb5_error_code problem;
krb5_ccache ccache = NULL; krb5_ccache ccache = NULL;
@ -19,24 +40,18 @@ index a5a81ed2..63f877f2 100644
char *client, *platform_client; char *client, *platform_client;
const char *errmsg; const char *errmsg;
@@ -163,7 +164,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -163,8 +164,8 @@ auth_krb5_password(Authctxt *authctxt, c
goto out; goto out;
} }
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache); - problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,
- &authctxt->krb5_fwd_ccache);
+ problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx, + problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx,
+ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env); + &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
if (problem) if (problem)
goto out; goto out;
@@ -172,21 +174,20 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -179,15 +180,14 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
- problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+ problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
&creds);
if (problem)
goto out; goto out;
#endif #endif
@ -57,7 +72,7 @@ index a5a81ed2..63f877f2 100644
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname); do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
#endif #endif
@@ -222,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -223,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, c
void void
krb5_cleanup_proc(Authctxt *authctxt) krb5_cleanup_proc(Authctxt *authctxt)
{ {
@ -113,7 +128,7 @@ index a5a81ed2..63f877f2 100644
if (authctxt->krb5_user) { if (authctxt->krb5_user) {
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user); krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
authctxt->krb5_user = NULL; authctxt->krb5_user = NULL;
@@ -237,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt) @@ -238,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
} }
} }
@ -151,7 +166,7 @@ index a5a81ed2..63f877f2 100644
+ssh_krb5_expand_template(char **result, const char *template) { +ssh_krb5_expand_template(char **result, const char *template) {
+ char *p_n, *p_o, *r, *tmp_template; + char *p_n, *p_o, *r, *tmp_template;
+ +
+ debug3("%s: called, template = %s", __func__, template); + debug3_f("called, template = %s", template);
+ if (template == NULL) + if (template == NULL)
+ return -1; + return -1;
+ +
@ -179,7 +194,7 @@ index a5a81ed2..63f877f2 100644
+ } else { + } else {
+ p_o = strchr(p_n, '}') + 1; + p_o = strchr(p_n, '}') + 1;
+ *p_o = '\0'; + *p_o = '\0';
+ debug("%s: unsupported token %s in %s", __func__, p_n, template); + debug_f("unsupported token %s in %s", p_n, template);
+ /* unknown token, fallback to the default */ + /* unknown token, fallback to the default */
+ goto cleanup; + goto cleanup;
+ } + }
@ -198,16 +213,13 @@ index a5a81ed2..63f877f2 100644
+ return -1; + return -1;
+} +}
+ +
krb5_error_code +krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret, oerrno;
- char ccname[40];
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) { +ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
+ profile_t p; + profile_t p;
+ int ret = 0; + int ret = 0;
+ char *value = NULL; + char *value = NULL;
+ +
+ debug3("%s: called", __func__); + debug3_f("called");
+ ret = krb5_get_profile(ctx, &p); + ret = krb5_get_profile(ctx, &p);
+ if (ret) + if (ret)
+ return ret; + return ret;
@ -218,11 +230,14 @@ index a5a81ed2..63f877f2 100644
+ +
+ ret = ssh_krb5_expand_template(ccname, value); + ret = ssh_krb5_expand_template(ccname, value);
+ +
+ debug3("%s: returning with ccname = %s", __func__, *ccname); + debug3_f("returning with ccname = %s", *ccname);
+ return ret; + return ret;
+} +}
+ +
+krb5_error_code krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret, oerrno;
- char ccname[40];
+ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) { +ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
+ int tmpfd, ret, oerrno, type_len; + int tmpfd, ret, oerrno, type_len;
+ char *ccname = NULL; + char *ccname = NULL;
@ -242,7 +257,7 @@ index a5a81ed2..63f877f2 100644
- logit("mkstemp(): %.100s", strerror(oerrno)); - logit("mkstemp(): %.100s", strerror(oerrno));
- return oerrno; - return oerrno;
- } - }
+ debug3("%s: called", __func__); + debug3_f("called");
+ if (need_environment) + if (need_environment)
+ *need_environment = 0; + *need_environment = 0;
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname); + ret = ssh_krb5_get_cctemplate(ctx, &ccname);
@ -283,7 +298,7 @@ index a5a81ed2..63f877f2 100644
- close(tmpfd); - close(tmpfd);
- return (krb5_cc_resolve(ctx, ccname, ccache)); - return (krb5_cc_resolve(ctx, ccname, ccache));
+ debug3("%s: setting default ccname to %s", __func__, ccname); + debug3_f("setting default ccname to %s", ccname);
+ /* set the default with already expanded user IDs */ + /* set the default with already expanded user IDs */
+ ret = krb5_cc_set_default_name(ctx, ccname); + ret = krb5_cc_set_default_name(ctx, ccname);
+ if (ret) + if (ret)
@ -304,13 +319,13 @@ index a5a81ed2..63f877f2 100644
+ * a primary cache for this collection, if it supports that (non-FILE) + * a primary cache for this collection, if it supports that (non-FILE)
+ */ + */
+ if (krb5_cc_support_switch(ctx, type)) { + if (krb5_cc_support_switch(ctx, type)) {
+ debug3("%s: calling cc_new_unique(%s)", __func__, ccname); + debug3_f("calling cc_new_unique(%s)", ccname);
+ ret = krb5_cc_new_unique(ctx, type, NULL, ccache); + ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
+ free(type); + free(type);
+ if (ret) + if (ret)
+ return ret; + return ret;
+ +
+ debug3("%s: calling cc_switch()", __func__); + debug3_f("calling cc_switch()");
+ return krb5_cc_switch(ctx, *ccache); + return krb5_cc_switch(ctx, *ccache);
+ } else { + } else {
+ /* Otherwise, we can not create a unique ccname here (either + /* Otherwise, we can not create a unique ccname here (either
@ -318,36 +333,49 @@ index a5a81ed2..63f877f2 100644
+ * collections + * collections
+ */ + */
+ free(type); + free(type);
+ debug3("%s: calling cc_resolve(%s)", __func__, ccname); + debug3_f("calling cc_resolve(%s)", ccname);
+ return (krb5_cc_resolve(ctx, ccname, ccache)); + return (krb5_cc_resolve(ctx, ccname, ccache));
+ } + }
} }
#endif /* !HEIMDAL */ #endif /* !HEIMDAL */
#endif /* KRB5 */ #endif /* KRB5 */
diff --git a/auth.h b/auth.h diff -up openssh-8.6p1/gss-serv.c.ccache_name openssh-8.6p1/gss-serv.c
index 29491df9..fdab5040 100644 --- openssh-8.6p1/gss-serv.c.ccache_name 2021-04-19 14:05:10.844744503 +0200
--- a/auth.h +++ openssh-8.6p1/gss-serv.c 2021-04-19 14:05:10.854744577 +0200
+++ b/auth.h Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch
@@ -82,6 +82,7 @@ struct Authctxt { @@ -413,13 +413,15 @@ ssh_gssapi_cleanup_creds(void)
krb5_principal krb5_user; }
char *krb5_ticket_file;
char *krb5_ccname;
+ int krb5_set_env;
#endif
struct sshbuf *loginmsg;
@@ -238,7 +239,7 @@ int sys_auth_passwd(struct ssh *, const char *); /* As user */
int sys_auth_passwd(struct ssh *, const char *); -void
+int
ssh_gssapi_storecreds(void)
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
- (*gssapi_client.mech->storecreds)(&gssapi_client);
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+
+ return 0;
}
#if defined(KRB5) && !defined(HEIMDAL) /* This allows GSSAPI methods to do things to the child's environment based
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *); @@ -499,9 +501,7 @@ ssh_gssapi_rekey_creds(void) {
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *); char *envstr;
#endif #endif
#endif /* AUTH_H */ - if (gssapi_client.store.filename == NULL &&
diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c - gssapi_client.store.envval == NULL &&
--- openssh-7.9p1/gss-serv-krb5.c.ccache_name 2019-03-01 15:17:42.708611802 +0100 - gssapi_client.store.envvar == NULL)
+++ openssh-7.9p1/gss-serv-krb5.c 2019-03-01 15:17:42.713611844 +0100 + if (gssapi_client.store.envval == NULL)
return;
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
diff -up openssh-8.6p1/gss-serv-krb5.c.ccache_name openssh-8.6p1/gss-serv-krb5.c
--- openssh-8.6p1/gss-serv-krb5.c.ccache_name 2021-04-19 14:05:10.852744562 +0200
+++ openssh-8.6p1/gss-serv-krb5.c 2021-04-19 14:05:10.854744577 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch
@@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri @@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
/* This writes out any forwarded credentials from the structure populated /* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */ * during userauth. Called after we have setuid to the user */
@ -450,7 +478,7 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
do_pam_putenv(client->store.envvar, client->store.envval); do_pam_putenv(client->store.envvar, client->store.envval);
#endif #endif
@@ -361,7 +355,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl @@ -364,7 +354,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
client->store.data = krb_context; client->store.data = krb_context;
@ -459,43 +487,11 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
} }
int int
diff --git a/gss-serv.c b/gss-serv.c diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
index 6cae720e..16e55cbc 100644 --- openssh-8.6p1/servconf.c.ccache_name 2021-04-19 14:05:10.848744532 +0200
--- a/gss-serv.c +++ openssh-8.6p1/servconf.c 2021-04-19 14:05:10.854744577 +0200
+++ b/gss-serv.c Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch
@@ -320,13 +320,15 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) @@ -136,6 +136,7 @@ initialize_server_options(ServerOptions
}
/* As user */
-void
+int
ssh_gssapi_storecreds(void)
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
- (*gssapi_client.mech->storecreds)(&gssapi_client);
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+
+ return 0;
}
/* This allows GSSAPI methods to do things to the childs environment based
@@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() {
char *envstr;
#endif
- if (gssapi_client.store.filename == NULL &&
- gssapi_client.store.envval == NULL &&
- gssapi_client.store.envvar == NULL)
+ if (gssapi_client.store.envval == NULL)
return;
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
--- openssh-7.9p1/servconf.c.ccache_name 2019-03-01 15:17:42.704611768 +0100
+++ openssh-7.9p1/servconf.c 2019-03-01 15:17:42.713611844 +0100
@@ -123,6 +123,7 @@ initialize_server_options(ServerOptions
options->kerberos_or_local_passwd = -1; options->kerberos_or_local_passwd = -1;
options->kerberos_ticket_cleanup = -1; options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
@ -503,7 +499,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
options->gss_authentication=-1; options->gss_authentication=-1;
options->gss_keyex = -1; options->gss_keyex = -1;
options->gss_cleanup_creds = -1; options->gss_cleanup_creds = -1;
@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options) @@ -359,6 +360,8 @@ fill_default_server_options(ServerOption
options->kerberos_ticket_cleanup = 1; options->kerberos_ticket_cleanup = 1;
if (options->kerberos_get_afs_token == -1) if (options->kerberos_get_afs_token == -1)
options->kerberos_get_afs_token = 0; options->kerberos_get_afs_token = 0;
@ -512,17 +508,17 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
if (options->gss_keyex == -1) if (options->gss_keyex == -1)
@@ -447,7 +450,8 @@ typedef enum { @@ -506,7 +509,8 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sPort, sHostKeyFile, sLoginGraceTime,
sRhostsRSAAuthentication, sRSAAuthentication, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sChallengeResponseAuthentication, - sKerberosGetAFSToken, sPasswordAuthentication,
+ sKerberosGetAFSToken, sKerberosUniqueCCache, + sKerberosGetAFSToken, sKerberosUniqueCCache,
+ sChallengeResponseAuthentication, + sPasswordAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sListenAddress, sAddressFamily, sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -526,11 +530,13 @@ static struct { @@ -593,11 +597,13 @@ static struct {
#else #else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
@ -536,7 +532,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
#endif #endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1437,6 +1443,10 @@ process_server_config_line(ServerOptions *options, char *line, @@ -1573,6 +1579,10 @@ process_server_config_line_depth(ServerO
intptr = &options->kerberos_get_afs_token; intptr = &options->kerberos_get_afs_token;
goto parse_flag; goto parse_flag;
@ -547,7 +543,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
case sGssAuthentication: case sGssAuthentication:
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@@ -2507,6 +2517,7 @@ dump_config(ServerOptions *o) @@ -2891,6 +2901,7 @@ dump_config(ServerOptions *o)
# ifdef USE_AFS # ifdef USE_AFS
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token); dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
# endif # endif
@ -555,11 +551,11 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
#endif #endif
#ifdef GSSAPI #ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff --git a/servconf.h b/servconf.h diff -up openssh-8.6p1/servconf.h.ccache_name openssh-8.6p1/servconf.h
index db8362c6..4fa42d64 100644 --- openssh-8.6p1/servconf.h.ccache_name 2021-04-19 14:05:10.848744532 +0200
--- a/servconf.h +++ openssh-8.6p1/servconf.h 2021-04-19 14:05:10.855744584 +0200
+++ b/servconf.h Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch
@@ -123,6 +123,8 @@ typedef struct { @@ -140,6 +140,8 @@ typedef struct {
* file on logout. */ * file on logout. */
int kerberos_get_afs_token; /* If true, try to get AFS token if int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */ * authenticated with Kerberos. */
@ -568,13 +564,13 @@ index db8362c6..4fa42d64 100644
int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_keyex; /* If true, permit GSSAPI key exchange */ int gss_keyex; /* If true, permit GSSAPI key exchange */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */
diff --git a/session.c b/session.c diff -up openssh-8.6p1/session.c.ccache_name openssh-8.6p1/session.c
index 85df6a27..480a5ead 100644 --- openssh-8.6p1/session.c.ccache_name 2021-04-19 14:05:10.852744562 +0200
--- a/session.c +++ openssh-8.6p1/session.c 2021-04-19 14:05:10.855744584 +0200
+++ b/session.c Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch
@@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) @@ -1038,7 +1038,8 @@ do_setup_env(struct ssh *ssh, Session *s
/* Allow any GSSAPI methods that we've used to alter /* Allow any GSSAPI methods that we've used to alter
* the childs environment as they see fit * the child's environment as they see fit
*/ */
- ssh_gssapi_do_child(&env, &envsize); - ssh_gssapi_do_child(&env, &envsize);
+ if (s->authctxt->krb5_set_env) + if (s->authctxt->krb5_set_env)
@ -582,7 +578,7 @@ index 85df6a27..480a5ead 100644
#endif #endif
/* Set basic environment. */ /* Set basic environment. */
@@ -1105,7 +1106,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) @@ -1114,7 +1115,7 @@ do_setup_env(struct ssh *ssh, Session *s
} }
#endif #endif
#ifdef KRB5 #ifdef KRB5
@ -591,33 +587,11 @@ index 85df6a27..480a5ead 100644
child_set_env(&env, &envsize, "KRB5CCNAME", child_set_env(&env, &envsize, "KRB5CCNAME",
s->authctxt->krb5_ccname); s->authctxt->krb5_ccname);
#endif #endif
diff --git a/ssh-gss.h b/ssh-gss.h diff -up openssh-8.6p1/sshd.c.ccache_name openssh-8.6p1/sshd.c
index 6593e422..245178af 100644 --- openssh-8.6p1/sshd.c.ccache_name 2021-04-19 14:05:10.849744540 +0200
--- a/ssh-gss.h +++ openssh-8.6p1/sshd.c 2021-04-19 14:05:10.855744584 +0200
+++ b/ssh-gss.h Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch
@@ -83,7 +82,7 @@ typedef struct ssh_gssapi_mech_struct { @@ -2284,7 +2284,7 @@ main(int ac, char **av)
int (*dochild) (ssh_gssapi_client *);
int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
- void (*storecreds) (ssh_gssapi_client *);
+ int (*storecreds) (ssh_gssapi_client *);
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
} ssh_gssapi_mech;
@@ -127,7 +126,7 @@ int ssh_gssapi_userok(char *name);
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void);
const char *ssh_gssapi_displayname(void);
char *ssh_gssapi_server_mechanisms(void);
diff --git a/sshd.c b/sshd.c
index edbe815c..89514e8a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2162,7 +2162,7 @@ main(int ac, char **av)
#ifdef GSSAPI #ifdef GSSAPI
if (options.gss_authentication) { if (options.gss_authentication) {
temporarily_use_uid(authctxt->pw); temporarily_use_uid(authctxt->pw);
@ -626,11 +600,11 @@ index edbe815c..89514e8a 100644
restore_uid(); restore_uid();
} }
#endif #endif
diff --git a/sshd_config.5 b/sshd_config.5 diff -up openssh-8.6p1/sshd_config.5.ccache_name openssh-8.6p1/sshd_config.5
index c0683d4a..2349f477 100644 --- openssh-8.6p1/sshd_config.5.ccache_name 2021-04-19 14:05:10.849744540 +0200
--- a/sshd_config.5 +++ openssh-8.6p1/sshd_config.5 2021-04-19 14:05:10.856744592 +0200
+++ b/sshd_config.5 Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch
@@ -860,6 +860,14 @@ Specifies whether to automatically destroy the user's ticket cache @@ -939,6 +939,14 @@ Specifies whether to automatically destr
file on logout. file on logout.
The default is The default is
.Cm yes . .Cm yes .
@ -645,3 +619,25 @@ index c0683d4a..2349f477 100644
.It Cm KexAlgorithms .It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated. Multiple algorithms must be comma-separated.
diff -up openssh-8.6p1/ssh-gss.h.ccache_name openssh-8.6p1/ssh-gss.h
--- openssh-8.6p1/ssh-gss.h.ccache_name 2021-04-19 14:05:10.852744562 +0200
+++ openssh-8.6p1/ssh-gss.h 2021-04-19 14:05:10.855744584 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1-gssapi-new-unique.patch
@@ -114,7 +114,7 @@ typedef struct ssh_gssapi_mech_struct {
int (*dochild) (ssh_gssapi_client *);
int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
- void (*storecreds) (ssh_gssapi_client *);
+ int (*storecreds) (ssh_gssapi_client *);
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
} ssh_gssapi_mech;
@@ -175,7 +175,7 @@ int ssh_gssapi_userok(char *name, struct
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void);
const char *ssh_gssapi_displayname(void);
char *ssh_gssapi_server_mechanisms(void);


@ -1,17 +1,22 @@
diff -up openssh/ssh_config.redhat openssh/ssh_config diff -up openssh/ssh_config.redhat openssh/ssh_config
--- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100 --- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100
+++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100 +++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100
@@ -43,3 +43,7 @@ Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1.patch
# VisualHostKey no @@ -43,3 +43,10 @@
# ProxyCommand ssh -q -W %h:%p gateway.example.com # ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h # RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+# +#
+# To modify the system-wide ssh configuration, create a *.conf file under +# This system is following system-wide crypto policy.
+# /etc/ssh/ssh_config.d/ which will be automatically included below +# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf
+# file under /etc/ssh/ssh_config.d/ which will be automatically
+# included below. For more information, see manual page for
+# update-crypto-policies(8) and ssh_config(5).
+Include /etc/ssh/ssh_config.d/*.conf +Include /etc/ssh/ssh_config.d/*.conf
diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
--- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100 --- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100
+++ openssh/ssh_config_redhat 2020-02-13 18:13:39.180641839 +0100 +++ openssh/ssh_config_redhat 2020-02-13 18:13:39.180641839 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1.patch
@@ -0,0 +1,21 @@ @@ -0,0 +1,21 @@
+# The options here are in the "Match final block" to be applied as the last +# The options here are in the "Match final block" to be applied as the last
+# options and could be potentially overwritten by the user configuration +# options and could be potentially overwritten by the user configuration
@ -37,6 +42,7 @@ diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0 diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0
--- openssh/sshd_config.0.redhat 2020-02-12 14:30:04.000000000 +0100 --- openssh/sshd_config.0.redhat 2020-02-12 14:30:04.000000000 +0100
+++ openssh/sshd_config.0 2020-02-13 18:13:39.181641855 +0100 +++ openssh/sshd_config.0 2020-02-13 18:13:39.181641855 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1.patch
@@ -970,9 +970,9 @@ DESCRIPTION @@ -970,9 +970,9 @@ DESCRIPTION
SyslogFacility SyslogFacility
@ -53,6 +59,7 @@ diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0
diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5 diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5
--- openssh/sshd_config.5.redhat 2020-02-11 23:28:35.000000000 +0100 --- openssh/sshd_config.5.redhat 2020-02-11 23:28:35.000000000 +0100
+++ openssh/sshd_config.5 2020-02-13 18:13:39.181641855 +0100 +++ openssh/sshd_config.5 2020-02-13 18:13:39.181641855 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1.patch
@@ -1614,7 +1614,7 @@ By default no subsystems are defined. @@ -1614,7 +1614,7 @@ By default no subsystems are defined.
.It Cm SyslogFacility .It Cm SyslogFacility
Gives the facility code that is used when logging messages from Gives the facility code that is used when logging messages from
@ -65,10 +72,15 @@ diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5
diff -up openssh/sshd_config.redhat openssh/sshd_config diff -up openssh/sshd_config.redhat openssh/sshd_config
--- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100 --- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100
+++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100 +++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100
@@ -10,6 +10,10 @@ Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1.patch
@@ -10,6 +10,14 @@
# possible, but leave them commented. Uncommented options override the # possible, but leave them commented. Uncommented options override the
# default value. # default value.
+# To modify the system-wide sshd configuration, create a *.conf file under
+# /etc/ssh/sshd_config.d/ which will be automatically included below
+Include /etc/ssh/sshd_config.d/*.conf
+
+# If you want to change the port on a SELinux system, you have to tell +# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change. +# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER +# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
@ -76,30 +88,20 @@ diff -up openssh/sshd_config.redhat openssh/sshd_config
#Port 22 #Port 22
#AddressFamily any #AddressFamily any
#ListenAddress 0.0.0.0 #ListenAddress 0.0.0.0
@@ -114,3 +118,7 @@ Subsystem sftp /usr/libexec/sftp-server
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
+
+# To modify the system-wide ssh configuration, create a *.conf file under
+# /etc/ssh/sshd_config.d/ which will be automatically included below
+Include /etc/ssh/sshd_config.d/*.conf
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
--- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100 --- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100
+++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100 +++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100
@@ -0,0 +1,31 @@ Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.7p1.patch
+# System-wide Crypto policy: @@ -0,0 +1,28 @@
+# This system is following system-wide crypto policy. The changes to +# This system is following system-wide crypto policy. The changes to
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any +# crypto properties (Ciphers, MACs, ...) will not have any effect in
+# effect here. They will be overridden by command-line options passed on +# this or following included files. To override some configuration option,
+# the server start up. +# write it before this block or include it before this file.
+# To opt out, uncomment a line with redefinition of CRYPTO_POLICY= +# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
+# variable in /etc/sysconfig/sshd to overwrite the policy. +Include /etc/crypto-policies/back-ends/opensshserver.config
+# For more information, see manual page for update-crypto-policies(8).
+ +
+SyslogFacility AUTHPRIV +SyslogFacility AUTHPRIV
+ +
+PasswordAuthentication yes
+ChallengeResponseAuthentication no +ChallengeResponseAuthentication no
+ +
+GSSAPIAuthentication yes +GSSAPIAuthentication yes
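Review bot: The new sshd_config hunk (`@@ -10,6 +10,14 @@`, the three added lines ending in `Include /etc/ssh/sshd_config.d/*.conf`) moves the drop-in Include from the end of the file to the top, while the old end-of-file hunk (`@@ -114,3 +118,7 @@`) disappears from the new side, as far as the merged two-column rendering can be read. Because sshd keeps the first value it obtains for each option, this silently inverts precedence: anything in sshd_config.d/*.conf now overrides later lines in the main file, where before the main file won, and an administrator who hardened PasswordAuthentication or PermitRootLogin in sshd_config itself can be overridden by a packaged drop-in. The added comment only says the files "will be automatically included below", so I would extend it with `# sshd uses the first value it reads for each option, so options set in` / `# those drop-in files take precedence over anything set later in this file.`, matching the precedence note the new sshd_config_redhat already carries for its crypto-policies Include. If the intent really is "drop-ins win", that should be stated in the commit message as a behaviour change for existing deployments.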


@ -0,0 +1,28 @@
diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.log-usepam-no 2021-04-19 14:00:45.099735129 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-UsePAM-warning.patch
@@ -1749,6 +1749,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
cfg, &includes, NULL);
+ /* 'UsePAM no' is not supported in Fedora */
+ if (! options.use_pam)
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
+
#ifdef WITH_OPENSSL
if (options.moduli_file != NULL)
dh_set_moduli_file(options.moduli_file);
diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config
--- openssh-8.6p1/sshd_config.log-usepam-no 2021-04-19 14:00:45.098735121 +0200
+++ openssh-8.6p1/sshd_config 2021-04-19 14:00:45.099735129 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-UsePAM-warning.patch
@@ -87,6 +87,8 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
#UsePAM no
#AllowAgentForwarding yes
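Review bot: The added `if (! options.use_pam)` warning in the sshd.c hunk is placed directly after a `parse_server_config()` call whose first argument is `rexeced_flag ? "rexec" : config_file_name`, which suggests this code also runs in the re-exec'd per-connection child; if so the WARNING will be logged for every accepted connection, not once at daemon start, which is noisy in auth logs and useless for an operator who has already seen it. Guarding it as `if (!rexeced_flag && !options.use_pam)` would emit it once from the listener only; I cannot see rexeced_flag's declaration from here, so confirm it is in scope at this point. The message also hardcodes "Fedora", which may not describe the distribution carrying this patch set, and it does not say what actually breaks (PAM account/session checks such as expiry, access and lockout policy are skipped), so a practitioner would want that spelled out, e.g. `"WARNING: 'UsePAM no' is not supported on this system: PAM account and session checks will be skipped."`. main() begins and ends outside this hunk.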


@ -1,6 +1,7 @@
diff -up openssh/auth2.c.role-mls openssh/auth2.c diff -up openssh/auth2.c.role-mls openssh/auth2.c
--- openssh/auth2.c.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/auth2.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth2.c 2018-08-22 11:14:56.815430916 +0200 +++ openssh/auth2.c 2018-08-22 11:14:56.815430916 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32 @@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ssh->authctxt; Authctxt *authctxt = ssh->authctxt;
Authmethod *m = NULL; Authmethod *m = NULL;
@ -43,6 +44,7 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200 +++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple @@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ssh->authctxt; Authctxt *authctxt = ssh->authctxt;
Gssctxt *gssctxt; Gssctxt *gssctxt;
@ -52,7 +54,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
gss_buffer_desc mic, gssbuf; gss_buffer_desc mic, gssbuf;
const char *displayname; const char *displayname;
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple @@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
fatal("%s: sshbuf_new failed", __func__); fatal_f("sshbuf_new failed");
mic.value = p; mic.value = p;
mic.length = len; mic.length = len;
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service, - ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
@ -63,7 +65,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
+#endif +#endif
+ micuser = authctxt->user; + micuser = authctxt->user;
+ ssh_gssapi_buildmic(b, micuser, authctxt->service, + ssh_gssapi_buildmic(b, micuser, authctxt->service,
"gssapi-with-mic"); "gssapi-with-mic", ssh->kex->session_id);
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple @@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
@ -78,9 +80,10 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
--- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200 +++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh) @@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
/* reconstruct packet */ /* reconstruct packet */
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 || if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ (authctxt->role + (authctxt->role
@ -98,6 +101,7 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200 --- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
+++ openssh/auth2-pubkey.c 2018-08-22 11:17:07.331483958 +0200 +++ openssh/auth2-pubkey.c 2018-08-22 11:17:07.331483958 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh) @@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh)
goto done; goto done;
} }
@ -120,6 +124,7 @@ diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
diff -up openssh/auth.h.role-mls openssh/auth.h diff -up openssh/auth.h.role-mls openssh/auth.h
--- openssh/auth.h.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/auth.h.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth.h 2018-08-22 11:14:56.816430924 +0200 +++ openssh/auth.h 2018-08-22 11:14:56.816430924 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -65,6 +65,9 @@ struct Authctxt { @@ -65,6 +65,9 @@ struct Authctxt {
char *service; char *service;
struct passwd *pw; /* set if 'valid' */ struct passwd *pw; /* set if 'valid' */
@ -133,6 +138,7 @@ diff -up openssh/auth.h.role-mls openssh/auth.h
diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
--- openssh/auth-pam.c.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/auth-pam.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200 +++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -1172,7 +1172,7 @@ is_pam_session_open(void) @@ -1172,7 +1172,7 @@ is_pam_session_open(void)
* during the ssh authentication process. * during the ssh authentication process.
*/ */
@ -145,6 +151,7 @@ diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
--- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200 +++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -33,7 +33,7 @@ u_int do_pam_account(void); @@ -33,7 +33,7 @@ u_int do_pam_account(void);
void do_pam_session(struct ssh *); void do_pam_session(struct ssh *);
void do_pam_setcred(int ); void do_pam_setcred(int );
@ -154,23 +161,10 @@ diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
char ** fetch_pam_environment(void); char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void); char ** fetch_pam_child_environment(void);
void free_pam_environment(char **); void free_pam_environment(char **);
diff -up openssh/configure.ac.role-mls openssh/configure.ac
--- openssh/configure.ac.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/configure.ac 2018-08-22 11:14:56.820430957 +0200
@@ -4241,10 +4241,7 @@ AC_ARG_WITH([selinux],
LIBS="$LIBS -lselinux"
],
AC_MSG_ERROR([SELinux support requires libselinux library]))
- SSHLIBS="$SSHLIBS $LIBSELINUX"
- SSHDLIBS="$SSHDLIBS $LIBSELINUX"
AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
- LIBS="$save_LIBS"
fi ]
)
AC_SUBST([SSHLIBS])
diff -up openssh/misc.c.role-mls openssh/misc.c diff -up openssh/misc.c.role-mls openssh/misc.c
--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200 +++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -542,6 +542,7 @@ char * @@ -542,6 +542,7 @@ char *
colon(char *cp) colon(char *cp)
{ {
@ -193,10 +187,11 @@ diff -up openssh/misc.c.role-mls openssh/misc.c
} }
return NULL; return NULL;
} }
diff -up openssh/monitor.c.role-mls openssh/monitor.c diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
--- openssh/monitor.c.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh-8.6p1/monitor.c.role-mls 2021-04-16 05:55:25.000000000 +0200
+++ openssh/monitor.c 2018-08-22 11:19:56.006844867 +0200 +++ openssh-8.6p1/monitor.c 2021-05-21 14:21:56.719414087 +0200
@@ -115,6 +115,9 @@ int mm_answer_sign(int, struct sshbuf *) Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *); int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *); int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
int mm_answer_authserv(struct ssh *, int, struct sshbuf *); int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
@ -206,7 +201,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *); int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
@@ -189,6 +192,9 @@ struct mon_table mon_dispatch_proto20[] @@ -195,6 +198,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -216,7 +211,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM #ifdef USE_PAM
@@ -796,6 +802,9 @@ mm_answer_pwnamallow(int sock, struct ss @@ -803,6 +809,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
/* Allow service/style information on the auth context */ /* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -226,7 +221,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
#ifdef USE_PAM #ifdef USE_PAM
@@ -842,6 +851,26 @@ mm_answer_authserv(int sock, struct sshb @@ -877,6 +886,26 @@ key_base_type_match(const char *method,
return found; return found;
} }
@ -238,8 +233,8 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
+ monitor_permit_authentications(1); + monitor_permit_authentications(1);
+ +
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0) + if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_f("buffer error: %s", ssh_err(r));
+ debug3("%s: role=%s", __func__, authctxt->role); + debug3_f("role=%s", authctxt->role);
+ +
+ if (strlen(authctxt->role) == 0) { + if (strlen(authctxt->role) == 0) {
+ free(authctxt->role); + free(authctxt->role);
@ -253,7 +248,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
int int
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m) mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
{ {
@@ -1218,7 +1247,7 @@ monitor_valid_userblob(u_char *data, u_i @@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
{ {
struct sshbuf *b; struct sshbuf *b;
const u_char *p; const u_char *p;
@ -262,16 +257,16 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
size_t len; size_t len;
u_char type; u_char type;
int r, fail = 0; int r, fail = 0;
@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i @@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
fail++; fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse userstyle");
+ if ((s = strchr(cp, '/')) != NULL) + if ((s = strchr(cp, '/')) != NULL)
+ *s = '\0'; + *s = '\0';
xasprintf(&userstyle, "%s%s%s", authctxt->user, xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "", authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : ""); authctxt->style ? authctxt->style : "");
@@ -1286,7 +1317,7 @@ monitor_valid_hostbasedblob(u_char *data @@ -1317,7 +1348,7 @@ monitor_valid_hostbasedblob(const u_char
{ {
struct sshbuf *b; struct sshbuf *b;
const u_char *p; const u_char *p;
@ -280,11 +275,11 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
size_t len; size_t len;
int r, fail = 0; int r, fail = 0;
u_char type; u_char type;
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data @@ -1338,6 +1370,8 @@ monitor_valid_hostbasedblob(const u_char
fail++; fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse userstyle");
+ if ((s = strchr(p, '/')) != NULL) + if ((s = strchr(cp, '/')) != NULL)
+ *s = '\0'; + *s = '\0';
xasprintf(&userstyle, "%s%s%s", authctxt->user, xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "", authctxt->style ? ":" : "",
@ -292,6 +287,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
diff -up openssh/monitor.h.role-mls openssh/monitor.h diff -up openssh/monitor.h.role-mls openssh/monitor.h
--- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200 +++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -55,6 +55,10 @@ enum monitor_reqtype { @@ -55,6 +55,10 @@ enum monitor_reqtype {
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49, MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
MONITOR_REQ_TERM = 50, MONITOR_REQ_TERM = 50,
@ -306,6 +302,7 @@ diff -up openssh/monitor.h.role-mls openssh/monitor.h
diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
--- openssh/monitor_wrap.c.role-mls 2018-08-22 11:14:56.818430941 +0200 --- openssh/monitor_wrap.c.role-mls 2018-08-22 11:14:56.818430941 +0200
+++ openssh/monitor_wrap.c 2018-08-22 11:21:47.938747968 +0200 +++ openssh/monitor_wrap.c 2018-08-22 11:21:47.938747968 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char * @@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char *
sshbuf_free(m); sshbuf_free(m);
} }
@ -319,12 +316,12 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
+ int r; + int r;
+ struct sshbuf *m; + struct sshbuf *m;
+ +
+ debug3("%s entering", __func__); + debug3_f("entering");
+ +
+ if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0) + if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_f("buffer error: %s", ssh_err(r));
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
+ +
+ sshbuf_free(m); + sshbuf_free(m);
@ -337,9 +334,10 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
--- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200 --- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200 +++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int); @@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *, const u_char *, size_t, const char *, const char *,
const u_char *, size_t, const char *, const char *, u_int compat); const char *, u_int compat);
void mm_inform_authserv(char *, char *); void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+void mm_inform_authrole(char *); +void mm_inform_authrole(char *);
@ -350,8 +348,9 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200 +++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -92,7 +92,8 @@ PORTS= port-aix.o \ @@ -92,7 +92,8 @@ PORTS= port-aix.o \
port-linux.o \ port-prngd.o \
port-solaris.o \ port-solaris.o \
port-net.o \ port-net.o \
- port-uw.o - port-uw.o
@ -363,6 +362,7 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make
diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
--- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200 +++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname) @@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname)
return sc; return sc;
} }
@ -371,7 +371,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
-void -void
-ssh_selinux_setup_exec_context(char *pwname) -ssh_selinux_setup_exec_context(char *pwname)
-{ -{
- security_context_t user_ctx = NULL; - char *user_ctx = NULL;
- -
- if (!ssh_selinux_enabled()) - if (!ssh_selinux_enabled())
- return; - return;
@ -407,7 +407,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
- user_ctx = ssh_selinux_getctxbyname(pwname); - user_ctx = ssh_selinux_getctxbyname(pwname);
+ if (getexeccon(&user_ctx) != 0) { + if (getexeccon(&user_ctx) != 0) {
+ error("%s: getexeccon: %s", __func__, strerror(errno)); + error_f("getexeccon: %s", strerror(errno));
+ goto out; + goto out;
+ } + }
+ +
@ -417,6 +417,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h
--- openssh/openbsd-compat/port-linux.h.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/openbsd-compat/port-linux.h.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/openbsd-compat/port-linux.h 2018-08-22 11:14:56.819430949 +0200 +++ openssh/openbsd-compat/port-linux.h 2018-08-22 11:14:56.819430949 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -20,9 +20,10 @@ @@ -20,9 +20,10 @@
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
int ssh_selinux_enabled(void); int ssh_selinux_enabled(void);
@ -432,7 +433,8 @@ diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/por
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200 --- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200 +++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
@@ -0,0 +1,425 @@ Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -0,0 +1,421 @@
+/* +/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com> + * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
@ -544,7 +546,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ access_vector_t bit; + access_vector_t bit;
+ security_class_t class; + security_class_t class;
+ +
+ debug("%s: src:%s dst:%s", __func__, src, dst); + debug_f("src:%s dst:%s", src, dst);
+ class = string_to_security_class("context"); + class = string_to_security_class("context");
+ if (!class) { + if (!class) {
+ error("string_to_security_class failed to translate security class context"); + error("string_to_security_class failed to translate security class context");
@ -706,7 +708,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ /* we actually don't change level */ + /* we actually don't change level */
+ reqlvl = ""; + reqlvl = "";
+ +
+ debug("%s: current connection level '%s'", __func__, reqlvl); + debug_f("current connection level '%s'", reqlvl);
+ +
+ } + }
+ +
@ -734,8 +736,8 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ } + }
+ } + }
+ if (r != 0) { + if (r != 0) {
+ error("%s: Failed to get default SELinux security " + error_f("Failed to get default SELinux security "
+ "context for %s", __func__, pwname); + "context for %s", pwname);
+ } + }
+ +
+#ifdef HAVE_GETSEUSERBYNAME +#ifdef HAVE_GETSEUSERBYNAME
@ -760,7 +762,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ char *use_current; + char *use_current;
+ int rv; + int rv;
+ +
+ debug3("%s: setting execution context", __func__); + debug3_f("setting execution context");
+ +
+ ssh_selinux_get_role_level(&role, &reqlvl); + ssh_selinux_get_role_level(&role, &reqlvl);
+ +
@ -797,32 +799,30 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ if (sshd_selinux_setup_pam_variables()) { + if (sshd_selinux_setup_pam_variables()) {
+ switch (security_getenforce()) { + switch (security_getenforce()) {
+ case -1: + case -1:
+ fatal("%s: security_getenforce() failed", __func__); + fatal_f("security_getenforce() failed");
+ case 0: + case 0:
+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.", + error_f("SELinux PAM variable setup failure. Continuing in permissive mode.");
+ __func__);
+ break; + break;
+ default: + default:
+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.", + fatal_f("SELinux PAM variable setup failure. Aborting connection.");
+ __func__);
+ } + }
+ } + }
+ return; + return;
+ } + }
+ +
+ debug3("%s: setting execution context", __func__); + debug3_f("setting execution context");
+ +
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx); + r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
+ if (r >= 0) { + if (r >= 0) {
+ r = setexeccon(user_ctx); + r = setexeccon(user_ctx);
+ if (r < 0) { + if (r < 0) {
+ error("%s: Failed to set SELinux execution context %s for %s", + error_f("Failed to set SELinux execution context %s for %s",
+ __func__, user_ctx, pwname); + user_ctx, pwname);
+ } + }
+#ifdef HAVE_SETKEYCREATECON +#ifdef HAVE_SETKEYCREATECON
+ else if (setkeycreatecon(user_ctx) < 0) { + else if (setkeycreatecon(user_ctx) < 0) {
+ error("%s: Failed to set SELinux keyring creation context %s for %s", + error_f("Failed to set SELinux keyring creation context %s for %s",
+ __func__, user_ctx, pwname); + user_ctx, pwname);
+ } + }
+#endif +#endif
+ } + }
@ -837,14 +837,12 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ if (r < 0) { + if (r < 0) {
+ switch (security_getenforce()) { + switch (security_getenforce()) {
+ case -1: + case -1:
+ fatal("%s: security_getenforce() failed", __func__); + fatal_f("security_getenforce() failed");
+ case 0: + case 0:
+ error("%s: SELinux failure. Continuing in permissive mode.", + error_f("ELinux failure. Continuing in permissive mode.");
+ __func__);
+ break; + break;
+ default: + default:
+ fatal("%s: SELinux failure. Aborting connection.", + fatal_f("SELinux failure. Aborting connection.");
+ __func__);
+ } + }
+ } + }
+ if (user_ctx != NULL && user_ctx != default_ctx) + if (user_ctx != NULL && user_ctx != default_ctx)
@ -852,7 +850,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ if (default_ctx != NULL) + if (default_ctx != NULL)
+ freecon(default_ctx); + freecon(default_ctx);
+ +
+ debug3("%s: done", __func__); + debug3_f("done");
+} +}
+ +
+#endif +#endif
@ -861,6 +859,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
diff -up openssh/platform.c.role-mls openssh/platform.c diff -up openssh/platform.c.role-mls openssh/platform.c
--- openssh/platform.c.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/platform.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200 +++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru @@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru
} }
#endif /* HAVE_SETPCRED */ #endif /* HAVE_SETPCRED */
@ -873,6 +872,7 @@ diff -up openssh/platform.c.role-mls openssh/platform.c
diff -up openssh/sshd.c.role-mls openssh/sshd.c diff -up openssh/sshd.c.role-mls openssh/sshd.c
--- openssh/sshd.c.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/sshd.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/sshd.c 2018-08-22 11:14:56.820430957 +0200 +++ openssh/sshd.c 2018-08-22 11:14:56.820430957 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-role-mls.patch
@@ -2186,6 +2186,9 @@ main(int ac, char **av) @@ -2186,6 +2186,9 @@ main(int ac, char **av)
restore_uid(); restore_uid();
} }


@ -2,6 +2,7 @@ diff --git a/scp.c b/scp.c
index 60682c68..9344806e 100644 index 60682c68..9344806e 100644
--- a/scp.c --- a/scp.c
+++ b/scp.c +++ b/scp.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.8p1-scp-ipv6.patch
@@ -714,7 +714,9 @@ toremote(int argc, char **argv) @@ -714,7 +714,9 @@ toremote(int argc, char **argv)
addargs(&alist, "%s", host); addargs(&alist, "%s", host);
addargs(&alist, "%s", cmd); addargs(&alist, "%s", cmd);


@ -0,0 +1,503 @@
diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
--- openssh-8.7p1/ssh_config.5.crypto-policies 2021-08-30 13:29:00.174292872 +0200
+++ openssh-8.7p1/ssh_config.5 2021-08-30 13:31:32.009548808 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-crypto-policies.patch
@@ -373,17 +373,13 @@ or
causes no CNAMEs to be considered for canonicalization.
This is the default behaviour.
.It Cm CASignatureAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
-.Pp
If the specified list begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
@@ -445,20 +441,25 @@ If the option is set to
(the default),
the check will not be executed.
.It Cm Ciphers
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the ciphers allowed and their order of preference.
Multiple ciphers must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified ciphers will be appended to the default set
-instead of replacing them.
+character, then the specified ciphers will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified ciphers (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified ciphers will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp
The supported ciphers are:
.Bd -literal -offset indent
@@ -474,13 +475,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
.Ed
.Pp
-The default is:
-.Bd -literal -offset indent
-chacha20-poly1305@openssh.com,
-aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
-.Ed
-.Pp
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClearAllForwardings
@@ -874,6 +868,11 @@ command line will be passed untouched to
The default is
.Dq no .
.It Cm GSSAPIKexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
The list of key exchange algorithms that are offered for GSSAPI
key exchange. Possible values are
.Bd -literal -offset 3n
@@ -886,10 +885,8 @@ gss-nistp256-sha256-,
gss-curve25519-sha256-
.Ed
.Pp
-The default is
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
This option only applies to connections using GSSAPI.
+.Pp
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
@@ -1219,29 +1216,25 @@ it may be zero or more of:
and
.Cm pam .
.It Cm KexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
-The default is:
-.Bd -literal -offset indent
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
-diffie-hellman-group16-sha512,
-diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
-.Ed
+built-in openssh default set.
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
@@ -1351,37 +1344,33 @@ function, and all code in the
file.
This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the MAC (message authentication code) algorithms
in order of preference.
The MAC algorithm is used for data integrity protection.
Multiple algorithms must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp
The algorithms that contain
.Qq -etm
calculate the MAC after encryption (encrypt-then-mac).
These are considered safer and their use recommended.
.Pp
-The default is:
-.Bd -literal -offset indent
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-sha1-etm@openssh.com,
-umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
-.Ed
-.Pp
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm NoHostAuthenticationForLocalhost
@@ -1553,36 +1542,25 @@ instead of continuing to execute and pas
The default is
.Cm no .
.It Cm PubkeyAcceptedAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the signature algorithms that will be used for public key
authentication as a comma-separated list of patterns.
If the specified list begins with a
.Sq +
-character, then the algorithms after it will be appended to the default
-instead of replacing it.
+character, then the algorithms after it will be appended to the built-in
+openssh default instead of replacing it.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
-The default for this option is:
-.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
+built-in openssh default set.
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedAlgorithms .
diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
--- openssh-8.7p1/sshd_config.5.crypto-policies 2021-08-30 13:29:00.157292731 +0200
+++ openssh-8.7p1/sshd_config.5 2021-08-30 13:32:16.263918533 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-crypto-policies.patch
@@ -373,17 +373,13 @@ If the argument is
then no banner is displayed.
By default, no banner is displayed.
.It Cm CASignatureAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,
-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
-.Pp
If the specified list begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
@@ -450,20 +446,25 @@ The default is
indicating not to
.Xr chroot 2 .
.It Cm Ciphers
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the ciphers allowed.
Multiple ciphers must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified ciphers will be appended to the default set
-instead of replacing them.
+character, then the specified ciphers will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified ciphers (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified ciphers will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp
The supported ciphers are:
.Pp
@@ -490,13 +491,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-chacha20-poly1305@openssh.com,
-aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
-.Ed
-.Pp
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClientAliveCountMax
@@ -685,21 +679,22 @@ For this to work
.Cm GSSAPIKeyExchange
needs to be enabled in the server and also used by the client.
.It Cm GSSAPIKexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
The list of key exchange algorithms that are accepted by GSSAPI
key exchange. Possible values are
.Bd -literal -offset 3n
-gss-gex-sha1-,
-gss-group1-sha1-,
-gss-group14-sha1-,
-gss-group14-sha256-,
-gss-group16-sha512-,
-gss-nistp256-sha256-,
+gss-gex-sha1-
+gss-group1-sha1-
+gss-group14-sha1-
+gss-group14-sha256-
+gss-group16-sha512-
+gss-nistp256-sha256-
gss-curve25519-sha256-
.Ed
-.Pp
-The default is
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedAlgorithms
Specifies the signature algorithms that will be accepted for hostbased
@@ -799,26 +794,13 @@ is specified, the location of the socket
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm HostKeyAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the host key signature algorithms
that the server offers.
-The default for this option is:
-.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
-.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts
@@ -965,20 +947,25 @@ Specifies whether to look at .k5login fi
The default is
.Cm yes .
.It Cm KexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
Alternately if the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
+built-in openssh default set.
The supported algorithms are:
.Pp
.Bl -item -compact -offset indent
@@ -1010,15 +997,6 @@ ecdh-sha2-nistp521
sntrup761x25519-sha512@openssh.com
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
-.Ed
-.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress
@@ -1104,21 +1082,26 @@ function, and all code in the
file.
This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the available MAC (message authentication code) algorithms.
The MAC algorithm is used for data integrity protection.
Multiple algorithms must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp
The algorithms that contain
.Qq -etm
@@ -1161,15 +1144,6 @@ umac-64-etm@openssh.com
umac-128-etm@openssh.com
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-sha1-etm@openssh.com,
-umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
-.Ed
-.Pp
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm Match
@@ -1548,37 +1522,25 @@ or equivalent.)
The default is
.Cm yes .
.It Cm PubkeyAcceptedAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the signature algorithms that will be accepted for public key
authentication as a list of comma-separated patterns.
Alternately if the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
-The default for this option is:
-.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
+built-in openssh default set.
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedAlgorithms .


@ -0,0 +1,13 @@
diff -up openssh-8.0p1/ssh-keygen.c.strip-doseol openssh-8.0p1/ssh-keygen.c
--- openssh-8.0p1/ssh-keygen.c.strip-doseol 2021-03-18 17:41:34.472404994 +0100
+++ openssh-8.0p1/ssh-keygen.c 2021-03-18 17:41:55.255538761 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-keygen-strip-doseol.patch
@@ -901,7 +901,7 @@ do_fingerprint(struct passwd *pw)
while (getline(&line, &linesize, f) != -1) {
lnum++;
cp = line;
- cp[strcspn(cp, "\n")] = '\0';
+ cp[strcspn(cp, "\r\n")] = '\0';
/* Trim leading space and comments */
cp = line + strspn(line, " \t");
if (*cp == '#' || *cp == '\0')


@ -5,11 +5,16 @@ Subject: [PATCH] Use high-level OpenSSL API for signatures
--- ---
digest-openssl.c | 16 ++++ digest-openssl.c | 16 ++++
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch
digest.h | 6 ++ digest.h | 6 ++
ssh-dss.c | 65 ++++++++++------ ssh-dss.c | 65 ++++++++++------
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch
ssh-ecdsa.c | 69 ++++++++++------- ssh-ecdsa.c | 69 ++++++++++-------
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch
ssh-rsa.c | 193 +++++++++-------------------------------------- ssh-rsa.c | 193 +++++++++--------------------------------------
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch
sshkey.c | 77 +++++++++++++++++++ sshkey.c | 77 +++++++++++++++++++
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch
sshkey.h | 4 + sshkey.h | 4 +
7 files changed, 221 insertions(+), 209 deletions(-) 7 files changed, 221 insertions(+), 209 deletions(-)
@ -17,6 +22,7 @@ diff --git a/digest-openssl.c b/digest-openssl.c
index da7ed72bc..6a21d8adb 100644 index da7ed72bc..6a21d8adb 100644
--- a/digest-openssl.c --- a/digest-openssl.c
+++ b/digest-openssl.c +++ b/digest-openssl.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch
@@ -63,6 +63,22 @@ const struct ssh_digest digests[] = { @@ -63,6 +63,22 @@ const struct ssh_digest digests[] = {
{ -1, NULL, 0, NULL }, { -1, NULL, 0, NULL },
}; };
@ -44,6 +50,7 @@ diff --git a/digest.h b/digest.h
index 274574d0e..c7ceeb36f 100644 index 274574d0e..c7ceeb36f 100644
--- a/digest.h --- a/digest.h
+++ b/digest.h +++ b/digest.h
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch
@@ -32,6 +32,12 @@ @@ -32,6 +32,12 @@
struct sshbuf; struct sshbuf;
struct ssh_digest_ctx; struct ssh_digest_ctx;
@ -61,6 +68,7 @@ diff --git a/ssh-dss.c b/ssh-dss.c
index a23c383dc..ea45e7275 100644 index a23c383dc..ea45e7275 100644
--- a/ssh-dss.c --- a/ssh-dss.c
+++ b/ssh-dss.c +++ b/ssh-dss.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch
@@ -52,11 +52,15 @@ int @@ -52,11 +52,15 @@ int
ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat) const u_char *data, size_t datalen, u_int compat)
@ -191,6 +199,7 @@ diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
index 599c7199d..b036796e8 100644 index 599c7199d..b036796e8 100644
--- a/ssh-ecdsa.c --- a/ssh-ecdsa.c
+++ b/ssh-ecdsa.c +++ b/ssh-ecdsa.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch
@@ -50,11 +50,13 @@ int @@ -50,11 +50,13 @@ int
ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat) const u_char *data, size_t datalen, u_int compat)
@ -328,6 +337,7 @@ diff --git a/ssh-rsa.c b/ssh-rsa.c
index 9b14f9a9a..8ef3a6aca 100644 index 9b14f9a9a..8ef3a6aca 100644
--- a/ssh-rsa.c --- a/ssh-rsa.c
+++ b/ssh-rsa.c +++ b/ssh-rsa.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch
@@ -37,7 +37,7 @@ @@ -37,7 +37,7 @@
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
@ -618,6 +628,7 @@ diff --git a/sshkey.c b/sshkey.c
index ad1957762..b95ed0b10 100644 index ad1957762..b95ed0b10 100644
--- a/sshkey.c --- a/sshkey.c
+++ b/sshkey.c +++ b/sshkey.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch
@@ -358,6 +358,83 @@ sshkey_type_plain(int type) @@ -358,6 +358,83 @@ sshkey_type_plain(int type)
} }
@ -706,6 +717,7 @@ diff --git a/sshkey.h b/sshkey.h
index a91e60436..270901a87 100644 index a91e60436..270901a87 100644
--- a/sshkey.h --- a/sshkey.h
+++ b/sshkey.h +++ b/sshkey.h
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-evp.patch
@@ -179,6 +179,10 @@ const char *sshkey_ssh_name(const struct sshkey *); @@ -179,6 +179,10 @@ const char *sshkey_ssh_name(const struct sshkey *);
const char *sshkey_ssh_name_plain(const struct sshkey *); const char *sshkey_ssh_name_plain(const struct sshkey *);
int sshkey_names_valid2(const char *, int); int sshkey_names_valid2(const char *, int);


@ -8,6 +8,7 @@ diff --git a/configure.ac b/configure.ac
index 2a455e4e..e01c3d43 100644 index 2a455e4e..e01c3d43 100644
--- a/configure.ac --- a/configure.ac
+++ b/configure.ac +++ b/configure.ac
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-kdf.patch
@@ -2712,6 +2712,7 @@ if test "x$openssl" = "xyes" ; then @@ -2712,6 +2712,7 @@ if test "x$openssl" = "xyes" ; then
HMAC_CTX_init \ HMAC_CTX_init \
RSA_generate_key_ex \ RSA_generate_key_ex \
@ -20,6 +21,7 @@ diff --git a/kex.c b/kex.c
index b6f041f4..1fbce2bb 100644 index b6f041f4..1fbce2bb 100644
--- a/kex.c --- a/kex.c
+++ b/kex.c +++ b/kex.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-openssl-kdf.patch
@@ -38,6 +38,9 @@ @@ -38,6 +38,9 @@
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
#include <openssl/crypto.h> #include <openssl/crypto.h>
@ -96,7 +98,7 @@ index b6f041f4..1fbce2bb 100644
+ goto out; + goto out;
+ } + }
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, + r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
+ kex->session_id, kex->session_id_len); + sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id));
+ if (r != 1) { + if (r != 1) {
+ r = SSH_ERR_LIBCRYPTO_ERROR; + r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out; + goto out;


@ -0,0 +1,45 @@
diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c
--- openssh-8.0p1/auth-pam.c.preserve-pam-errors 2021-03-31 17:03:15.618592347 +0200
+++ openssh-8.0p1/auth-pam.c 2021-03-31 17:06:58.115220014 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.0p1-preserve-pam-errors.patch
@@ -511,7 +511,11 @@ sshpam_thread(void *ctxtp)
goto auth_fail;
if (!do_pam_account()) {
- sshpam_err = PAM_ACCT_EXPIRED;
+ /* Preserve PAM_PERM_DENIED and PAM_USER_UNKNOWN.
+ * Backward compatibility for other errors. */
+ if (sshpam_err != PAM_PERM_DENIED
+ && sshpam_err != PAM_USER_UNKNOWN)
+ sshpam_err = PAM_ACCT_EXPIRED;
goto auth_fail;
}
if (sshpam_authctxt->force_pwchange) {
@@ -568,8 +572,10 @@ sshpam_thread(void *ctxtp)
pam_strerror(sshpam_handle, sshpam_err))) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
/* XXX - can't do much about an error here */
- if (sshpam_err == PAM_ACCT_EXPIRED)
- ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer);
+ if (sshpam_err == PAM_PERM_DENIED
+ || sshpam_err == PAM_USER_UNKNOWN
+ || sshpam_err == PAM_ACCT_EXPIRED)
+ ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer);
else if (sshpam_maxtries_reached)
ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
else
@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha
plen++;
free(msg);
break;
+ case PAM_USER_UNKNOWN:
+ case PAM_PERM_DENIED:
case PAM_ACCT_EXPIRED:
+ sshpam_account_status = 0;
+ /* FALLTHROUGH */
case PAM_MAXTRIES:
- if (type == PAM_ACCT_EXPIRED)
- sshpam_account_status = 0;
if (type == PAM_MAXTRIES)
sshpam_set_maxtries_reached(1);
/* FALLTHROUGH */
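Review bot: The comment added at the top of the sshpam_thread hunk says what is preserved but not why, and the new PAM_USER_UNKNOWN/PAM_PERM_DENIED cases in sshpam_query depend on the same reason; suggest `/* Keep PAM_PERM_DENIED / PAM_USER_UNKNOWN from do_pam_account() so the monitor side can tell the real cause apart; every other account error is still reported as PAM_ACCT_EXPIRED to keep the old behaviour. */`. Both sshpam_thread and sshpam_query start and end outside the hunk. As far as the visible lines show, the preserved code only changes the message type sent over pam_csock and the account status cleared in sshpam_query; it is worth confirming that the fall-through into the PAM_MAXTRIES case does not surface pam_strerror() text for PAM_USER_UNKNOWN to the remote client, since a distinct client-visible message would let an unauthenticated peer tell unknown accounts from denied ones.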


@ -2,6 +2,7 @@ diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c
index dca158de..afdcb1d2 100644 index dca158de..afdcb1d2 100644
--- a/regress/misc/sk-dummy/sk-dummy.c --- a/regress/misc/sk-dummy/sk-dummy.c
+++ b/regress/misc/sk-dummy/sk-dummy.c +++ b/regress/misc/sk-dummy/sk-dummy.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.2p1-visibility.patch
@@ -71,7 +71,7 @@ skdebug(const char *func, const char *fmt, ...) @@ -71,7 +71,7 @@ skdebug(const char *func, const char *fmt, ...)
#endif #endif
} }
@ -26,7 +27,7 @@ index dca158de..afdcb1d2 100644
-int -int
+int __attribute__((visibility("default"))) +int __attribute__((visibility("default")))
sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
const char *application, const uint8_t *key_handle, size_t key_handle_len, const char *application, const uint8_t *key_handle, size_t key_handle_len,
uint8_t flags, const char *pin, struct sk_option **options, uint8_t flags, const char *pin, struct sk_option **options,
@@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, @@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,


@ -0,0 +1,31 @@
diff --git a/channels.c b/channels.c
--- a/channels.c
+++ b/channels.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.2p1-x11-without-ipv6.patch
@@ -3933,16 +3933,26 @@ x11_create_display_inet(int x11_display_
if (ai->ai_family == AF_INET6)
sock_set_v6only(sock);
if (x11_use_localhost)
set_reuseaddr(sock);
if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
debug2_f("bind port %d: %.100s", port,
strerror(errno));
close(sock);
+
+ /* do not remove successfully opened
+ * sockets if the request failed because
+ * the protocol IPv4/6 is not available
+ * (e.g. IPv6 may be disabled while being
+ * supported)
+ */
+ if (EADDRNOTAVAIL == errno)
+ continue;
+
for (n = 0; n < num_socks; n++)
close(socks[n]);
num_socks = 0;
break;
}
socks[num_socks++] = sock;
if (num_socks == NUM_SOCKS)
break;
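Review bot: The `if (EADDRNOTAVAIL == errno)` test reads errno after `close(sock)` (and after the debug2_f() call) rather than immediately after the failed bind(), so a close() that fails overwrites the value and the "protocol not available" case falls through to tearing down every socket already bound. Capture it first — `int oerrno = errno;` right after the bind() check (declared at the top of the function in OpenSSH style) and then `if (oerrno == EADDRNOTAVAIL)`; OpenSSH's log helpers preserve errno as far as I recall, but close() gives no such guarantee. The added comment could also state the remaining behaviour, e.g. `/* any other bind failure: close all sockets and give up */`. Whether a loop that ends with num_socks == 0 because every address was unavailable is reported sensibly depends on code after the hunk; x11_create_display_inet() and the loop over ai both begin and end outside it.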


@ -0,0 +1,49 @@
diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h
--- openssh-8.7p1/pathnames.h.kill-scp 2021-09-16 11:37:57.240171687 +0200
+++ openssh-8.7p1/pathnames.h 2021-09-16 11:42:29.183427917 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.7p1-scp-kill-switch.patch
@@ -42,6 +42,7 @@
#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
#define _PATH_DH_MODULI SSHDIR "/moduli"
+#define _PATH_SCP_KILL_SWITCH SSHDIR "/disable_scp"
#ifndef _PATH_SSH_PROGRAM
#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1
--- openssh-8.7p1/scp.1.kill-scp 2021-09-16 12:09:02.646714578 +0200
+++ openssh-8.7p1/scp.1 2021-09-16 12:26:49.978628226 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.7p1-scp-kill-switch.patch
@@ -278,6 +278,13 @@ to print debugging messages about their
This is helpful in
debugging connection, authentication, and configuration problems.
.El
+.Pp
+Usage of SCP protocol can be blocked by creating a world-readable
+.Ar /etc/ssh/disable_scp
+file. If this file exists, when SCP protocol is in use (either remotely or
+via the
+.Fl O
+option), the program will exit.
.Sh EXIT STATUS
.Ex -std scp
.Sh SEE ALSO
diff -up openssh-8.7p1/scp.c.kill-scp openssh-8.7p1/scp.c
--- openssh-8.7p1/scp.c.kill-scp 2021-09-16 11:42:56.013650519 +0200
+++ openssh-8.7p1/scp.c 2021-09-16 11:53:03.249713836 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-8.7p1-scp-kill-switch.patch
@@ -596,6 +596,14 @@ main(int argc, char **argv)
if (iamremote)
mode = MODE_SCP;
+ if (mode == MODE_SCP) {
+ FILE *f = fopen(_PATH_SCP_KILL_SWITCH, "r");
+ if (f != NULL) {
+ fclose(f);
+ fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH);
+ }
+ }
+
if ((pwd = getpwuid(userid = getuid())) == NULL)
fatal("unknown user %u", (u_int) userid);


@ -1,6 +1,7 @@
diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c
--- openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c 2020-02-07 10:43:05.011757956 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c 2020-09-23 10:52:16.424001475 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch
@@ -27,6 +27,7 @@ @@ -27,6 +27,7 @@
* or implied, of Jamie Beverly. * or implied, of Jamie Beverly.
*/ */
@ -9,7 +10,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss
#include <stdio.h> #include <stdio.h>
#include <errno.h> #include <errno.h>
#include <string.h> #include <string.h>
@@ -65,8 +66,8 @@ proc_pid_cmdline(char *** inargv) @@ -66,8 +67,8 @@ proc_pid_cmdline(char *** inargv)
case EOF: case EOF:
case '\0': case '\0':
if (len > 0) { if (len > 0) {
@ -20,7 +21,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss
strncpy(argv[count++], argbuf, len); strncpy(argv[count++], argbuf, len);
memset(argbuf, '\0', MAX_LEN_PER_CMDLINE_ARG + 1); memset(argbuf, '\0', MAX_LEN_PER_CMDLINE_ARG + 1);
len = 0; len = 0;
@@ -105,9 +106,9 @@ pamsshagentauth_free_command_line(char * @@ -106,9 +107,9 @@ pamsshagentauth_free_command_line(char *
{ {
size_t i; size_t i;
for (i = 0; i < n_args; i++) for (i = 0; i < n_args; i++)
@ -32,9 +33,10 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openss
return; return;
} }
diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/identity.h diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h
--- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2020-02-07 10:43:05.011757956 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h 2020-09-23 10:52:16.424001475 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch
@@ -30,8 +30,8 @@ @@ -30,8 +30,8 @@
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
#include "xmalloc.h" #include "xmalloc.h"
@ -55,9 +57,10 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-compat openssh/pam_ss
char *filename; /* comment for agent-only keys */ char *filename; /* comment for agent-only keys */
int tried; int tried;
int isprivate; /* key points to the private key */ int isprivate; /* key points to the private key */
diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat 2020-02-07 10:43:05.009757925 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c.psaa-compat 2020-09-23 10:52:16.421001434 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2020-02-07 10:43:05.012757972 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c 2020-09-23 10:52:16.424001475 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch
@@ -36,8 +36,8 @@ @@ -36,8 +36,8 @@
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
#include "xmalloc.h" #include "xmalloc.h"
@ -285,10 +288,11 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat
EVP_cleanup(); EVP_cleanup();
return retval; return retval;
} }
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c
--- openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat 2020-02-07 10:43:05.010757940 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c.psaa-compat 2020-09-23 10:52:16.423001461 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2020-02-07 10:43:05.012757972 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c 2020-09-23 10:53:10.631727657 +0200
@@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh, Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch
@@ -106,7 +106,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
* a patch 8-) * a patch 8-)
*/ */
#if ! HAVE___PROGNAME || HAVE_BUNDLE #if ! HAVE___PROGNAME || HAVE_BUNDLE
@ -297,7 +301,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
#endif #endif
for(i = argc, argv_ptr = (char **) argv; i > 0; ++argv_ptr, i--) { for(i = argc, argv_ptr = (char **) argv; i > 0; ++argv_ptr, i--) {
@@ -130,11 +130,11 @@ pam_sm_authenticate(pam_handle_t * pamh, @@ -132,11 +132,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
#endif #endif
} }
@ -311,7 +315,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
if(ruser_ptr) { if(ruser_ptr) {
strncpy(ruser, ruser_ptr, sizeof(ruser) - 1); strncpy(ruser, ruser_ptr, sizeof(ruser) - 1);
@@ -149,12 +149,12 @@ pam_sm_authenticate(pam_handle_t * pamh, @@ -151,12 +151,12 @@ pam_sm_authenticate(pam_handle_t * pamh,
#ifdef ENABLE_SUDO_HACK #ifdef ENABLE_SUDO_HACK
if( (strlen(sudo_service_name) > 0) && strncasecmp(servicename, sudo_service_name, sizeof(sudo_service_name) - 1) == 0 && getenv("SUDO_USER") ) { if( (strlen(sudo_service_name) > 0) && strncasecmp(servicename, sudo_service_name, sizeof(sudo_service_name) - 1) == 0 && getenv("SUDO_USER") ) {
strncpy(ruser, getenv("SUDO_USER"), sizeof(ruser) - 1 ); strncpy(ruser, getenv("SUDO_USER"), sizeof(ruser) - 1 );
@ -326,7 +330,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
goto cleanexit; goto cleanexit;
} }
strncpy(ruser, getpwuid(getuid())->pw_name, sizeof(ruser) - 1); strncpy(ruser, getpwuid(getuid())->pw_name, sizeof(ruser) - 1);
@@ -163,11 +163,11 @@ pam_sm_authenticate(pam_handle_t * pamh, @@ -165,11 +165,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
/* Might as well explicitely confirm the user exists here */ /* Might as well explicitely confirm the user exists here */
if(! getpwnam(ruser) ) { if(! getpwnam(ruser) ) {
@ -340,7 +344,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
goto cleanexit; goto cleanexit;
} }
@@ -177,8 +177,8 @@ pam_sm_authenticate(pam_handle_t * pamh, @@ -179,8 +179,8 @@ pam_sm_authenticate(pam_handle_t * pamh,
*/ */
parse_authorized_key_file(user, authorized_keys_file_input); parse_authorized_key_file(user, authorized_keys_file_input);
} else { } else {
@ -351,7 +355,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
} }
/* /*
@@ -187,19 +187,19 @@ pam_sm_authenticate(pam_handle_t * pamh, @@ -189,7 +189,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
*/ */
if(user && strlen(ruser) > 0) { if(user && strlen(ruser) > 0) {
@ -359,11 +363,26 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
+ verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file); + verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
/* /*
* Attempt to read data from the sshd if we're being called as an auth agent.
@@ -197,10 +197,10 @@ pam_sm_authenticate(pam_handle_t * pamh,
const char* ssh_user_auth = pam_getenv(pamh, "SSH_AUTH_INFO_0");
int sshd_service = strncasecmp(servicename, sshd_service_name, sizeof(sshd_service_name) - 1);
if (sshd_service == 0 && ssh_user_auth != NULL) {
- pamsshagentauth_verbose("Got SSH_AUTH_INFO_0: `%.20s...'", ssh_user_auth);
+ verbose("Got SSH_AUTH_INFO_0: `%.20s...'", ssh_user_auth);
if (userauth_pubkey_from_pam(ruser, ssh_user_auth) > 0) {
retval = PAM_SUCCESS;
- pamsshagentauth_logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
+ logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
goto cleanexit;
}
}
@@ -208,13 +208,13 @@ pam_sm_authenticate(pam_handle_t * pamh,
* this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user * this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user
*/ */
if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */ if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */
- pamsshagentauth_logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file); - pamsshagentauth_logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
+ logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file); + logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
retval = PAM_SUCCESS; retval = PAM_SUCCESS;
} else { } else {
- pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file); - pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
@ -375,9 +394,10 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat open
} }
cleanexit: cleanexit:
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2020-02-07 10:43:05.012757972 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c 2020-09-23 10:52:16.424001475 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch
@@ -66,8 +66,8 @@ @@ -66,8 +66,8 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "match.h" #include "match.h"
@ -442,9 +462,10 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compa
{ {
return return
pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid), pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h 2020-02-07 10:43:05.012757972 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h 2020-09-23 10:52:16.424001475 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch
@@ -32,7 +32,7 @@ @@ -32,7 +32,7 @@
#define _PAM_USER_KEY_ALLOWED_H #define _PAM_USER_KEY_ALLOWED_H
@ -454,9 +475,10 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.h.psaa-compa
void parse_authorized_key_file(const char *, const char *); void parse_authorized_key_file(const char *, const char *);
#endif #endif
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2020-02-07 10:43:05.012757972 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c 2020-09-23 10:52:16.424001475 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch
@@ -45,44 +45,46 @@ @@ -45,44 +45,46 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "ssh.h" #include "ssh.h"
@ -731,9 +753,10 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat o
+ restore_uid(); + restore_uid();
return found_key; return found_key;
} }
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h 2020-02-07 10:43:05.012757972 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h 2020-09-23 10:52:16.424001475 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch
@@ -32,7 +32,7 @@ @@ -32,7 +32,7 @@
#define _PAM_USER_KEY_ALLOWED_H #define _PAM_USER_KEY_ALLOWED_H
@ -744,9 +767,10 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.h.psaa-compat o
+int pamsshagentauth_user_key_command_allowed2(char *, char *, struct passwd *, struct sshkey *); +int pamsshagentauth_user_key_command_allowed2(char *, char *, struct passwd *, struct sshkey *);
#endif #endif
diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c
--- openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c 2020-02-07 10:43:05.012757972 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c 2020-09-23 10:52:16.424001475 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch
@@ -53,8 +53,8 @@ @@ -53,8 +53,8 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "match.h" #include "match.h"
@ -788,9 +812,10 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh
buf); buf);
break; break;
} }
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2020-02-07 10:43:23.520048960 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c 2020-09-23 10:52:16.424001475 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch
@@ -37,10 +37,11 @@ @@ -37,10 +37,11 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "ssh.h" #include "ssh.h"
@ -887,9 +912,10 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat
CRYPTO_cleanup_all_ex_data(); CRYPTO_cleanup_all_ex_data();
return authenticated; return authenticated;
} }
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h 2020-02-07 10:43:05.013757988 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h 2020-09-23 10:52:16.424001475 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch
@@ -31,7 +31,7 @@ @@ -31,7 +31,7 @@
#ifndef _USERAUTH_PUBKEY_FROM_ID_H #ifndef _USERAUTH_PUBKEY_FROM_ID_H
#define _USERAUTH_PUBKEY_FROM_ID_H #define _USERAUTH_PUBKEY_FROM_ID_H
@ -900,9 +926,10 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.h.psaa-compat
+int userauth_pubkey_from_id(const char *, Identity *, struct sshbuf *); +int userauth_pubkey_from_id(const char *, Identity *, struct sshbuf *);
#endif #endif
diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-0.10.3/uuencode.c diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c
--- openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/uuencode.c 2020-02-07 10:43:05.013757988 +0100 +++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c 2020-09-23 10:52:16.424001475 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch
@@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src @@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src
/* and remove trailing whitespace because __b64_pton needs this */ /* and remove trailing whitespace because __b64_pton needs this */
*p = '\0'; *p = '\0';
@ -928,3 +955,51 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh/pam_ss
- pamsshagentauth_xfree(buf); - pamsshagentauth_xfree(buf);
+ free(buf); + free(buf);
} }
--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_pam.c.compat 2020-09-23 11:32:30.783695267 +0200
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_pam.c 2020-09-23 11:33:21.383389036 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-compat.patch
@@ -33,7 +33,8 @@
#include <string.h>
#include "defines.h"
-#include "key.h"
+#include <includes.h>
+#include "sshkey.h"
#include "log.h"
#include "pam_user_authorized_keys.h"
@@ -42,28 +42,28 @@
int authenticated = 0;
const char method[] = "publickey ";
- char* ai = pamsshagentauth_xstrdup(ssh_auth_info);
+ char* ai = xstrdup(ssh_auth_info);
char* saveptr;
char* auth_line = strtok_r(ai, "\n", &saveptr);
while (auth_line != NULL) {
if (strncmp(auth_line, method, sizeof(method) - 1) == 0) {
char* key_str = auth_line + sizeof(method) - 1;
- Key* key = pamsshagentauth_key_new(KEY_UNSPEC);
+ struct sshkey* key = sshkey_new(KEY_UNSPEC);
if (key == NULL) {
continue;
}
- int r = pamsshagentauth_key_read(key, &key_str);
+ int r = sshkey_read(key, &key_str);
if (r == 1) {
if (pam_user_key_allowed(ruser, key)) {
authenticated = 1;
- pamsshagentauth_key_free(key);
+ sshkey_free(key);
break;
}
} else {
- pamsshagentauth_verbose("Failed to create key for %s: %d", auth_line, r);
+ verbose("Failed to create key for %s: %d", auth_line, r);
}
- pamsshagentauth_key_free(key);
+ sshkey_free(key);
}
auth_line = strtok_r(NULL, "\n", &saveptr);
}
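Review bot: In userauth_pubkey_from_pam.c the success test `if (r == 1)` is kept unchanged while the call it guards becomes sshkey_read(); if I read OpenSSH's sshkey.c correctly that function returns 0 on success and a negative SSH_ERR_* code on failure, whereas the key_read() it replaces returned 1, so every SSH_AUTH_INFO_0 key now takes the "Failed to create key" branch and the `userauth_pubkey_from_pam(ruser, ssh_user_auth) > 0` path in pam_ssh_agent_auth.c can never succeed (fail-closed, but the feature is dead). The line should read `if (r == 0) {`. Separately, the `continue` under `if (key == NULL)` skips the `auth_line = strtok_r(NULL, "\n", &saveptr);` at the bottom of the loop, so an allocation failure spins forever on the same line; `break;` is the safer exit. The enclosing function starts outside the hunk.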


@ -1,6 +1,7 @@
diff --git a/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c b/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c diff --git a/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c b/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
--- a/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c --- a/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
+++ b/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c +++ b/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.2-dereference.patch
@@ -158,11 +158,12 @@ parse_authorized_key_file(const char *user, @@ -158,11 +158,12 @@ parse_authorized_key_file(const char *user,
int int
pam_user_key_allowed(const char *ruser, struct sshkey * key) pam_user_key_allowed(const char *ruser, struct sshkey * key)


@ -1,6 +1,7 @@
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid 2017-02-07 15:41:53.172334151 +0100 --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid 2017-02-07 15:41:53.172334151 +0100
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 15:41:53.174334149 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 15:41:53.174334149 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.10.3-seteuid.patch
@@ -238,17 +238,26 @@ ssh_get_authentication_socket_for_uid(ui @@ -238,17 +238,26 @@ ssh_get_authentication_socket_for_uid(ui
} }


@ -1,6 +1,7 @@
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.psaa-visibility openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.psaa-visibility openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.psaa-visibility 2014-03-31 19:35:17.000000000 +0200 --- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c.psaa-visibility 2014-03-31 19:35:17.000000000 +0200
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c 2016-01-22 15:22:40.984469774 +0100 +++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/pam_ssh_agent_auth.c 2016-01-22 15:22:40.984469774 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.9.2-visibility.patch
@@ -72,7 +72,7 @@ char *__progname; @@ -72,7 +72,7 @@ char *__progname;
extern char *__progname; extern char *__progname;
#endif #endif


@ -1,6 +1,7 @@
diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/identity.h diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/identity.h
--- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent 2016-11-13 04:24:32.000000000 +0100 --- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent 2016-11-13 04:24:32.000000000 +0100
+++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2017-09-27 14:25:49.421739027 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2017-09-27 14:25:49.421739027 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.9.3-agent_structure.patch
@@ -38,6 +38,12 @@ @@ -38,6 +38,12 @@
typedef struct identity Identity; typedef struct identity Identity;
typedef struct idlist Idlist; typedef struct idlist Idlist;
@ -17,6 +18,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent openssh/pam_ssh
diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200 --- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-09-27 14:25:49.421739027 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-09-27 14:25:49.421739027 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.9.3-agent_structure.patch
@@ -39,6 +39,7 @@ @@ -39,6 +39,7 @@
#include "sshbuf.h" #include "sshbuf.h"
#include "sshkey.h" #include "sshkey.h"
@ -85,6 +87,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent o
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200 --- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-09-27 14:25:49.422739032 +0200 +++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-09-27 14:25:49.422739032 +0200
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.9.3-agent_structure.patch
@@ -84,7 +85,7 @@ userauth_pubkey_from_id(const char *ruse @@ -84,7 +85,7 @@ userauth_pubkey_from_id(const char *ruse
(r = sshbuf_put_string(b, pkblob, blen)) != 0) (r = sshbuf_put_string(b, pkblob, blen)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal("%s: buffer error: %s", __func__, ssh_err(r));


@ -1,6 +1,7 @@
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-build openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-build openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-build 2016-11-13 04:24:32.000000000 +0100 --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-build 2016-11-13 04:24:32.000000000 +0100
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 14:29:41.626116675 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 14:29:41.626116675 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.9.3-build.patch
@@ -43,12 +43,31 @@ @@ -43,12 +43,31 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include "ssh2.h" #include "ssh2.h"
@ -150,6 +151,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-b
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build 2016-11-13 04:24:32.000000000 +0100 --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build 2016-11-13 04:24:32.000000000 +0100
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in 2017-02-07 14:40:14.407566921 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in 2017-02-07 14:40:14.407566921 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-pam_ssh_agent_auth-0.9.3-build.patch
@@ -52,7 +52,7 @@ PATHS= @@ -52,7 +52,7 @@ PATHS=
CC=@CC@ CC=@CC@
LD=@LD@ LD=@LD@
@ -174,8 +176,8 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-
ED25519OBJS=ed25519-donna/ed25519.o ED25519OBJS=ed25519-donna/ed25519.o
-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o -PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o userauth_pubkey_from_pam.o
+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o secure_filename.o +PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o userauth_pubkey_from_pam.o secure_filename.o
MANPAGES_IN = pam_ssh_agent_auth.pod MANPAGES_IN = pam_ssh_agent_auth.pod


@ -1,32 +0,0 @@
From a35d3e911e193a652bd09eed40907e3e165b0a7b Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Fri, 5 Feb 2021 02:20:23 +0000
Subject: upstream: Remove debug message from sigchld handler. While this
works on OpenBSD it can cause problems on other platforms. From kircherlike
at outlook.com via bz#3259, ok djm@
OpenBSD-Commit_ID: 3e241d7ac1ee77e3de3651780b5dc47b283a7668
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit/?id=a35d3e911e193a652bd09eed40907e3e165b0a7b
---
sshd.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/sshd.c b/sshd.c
index c291a5e..23fb202 100644
--- a/sshd.c
+++ b/sshd.c
@@ -364,8 +364,6 @@ main_sigchld_handler(int sig)
pid_t pid;
int status;
- debug("main_sigchld_handler: %s", strsignal(sig));
-
while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
(pid == -1 && errno == EINTR))
;
--
1.8.3.1


@ -1,25 +0,0 @@
From ed070c21ae68170e1cead6f5be16482d4f73ae2b Mon Sep 17 00:00:00 2001
From: kircher <majun65@huawei.com>
Date: Thu, 5 Mar 2020 21:02:06 +0800
Subject: [PATCH] d2v
---
monitor_wrap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 7f5a8fa..6ebcda1 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -928,7 +928,7 @@ mm_audit_run_command(const char *command)
int r;
int handle;
- debug3("%s entering command %s", __func__, command);
+ verbose("%s entering command %s", __func__, command);
if ((m = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
--
2.19.1


@ -22,8 +22,8 @@ index c6c03ae..c291a5e 100644
- logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems."); - logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
+ logit("WARNING: 'UsePAM no' is not supported in openEuler and may cause several problems."); + logit("WARNING: 'UsePAM no' is not supported in openEuler and may cause several problems.");
/* Fill in default values for those options not explicitly set. */ #ifdef WITH_OPENSSL
fill_default_server_options(&options); if (options.moduli_file != NULL)
diff --git a/sshd_config b/sshd_config diff --git a/sshd_config b/sshd_config
index e125992..ebc28b3 100644 index e125992..ebc28b3 100644
--- a/sshd_config --- a/sshd_config
@ -31,7 +31,7 @@ index e125992..ebc28b3 100644
@@ -87,7 +87,7 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -87,7 +87,7 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and KbdInteractiveAuthentication to 'no'.
-# WARNING: 'UsePAM no' is not supported in Fedora and may cause several -# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# WARNING: 'UsePAM no' is not supported in openEuler and may cause several +# WARNING: 'UsePAM no' is not supported in openEuler and may cause several
# problems. # problems.


@ -97,14 +97,14 @@ index ebc28b3..b121450 100644
--- a/sshd_config --- a/sshd_config
+++ b/sshd_config +++ b/sshd_config
@@ -125,6 +125,8 @@ Subsystem sftp /usr/libexec/sftp-server @@ -125,6 +125,8 @@ Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no # PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server
+#CheckUserSplash yes +#CheckUserSplash yes
+ +
# To modify the system-wide ssh configuration, create a *.conf file under
# /etc/ssh/sshd_config.d/ which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf
-- --
2.23.0 2.23.0
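Review bot: In the sshd_config hunk the example `#CheckUserSplash yes` now sits directly under the commented `Match User anoncvs` example, so a reader who enables that example block together with this option ends up with the option scoped to the Match block rather than applied globally; moving it above `# Example of overriding settings on a per-user basis` keeps the two examples apart. It also precedes `Include /etc/ssh/sshd_config.d/*.conf`, and because sshd keeps the first value it obtains for a keyword, an uncommented setting at this position cannot be overridden from a drop-in file; a comment such as `# Set before Include: sshd keeps the first value, so drop-in files cannot override this` would make that explicit. Only the new side's context lines are visible here, so the previous placement is inferred.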


@ -6,8 +6,8 @@ Subject: [PATCH] sync patch, add new judgement and
Signed-off-by: s00467541 <shenyining@huawei.com> Signed-off-by: s00467541 <shenyining@huawei.com>
--- ---
sftp-server.c | 702 +++++++++++++++++++++++++++++++++++++++++++++++++- sftp-server.c | 703 +++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 691 insertions(+), 11 deletions(-) 1 file changed, 691 insertions(+), 12 deletions(-)
diff --git a/sftp-server.c b/sftp-server.c diff --git a/sftp-server.c b/sftp-server.c
index 01d6f8f..682c19a 100644 index 01d6f8f..682c19a 100644
@ -43,7 +43,7 @@ index 01d6f8f..682c19a 100644
+ +
char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ char *sftp_realpath(const char *, char *); /* sftp-realpath.c */
/* Our verbosity */ /* Maximum data read that we are willing to accept */
@@ -89,6 +106,452 @@ struct Stat { @@ -89,6 +106,452 @@ struct Stat {
Attrib attrib; Attrib attrib;
}; };
@ -500,7 +500,7 @@ index 01d6f8f..682c19a 100644
@@ -695,6 +1158,15 @@ process_open(u_int32_t id) @@ -695,6 +1158,15 @@ process_open(u_int32_t id)
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */ (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
(r = decode_attrib(iqueue, &a)) != 0) (r = decode_attrib(iqueue, &a)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ /* add begin 2013/10/12 SR-0000287268 */ + /* add begin 2013/10/12 SR-0000287268 */
+ if (RETURN_OK != path_permition_check(name,FLAG_PERMITOP)) + if (RETURN_OK != path_permition_check(name,FLAG_PERMITOP))
+ { + {
@ -524,7 +524,7 @@ index 01d6f8f..682c19a 100644
@@ -759,6 +1233,17 @@ process_read(u_int32_t id) @@ -759,6 +1233,17 @@ process_read(u_int32_t id)
(r = sshbuf_get_u32(iqueue, &len)) != 0) (r = sshbuf_get_u32(iqueue, &len)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ /* add begin 2013/10/12 SR-0000287268*/ + /* add begin 2013/10/12 SR-0000287268*/
+ char *path = NULL; + char *path = NULL;
@ -537,12 +537,12 @@ index 01d6f8f..682c19a 100644
+ } + }
+ /* add end 2013/10/12 SR-0000287268*/ + /* add end 2013/10/12 SR-0000287268*/
+ +
debug("request %u: read \"%s\" (handle %d) off %llu len %d", debug("request %u: read \"%s\" (handle %d) off %llu len %u",
id, handle_to_name(handle), handle, (unsigned long long)off, len); id, handle_to_name(handle), handle, (unsigned long long)off, len);
if (len > sizeof buf) { if ((fd = handle_to_fd(handle)) == -1)
@@ -800,6 +1285,18 @@ process_write(u_int32_t id) @@ -800,6 +1285,18 @@ process_write(u_int32_t id)
(r = sshbuf_get_string(iqueue, &data, &len)) != 0) (r = sshbuf_get_string(iqueue, &data, &len)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ /* add begin 2013/10/12 SR-0000287268*/ + /* add begin 2013/10/12 SR-0000287268*/
+ char *path = NULL; + char *path = NULL;
@ -559,19 +559,20 @@ index 01d6f8f..682c19a 100644
debug("request %u: write \"%s\" (handle %d) off %llu len %zu", debug("request %u: write \"%s\" (handle %d) off %llu len %zu",
id, handle_to_name(handle), handle, (unsigned long long)off, len); id, handle_to_name(handle), handle, (unsigned long long)off, len);
fd = handle_to_fd(handle); fd = handle_to_fd(handle);
@@ -813,16 +1310,30 @@ process_write(u_int32_t id) @@ -813,17 +1310,30 @@ process_write(u_int32_t id)
error("process_write: seek failed"); strerror(errno));
} else { } else {
/* XXX ATOMICIO ? */ /* XXX ATOMICIO ? */
- ret = write(fd, data, len); - ret = write(fd, data, len);
- if (ret == -1) { - if (ret == -1) {
- error("process_write: write failed");
- status = errno_to_portable(errno); - status = errno_to_portable(errno);
- error_f("write \"%.100s\": %s",
- handle_to_name(handle), strerror(errno));
- } else if ((size_t)ret == len) { - } else if ((size_t)ret == len) {
- status = SSH2_FX_OK; - status = SSH2_FX_OK;
- handle_update_write(handle, ret); - handle_update_write(handle, ret);
- } else { - } else {
- debug2("nothing at all written"); - debug2_f("nothing at all written");
+ /* add begin sftp oom fix */ + /* add begin sftp oom fix */
+ if (storage_flag == 1) + if (storage_flag == 1)
+ debug("cflag is %d",cflag); + debug("cflag is %d",cflag);
@ -601,7 +602,7 @@ index 01d6f8f..682c19a 100644
} }
@@ -841,6 +1352,16 @@ process_do_stat(u_int32_t id, int do_lstat) @@ -841,6 +1352,16 @@ process_do_stat(u_int32_t id, int do_lstat)
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ /* add begin 2013/10/12 SR-0000287268 */ + /* add begin 2013/10/12 SR-0000287268 */
+ if (RETURN_OK != path_permition_check(name,FLAG_PERMITOP)) + if (RETURN_OK != path_permition_check(name,FLAG_PERMITOP))
@ -619,7 +620,7 @@ index 01d6f8f..682c19a 100644
@@ -877,6 +1398,16 @@ process_fstat(u_int32_t id) @@ -877,6 +1398,16 @@ process_fstat(u_int32_t id)
if ((r = get_handle(iqueue, &handle)) != 0) if ((r = get_handle(iqueue, &handle)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ +
+ char *path = NULL; + char *path = NULL;
+ path = handle_to_name(handle); + path = handle_to_name(handle);
@ -635,7 +636,7 @@ index 01d6f8f..682c19a 100644
fd = handle_to_fd(handle); fd = handle_to_fd(handle);
@@ -929,6 +1460,14 @@ process_setstat(u_int32_t id) @@ -929,6 +1460,14 @@ process_setstat(u_int32_t id)
(r = decode_attrib(iqueue, &a)) != 0) (r = decode_attrib(iqueue, &a)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if (RETURN_OK != path_permition_check(name,FLAG_PROTECTDIR)) + if (RETURN_OK != path_permition_check(name,FLAG_PROTECTDIR))
+ { + {
@ -664,7 +665,7 @@ index 01d6f8f..682c19a 100644
name, (unsigned long long)a.size); name, (unsigned long long)a.size);
@@ -1040,6 +1586,14 @@ process_opendir(u_int32_t id) @@ -1040,6 +1586,14 @@ process_opendir(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if (RETURN_OK != path_permition_check(path,FLAG_PERMITOP)) + if (RETURN_OK != path_permition_check(path,FLAG_PERMITOP))
+ { + {
@ -690,7 +691,7 @@ index 01d6f8f..682c19a 100644
stats[count].long_name = ls_file(dp->d_name, &st, 0, 0); stats[count].long_name = ls_file(dp->d_name, &st, 0, 0);
@@ -1125,6 +1683,14 @@ process_remove(u_int32_t id) @@ -1125,6 +1683,14 @@ process_remove(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if (RETURN_OK != path_permition_check(name,FLAG_PROTECTDIR)) + if (RETURN_OK != path_permition_check(name,FLAG_PROTECTDIR))
+ { + {
@ -705,7 +706,7 @@ index 01d6f8f..682c19a 100644
r = unlink(name); r = unlink(name);
@@ -1144,6 +1710,14 @@ process_mkdir(u_int32_t id) @@ -1144,6 +1710,14 @@ process_mkdir(u_int32_t id)
(r = decode_attrib(iqueue, &a)) != 0) (r = decode_attrib(iqueue, &a)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if (RETURN_OK != path_permition_check(name,FLAG_PERMITOP)) + if (RETURN_OK != path_permition_check(name,FLAG_PERMITOP))
+ { + {
@ -720,7 +721,7 @@ index 01d6f8f..682c19a 100644
debug3("request %u: mkdir", id); debug3("request %u: mkdir", id);
@@ -1163,6 +1737,14 @@ process_rmdir(u_int32_t id) @@ -1163,6 +1737,14 @@ process_rmdir(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if (RETURN_OK != path_permition_check(name,FLAG_PROTECTDIR)) + if (RETURN_OK != path_permition_check(name,FLAG_PROTECTDIR))
+ { + {
@ -750,7 +751,7 @@ index 01d6f8f..682c19a 100644
attrib_clear(&s.attrib); attrib_clear(&s.attrib);
@@ -1209,6 +1795,16 @@ process_rename(u_int32_t id) @@ -1209,6 +1795,16 @@ process_rename(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR)) + if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR))
+ || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR))) + || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR)))
@ -767,7 +768,7 @@ index 01d6f8f..682c19a 100644
status = SSH2_FX_FAILURE; status = SSH2_FX_FAILURE;
@@ -1268,6 +1864,14 @@ process_readlink(u_int32_t id) @@ -1268,6 +1864,14 @@ process_readlink(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if (RETURN_OK != path_permition_check(path,FLAG_PERMITOP)) + if (RETURN_OK != path_permition_check(path,FLAG_PERMITOP))
+ { + {
@ -782,7 +783,7 @@ index 01d6f8f..682c19a 100644
if ((len = readlink(path, buf, sizeof(buf) - 1)) == -1) if ((len = readlink(path, buf, sizeof(buf) - 1)) == -1)
@@ -1293,6 +1897,16 @@ process_symlink(u_int32_t id) @@ -1293,6 +1897,16 @@ process_symlink(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR)) + if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR))
+ || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR))) + || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR)))
@ -799,7 +800,7 @@ index 01d6f8f..682c19a 100644
/* this will fail if 'newpath' exists */ /* this will fail if 'newpath' exists */
@@ -1313,6 +1927,16 @@ process_extended_posix_rename(u_int32_t id) @@ -1313,6 +1927,16 @@ process_extended_posix_rename(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR)) + if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR))
+ || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR))) + || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR)))
@ -817,7 +818,7 @@ index 01d6f8f..682c19a 100644
@@ -1331,6 +1955,15 @@ process_extended_statvfs(u_int32_t id) @@ -1331,6 +1955,15 @@ process_extended_statvfs(u_int32_t id)
if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0) if ((r = sshbuf_get_cstring(iqueue, &path, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ +
+ if (RETURN_OK != path_permition_check(path,FLAG_PERMITOP)) + if (RETURN_OK != path_permition_check(path,FLAG_PERMITOP))
+ { + {
@ -833,7 +834,7 @@ index 01d6f8f..682c19a 100644
@@ -1349,6 +1982,17 @@ process_extended_fstatvfs(u_int32_t id) @@ -1349,6 +1982,17 @@ process_extended_fstatvfs(u_int32_t id)
if ((r = get_handle(iqueue, &handle)) != 0) if ((r = get_handle(iqueue, &handle)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ +
+ char *path = NULL; + char *path = NULL;
+ path = handle_to_name(handle); + path = handle_to_name(handle);
@ -850,7 +851,7 @@ index 01d6f8f..682c19a 100644
if ((fd = handle_to_fd(handle)) < 0) { if ((fd = handle_to_fd(handle)) < 0) {
@@ -1371,6 +2015,15 @@ process_extended_hardlink(u_int32_t id) @@ -1371,6 +2015,15 @@ process_extended_hardlink(u_int32_t id)
(r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0) (r = sshbuf_get_cstring(iqueue, &newpath, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR)) + if ((RETURN_OK != path_permition_check(oldpath,FLAG_PROTECTDIR))
+ || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR))) + || (RETURN_OK != path_permition_check(newpath,FLAG_PROTECTDIR)))
@ -867,7 +868,7 @@ index 01d6f8f..682c19a 100644
@@ -1387,6 +2040,17 @@ process_extended_fsync(u_int32_t id) @@ -1387,6 +2040,17 @@ process_extended_fsync(u_int32_t id)
if ((r = get_handle(iqueue, &handle)) != 0) if ((r = get_handle(iqueue, &handle)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
+ +
+ char *path = NULL; + char *path = NULL;
+ path = handle_to_name(handle); + path = handle_to_name(handle);
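Review bot: In the process_fstat hunk the new `path = handle_to_name(handle);` feeds a permission check that lies outside the hunk, and upstream handle_to_name() (not shown here) returns NULL when the handle is not an open file or directory; since the handle number is taken verbatim from the client, confirm that check tolerates NULL or guard it first with `if (path == NULL) { send_status(id, SSH2_FX_FAILURE); return; }`. The process_extended_fstatvfs and process_extended_fsync hunks add the same two lines and need the same treatment. In the process_write hunk the rebased patch now also removes upstream's `error_f("write \"%.100s\": %s", handle_to_name(handle), strerror(errno));`, and the replacement "sftp oom fix" block runs past the hunk, so check that its failure path still reports strerror(errno) rather than leaving write errors undiagnosed. All of these functions begin and end outside the visible hunks.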


@ -1,19 +0,0 @@
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info 2016-12-23 13:31:22.645213115 +0100
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:40.997216691 +0100
@@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
GTK_MESSAGE_ERROR,
GTK_BUTTONS_CLOSE,
- "Could not grab %s. "
- "A malicious client may be eavesdropping "
- "on your session.", what);
+ "SSH password dialog could not grab the %s input.\n"
+ "This might be caused by application such as screensaver, "
+ "however it could also mean that someone may be eavesdropping "
+ "on your session.\n"
+ "Either close the application which grabs the %s or "
+ "log out and log in again to prevent this from happening.", what, what);
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
gtk_dialog_run(GTK_DIALOG(err));


@ -1,257 +0,0 @@
diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.ctr-cavs 2015-03-18 11:22:05.493289018 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:22:44.504196316 +0100
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
SSH_KEYCAT=$(libexecdir)/ssh-keycat
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
.SUFFIXES: .lo
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
XMSS_OBJS=\
ssh-xmss.o \
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -326,6 +330,7 @@ install-files:
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs 2015-03-18 11:22:05.521288952 +0100
+++ openssh-6.8p1/ctr-cavstest.c 2015-03-18 11:22:05.521288952 +0100
@@ -0,0 +1,215 @@
+/*
+ *
+ * invocation (all of the following are equal):
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+#include "xmalloc.h"
+#include "log.h"
+#include "ssherr.h"
+#include "cipher.h"
+
+/* compatibility with old or broken OpenSSL versions */
+#include "openbsd-compat/openssl-compat.h"
+
+void usage(void) {
+ fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
+ " --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
+ " [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
+ "Hexadecimal output is printed to stdout.\n"
+ "Hexadecimal input data can be alternatively read from stdin.\n");
+ exit(1);
+}
+
+void *fromhex(char *hex, size_t *len)
+{
+ unsigned char *bin;
+ char *p;
+ size_t n = 0;
+ int shift = 4;
+ unsigned char out = 0;
+ unsigned char *optr;
+
+ bin = xmalloc(strlen(hex)/2);
+ optr = bin;
+
+ for (p = hex; *p != '\0'; ++p) {
+ unsigned char c;
+
+ c = *p;
+ if (isspace(c))
+ continue;
+
+ if (c >= '0' && c <= '9') {
+ c = c - '0';
+ } else if (c >= 'A' && c <= 'F') {
+ c = c - 'A' + 10;
+ } else if (c >= 'a' && c <= 'f') {
+ c = c - 'a' + 10;
+ } else {
+ /* truncate on nonhex cipher */
+ break;
+ }
+
+ out |= c << shift;
+ shift = (shift + 4) % 8;
+
+ if (shift) {
+ *(optr++) = out;
+ out = 0;
+ ++n;
+ }
+ }
+
+ *len = n;
+ return bin;
+}
+
+#define READ_CHUNK 4096
+#define MAX_READ_SIZE 1024*1024*100
+char *read_stdin(void)
+{
+ char *buf;
+ size_t n, total = 0;
+
+ buf = xmalloc(READ_CHUNK);
+
+ do {
+ n = fread(buf + total, 1, READ_CHUNK, stdin);
+ if (n < READ_CHUNK) /* terminate on short read */
+ break;
+
+ total += n;
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
+ } while(total < MAX_READ_SIZE);
+ return buf;
+}
+
+int main (int argc, char *argv[])
+{
+
+ const struct sshcipher *c;
+ struct sshcipher_ctx *cc;
+ char *algo = "aes128-ctr";
+ char *hexkey = NULL;
+ char *hexiv = "00000000000000000000000000000000";
+ char *hexdata = NULL;
+ char *p;
+ int i, r;
+ int encrypt = 1;
+ void *key;
+ size_t keylen;
+ void *iv;
+ size_t ivlen;
+ void *data;
+ size_t datalen;
+ void *outdata;
+
+ for (i = 1; i < argc; ++i) {
+ if (strcmp(argv[i], "--algo") == 0) {
+ algo = argv[++i];
+ } else if (strcmp(argv[i], "--key") == 0) {
+ hexkey = argv[++i];
+ } else if (strcmp(argv[i], "--mode") == 0) {
+ ++i;
+ if (argv[i] == NULL) {
+ usage();
+ }
+ if (strncmp(argv[i], "enc", 3) == 0) {
+ encrypt = 1;
+ } else if (strncmp(argv[i], "dec", 3) == 0) {
+ encrypt = 0;
+ } else {
+ usage();
+ }
+ } else if (strcmp(argv[i], "--iv") == 0) {
+ hexiv = argv[++i];
+ } else if (strcmp(argv[i], "--data") == 0) {
+ hexdata = argv[++i];
+ }
+ }
+
+ if (hexkey == NULL || algo == NULL) {
+ usage();
+ }
+
+ OpenSSL_add_all_algorithms();
+
+ c = cipher_by_name(algo);
+ if (c == NULL) {
+ fprintf(stderr, "Error: unknown algorithm\n");
+ return 2;
+ }
+
+ if (hexdata == NULL) {
+ hexdata = read_stdin();
+ } else {
+ hexdata = xstrdup(hexdata);
+ }
+
+ key = fromhex(hexkey, &keylen);
+
+ if (keylen != 16 && keylen != 24 && keylen == 32) {
+ fprintf(stderr, "Error: unsupported key length\n");
+ return 2;
+ }
+
+ iv = fromhex(hexiv, &ivlen);
+
+ if (ivlen != 16) {
+ fprintf(stderr, "Error: unsupported iv length\n");
+ return 2;
+ }
+
+ data = fromhex(hexdata, &datalen);
+
+ if (data == NULL || datalen == 0) {
+ fprintf(stderr, "Error: no data to encrypt/decrypt\n");
+ return 2;
+ }
+
+ if ((r = cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt)) != 0) {
+ fprintf(stderr, "Error: cipher_init failed: %s\n", ssh_err(r));
+ return 2;
+ }
+
+ free(key);
+ free(iv);
+
+ outdata = malloc(datalen);
+ if(outdata == NULL) {
+ fprintf(stderr, "Error: memory allocation failure\n");
+ return 2;
+ }
+
+ if ((r = cipher_crypt(cc, 0, outdata, data, datalen, 0, 0)) != 0) {
+ fprintf(stderr, "Error: cipher_crypt failed: %s\n", ssh_err(r));
+ return 2;
+ }
+
+ free(data);
+
+ cipher_free(cc);
+
+ for (p = outdata; datalen > 0; ++p, --datalen) {
+ printf("%02X", (unsigned char)*p);
+ }
+
+ free(outdata);
+
+ printf("\n");
+ return 0;
+}
+


@ -1,185 +0,0 @@
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100
@@ -288,11 +288,11 @@ channel_register_fds(Channel *c, int rfd
/* enable nonblocking mode */
if (nonblock) {
- if (rfd != -1)
+ if (rfd >= 0)
set_nonblock(rfd);
- if (wfd != -1)
+ if (wfd >= 0)
set_nonblock(wfd);
- if (efd != -1)
+ if (efd >= 0)
set_nonblock(efd);
}
}
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
mm_get_keystate(ssh, pmonitor);
/* Drain any buffered messages from the child */
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
;
if (pmonitor->m_recvfd >= 0)
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error("%s: cannot allocate fds for pty", __func__);
- if (tmp1 > 0)
+ if (tmp1 >= 0)
close(tmp1);
- if (tmp2 > 0)
- close(tmp2);
+ /*DEAD CODE if (tmp2 >= 0)
+ close(tmp2);*/
return 0;
}
close(tmp1);
diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6;
u_int16_t *portp;
u_int16_t port;
- socklen_t salen;
+ socklen_t salen = sizeof(struct sockaddr_storage);
int i;
if (sa == NULL) {
diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
--- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100
+++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100
@@ -157,7 +157,7 @@ killchild(int signo)
{
if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo ? signo : SIGTERM);
- waitpid(do_cmd_pid, NULL, 0);
+ (void) waitpid(do_cmd_pid, NULL, 0);
}
if (signo)
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
@@ -1547,7 +1547,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.",
filename, linenum);
if (!*activep) {
- arg = strdelim(&cp);
+ /*arg =*/ (void) strdelim(&cp);
break;
}
for (i = 0; i < options->num_subsystems; i++)
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */
- if (intptr != NULL)
- *intptr = *intptr + 1;
+ /* DEAD CODE intptr is still NULL ;)
+ if (intptr != NULL)
+ *intptr = *intptr + 1; */
}
break;
diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
--- openssh-7.4p1/serverloop.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/serverloop.c 2016-12-23 16:40:26.902788691 +0100
@@ -125,13 +125,13 @@ notify_setup(void)
static void
notify_parent(void)
{
- if (notify_pipe[1] != -1)
+ if (notify_pipe[1] >= 0)
(void)write(notify_pipe[1], "", 1);
}
static void
notify_prepare(fd_set *readset)
{
- if (notify_pipe[0] != -1)
+ if (notify_pipe[0] >= 0)
FD_SET(notify_pipe[0], readset);
}
static void
@@ -139,8 +139,8 @@ notify_done(fd_set *readset)
{
char c;
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
- while (read(notify_pipe[0], &c, 1) != -1)
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
+ while (read(notify_pipe[0], &c, 1) >= 0)
debug2("%s: reading", __func__);
}
@@ -518,7 +518,7 @@ server_request_tun(void)
debug("%s: invalid tun", __func__);
goto done;
}
- if (auth_opts->force_tun_device != -1) {
+ if (auth_opts->force_tun_device >= 0) {
if (tun != SSH_TUNID_ANY &&
auth_opts->force_tun_device != (int)tun)
goto done;
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
@@ -224,7 +224,7 @@ killchild(int signo)
pid = sshpid;
if (pid > 1) {
kill(pid, SIGTERM);
- waitpid(pid, NULL, 0);
+ (void) waitpid(pid, NULL, 0);
}
_exit(1);
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
@@ -1220,8 +1220,8 @@ main(int ac, char **av)
sanitise_stdfd();
/* drop */
- setegid(getgid());
- setgid(getgid());
+ (void) setegid(getgid());
+ (void) setgid(getgid());
platform_disable_tracing(0); /* strict=no */
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
privsep_preauth_child(ssh);
setproctitle("%s", "[net]");
- if (box != NULL)
+ if (box != NULL) {
ssh_sandbox_child(box);
+ free(box);
+ }
return 0;
}
@@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so
explicit_bzero(rnd, sizeof(rnd));
}
}
+
+ if (fdset != NULL)
+ free(fdset);
}
/*


@ -1,618 +0,0 @@
diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.kdf-cavs 2015-03-18 11:23:46.346049359 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:24:20.395968445 +0100
@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
SSH_KEYCAT=$(libexecdir)/ssh-keycat
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
+SSH_CAVS=$(libexecdir)/ssh-cavs
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
.SUFFIXES: .lo
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
XMSS_OBJS=\
ssh-xmss.o \
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
+ $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -331,6 +335,8 @@ install-files:
fi
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
--- openssh-6.8p1/ssh-cavs.c.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
+++ openssh-6.8p1/ssh-cavs.c 2015-03-18 11:23:46.348049354 +0100
@@ -0,0 +1,387 @@
+/*
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU General Public License, in which case the provisions of the GPL2
+ * are required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
+ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+
+#include "xmalloc.h"
+#include "sshbuf.h"
+#include "sshkey.h"
+#include "cipher.h"
+#include "kex.h"
+#include "packet.h"
+#include "digest.h"
+
+static int bin_char(unsigned char hex)
+{
+ if (48 <= hex && 57 >= hex)
+ return (hex - 48);
+ if (65 <= hex && 70 >= hex)
+ return (hex - 55);
+ if (97 <= hex && 102 >= hex)
+ return (hex - 87);
+ return 0;
+}
+
+/*
+ * Convert hex representation into binary string
+ * @hex input buffer with hex representation
+ * @hexlen length of hex
+ * @bin output buffer with binary data
+ * @binlen length of already allocated bin buffer (should be at least
+ * half of hexlen -- if not, only a fraction of hexlen is converted)
+ */
+static void hex2bin(const char *hex, size_t hexlen,
+ unsigned char *bin, size_t binlen)
+{
+ size_t i = 0;
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
+
+ for (i = 0; i < chars; i++) {
+ bin[i] = bin_char(hex[(i*2)]) << 4;
+ bin[i] |= bin_char(hex[((i*2)+1)]);
+ }
+}
+
+/*
+ * Allocate sufficient space for binary representation of hex
+ * and convert hex into bin
+ *
+ * Caller must free bin
+ * @hex input buffer with hex representation
+ * @hexlen length of hex
+ * @bin return value holding the pointer to the newly allocated buffer
+ * @binlen return value holding the allocated size of bin
+ *
+ * return: 0 on success, !0 otherwise
+ */
+static int hex2bin_alloc(const char *hex, size_t hexlen,
+ unsigned char **bin, size_t *binlen)
+{
+ unsigned char *out = NULL;
+ size_t outlen = 0;
+
+ if (!hexlen)
+ return -EINVAL;
+
+ outlen = (hexlen + 1) / 2;
+
+ out = calloc(1, outlen);
+ if (!out)
+ return -errno;
+
+ hex2bin(hex, hexlen, out, outlen);
+ *bin = out;
+ *binlen = outlen;
+ return 0;
+}
+
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
+static char hex_char(unsigned int bin, int u)
+{
+ if (bin < sizeof(hex_char_map_l))
+ return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
+ return 'X';
+}
+
+/*
+ * Convert binary string into hex representation
+ * @bin input buffer with binary data
+ * @binlen length of bin
+ * @hex output buffer to store hex data
+ * @hexlen length of already allocated hex buffer (should be at least
+ * twice binlen -- if not, only a fraction of binlen is converted)
+ * @u case of hex characters (0=>lower case, 1=>upper case)
+ */
+static void bin2hex(const unsigned char *bin, size_t binlen,
+ char *hex, size_t hexlen, int u)
+{
+ size_t i = 0;
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
+
+ for (i = 0; i < chars; i++) {
+ hex[(i*2)] = hex_char((bin[i] >> 4), u);
+ hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
+ }
+}
+
+struct kdf_cavs {
+ unsigned char *K;
+ size_t Klen;
+ unsigned char *H;
+ size_t Hlen;
+ unsigned char *session_id;
+ size_t session_id_len;
+
+ unsigned int iv_len;
+ unsigned int ek_len;
+ unsigned int ik_len;
+};
+
+static int sshkdf_cavs(struct kdf_cavs *test)
+{
+ int ret = 0;
+ struct kex kex;
+ struct sshbuf *Kb = NULL;
+ BIGNUM *Kbn = NULL;
+ int mode = 0;
+ struct newkeys *ctoskeys;
+ struct newkeys *stockeys;
+ struct ssh *ssh = NULL;
+
+#define HEXOUTLEN 500
+ char hex[HEXOUTLEN];
+
+ memset(&kex, 0, sizeof(struct kex));
+
+ Kbn = BN_new();
+ BN_bin2bn(test->K, test->Klen, Kbn);
+ if (!Kbn) {
+ printf("cannot convert K into bignum\n");
+ ret = 1;
+ goto out;
+ }
+ Kb = sshbuf_new();
+ if (!Kb) {
+ printf("cannot convert K into sshbuf\n");
+ ret = 1;
+ goto out;
+ }
+ sshbuf_put_bignum2(Kb, Kbn);
+
+ kex.session_id = test->session_id;
+ kex.session_id_len = test->session_id_len;
+
+ /* setup kex */
+
+ /* select the right hash based on struct ssh_digest digests */
+ switch (test->ik_len) {
+ case 20:
+ kex.hash_alg = SSH_DIGEST_SHA1;
+ break;
+ case 32:
+ kex.hash_alg = SSH_DIGEST_SHA256;
+ break;
+ case 48:
+ kex.hash_alg = SSH_DIGEST_SHA384;
+ break;
+ case 64:
+ kex.hash_alg = SSH_DIGEST_SHA512;
+ break;
+ default:
+ printf("Wrong hash type %u\n", test->ik_len);
+ ret = 1;
+ goto out;
+ }
+
+ /* implement choose_enc */
+ for (mode = 0; mode < 2; mode++) {
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
+ if (!kex.newkeys[mode]) {
+ printf("allocation of newkeys failed\n");
+ ret = 1;
+ goto out;
+ }
+ kex.newkeys[mode]->enc.iv_len = test->iv_len;
+ kex.newkeys[mode]->enc.key_len = test->ek_len;
+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
+ kex.newkeys[mode]->mac.key_len = test->ik_len;
+ }
+
+ /* implement kex_choose_conf */
+ kex.we_need = kex.newkeys[0]->enc.key_len;
+ if (kex.we_need < kex.newkeys[0]->enc.block_size)
+ kex.we_need = kex.newkeys[0]->enc.block_size;
+ if (kex.we_need < kex.newkeys[0]->enc.iv_len)
+ kex.we_need = kex.newkeys[0]->enc.iv_len;
+ if (kex.we_need < kex.newkeys[0]->mac.key_len)
+ kex.we_need = kex.newkeys[0]->mac.key_len;
+
+ /* MODE_OUT (1) -> server to client
+ * MODE_IN (0) -> client to server */
+ kex.server = 1;
+
+ /* do it */
+ if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
+ printf("Allocation error\n");
+ goto out;
+ }
+ ssh->kex = &kex;
+ kex_derive_keys(ssh, test->H, test->Hlen, Kb);
+
+ ctoskeys = kex.newkeys[0];
+ stockeys = kex.newkeys[1];
+
+ /* get data */
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(ctoskeys->enc.iv, (size_t)ctoskeys->enc.iv_len,
+ hex, HEXOUTLEN, 0);
+ printf("Initial IV (client to server) = %s\n", hex);
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(stockeys->enc.iv, (size_t)stockeys->enc.iv_len,
+ hex, HEXOUTLEN, 0);
+ printf("Initial IV (server to client) = %s\n", hex);
+
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(ctoskeys->enc.key, (size_t)ctoskeys->enc.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Encryption key (client to server) = %s\n", hex);
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(stockeys->enc.key, (size_t)stockeys->enc.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Encryption key (server to client) = %s\n", hex);
+
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(ctoskeys->mac.key, (size_t)ctoskeys->mac.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Integrity key (client to server) = %s\n", hex);
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(stockeys->mac.key, (size_t)stockeys->mac.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Integrity key (server to client) = %s\n", hex);
+
+out:
+ if (Kbn)
+ BN_free(Kbn);
+ if (Kb)
+ sshbuf_free(Kb);
+ if (ssh)
+ ssh_packet_close(ssh);
+ return ret;
+}
+
+static void usage(void)
+{
+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, "\t-K\tShared secret string\n");
+ fprintf(stderr, "\t-H\tHash string\n");
+ fprintf(stderr, "\t-s\tSession ID string\n");
+ fprintf(stderr, "\t-i\tIV length to be generated\n");
+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
+ fprintf(stderr, "\t-m\tMAC key length to be generated\n");
+}
+
+/*
+ * Test command example:
+ * ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
+ *
+ * Initial IV (client to server) = 4bb320d1679dfd3a
+ * Initial IV (server to client) = 43dea6fdf263a308
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
+ */
+int main(int argc, char *argv[])
+{
+ struct kdf_cavs test;
+ int ret = 1;
+ int opt = 0;
+
+ memset(&test, 0, sizeof(struct kdf_cavs));
+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
+ {
+ size_t len = 0;
+ switch(opt)
+ {
+ /*
+ * CAVS K is MPINT
+ * we want a hex (i.e. the caller must ensure the
+ * following transformations already happened):
+ * 1. cut off first four bytes
+ * 2. if most significant bit of value is
+ * 1, prepend 0 byte
+ */
+ case 'K':
+ len = strlen(optarg);
+ ret = hex2bin_alloc(optarg, len,
+ &test.K, &test.Klen);
+ if (ret)
+ goto out;
+ break;
+ case 'H':
+ len = strlen(optarg);
+ ret = hex2bin_alloc(optarg, len,
+ &test.H, &test.Hlen);
+ if (ret)
+ goto out;
+ break;
+ case 's':
+ len = strlen(optarg);
+ ret = hex2bin_alloc(optarg, len,
+ &test.session_id,
+ &test.session_id_len);
+ if (ret)
+ goto out;
+ break;
+ case 'i':
+ test.iv_len = strtoul(optarg, NULL, 10);
+ break;
+ case 'e':
+ test.ek_len = strtoul(optarg, NULL, 10);
+ break;
+ case 'm':
+ test.ik_len = strtoul(optarg, NULL, 10);
+ break;
+ default:
+ usage();
+ goto out;
+ }
+ }
+
+ ret = sshkdf_cavs(&test);
+
+out:
+ if (test.session_id)
+ free(test.session_id);
+ if (test.K)
+ free(test.K);
+ if (test.H)
+ free(test.H);
+ return ret;
+
+}
diff -up openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs openssh-6.8p1/ssh-cavs_driver.pl
--- openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
+++ openssh-6.8p1/ssh-cavs_driver.pl 2015-03-18 11:23:46.348049354 +0100
@@ -0,0 +1,184 @@
+#!/usr/bin/env perl
+#
+# CAVS test driver for OpenSSH
+#
+# Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# NO WARRANTY
+#
+# BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+# REPAIR OR CORRECTION.
+#
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+# REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+# INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+# OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+# TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+# YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGES.
+#
+use strict;
+use warnings;
+use IPC::Open2;
+
+# Executing a program by feeding STDIN and retrieving
+# STDOUT
+# $1: data string to be piped to the app on STDIN
+# rest: program and args
+# returns: STDOUT of program as string
+sub pipe_through_program($@) {
+ my $in = shift;
+ my @args = @_;
+
+ my ($CO, $CI);
+ my $pid = open2($CO, $CI, @args);
+
+ my $out = "";
+ my $len = length($in);
+ my $first = 1;
+ while (1) {
+ my $rin = "";
+ my $win = "";
+ # Output of prog is FD that we read
+ vec($rin,fileno($CO),1) = 1;
+ # Input of prog is FD that we write
+ # check for $first is needed because we can have NULL input
+ # that is to be written to the app
+ if ( $len > 0 || $first) {
+ (vec($win,fileno($CI),1) = 1);
+ $first=0;
+ }
+ # Let us wait for 100ms
+ my $nfound = select(my $rout=$rin, my $wout=$win, undef, 0.1);
+ if ( $wout ) {
+ my $written = syswrite($CI, $in, $len);
+ die "broken pipe" if !defined $written;
+ $len -= $written;
+ substr($in, 0, $written) = "";
+ if ($len <= 0) {
+ close $CI or die "broken pipe: $!";
+ }
+ }
+ if ( $rout ) {
+ my $tmp_out = "";
+ my $bytes_read = sysread($CO, $tmp_out, 4096);
+ $out .= $tmp_out;
+ last if ($bytes_read == 0);
+ }
+ }
+ close $CO or die "broken pipe: $!";
+ waitpid $pid, 0;
+
+ return $out;
+}
+
+# Parser of CAVS test vector file
+# $1: Test vector file
+# $2: Output file for test results
+# return: nothing
+sub parse($$) {
+ my $infile = shift;
+ my $outfile = shift;
+
+ my $out = "";
+
+ my $K = "";
+ my $H = "";
+ my $session_id = "";
+ my $ivlen = 0;
+ my $eklen = "";
+ my $iklen = "";
+
+ open(IN, "<$infile");
+ while(<IN>) {
+
+ my $line = $_;
+ chomp($line);
+ $line =~ s/\r//;
+
+ if ($line =~ /\[SHA-1\]/) {
+ $iklen = 20;
+ } elsif ($line =~ /\[SHA-256\]/) {
+ $iklen = 32;
+ } elsif ($line =~ /\[SHA-384\]/) {
+ $iklen = 48;
+ } elsif ($line =~ /\[SHA-512\]/) {
+ $iklen = 64;
+ } elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) {
+ $ivlen = $1;
+ $ivlen = $ivlen / 8;
+ } elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) {
+ $eklen = $1;
+ $eklen = $eklen / 8;
+ } elsif ($line =~ /^K\s*=\s*(.*)/) {
+ $K = $1;
+ $K = substr($K, 8);
+ $K = "00" . $K;
+ } elsif ($line =~ /^H\s*=\s*(.*)/) {
+ $H = $1;
+ } elsif ($line =~ /^session_id\s*=\s*(.*)/) {
+ $session_id = $1;
+ }
+ $out .= $line . "\n";
+
+ if ($K ne "" && $H ne "" && $session_id ne "" &&
+ $ivlen ne "" && $eklen ne "" && $iklen > 0) {
+ $out .= pipe_through_program("", "./ssh-cavs -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen");
+
+ $K = "";
+ $H = "";
+ $session_id = "";
+ }
+ }
+ close IN;
+ $out =~ s/\n/\r\n/g; # make it a dos file
+ open(OUT, ">$outfile") or die "Cannot create output file $outfile: $?";
+ print OUT $out;
+ close OUT;
+}
+
+############################################################
+#
+# let us pretend to be C :-)
+sub main() {
+
+ my $infile=$ARGV[0];
+ die "Error: Test vector file $infile not found" if (! -f $infile);
+
+ my $outfile = $infile;
+ # let us add .rsp regardless whether we could strip .req
+ $outfile =~ s/\.req$//;
+ $outfile .= ".rsp";
+ if (-f $outfile) {
+ die "Output file $outfile could not be removed: $?"
+ unless unlink($outfile);
+ }
+ print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n";
+
+ # Do the job
+ parse($infile, $outfile);
+}
+
+###########################################
+# Call it
+main();
+1;



@ -1,26 +0,0 @@
diff --git a/sshd.c b/sshd.c
--- a/sshd.c
+++ b/sshd.c
@@ -1701,6 +1701,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
cfg, &includes, NULL);
+ /* 'UsePAM no' is not supported in Fedora */
+ if (! options.use_pam)
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
+
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
diff --git a/sshd_config b/sshd_config
--- a/sshd_config
+++ b/sshd_config
@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
#UsePAM no
#AllowAgentForwarding yes


@ -1,31 +0,0 @@
diff -up openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id openssh-7.9p1/contrib/ssh-copy-id
--- openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/contrib/ssh-copy-id 2019-01-23 20:49:30.513393667 +0100
@@ -112,7 +112,8 @@ do
usage
}
- OPT= OPTARG=
+ OPT=
+ OPTARG=
# implement something like getopt to avoid Solaris pain
case "$1" in
-i?*|-o?*|-p?*)
@@ -261,7 +262,7 @@ populate_new_ids() {
fi
if [ -z "$NEW_IDS" ] ; then
printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2
- printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2
+ printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' >&2
exit 0
fi
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
@@ -296,7 +297,7 @@ case "$REMOTE_VERSION" in
# in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
# 'cd' to be at $HOME; add a newline if it's missing; and all on one line, because tcsh.
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
- ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys ; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
+ ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys || exit 1; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|| exit 1
ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
;;


@ -1,267 +0,0 @@
diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
--- openssh/ssh_config.5.crypto-policies 2020-02-07 15:05:55.665451715 +0100
+++ openssh/ssh_config.5 2020-02-07 15:07:11.632641922 +0100
@@ -361,15 +361,15 @@ domains.
.It Cm CASignatureAlgorithms
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
-.Pp
.Xr ssh 1
will not accept host certificates signed using algorithms other than those
specified.
+.Pp
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
.It Cm CertificateFile
Specifies a file from which the user's certificate is read.
A corresponding private key must be provided separately in order
@@ -453,12 +453,10 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
.Ed
.Pp
-The default is:
-.Bd -literal -offset indent
-chacha20-poly1305@openssh.com,
-aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
@@ -824,8 +822,10 @@ gss-nistp256-sha256-,
gss-curve25519-sha256-
.Ed
.Pp
-The default is
-.Dq gss-gex-sha1-,gss-group14-sha1- .
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
@@ -1162,15 +1162,10 @@ If the specified list begins with a
.Sq ^
character, then the specified methods will be placed at the head of the
default set.
-The default is:
-.Bd -literal -offset indent
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
-diffie-hellman-group16-sha512,
-diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
@@ -1252,14 +1247,10 @@ The algorithms that contain
calculate the MAC after encryption (encrypt-then-mac).
These are considered safer and their use recommended.
.Pp
-The default is:
-.Bd -literal -offset indent
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-sha1-etm@openssh.com,
-umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
@@ -1407,22 +1398,10 @@ If the specified list begins with a
.Sq ^
character, then the specified key types will be placed at the head of the
default set.
-The default for this option is:
-.Bd -literal -offset 3n
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available key types may also be obtained using
.Qq ssh -Q PubkeyAcceptedKeyTypes .
diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
--- openssh/sshd_config.5.crypto-policies 2020-02-07 15:05:55.639451308 +0100
+++ openssh/sshd_config.5 2020-02-07 15:05:55.672451825 +0100
@@ -377,14 +377,14 @@ By default, no banner is displayed.
.It Cm CASignatureAlgorithms
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
-.Pp
Certificates signed using other algorithms will not be accepted for
public key or host-based authentication.
+.Pp
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
PAM or through authentication styles supported in
@@ -486,12 +486,10 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-chacha20-poly1305@openssh.com,
-aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
@@ -693,8 +691,10 @@ gss-nistp256-sha256-,
gss-curve25519-sha256-
.Ed
.Pp
-The default is
-.Dq gss-gex-sha1-,gss-group14-sha1- .
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
@@ -794,22 +794,10 @@ environment variable.
.It Cm HostKeyAlgorithms
Specifies the host key algorithms
that the server offers.
-The default for this option is:
-.Bd -literal -offset 3n
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available key types may also be obtained using
.Qq ssh -Q HostKeyAlgorithms .
@@ -987,14 +975,10 @@ ecdh-sha2-nistp521
sntrup4591761x25519-sha512@tinyssh.org
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms .
@@ -1121,14 +1105,10 @@ umac-64-etm@openssh.com
umac-128-etm@openssh.com
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-sha1-etm@openssh.com,
-umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
@@ -1492,22 +1472,10 @@ If the specified list begins with a
.Sq ^
character, then the specified key types will be placed at the head of the
default set.
-The default for this option is:
-.Bd -literal -offset 3n
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
.Pp
The list of available key types may also be obtained using
.Qq ssh -Q PubkeyAcceptedKeyTypes .



@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=t8DJ
-----END PGP SIGNATURE-----

openssh-8.8p1.tar.gz Normal file


openssh-8.8p1.tar.gz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=EnoG
-----END PGP SIGNATURE-----


@ -6,10 +6,10 @@
%{?no_gtk2:%global gtk2 0} %{?no_gtk2:%global gtk2 0}
%global sshd_uid 74 %global sshd_uid 74
%global openssh_release 14 %global openssh_release 1
Name: openssh Name: openssh
Version: 8.2p1 Version: 8.8p1
Release: %{openssh_release} Release: %{openssh_release}
URL: http://www.openssh.com/portable.html URL: http://www.openssh.com/portable.html
License: BSD License: BSD
@ -18,7 +18,7 @@ Summary: An open source implementation of SSH protocol version 2
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2: sshd.pam Source2: sshd.pam
Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.tar.bz2 Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.4.tar.gz
Source5: pam_ssh_agent-rmheaders Source5: pam_ssh_agent-rmheaders
Source6: ssh-keycat.pam Source6: ssh-keycat.pam
Source7: sshd.sysconfig Source7: sshd.sysconfig
@ -27,82 +27,72 @@ Source10: sshd.socket
Source11: sshd.service Source11: sshd.service
Source12: sshd-keygen@.service Source12: sshd-keygen@.service
Source13: sshd-keygen Source13: sshd-keygen
Source14: sshd.tmpfiles
Source15: sshd-keygen.target Source15: sshd-keygen.target
Patch0: openssh-6.7p1-coverity.patch Source16: ssh-agent.service
Patch1: openssh-7.6p1-audit.patch Patch0: backport-openssh-6.7p1-coverity.patch
Patch2: openssh-7.1p2-audit-race-condition.patch Patch1: backport-openssh-7.6p1-audit.patch
Patch3: pam_ssh_agent_auth-0.9.3-build.patch Patch2: backport-openssh-7.1p2-audit-race-condition.patch
Patch4: pam_ssh_agent_auth-0.10.3-seteuid.patch Patch3: backport-pam_ssh_agent_auth-0.9.3-build.patch
Patch5: pam_ssh_agent_auth-0.9.2-visibility.patch Patch4: backport-pam_ssh_agent_auth-0.10.3-seteuid.patch
Patch6: pam_ssh_agent_auth-0.9.3-agent_structure.patch Patch5: backport-pam_ssh_agent_auth-0.9.2-visibility.patch
Patch7: pam_ssh_agent_auth-0.10.2-compat.patch Patch6: backport-pam_ssh_agent_auth-0.9.3-agent_structure.patch
Patch8: pam_ssh_agent_auth-0.10.2-dereference.patch Patch7: backport-pam_ssh_agent_auth-0.10.2-compat.patch
Patch9: openssh-7.8p1-role-mls.patch Patch8: backport-pam_ssh_agent_auth-0.10.2-dereference.patch
Patch10: openssh-6.6p1-privsep-selinux.patch Patch9: backport-openssh-7.8p1-role-mls.patch
Patch11: openssh-6.7p1-ldap.patch Patch10: backport-openssh-6.6p1-privsep-selinux.patch
Patch12: openssh-6.6p1-keycat.patch Patch12: backport-openssh-6.6p1-keycat.patch
Patch13: openssh-6.6p1-allow-ip-opts.patch Patch13: backport-openssh-6.6p1-allow-ip-opts.patch
Patch14: openssh-6.6p1-keyperm.patch Patch14: backport-openssh-6.6p1-keyperm.patch
Patch15: openssh-5.9p1-ipv6man.patch Patch15: backport-openssh-5.9p1-ipv6man.patch
Patch16: openssh-5.8p2-sigpipe.patch Patch16: backport-openssh-5.8p2-sigpipe.patch
Patch17: openssh-7.2p2-x11.patch Patch17: backport-openssh-7.2p2-x11.patch
Patch18: openssh-7.7p1-fips.patch Patch18: backport-openssh-7.7p1-fips.patch
Patch19: openssh-5.1p1-askpass-progress.patch Patch19: backport-openssh-5.1p1-askpass-progress.patch
Patch20: openssh-4.3p2-askpass-grab-info.patch Patch20: backport-openssh-4.3p2-askpass-grab-info.patch
Patch21: openssh-7.7p1.patch Patch21: backport-openssh-7.7p1.patch
Patch22: openssh-7.8p1-UsePAM-warning.patch Patch22: backport-openssh-7.8p1-UsePAM-warning.patch
Patch23: openssh-6.3p1-ctr-evp-fast.patch Patch23: backport-openssh-6.3p1-ctr-evp-fast.patch
Patch24: openssh-6.6p1-ctr-cavstest.patch Patch26: backport-openssh-8.0p1-gssapi-keyex.patch
Patch25: openssh-6.7p1-kdf-cavs.patch Patch27: backport-openssh-6.6p1-force_krb.patch
Patch26: openssh-8.0p1-gssapi-keyex.patch Patch28: backport-openssh-6.6p1-GSSAPIEnablek5users.patch
Patch27: openssh-6.6p1-force_krb.patch Patch29: backport-openssh-7.7p1-gssapi-new-unique.patch
Patch28: openssh-6.6p1-GSSAPIEnablek5users.patch Patch30: backport-openssh-7.2p2-k5login_directory.patch
Patch29: openssh-7.7p1-gssapi-new-unique.patch Patch31: backport-openssh-6.6p1-kuserok.patch
Patch30: openssh-7.2p2-k5login_directory.patch Patch32: backport-openssh-6.4p1-fromto-remote.patch
Patch31: openssh-6.6p1-kuserok.patch Patch33: backport-openssh-6.6.1p1-selinux-contexts.patch
Patch32: openssh-6.4p1-fromto-remote.patch Patch34: backport-openssh-6.6.1p1-log-in-chroot.patch
Patch33: openssh-6.6.1p1-selinux-contexts.patch Patch35: backport-openssh-6.6.1p1-scp-non-existing-directory.patch
Patch34: openssh-6.6.1p1-log-in-chroot.patch Patch36: backport-openssh-6.8p1-sshdT-output.patch
Patch35: openssh-6.6.1p1-scp-non-existing-directory.patch Patch37: backport-openssh-6.7p1-sftp-force-permission.patch
Patch36: openssh-6.8p1-sshdT-output.patch Patch38: backport-openssh-7.2p2-s390-closefrom.patch
Patch37: openssh-6.7p1-sftp-force-permission.patch Patch39: backport-openssh-7.3p1-x11-max-displays.patch
Patch38: openssh-7.2p2-s390-closefrom.patch Patch40: backport-openssh-7.4p1-systemd.patch
Patch39: openssh-7.3p1-x11-max-displays.patch Patch41: backport-openssh-7.6p1-cleanup-selinux.patch
Patch40: openssh-7.4p1-systemd.patch Patch42: backport-openssh-7.5p1-sandbox.patch
Patch41: openssh-7.6p1-cleanup-selinux.patch Patch43: backport-openssh-8.0p1-pkcs11-uri.patch
Patch42: openssh-7.5p1-sandbox.patch Patch44: backport-openssh-7.8p1-scp-ipv6.patch
Patch43: openssh-8.0p1-pkcs11-uri.patch Patch46: backport-openssh-8.0p1-crypto-policies.patch
Patch44: openssh-7.8p1-scp-ipv6.patch Patch47: backport-openssh-8.0p1-openssl-evp.patch
Patch45: openssh-7.9p1-ssh-copy-id.patch Patch48: backport-openssh-8.0p1-openssl-kdf.patch
Patch46: openssh-8.0p1-crypto-policies.patch Patch49: backport-openssh-8.2p1-visibility.patch
Patch47: openssh-8.0p1-openssl-evp.patch Patch50: backport-openssh-8.2p1-x11-without-ipv6.patch
Patch48: openssh-8.0p1-openssl-kdf.patch Patch51: backport-openssh-8.0p1-keygen-strip-doseol.patch
Patch49: openssh-8.2p1-visibility.patch Patch52: backport-openssh-8.0p1-preserve-pam-errors.patch
Patch50: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch Patch53: backport-openssh-8.7p1-scp-kill-switch.patch
Patch51: bugfix-openssh-6.6p1-log-usepam-no.patch
Patch52: bugfix-openssh-add-option-check-username-splash.patch Patch54: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch
Patch53: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch Patch55: bugfix-openssh-6.6p1-log-usepam-no.patch
Patch54: bugfix-openssh-fix-sftpserver.patch Patch56: bugfix-openssh-add-option-check-username-splash.patch
Patch55: bugfix-debug3-to-verbose-in-command.patch Patch57: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch
Patch56: set-sshd-config.patch Patch58: bugfix-openssh-fix-sftpserver.patch
Patch57: CVE-2020-12062-1.patch Patch59: set-sshd-config.patch
Patch58: CVE-2020-12062-2.patch
Patch59: upstream-expose-vasnmprintf.patch
Patch60: CVE-2018-15919.patch
Patch61: CVE-2020-14145.patch
Patch62: add-strict-scp-check-for-CVE-2020-15778.patch
Patch63: backport-move-closefrom-to-before-first-malloc.patch
Patch64: backport-upstream-Remove-debug-message-from-sigchld-handler.patch
Patch65: backport-CVE-2021-41617-1.patch
Patch66: backport-CVE-2021-41617-2.patch
Requires: /sbin/nologin Requires: /sbin/nologin
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
Requires: openssh-server = %{version}-%{release} Requires: openssh-server = %{version}-%{release}
BuildRequires: gtk2-devel libX11-devel openldap-devel autoconf automake perl-interpreter perl-generators BuildRequires: gtk2-devel libX11-devel openldap-devel autoconf automake perl-interpreter perl-generators
BuildRequires: zlib-devel audit-libs-devel >= 2.0.5 util-linux groff pam-devel fipscheck-devel >= 1.3.0 BuildRequires: zlib-devel audit-libs-devel >= 2.0.5 util-linux groff pam-devel
BuildRequires: openssl-devel >= 0.9.8j perl-podlators systemd-devel gcc p11-kit-devel krb5-devel BuildRequires: openssl-devel >= 0.9.8j perl-podlators systemd-devel gcc p11-kit-devel krb5-devel
BuildRequires: libedit-devel ncurses-devel libselinux-devel >= 2.3-5 audit-libs >= 1.0.8 xauth gnupg2 BuildRequires: libedit-devel ncurses-devel libselinux-devel >= 2.3-5 audit-libs >= 1.0.8 xauth gnupg2
@ -111,7 +101,6 @@ Recommends: p11-kit
%package clients %package clients
Summary: An open source SSH client applications Summary: An open source SSH client applications
Requires: openssh = %{version}-%{release} Requires: openssh = %{version}-%{release}
Requires: fipscheck-lib%{_isa} >= 1.3.0
Requires: crypto-policies >= 20180306-1 Requires: crypto-policies >= 20180306-1
%package server %package server
@ -119,14 +108,9 @@ Summary: An open source SSH server daemon
Requires: openssh = %{version}-%{release} Requires: openssh = %{version}-%{release}
Requires(pre): shadow Requires(pre): shadow
Requires: pam >= 1.0.1-3 Requires: pam >= 1.0.1-3
Requires: fipscheck-lib%{_isa} >= 1.3.0
Requires: crypto-policies >= 20180306-1 Requires: crypto-policies >= 20180306-1
%{?systemd_requires} %{?systemd_requires}
%package ldap
Summary: A LDAP support for open source SSH server daemon
Requires: openssh = %{version}-%{release}
%package keycat %package keycat
Summary: A mls keycat backend for openssh Summary: A mls keycat backend for openssh
Requires: openssh = %{version}-%{release} Requires: openssh = %{version}-%{release}
@ -134,17 +118,11 @@ Requires: openssh = %{version}-%{release}
%package askpass %package askpass
Summary: A passphrase dialog for OpenSSH and X Summary: A passphrase dialog for OpenSSH and X
Requires: openssh = %{version}-%{release} Requires: openssh = %{version}-%{release}
Obsoletes: openssh-askpass-gnome
Provides: openssh-askpass-gnome
%package cavs
Summary: CAVS tests for FIPS validation
Requires: openssh = %{version}-%{release}
%package -n pam_ssh_agent_auth %package -n pam_ssh_agent_auth
Summary: PAM module for authentication with ssh-agent Summary: PAM module for authentication with ssh-agent
Version: 0.10.3 Version: 0.10.4
Release: 9.%{openssh_release} Release: 4.%{openssh_release}
License: BSD License: BSD
%description %description
@ -164,10 +142,6 @@ into and executing commands on a remote machine. This package contains
the secure shell daemon (sshd). The sshd daemon allows SSH clients to the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server. securely connect to your SSH server.
%description ldap
OpenSSH LDAP backend is a way how to distribute the authorized tokens
among the servers in the network.
%description keycat %description keycat
OpenSSH mls keycat is backend for using the authorized keys in the OpenSSH mls keycat is backend for using the authorized keys in the
openssh in the mls mode. openssh in the mls mode.
@ -177,10 +151,6 @@ OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH. an X11 passphrase dialog for OpenSSH.
%description cavs
This package contains test binaries and scripts to make FIPS validation
easier. Now contains CTR and KDF CAVS test driver.
%description -n pam_ssh_agent_auth %description -n pam_ssh_agent_auth
Provides PAM module for the use of authentication with ssh-agent. Through the use of the\ Provides PAM module for the use of authentication with ssh-agent. Through the use of the\
forwarding of ssh-agent connection it also allows to authenticate with remote ssh-agent \ forwarding of ssh-agent connection it also allows to authenticate with remote ssh-agent \
@ -191,7 +161,7 @@ instance. The module is most useful for su and sudo service stacks.
%prep %prep
%setup -q -a 4 %setup -q -a 4
pushd pam_ssh_agent_auth-0.10.3 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
%patch3 -p2 -b .psaa-build %patch3 -p2 -b .psaa-build
%patch4 -p2 -b .psaa-seteuid %patch4 -p2 -b .psaa-seteuid
%patch5 -p2 -b .psaa-visibility %patch5 -p2 -b .psaa-visibility
@ -204,7 +174,6 @@ popd
%patch9 -p1 -b .role-mls %patch9 -p1 -b .role-mls
%patch10 -p1 -b .privsep-selinux %patch10 -p1 -b .privsep-selinux
%patch11 -p1 -b .ldap
%patch12 -p1 -b .keycat %patch12 -p1 -b .keycat
%patch13 -p1 -b .ip-opts %patch13 -p1 -b .ip-opts
%patch14 -p1 -b .keyperm %patch14 -p1 -b .keyperm
@ -216,8 +185,6 @@ popd
%patch21 -p1 %patch21 -p1
%patch22 -p1 -b .log-usepam-no %patch22 -p1 -b .log-usepam-no
%patch23 -p1 -b .evp-ctr %patch23 -p1 -b .evp-ctr
%patch24 -p1 -b .ctr-cavs
%patch25 -p1 -b .kdf-cavs
%patch26 -p1 -b .gsskex %patch26 -p1 -b .gsskex
%patch27 -p1 -b .force_krb %patch27 -p1 -b .force_krb
%patch29 -p1 -b .ccache_name %patch29 -p1 -b .ccache_name
@ -237,36 +204,28 @@ popd
%patch42 -p1 -b .sandbox %patch42 -p1 -b .sandbox
%patch43 -p1 -b .pkcs11-uri %patch43 -p1 -b .pkcs11-uri
%patch44 -p1 -b .scp-ipv6 %patch44 -p1 -b .scp-ipv6
%patch45 -p1 -b .ssh-copy-id
%patch46 -p1 -b .crypto-policies %patch46 -p1 -b .crypto-policies
%patch47 -p1 -b .openssl-evp %patch47 -p1 -b .openssl-evp
%patch48 -p1 -b .openssl-kdf %patch48 -p1 -b .openssl-kdf
%patch49 -p1 -b .visibility %patch49 -p1 -b .visibility
%patch50 -p1 -b .x11-ipv6
%patch51 -p1 -b .keygen-strip-doseol
%patch52 -p1 -b .preserve-pam-errors
%patch53 -p1 -b .kill-scp
%patch1 -p1 -b .audit %patch1 -p1 -b .audit
%patch2 -p1 -b .audit-race %patch2 -p1 -b .audit-race
%patch18 -p1 -b .fips %patch18 -p1 -b .fips
%patch0 -p1 -b .coverity %patch0 -p1 -b .coverity
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
%patch54 -p1 %patch54 -p1
%patch55 -p1 %patch55 -p1
%patch56 -p1 %patch56 -p1
%patch57 -p1 %patch57 -p1
%patch58 -p1 %patch58 -p1
%patch59 -p1 %patch59 -p1
%patch60 -p1
%patch61 -p1
%patch62 -p1
%patch63 -p1
%patch64 -p1
%patch65 -p1
%patch66 -p1
autoreconf autoreconf
pushd pam_ssh_agent_auth-0.10.3 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
autoreconf autoreconf
popd popd
@ -306,7 +265,7 @@ fi
--with-privsep-path=%{_var}/empty/sshd --disable-strip \ --with-privsep-path=%{_var}/empty/sshd --disable-strip \
--without-zlib-version-check --with-ssl-engine --with-ipaddr-display \ --without-zlib-version-check --with-ssl-engine --with-ipaddr-display \
--with-pie=no --without-hardening --with-systemd --with-default-pkcs11-provider=yes \ --with-pie=no --without-hardening --with-systemd --with-default-pkcs11-provider=yes \
--with-ldap --with-pam --with-selinux --with-audit=linux \ --with-pam --with-selinux --with-audit=linux --with-security-key-buildin=yes \
%ifnarch riscv64 %ifnarch riscv64
--with-sandbox=seccomp_filter \ --with-sandbox=seccomp_filter \
%endif %endif
@ -327,18 +286,13 @@ else
fi fi
popd popd
pushd pam_ssh_agent_auth-0.10.3 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
LDFLAGS="$SAVE_LDFLAGS" LDFLAGS="$SAVE_LDFLAGS"
%configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man \ %configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man \
--without-openssl-header-check --without-openssl-header-check
make make
popd popd
%global __spec_install_post \
%%{?__debug_package:%%{__debug_install_post}} %%{__arch_install_post} %%{__os_install_post} \
fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
%{nil}
%check %check
#to run tests use "--with check" #to run tests use "--with check"
%if %{?_with_check:1}%{!?_with_check:0} %if %{?_with_check:1}%{!?_with_check:0}
@ -353,12 +307,9 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
%make_install %make_install
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf
install -d $RPM_BUILD_ROOT/etc/pam.d/ install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/sysconfig/ install -d $RPM_BUILD_ROOT/etc/sysconfig/
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
@ -369,10 +320,11 @@ install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir}
install -m644 %{SOURCE16} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service
install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
@ -382,7 +334,7 @@ install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
pushd pam_ssh_agent_auth-0.10.3 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
make install DESTDIR=$RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT
popd popd
@ -415,7 +367,6 @@ getent passwd sshd >/dev/null || \
%files clients %files clients
%attr(0755,root,root) %{_bindir}/ssh %attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
%attr(0755,root,root) %{_bindir}/scp %attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/05-redhat.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/05-redhat.conf
@ -426,11 +377,11 @@ getent passwd sshd >/dev/null || \
%attr(0755,root,root) %{_bindir}/ssh-copy-id %attr(0755,root,root) %{_bindir}/ssh-copy-id
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper %attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper %attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
%attr(0755,root,root) %{_userunitdir}/ssh-agent.service
%files server %files server
%dir %attr(0711,root,root) %{_var}/empty/sshd %dir %attr(0711,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd %attr(0755,root,root) %{_sbindir}/sshd
%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
@ -441,11 +392,6 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_unitdir}/sshd.socket %attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target %attr(0644,root,root) %{_unitdir}/sshd-keygen.target
%attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
%files ldap
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper
%files keycat %files keycat
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat %attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat
@ -456,18 +402,13 @@ getent passwd sshd >/dev/null || \
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass %attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass %attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
%files cavs
%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs_driver.pl
%files -n pam_ssh_agent_auth %files -n pam_ssh_agent_auth
%license pam_ssh_agent_auth-0.10.3/OPENSSH_LICENSE %license pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/OPENSSH_LICENSE
%attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so %attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
%files help %files help
%doc ChangeLog OVERVIEW PROTOCOL* README README.privsep README.tun README.dns TODO openssh-lpk-openldap.schema %doc ChangeLog OVERVIEW PROTOCOL* README README.privsep README.tun README.dns TODO
%doc openssh-lpk-sun.schema ldap.conf openssh-lpk-openldap.ldif openssh-lpk-sun.ldif HOWTO.ssh-keycat HOWTO.ldap-keys %doc HOWTO.ssh-keycat
%attr(0644,root,root) %{_mandir}/man1/scp.1* %attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0644,root,root) %{_mandir}/man1/ssh*.1* %attr(0644,root,root) %{_mandir}/man1/ssh*.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1* %attr(0644,root,root) %{_mandir}/man1/sftp.1*
@ -478,6 +419,12 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog %changelog
* Wed Dec 8 2021 renmingshuai<renmingshuai@huawei.com> - 8.8P1-1
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:update to openssh-8.8p1
* Fri Oct 29 2021 kircher<majun65@huawei.com> - 8.2P1-14 * Fri Oct 29 2021 kircher<majun65@huawei.com> - 8.2P1-14
- Type:CVE - Type:CVE
- CVE:CVE-2021-41617 - CVE:CVE-2021-41617
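Review bot: The changelog entry at the end of this section records `CVE:NA`, yet the new Patch list drops CVE-2020-12062-1/2, CVE-2018-15919, CVE-2020-14145, add-strict-scp-check-for-CVE-2020-15778 and backport-CVE-2021-41617-1/2 without saying which are covered by upstream 8.8p1 (CVE-2021-41617 is) and which were downstream-only hardening that this update intentionally removes; the `- DESC:` line should state that per CVE so the package's security posture stays auditable. Source4 is still fetched over plain http and, unlike Source0/Source1, has no detached signature or checksum listed, so the pam_ssh_agent_auth 0.10.4 tarball enters the build without integrity verification. The unpacked directory `pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4` used in %prep, %build, %install and %files looks like a GitHub archive layout rather than the sourceforge URL given, so the Source4 URL should be confirmed against the tarball actually shipped.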


@ -9,7 +9,6 @@ buffer.c
cleanup.c cleanup.c
cipher.h cipher.h
compat.h compat.h
defines.h
entropy.c entropy.c
entropy.h entropy.h
fatal.c fatal.c




@ -1,17 +1,26 @@
From 8f2d1c4f30dd88e36ed4c9b5771c92c878378125 Mon Sep 17 00:00:00 2001 From ca0b2bcd17a2c0e1682b8125960ac81e08d0f6dd Mon Sep 17 00:00:00 2001
From: kircher <majun65@huawei.com> From: kircher <kircherlike@outlook.com>
Date: Thu, 16 Apr 2020 19:25:27 +0800 Date: Wed, 27 Oct 2021 16:51:41 +0800
Subject: [PATCH] sshd_config Subject: [PATCH] set
--- ---
sshd_config | 28 ++++++++++++++++++---------- sshd_config | 32 +++++++++++++++++++-------------
1 file changed, 18 insertions(+), 10 deletions(-) 1 file changed, 19 insertions(+), 13 deletions(-)
diff --git a/sshd_config b/sshd_config diff --git a/sshd_config b/sshd_config
index b121450..e8e6299 100644 index 42ecf9b..67739b2 100644
--- a/sshd_config --- a/sshd_config
+++ b/sshd_config +++ b/sshd_config
@@ -19,21 +19,22 @@ @@ -12,7 +12,7 @@
# To modify the system-wide sshd configuration, create a *.conf file under
# /etc/ssh/sshd_config.d/ which will be automatically included below
-Include /etc/ssh/sshd_config.d/*.conf
+#Include /etc/ssh/sshd_config.d/*.conf
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
@@ -23,21 +23,22 @@ Include /etc/ssh/sshd_config.d/*.conf
#ListenAddress 0.0.0.0 #ListenAddress 0.0.0.0
#ListenAddress :: #ListenAddress ::
@ -38,19 +47,21 @@ index b121450..e8e6299 100644
#StrictModes yes #StrictModes yes
#MaxAuthTries 6 #MaxAuthTries 6
#MaxSessions 10 #MaxSessions 10
@@ -60,9 +61,11 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -62,11 +63,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes -#PasswordAuthentication yes
#PermitEmptyPasswords no
+PasswordAuthentication yes +PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords # Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes -#KbdInteractiveAuthentication yes
+ChallengeResponseAuthentication no +KbdInteractiveAuthentication no
# Kerberos options # Kerberos options
#KerberosAuthentication no #KerberosAuthentication no
@@ -72,8 +75,8 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -76,8 +77,8 @@ AuthorizedKeysFile .ssh/authorized_keys
#KerberosUseKuserok yes #KerberosUseKuserok yes
# GSSAPI options # GSSAPI options
@ -61,8 +72,8 @@ index b121450..e8e6299 100644
#GSSAPIStrictAcceptorCheck yes #GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no #GSSAPIKeyExchange no
#GSSAPIEnablek5users no #GSSAPIEnablek5users no
@@ -89,16 +92,16 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -93,16 +94,16 @@ AuthorizedKeysFile .ssh/authorized_keys
# and ChallengeResponseAuthentication to 'no'. # and KbdInteractiveAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in openEuler and may cause several # WARNING: 'UsePAM no' is not supported in openEuler and may cause several
# problems. # problems.
-#UsePAM no -#UsePAM no
@ -81,7 +92,7 @@ index b121450..e8e6299 100644
#PrintLastLog yes #PrintLastLog yes
#TCPKeepAlive yes #TCPKeepAlive yes
#PermitUserEnvironment no #PermitUserEnvironment no
@@ -115,6 +118,11 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -119,8 +120,13 @@ AuthorizedKeysFile .ssh/authorized_keys
# no default banner path # no default banner path
#Banner none #Banner none
@ -91,14 +102,11 @@ index b121450..e8e6299 100644
+AcceptEnv XMODIFIERS +AcceptEnv XMODIFIERS
+ +
# override default of no subsystems # override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server -Subsystem sftp /usr/libexec/sftp-server
+Subsystem sftp /usr/libexec/openssh/sftp-server
@@ -129,4 +137,4 @@ Subsystem sftp /usr/libexec/sftp-server # Example of overriding settings on a per-user basis
#Match User anoncvs
# To modify the system-wide ssh configuration, create a *.conf file under
# /etc/ssh/sshd_config.d/ which will be automatically included below
-Include /etc/ssh/sshd_config.d/*.conf
+#Include /etc/ssh/sshd_config.d/*.conf
-- --
2.19.1 1.8.3.1
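Review bot: The new side of this patch comments out `Include /etc/ssh/sshd_config.d/*.conf` (hunk `@@ -12,7 +12,7 @@`, near the top of sshd_config), while the same commit removes `EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config` and `$CRYPTO_POLICY` from ExecStart in sshd.service and sshd@.service, and the man-page patch now states that the Ciphers/MACs/KexAlgorithms defaults are "handled system-wide by crypto-policies(7)". If the 8.8p1 crypto-policies backport wires the server policy in through a drop-in under sshd_config.d, as the Fedora patch this is taken from does, disabling the Include means sshd never loads the system policy and silently runs on compiled-in defaults, and the manual's statement becomes untrue for the server. Either keep the Include active or document in the patch header how opensshserver.config reaches sshd, and confirm on a built package with `sshd -T` that the printed ciphers/kexalgorithms match the active policy. The same question applies to the sshd.service and sshd@.service sections below. The rename to `KbdInteractiveAuthentication no` and the `/usr/libexec/openssh/sftp-server` path correctly track the 8.7+ option rename and the spec's %{_libexecdir}/openssh layout.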

ssh-agent.service Normal file

@ -0,0 +1,14 @@
# Requires SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"
# set in environment, handled for example in plasma via
# /etc/xdg/plasma-workspace/env/ssh-agent.sh
[Unit]
ConditionEnvironment=!SSH_AGENT_PID
Description=OpenSSH key agent
Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1)
[Service]
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK
PassEnvironment=SSH_AGENT_PID
SuccessExitStatus=2
Type=forking


@ -6,10 +6,8 @@ Wants=sshd-keygen.target
[Service] [Service]
Type=notify Type=notify
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
EnvironmentFile=-/etc/sysconfig/sshd EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY $PERMITROOTLOGIN ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID ExecReload=/bin/kill -HUP $MAINPID
KillMode=process KillMode=process
Restart=on-failure Restart=on-failure


@ -5,7 +5,3 @@
# example using systemctl enable sshd-keygen@dsa.service to allow creation # example using systemctl enable sshd-keygen@dsa.service to allow creation
# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key # of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
# creation. # creation.
# System-wide crypto policy:
# To opt-out, uncomment the following line
# CRYPTO_POLICY=


@ -1 +0,0 @@
d /var/empty/sshd 711 root root -


@ -5,8 +5,6 @@ Wants=sshd-keygen.target
After=sshd-keygen.target After=sshd-keygen.target
[Service] [Service]
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
EnvironmentFile=-/etc/sysconfig/sshd EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY $PERMITROOTLOGIN ExecStart=-/usr/sbin/sshd -i $OPTIONS
StandardInput=socket StandardInput=socket


@ -1,59 +0,0 @@
From 31909696c4620c431dd55f6cd15db65c4e9b98da Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 1 May 2020 06:28:52 +0000
Subject: [PATCH] upstream: expose vasnmprintf(); ok (as part of other commit)
markus
deraadt
OpenBSD-Commit-ID: 2e80cea441c599631a870fd40307d2ade5a7f9b5
---
utf8.c | 5 ++---
utf8.h | 3 ++-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/utf8.c b/utf8.c
index f83401996..7f63b25ae 100644
--- a/utf8.c
+++ b/utf8.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: utf8.c,v 1.8 2018/08/21 13:56:27 schwarze Exp $ */
+/* $OpenBSD: utf8.c,v 1.11 2020/05/01 06:28:52 djm Exp $ */
/*
* Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
*
@@ -43,7 +43,6 @@
static int dangerous_locale(void);
static int grow_dst(char **, size_t *, size_t, char **, size_t);
-static int vasnmprintf(char **, size_t, int *, const char *, va_list);
/*
@@ -101,7 +100,7 @@ grow_dst(char **dst, size_t *sz, size_t maxsz, char **dp, size_t need)
* written is returned in *wp.
*/
-static int
+int
vasnmprintf(char **str, size_t maxsz, int *wp, const char *fmt, va_list ap)
{
char *src; /* Source string returned from vasprintf. */
diff --git a/utf8.h b/utf8.h
index 20a11dc59..9d6d9a32c 100644
--- a/utf8.h
+++ b/utf8.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: utf8.h,v 1.1 2016/05/25 23:48:45 schwarze Exp $ */
+/* $OpenBSD: utf8.h,v 1.3 2020/05/01 06:28:52 djm Exp $ */
/*
* Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
*
@@ -15,6 +15,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+int vasnmprintf(char **, size_t, int *, const char *, va_list);
int mprintf(const char *, ...)
__attribute__((format(printf, 1, 2)));
int fmprintf(FILE *, const char *, ...)