OpenSSH Rebase to 9.0p1

Related: rhbz#2057466
Dmitry Belyavskiy 2022-08-11 14:54:03 +02:00
parent 9fd6981674
commit 03150f6281
24 changed files with 168 additions and 811 deletions

.gitignore vendored

@ -54,3 +54,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-8.7p1.tar.gz.asc /openssh-8.7p1.tar.gz.asc
/openssh-8.8p1.tar.gz /openssh-8.8p1.tar.gz
/openssh-8.8p1.tar.gz.asc /openssh-8.8p1.tar.gz.asc
/openssh-9.0p1.tar.gz
/openssh-9.0p1.tar.gz.asc


@ -1,12 +1,14 @@
diff -up openssh-5.8p2/ssh-keyscan.c.sigpipe openssh-5.8p2/ssh-keyscan.c diff -up openssh-5.8p2/ssh-keyscan.c.sigpipe openssh-5.8p2/ssh-keyscan.c
--- openssh-5.8p2/ssh-keyscan.c.sigpipe 2011-08-23 18:30:33.873025916 +0200 --- openssh-5.8p2/ssh-keyscan.c.sigpipe 2011-08-23 18:30:33.873025916 +0200
+++ openssh-5.8p2/ssh-keyscan.c 2011-08-23 18:32:24.574025362 +0200 +++ openssh-5.8p2/ssh-keyscan.c 2011-08-23 18:32:24.574025362 +0200
@@ -715,6 +715,8 @@ main(int argc, char **argv) @@ -715,6 +715,9 @@ main(int argc, char **argv)
if (maxfd > fdlim_get(0))
fdlim_set(maxfd); fdlim_set(maxfd);
fdcon = xcalloc(maxfd, sizeof(con)); fdcon = xcalloc(maxfd, sizeof(con));
+
+ signal(SIGPIPE, SIG_IGN); + signal(SIGPIPE, SIG_IGN);
+ +
read_wait_nfdset = howmany(maxfd, NFDBITS); read_wait = xcalloc(maxfd, sizeof(struct pollfd));
read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask)); for (j = 0; j < maxfd; j++)
read_wait[j].fd = -1;
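Review bot: The patch's added `signal(SIGPIPE, SIG_IGN);` in the ssh-keyscan.c hunk still uses the raw libc `signal()` after the rebase, while the upstream tree provides `ssh_signal()` (misc.c) as its portable sigaction-based replacement; `ssh_signal(SIGPIPE, SIG_IGN);` would match the convention the surrounding 9.0 code presumably follows and cost nothing here. The new context below it (the poll-based `read_wait` array initialised to `fd = -1`) shows the hunk was re-anchored correctly, so this is a consistency point, not a correctness one. main()'s body continues outside the hunk, so I cannot see whether an ssh_signal() call already exists nearby.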


@ -207,8 +207,8 @@ diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c
-sftp_server_main(int argc, char **argv, struct passwd *user_pw) -sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler) +sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler)
{ {
fd_set *rset, *wset; int i, r, in, out, ch, skipargs = 0, log_stderr = 0;
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0; ssize_t len, olen;
@@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv, @@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv,
extern char *__progname; extern char *__progname;


@ -1,37 +1,3 @@
diff -up openssh-8.5p1/addr.c.coverity openssh-8.5p1/addr.c
--- openssh-8.5p1/addr.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/addr.c 2021-03-24 12:03:33.782968159 +0100
@@ -312,8 +312,10 @@ addr_pton(const char *p, struct xaddr *n
if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0)
return -1;
- if (ai == NULL || ai->ai_addr == NULL)
+ if (ai == NULL || ai->ai_addr == NULL) {
+ freeaddrinfo(ai);
return -1;
+ }
if (n != NULL && addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen,
n) == -1) {
@@ -336,12 +338,16 @@ addr_sa_pton(const char *h, const char *
if (h == NULL || getaddrinfo(h, s, &hints, &ai) != 0)
return -1;
- if (ai == NULL || ai->ai_addr == NULL)
+ if (ai == NULL || ai->ai_addr == NULL) {
+ freeaddrinfo(ai);
return -1;
+ }
if (sa != NULL) {
- if (slen < ai->ai_addrlen)
+ if (slen < ai->ai_addrlen) {
+ freeaddrinfo(ai);
return -1;
+ }
memcpy(sa, &ai->ai_addr, ai->ai_addrlen);
}
diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
--- openssh-8.5p1/auth-krb5.c.coverity 2021-03-24 12:03:33.724967756 +0100 --- openssh-8.5p1/auth-krb5.c.coverity 2021-03-24 12:03:33.724967756 +0100
+++ openssh-8.5p1/auth-krb5.c 2021-03-24 12:03:33.782968159 +0100 +++ openssh-8.5p1/auth-krb5.c 2021-03-24 12:03:33.782968159 +0100
@ -65,15 +31,6 @@ diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100 --- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100 +++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100
@@ -1875,7 +1875,7 @@ channel_post_connecting(struct ssh *ssh,
debug("channel %d: connection failed: %s",
c->self, strerror(err));
/* Try next address, if any */
- if ((sock = connect_next(&c->connect_ctx)) > 0) {
+ if ((sock = connect_next(&c->connect_ctx)) >= 0) {
close(c->sock);
c->sock = c->rfd = c->wfd = sock;
channel_find_maxfd(ssh->chanctxt);
@@ -3804,7 +3804,7 @@ int @@ -3804,7 +3804,7 @@ int
channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd) channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
{ {
@ -411,30 +368,6 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
continue; continue;
} }
lname = ls_file(fname, g.gl_statv[i], 1, lname = ls_file(fname, g.gl_statv[i], 1,
diff --git a/sftp-client.c b/sftp-client.c
index 9de9afa20f..ea98d9f8d0 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -2195,6 +2195,7 @@ handle_dest_replies(struct sftp_conn *to, const char *to_path, int synchronous,
(*nreqsp)--;
}
debug3_f("done: %u outstanding replies", *nreqsp);
+ sshbuf_free(msg);
}
int
diff --git a/sftp-server.c b/sftp-server.c
index 18d1949112..6380c4dd23 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1553,6 +1553,7 @@ process_extended_expand(u_int32_t id)
npath = xstrdup(path + 2);
free(path);
xasprintf(&path, "%s/%s", cwd, npath);
+ free(npath);
} else {
/* ~user expansions */
if (tilde_expand(path, pw->pw_uid, &npath) != 0) {
diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c
--- openssh-8.5p1/sk-usbhid.c.coverity 2021-03-02 11:31:47.000000000 +0100 --- openssh-8.5p1/sk-usbhid.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/sk-usbhid.c 2021-03-24 12:03:33.786968187 +0100 +++ openssh-8.5p1/sk-usbhid.c 2021-03-24 12:03:33.786968187 +0100
@ -494,16 +427,6 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
return 0; return 0;
} }
@@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so
explicit_bzero(rnd, sizeof(rnd));
}
}
+
+ if (fdset != NULL)
+ free(fdset);
}
/*
@@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh) @@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh)
if (newstr) if (newstr)


@ -10,8 +10,8 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
+/* Minimum port number for X11 forwarding */ +/* Minimum port number for X11 forwarding */
+#define X11_PORT_MIN 6000 +#define X11_PORT_MIN 6000
/* Per-channel callback for pre/post select() actions */ /* Per-channel callback for pre/post IO actions */
typedef void chan_fn(struct ssh *, Channel *c, typedef void chan_fn(struct ssh *, Channel *c);
@@ -4228,7 +4228,7 @@ channel_send_window_changes(void) @@ -4228,7 +4228,7 @@ channel_send_window_changes(void)
*/ */
int int


@ -729,7 +729,7 @@ diff -up openssh-8.6p1/auth2.c.audit openssh-8.6p1/auth2.c
--- openssh-8.6p1/auth2.c.audit 2021-04-19 16:47:35.682061561 +0200 --- openssh-8.6p1/auth2.c.audit 2021-04-19 16:47:35.682061561 +0200
+++ openssh-8.6p1/auth2.c 2021-04-19 16:47:35.754062114 +0200 +++ openssh-8.6p1/auth2.c 2021-04-19 16:47:35.754062114 +0200
@@ -298,9 +298,6 @@ input_userauth_request(int type, u_int32 @@ -298,9 +298,6 @@ input_userauth_request(int type, u_int32
} else { authctxt->valid = 0;
/* Invalid user, fake password information */ /* Invalid user, fake password information */
authctxt->pw = fakepw(); authctxt->pw = fakepw();
-#ifdef SSH_AUDIT_EVENTS -#ifdef SSH_AUDIT_EVENTS
@ -1195,9 +1195,9 @@ diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c
- ret = sshkey_verify(key, signature, signaturelen, data, datalen, - ret = sshkey_verify(key, signature, signaturelen, data, datalen,
- sigalg, ssh->compat, &sig_details); - sigalg, ssh->compat, &sig_details);
debug3_f("%s %s signature %s%s%s", auth_method, sshkey_type(key), debug3_f("%s %s signature using %s %s%s%s", auth_method,
sshkey_type(key), sigalg == NULL ? "default" : sigalg,
(ret == 0) ? "verified" : "unverified", (ret == 0) ? "verified" : "unverified",
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
@@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session @@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session
} }
@ -2040,7 +2040,7 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
static char *listener_proctitle; static char *listener_proctitle;
@@ -279,6 +280,15 @@ close_listen_socks(void) @@ -279,6 +280,15 @@ close_listen_socks(void)
num_listen_socks = -1; num_listen_socks = 0;
} }
+/* +/*
@ -2049,14 +2049,14 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
+ */ + */
+int listening_for_clients(void) +int listening_for_clients(void)
+{ +{
+ return num_listen_socks >= 0; + return num_listen_socks > 0;
+} +}
+ +
static void static void
close_startup_pipes(void) close_startup_pipes(void)
{ {
@@ -377,18 +387,45 @@ grace_alarm_handler(int sig) @@ -377,18 +387,45 @@ grace_alarm_handler(int sig)
} ssh_remote_port(the_active_state));
} }
-/* Destroy the host and server keys. They will no longer be needed. */ -/* Destroy the host and server keys. They will no longer be needed. */
@ -2196,8 +2196,8 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
-server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) -server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
+server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s) +server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s)
{ {
fd_set *fdset; struct pollfd *pfd = NULL;
int i, j, ret, maxfd; int i, j, ret, npfd;
@@ -1204,6 +1259,7 @@ server_accept_loop(int *sock_in, int *so @@ -1204,6 +1259,7 @@ server_accept_loop(int *sock_in, int *so
if (received_sigterm) { if (received_sigterm) {
logit("Received signal %d; terminating.", logit("Received signal %d; terminating.",


@ -321,7 +321,7 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.fips 2021-04-19 16:53:03.060577831 +0200 --- openssh-8.6p1/sshd.c.fips 2021-04-19 16:53:03.060577831 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 16:57:45.827769340 +0200 +++ openssh-8.6p1/sshd.c 2021-04-19 16:57:45.827769340 +0200
@@ -66,6 +66,7 @@ @@ -66,6 +66,7 @@
#include <grp.h> #endif
#include <pwd.h> #include <pwd.h>
#include <signal.h> #include <signal.h>
+#include <syslog.h> +#include <syslog.h>


@ -3,7 +3,7 @@ diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c
+++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200 +++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200
@@ -1749,6 +1749,10 @@ main(int ac, char **av) @@ -1749,6 +1749,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
cfg, &includes, NULL); cfg, &includes, NULL, rexeced_flag);
+ /* 'UsePAM no' is not supported in Fedora */ + /* 'UsePAM no' is not supported in Fedora */
+ if (! options.use_pam) + if (! options.use_pam)


@ -93,7 +93,7 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 || (r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
+#endif +#endif
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 || (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
(r = sshbuf_put_cstring(b, "hostbased")) != 0 || (r = sshbuf_put_cstring(b, method)) != 0 ||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 || (r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200 --- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
@ -240,14 +240,14 @@ diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m) mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
{ {
@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh, @@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
{
struct sshbuf *b; struct sshbuf *b;
struct sshkey *hostkey = NULL;
const u_char *p; const u_char *p;
- char *userstyle, *cp; - char *userstyle, *cp;
+ char *userstyle, *s, *cp; + char *userstyle, *s, *cp;
size_t len; size_t len;
u_char type; u_char type;
int r, fail = 0; int hostbound = 0, r, fail = 0;
@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh, @@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
fail++; fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)


@ -92,7 +92,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
.It Cm HashKnownHosts .It Cm HashKnownHosts
Indicates that Indicates that
.Xr ssh 1 .Xr ssh 1
@@ -1219,29 +1216,25 @@ @@ -1219,30 +1216,25 @@
and and
.Cm pam . .Cm pam .
.It Cm KexAlgorithms .It Cm KexAlgorithms
@ -120,6 +120,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
-default set. -default set.
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
-curve25519-sha256,curve25519-sha256@libssh.org, -curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256, -diffie-hellman-group-exchange-sha256,
@ -327,7 +328,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
This option only applies to connections using GSSAPI. This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedAlgorithms .It Cm HostbasedAcceptedAlgorithms
Specifies the signature algorithms that will be accepted for hostbased Specifies the signature algorithms that will be accepted for hostbased
@@ -799,26 +794,13 @@ @@ -799,25 +794,14 @@
.Ev SSH_AUTH_SOCK .Ev SSH_AUTH_SOCK
environment variable. environment variable.
.It Cm HostKeyAlgorithms .It Cm HostKeyAlgorithms
@ -338,7 +339,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
+.Pp +.Pp
Specifies the host key signature algorithms Specifies the host key signature algorithms
that the server offers. that the server offers.
-The default for this option is: The default for this option is:
-.Bd -literal -offset 3n -.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com, -ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp256-cert-v01@openssh.com,
@ -348,12 +349,11 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519, -ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com, -sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa -rsa-sha2-512,rsa-sha2-256
-.Ed -.Ed
-.Pp -.Pp
The list of available signature algorithms may also be obtained using The list of available signature algorithms may also be obtained using
@ -389,12 +389,13 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
The supported algorithms are: The supported algorithms are:
.Pp .Pp
.Bl -item -compact -offset indent .Bl -item -compact -offset indent
@@ -1010,15 +997,6 @@ @@ -1010,16 +997,6 @@
sntrup761x25519-sha512@openssh.com sntrup761x25519-sha512@openssh.com
.El .El
.Pp .Pp
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
-curve25519-sha256,curve25519-sha256@libssh.org, -curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256, -diffie-hellman-group-exchange-sha256,
@ -452,7 +453,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
The list of available MAC algorithms may also be obtained using The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac . .Qq ssh -Q mac .
.It Cm Match .It Cm Match
@@ -1548,37 +1522,25 @@ @@ -1548,36 +1522,25 @@
The default is The default is
.Cm yes . .Cm yes .
.It Cm PubkeyAcceptedAlgorithms .It Cm PubkeyAcceptedAlgorithms
@ -488,12 +489,11 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519, -ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com, -sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa -rsa-sha2-512,rsa-sha2-256
-.Ed -.Ed
+built-in openssh default set. +built-in openssh default set.
.Pp .Pp


@ -16,7 +16,7 @@ index e7549470..b68c1710 100644
monitor.o monitor_wrap.o auth-krb5.o \ monitor.o monitor_wrap.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o \
srclimit.o sftp-server.o sftp-common.o \ srclimit.o sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
diff -up a/auth.c.gsskex b/auth.c diff -up a/auth.c.gsskex b/auth.c
@ -135,7 +135,7 @@ index 9351e042..d6446c0c 100644
--- a/auth2-gss.c --- a/auth2-gss.c
+++ b/auth2-gss.c +++ b/auth2-gss.c
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */ /* $OpenBSD: auth2-gss.c,v 1.33 2021/12/19 22:12:07 djm Exp $ */
/* /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -224,7 +224,7 @@ index 9351e042..d6446c0c 100644
+ +
Authmethod method_gssapi = { Authmethod method_gssapi = {
"gssapi-with-mic", "gssapi-with-mic",
userauth_gssapi, NULL,
diff --git a/auth2.c b/auth2.c diff --git a/auth2.c b/auth2.c
index 0e776224..1c217268 100644 index 0e776224..1c217268 100644
--- a/auth2.c --- a/auth2.c
@ -375,8 +375,8 @@ index ebd0dbca..1bdac6a4 100644
+#include "ssh-gss.h" +#include "ssh-gss.h"
+#endif +#endif
+ +
/* import options */ /* Permitted RSA signature algorithms for UpdateHostkeys proofs */
extern Options options; #define HOSTKEY_PROOF_RSA_ALGS "rsa-sha2-512,rsa-sha2-256"
@@ -1379,9 +1383,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, @@ -1379,9 +1383,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
break; break;
@ -384,7 +384,7 @@ index ebd0dbca..1bdac6a4 100644
/* Do channel operations unless rekeying in progress. */ /* Do channel operations unless rekeying in progress. */
- if (!ssh_packet_is_rekeying(ssh)) - if (!ssh_packet_is_rekeying(ssh))
+ if (!ssh_packet_is_rekeying(ssh)) { + if (!ssh_packet_is_rekeying(ssh)) {
channel_after_select(ssh, readset, writeset); channel_after_poll(ssh, pfd, npfd_active);
+#ifdef GSSAPI +#ifdef GSSAPI
+ if (options.gss_renewal_rekey && + if (options.gss_renewal_rekey &&
@ -396,8 +396,8 @@ index ebd0dbca..1bdac6a4 100644
+ } + }
+ +
/* Buffer input from the connection. */ /* Buffer input from the connection. */
client_process_net_input(ssh, readset); if (conn_in_ready)
client_process_net_input(ssh);
diff --git a/configure.ac b/configure.ac diff --git a/configure.ac b/configure.ac
index b689db4b..efafb6bd 100644 index b689db4b..efafb6bd 100644
--- a/configure.ac --- a/configure.ac
@ -1370,9 +1370,9 @@ index ce85f043..574c7609 100644
+#ifdef GSSAPI +#ifdef GSSAPI
+ free(kex->gss_host); + free(kex->gss_host);
+#endif /* GSSAPI */ +#endif /* GSSAPI */
sshbuf_free(kex->initial_sig);
sshkey_free(kex->initial_hostkey);
free(kex->failed_choice); free(kex->failed_choice);
free(kex->hostkey_alg);
free(kex->name);
diff --git a/kex.h b/kex.h diff --git a/kex.h b/kex.h
index a5ae6ac0..fe714141 100644 index a5ae6ac0..fe714141 100644
--- a/kex.h --- a/kex.h
@ -3011,7 +3011,7 @@ diff -up a/readconf.c.gsskex b/readconf.c
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL; options->kbd_interactive_devices = NULL;
@@ -2463,8 +2516,18 @@ fill_default_options(Options * options) @@ -2463,8 +2516,18 @@ fill_default_options(Options * options)
options->pubkey_authentication = 1; options->pubkey_authentication = SSH_PUBKEY_AUTH_ALL;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
+ if (options->gss_keyex == -1) + if (options->gss_keyex == -1)
@ -3886,7 +3886,7 @@ index 57995ee6..fd5b7724 100644
--- a/sshkey.c --- a/sshkey.c
+++ b/sshkey.c +++ b/sshkey.c
@@ -154,6 +154,7 @@ static const struct keytype keytypes[] = { @@ -154,6 +154,7 @@ static const struct keytype keytypes[] = {
KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 }, # endif /* ENABLE_SK */
# endif /* OPENSSL_HAS_ECC */ # endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 }, + { "null", "null", NULL, KEY_NULL, 0, 0, 0 },
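Review bot: The `{ "null", "null", NULL, KEY_NULL, 0, 0, 0 }` entry appended to sshkey.c's keytypes table carries no comment, and nothing in sshkey.c itself tells a reader that a key type named "null" is presumably a placeholder for GSSAPI key exchange rather than a usable key; a one-line `/* placeholder host key type for GSSAPI key exchange; carries no key material */` above it would make that explicit. Because this table also feeds name lookup and algorithm listing in sshkey.c, it is worth confirming on the rebased 9.0 code that no path outside the GSSAPI KEX methods can negotiate or accept a "null" host key. The keytypes array begins outside the hunk.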


@ -92,9 +92,9 @@ diff -up openssh-8.7p1/Makefile.in.pkcs11-uri openssh-8.7p1/Makefile.in
rm -f regress/unittests/utf8/test_utf8 rm -f regress/unittests/utf8/test_utf8
+ rm -f regress/unittests/pkcs11/*.o + rm -f regress/unittests/pkcs11/*.o
+ rm -f regress/unittests/pkcs11/test_pkcs11 + rm -f regress/unittests/pkcs11/test_pkcs11
(cd openbsd-compat && $(MAKE) distclean) rm -f regress/misc/sk-dummy/*.o
if test -d pkg ; then \ rm -f regress/misc/sk-dummy/*.lo
rm -fr pkg ; \ rm -f regress/misc/sk-dummy/sk-dummy.so
@@ -513,6 +517,7 @@ regress-prep: @@ -513,6 +517,7 @@ regress-prep:
$(MKDIR_P) `pwd`/regress/unittests/sshkey $(MKDIR_P) `pwd`/regress/unittests/sshkey
$(MKDIR_P) `pwd`/regress/unittests/sshsig $(MKDIR_P) `pwd`/regress/unittests/sshsig
@ -876,22 +876,23 @@ diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c
--- openssh-8.7p1/ssh-add.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 --- openssh-8.7p1/ssh-add.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/ssh-add.c 2021-08-30 13:07:43.664700104 +0200 +++ openssh-8.7p1/ssh-add.c 2021-08-30 13:07:43.664700104 +0200
@@ -68,6 +68,7 @@ @@ -68,6 +68,7 @@
#include "digest.h"
#include "ssh-sk.h" #include "ssh-sk.h"
#include "sk-api.h" #include "sk-api.h"
#include "hostfile.h"
+#include "ssh-pkcs11-uri.h" +#include "ssh-pkcs11-uri.h"
/* argv0 */ /* argv0 */
extern char *__progname; extern char *__progname;
@@ -229,6 +230,32 @@ delete_all(int agent_fd, int qflag) @@ -229,6 +230,34 @@ delete_all(int agent_fd, int qflag)
return ret; return ret;
} }
+#ifdef ENABLE_PKCS11 +#ifdef ENABLE_PKCS11
+static int update_card(int, int, const char *, int, char *); +static int update_card(int, int, const char *, int, struct dest_constraint **, size_t, char *);
+ +
+int +int
+update_pkcs11_uri(int agent_fd, int adding, const char *pkcs11_uri, int qflag) +update_pkcs11_uri(int agent_fd, int adding, const char *pkcs11_uri, int qflag,
+ struct dest_constraint **dest_constraints, size_t ndest_constraints)
+{ +{
+ char *pin = NULL; + char *pin = NULL;
+ struct pkcs11_uri *uri; + struct pkcs11_uri *uri;
@ -909,19 +910,20 @@ diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c
+ } + }
+ pkcs11_uri_cleanup(uri); + pkcs11_uri_cleanup(uri);
+ +
+ return update_card(agent_fd, adding, pkcs11_uri, qflag, pin); + return update_card(agent_fd, adding, pkcs11_uri, qflag,
+ dest_constraints, ndest_constraints, pin);
+} +}
+#endif +#endif
+ +
static int static int
add_file(int agent_fd, const char *filename, int key_only, int qflag, add_file(int agent_fd, const char *filename, int key_only, int qflag,
const char *skprovider) const char *skprovider, struct dest_constraint **dest_constraints,
@@ -445,12 +472,11 @@ add_file(int agent_fd, const char *filen @@ -445,12 +472,11 @@ add_file(int agent_fd, const char *filen
}
static int static int
-update_card(int agent_fd, int add, const char *id, int qflag) update_card(int agent_fd, int add, const char *id, int qflag,
+update_card(int agent_fd, int add, const char *id, int qflag, char *pin) - struct dest_constraint **dest_constraints, size_t ndest_constraints)
+ struct dest_constraint **dest_constraints, size_t ndest_constraints, char *pin)
{ {
- char *pin = NULL; - char *pin = NULL;
int r, ret = -1; int r, ret = -1;
@ -931,15 +933,16 @@ diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c
if ((pin = read_passphrase("Enter passphrase for PKCS#11: ", if ((pin = read_passphrase("Enter passphrase for PKCS#11: ",
RP_ALLOW_STDIN)) == NULL) RP_ALLOW_STDIN)) == NULL)
return -1; return -1;
@@ -630,6 +656,13 @@ static int @@ -630,6 +656,14 @@ static int
do_file(int agent_fd, int deleting, int key_only, char *file, int qflag, const char *skprovider, struct dest_constraint **dest_constraints,
const char *skprovider) size_t ndest_constraints)
{ {
+#ifdef ENABLE_PKCS11 +#ifdef ENABLE_PKCS11
+ if (strlen(file) >= strlen(PKCS11_URI_SCHEME) && + if (strlen(file) >= strlen(PKCS11_URI_SCHEME) &&
+ strncmp(file, PKCS11_URI_SCHEME, + strncmp(file, PKCS11_URI_SCHEME,
+ strlen(PKCS11_URI_SCHEME)) == 0) { + strlen(PKCS11_URI_SCHEME)) == 0) {
+ return update_pkcs11_uri(agent_fd, !deleting, file, qflag); + return update_pkcs11_uri(agent_fd, !deleting, file, qflag,
+ dest_constraints, ndest_constraints);
+ } + }
+#endif +#endif
if (deleting) { if (deleting) {
@ -949,8 +952,8 @@ diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c
} }
if (pkcs11provider != NULL) { if (pkcs11provider != NULL) {
if (update_card(agent_fd, !deleting, pkcs11provider, if (update_card(agent_fd, !deleting, pkcs11provider,
- qflag) == -1) - qflag, dest_constraints, ndest_constraints) == -1)
+ qflag, NULL) == -1) + qflag, dest_constraints, ndest_constraints, NULL) == -1)
ret = 1; ret = 1;
goto done; goto done;
} }
@ -1080,7 +1083,7 @@ diff -up openssh-8.7p1/ssh-agent.c.pkcs11-uri openssh-8.7p1/ssh-agent.c
+ free(sane_uri); + free(sane_uri);
free(keys); free(keys);
free(comments); free(comments);
send_status(e, success); free_dest_constraints(dest_constraints, ndest_constraints);
@@ -918,7 +976,7 @@ send: @@ -918,7 +976,7 @@ send:
static void static void
process_remove_smartcard_key(SocketEntry *e) process_remove_smartcard_key(SocketEntry *e)
@ -1544,7 +1547,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
static RSA_METHOD *rsa_method; static RSA_METHOD *rsa_method;
@@ -195,6 +286,55 @@ static EC_KEY_METHOD *ec_key_method; @@ -195,6 +286,55 @@ static EC_KEY_METHOD *ec_key_method;
static int ec_key_idx = 0; static int ec_key_idx = 0;
#endif #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+/* +/*
+ * This can't be in the ssh-pkcs11-uri, becase we can not depend on + * This can't be in the ssh-pkcs11-uri, becase we can not depend on
@ -1741,7 +1744,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
@@ -614,6 +764,12 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider @@ -614,6 +764,12 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider
k11->keyid = xmalloc(k11->keyid_len); k11->keyid = xmalloc(k11->keyid_len);
memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
}
+ if (label_attrib->ulValueLen > 0 ) { + if (label_attrib->ulValueLen > 0 ) {
+ k11->label = xmalloc(label_attrib->ulValueLen+1); + k11->label = xmalloc(label_attrib->ulValueLen+1);
+ memcpy(k11->label, label_attrib->pValue, label_attrib->ulValueLen); + memcpy(k11->label, label_attrib->pValue, label_attrib->ulValueLen);
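Review bot: The new label copy at the end of the section allocates `label_attrib->ulValueLen+1` bytes but memcpy's only `ulValueLen` of them, so the `+1` yields a C string only if the line after the hunk writes `k11->label[label_attrib->ulValueLen] = '\0';` — the hunk ends before that, so please confirm. The length comes straight from the token's attribute template, and PKCS#11 reports an unavailable attribute as `CK_UNAVAILABLE_INFORMATION` (all bits set), which passes the `> 0` test and makes `ulValueLen+1` wrap to 0; if the preceding C_GetAttributeValue handling does not already reject that case, add `label_attrib->ulValueLen != CK_UNAVAILABLE_INFORMATION &&` to the condition. The enclosing pkcs11_ecdsa_wrap body starts and ends outside the hunk, and the RSA counterpart (if it gained the same block) should get the same check.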


@ -1,151 +0,0 @@
diff --color -rup a/sshconnect2.c b/sshconnect2.c
--- a/sshconnect2.c 2022-07-11 17:00:02.618575727 +0200
+++ b/sshconnect2.c 2022-07-11 17:03:05.096085690 +0200
@@ -2288,9 +2288,9 @@ userauth_hostbased(struct ssh *ssh)
if (authctxt->sensitive->keys[i] == NULL ||
authctxt->sensitive->keys[i]->type == KEY_UNSPEC)
continue;
- if (match_pattern_list(
+ if (!sshkey_match_keyname_to_sigalgs(
sshkey_ssh_name(authctxt->sensitive->keys[i]),
- authctxt->active_ktype, 0) != 1)
+ authctxt->active_ktype))
continue;
/* we take and free the key */
private = authctxt->sensitive->keys[i];
@@ -2316,7 +2316,8 @@ userauth_hostbased(struct ssh *ssh)
error_f("sshkey_fingerprint failed");
goto out;
}
- debug_f("trying hostkey %s %s", sshkey_ssh_name(private), fp);
+ debug_f("trying hostkey %s %s using sigalg %s",
+ sshkey_ssh_name(private), fp, authctxt->active_ktype);
/* figure out a name for the client host */
lname = get_local_name(ssh_packet_get_connection_in(ssh));
diff --color -rup a/sshkey.c b/sshkey.c
--- a/sshkey.c 2022-07-11 17:00:02.609575554 +0200
+++ b/sshkey.c 2022-07-11 17:12:30.905976443 +0200
@@ -252,6 +252,29 @@ sshkey_ecdsa_nid_from_name(const char *n
return -1;
}
+int
+sshkey_match_keyname_to_sigalgs(const char *keyname, const char *sigalgs)
+{
+ int ktype;
+
+ if (sigalgs == NULL || *sigalgs == '\0' ||
+ (ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC)
+ return 0;
+ else if (ktype == KEY_RSA) {
+ return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 ||
+ match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 ||
+ match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1;
+ } else if (ktype == KEY_RSA_CERT) {
+ return match_pattern_list("ssh-rsa-cert-v01@openssh.com",
+ sigalgs, 0) == 1 ||
+ match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
+ sigalgs, 0) == 1 ||
+ match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
+ sigalgs, 0) == 1;
+ } else
+ return match_pattern_list(keyname, sigalgs, 0) == 1;
+}
+
char *
sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
{
diff --color -rup a/sshkey.h b/sshkey.h
--- a/sshkey.h 2022-07-11 17:00:02.603575438 +0200
+++ b/sshkey.h 2022-07-11 17:13:01.052556879 +0200
@@ -194,6 +194,10 @@ int sshkey_is_cert(const struct sshkey
int sshkey_is_sk(const struct sshkey *);
int sshkey_type_is_cert(int);
int sshkey_type_plain(int);
+
+/* Returns non-zero if key name match sigalgs pattern list. (handles RSA) */
+int sshkey_match_keyname_to_sigalgs(const char *, const char *);
+
int sshkey_to_certified(struct sshkey *);
int sshkey_drop_cert(struct sshkey *);
int sshkey_cert_copy(const struct sshkey *, struct sshkey *);
diff --color -rup a/ssh-keysign.c b/ssh-keysign.c
--- a/ssh-keysign.c 2021-08-20 06:03:49.000000000 +0200
+++ b/ssh-keysign.c 2022-07-11 17:00:23.306973667 +0200
@@ -62,7 +62,7 @@
extern char *__progname;
static int
-valid_request(struct passwd *pw, char *host, struct sshkey **ret,
+valid_request(struct passwd *pw, char *host, struct sshkey **ret, char **pkalgp,
u_char *data, size_t datalen)
{
struct sshbuf *b;
@@ -75,6 +75,8 @@ valid_request(struct passwd *pw, char *h
if (ret != NULL)
*ret = NULL;
+ if (pkalgp != NULL)
+ *pkalgp = NULL;
fail = 0;
if ((b = sshbuf_from(data, datalen)) == NULL)
@@ -122,8 +124,6 @@ valid_request(struct passwd *pw, char *h
fail++;
} else if (key->type != pktype)
fail++;
- free(pkalg);
- free(pkblob);
/* client host name, handle trailing dot */
if ((r = sshbuf_get_cstring(b, &p, &len)) != 0)
@@ -154,8 +154,19 @@ valid_request(struct passwd *pw, char *h
if (fail)
sshkey_free(key);
- else if (ret != NULL)
- *ret = key;
+ else {
+ if (ret != NULL) {
+ *ret = key;
+ key = NULL;
+ }
+ if (pkalgp != NULL) {
+ *pkalgp = pkalg;
+ pkalg = NULL;
+ }
+ }
+ sshkey_free(key);
+ free(pkalg);
+ free(pkblob);
return (fail ? -1 : 0);
}
@@ -170,7 +181,7 @@ main(int argc, char **argv)
struct passwd *pw;
int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
u_char *signature, *data, rver;
- char *host, *fp;
+ char *host, *fp, *pkalg;
size_t slen, dlen;
if (pledge("stdio rpath getpw dns id", NULL) != 0)
@@ -258,7 +269,7 @@ main(int argc, char **argv)
if ((r = sshbuf_get_string(b, &data, &dlen)) != 0)
fatal_r(r, "%s: buffer error", __progname);
- if (valid_request(pw, host, &key, data, dlen) < 0)
+ if (valid_request(pw, host, &key, &pkalg, data, dlen) < 0)
fatal("%s: not a valid request", __progname);
free(host);
@@ -279,7 +290,7 @@ main(int argc, char **argv)
}
if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen,
- NULL, NULL, NULL, 0)) != 0)
+ pkalg, NULL, NULL, 0)) != 0)
fatal_r(r, "%s: sshkey_sign failed", __progname);
free(data);


@ -4,9 +4,8 @@
#include "includes.h" #include "includes.h"
-#ifndef HAVE_CLOSEFROM -#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM)
+#if (!defined HAVE_CLOSEFROM) || (defined __s390__) +#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM) || (defined __s390__)
#include <sys/types.h> #include <sys/types.h>
#include <sys/param.h> #include <unistd.h>
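Review bot: The rebased guard on the second changed line, `#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM) || (defined __s390__)`, keeps a hard-coded architecture test beside the upstream `BROKEN_CLOSEFROM` switch that, judging by the new context, exists to select this same fallback. If the s390 exception is still required, defining `BROKEN_CLOSEFROM` for that target at configure time would let the upstream `#if` stand unmodified and remove this hunk from future rebases; if that is not possible, the condition deserves a why-comment such as `/* s390: always use the portable closefrom() fallback -- <reason or bug reference> */`, since nothing in the patch explains it. The hunk header announces 9 old and 8 new lines but only five rows are rendered here, so the rest of the hunk was not reviewed.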


@ -1,194 +0,0 @@
diff --color -ru a/clientloop.c b/clientloop.c
--- a/clientloop.c 2022-06-29 16:35:06.677597259 +0200
+++ b/clientloop.c 2022-06-29 16:40:29.737926205 +0200
@@ -116,6 +116,9 @@
#include "ssh-gss.h"
#endif
+/* Permitted RSA signature algorithms for UpdateHostkeys proofs */
+#define HOSTKEY_PROOF_RSA_ALGS "rsa-sha2-512,rsa-sha2-256"
+
/* import options */
extern Options options;
@@ -2110,8 +2113,10 @@
struct hostkeys_update_ctx *ctx = (struct hostkeys_update_ctx *)_ctx;
size_t i, ndone;
struct sshbuf *signdata;
- int r, kexsigtype, use_kexsigtype;
+ int r, plaintype;
const u_char *sig;
+ const char *rsa_kexalg = NULL;
+ char *alg = NULL;
size_t siglen;
if (ctx->nnew == 0)
@@ -2122,9 +2127,9 @@
hostkeys_update_ctx_free(ctx);
return;
}
- kexsigtype = sshkey_type_plain(
- sshkey_type_from_name(ssh->kex->hostkey_alg));
-
+ if (sshkey_type_plain(sshkey_type_from_name(
+ ssh->kex->hostkey_alg)) == KEY_RSA)
+ rsa_kexalg = ssh->kex->hostkey_alg;
if ((signdata = sshbuf_new()) == NULL)
fatal_f("sshbuf_new failed");
/*
@@ -2135,6 +2140,7 @@
for (ndone = i = 0; i < ctx->nkeys; i++) {
if (ctx->keys_match[i])
continue;
+ plaintype = sshkey_type_plain(ctx->keys[i]->type);
/* Prepare data to be signed: session ID, unique string, key */
sshbuf_reset(signdata);
if ( (r = sshbuf_put_cstring(signdata,
@@ -2148,19 +2154,33 @@
error_fr(r, "parse sig");
goto out;
}
+ if ((r = sshkey_get_sigtype(sig, siglen, &alg)) != 0) {
+ error_fr(r, "server gave unintelligible signature "
+ "for %s key %zu", sshkey_type(ctx->keys[i]), i);
+ goto out;
+ }
/*
- * For RSA keys, prefer to use the signature type negotiated
- * during KEX to the default (SHA1).
+ * Special case for RSA keys: if a RSA hostkey was negotiated,
+ * then use its signature type for verification of RSA hostkey
+ * proofs. Otherwise, accept only RSA-SHA256/512 signatures.
*/
- use_kexsigtype = kexsigtype == KEY_RSA &&
- sshkey_type_plain(ctx->keys[i]->type) == KEY_RSA;
- debug3_f("verify %s key %zu using %s sigalg",
- sshkey_type(ctx->keys[i]), i,
- use_kexsigtype ? ssh->kex->hostkey_alg : "default");
+ if (plaintype == KEY_RSA && rsa_kexalg == NULL &&
+ match_pattern_list(alg, HOSTKEY_PROOF_RSA_ALGS, 0) != 1) {
+ debug_f("server used untrusted RSA signature algorithm "
+ "%s for key %zu, disregarding", alg, i);
+ free(alg);
+ /* zap the key from the list */
+ sshkey_free(ctx->keys[i]);
+ ctx->keys[i] = NULL;
+ ndone++;
+ continue;
+ }
+ debug3_f("verify %s key %zu using sigalg %s",
+ sshkey_type(ctx->keys[i]), i, alg);
+ free(alg);
if ((r = sshkey_verify(ctx->keys[i], sig, siglen,
sshbuf_ptr(signdata), sshbuf_len(signdata),
- use_kexsigtype ? ssh->kex->hostkey_alg : NULL, 0,
- NULL)) != 0) {
+ plaintype == KEY_RSA ? rsa_kexalg : NULL, 0, NULL)) != 0) {
error_fr(r, "server gave bad signature for %s key %zu",
sshkey_type(ctx->keys[i]), i);
goto out;
diff --color -ru a/kex.c b/kex.c
--- a/kex.c 2022-06-29 16:35:06.775599179 +0200
+++ b/kex.c 2022-06-29 16:42:00.839710940 +0200
@@ -959,6 +959,18 @@
return (1);
}
+/* returns non-zero if proposal contains any algorithm from algs */
+static int
+has_any_alg(const char *proposal, const char *algs)
+{
+ char *cp;
+
+ if ((cp = match_list(proposal, algs, NULL)) == NULL)
+ return 0;
+ free(cp);
+ return 1;
+}
+
static int
kex_choose_conf(struct ssh *ssh)
{
@@ -994,6 +1006,16 @@
free(ext);
}
+ /* Check whether client supports rsa-sha2 algorithms */
+ if (kex->server && (kex->flags & KEX_INITIAL)) {
+ if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
+ "rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com"))
+ kex->flags |= KEX_RSA_SHA2_256_SUPPORTED;
+ if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
+ "rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com"))
+ kex->flags |= KEX_RSA_SHA2_512_SUPPORTED;
+ }
+
/* Algorithm Negotiation */
if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
sprop[PROPOSAL_KEX_ALGS])) != 0) {
diff --color -ru a/kex.h b/kex.h
--- a/kex.h 2022-06-29 16:35:06.766599003 +0200
+++ b/kex.h 2022-06-29 16:42:24.199168567 +0200
@@ -116,6 +116,8 @@
#define KEX_INIT_SENT 0x0001
#define KEX_INITIAL 0x0002
+#define KEX_RSA_SHA2_256_SUPPORTED 0x0008 /* only set in server for now */
+#define KEX_RSA_SHA2_512_SUPPORTED 0x0010 /* only set in server for now */
struct sshenc {
char *name;
diff --color -ru a/serverloop.c b/serverloop.c
--- a/serverloop.c 2021-08-20 06:03:49.000000000 +0200
+++ b/serverloop.c 2022-06-29 16:45:05.902336428 +0200
@@ -684,16 +684,18 @@
struct sshbuf *resp = NULL;
struct sshbuf *sigbuf = NULL;
struct sshkey *key = NULL, *key_pub = NULL, *key_prv = NULL;
- int r, ndx, kexsigtype, use_kexsigtype, success = 0;
+ int r, ndx, success = 0;
const u_char *blob;
+ const char *sigalg, *kex_rsa_sigalg = NULL;
u_char *sig = 0;
size_t blen, slen;
if ((resp = sshbuf_new()) == NULL || (sigbuf = sshbuf_new()) == NULL)
fatal_f("sshbuf_new");
- kexsigtype = sshkey_type_plain(
- sshkey_type_from_name(ssh->kex->hostkey_alg));
+ if (sshkey_type_plain(sshkey_type_from_name(
+ ssh->kex->hostkey_alg)) == KEY_RSA)
+ kex_rsa_sigalg = ssh->kex->hostkey_alg;
while (ssh_packet_remaining(ssh) > 0) {
sshkey_free(key);
key = NULL;
@@ -726,16 +728,24 @@
* For RSA keys, prefer to use the signature type negotiated
* during KEX to the default (SHA1).
*/
- use_kexsigtype = kexsigtype == KEY_RSA &&
- sshkey_type_plain(key->type) == KEY_RSA;
+ sigalg = NULL;
+ if (sshkey_type_plain(key->type) == KEY_RSA) {
+ if (kex_rsa_sigalg != NULL)
+ sigalg = kex_rsa_sigalg;
+ else if (ssh->kex->flags & KEX_RSA_SHA2_512_SUPPORTED)
+ sigalg = "rsa-sha2-512";
+ else if (ssh->kex->flags & KEX_RSA_SHA2_256_SUPPORTED)
+ sigalg = "rsa-sha2-256";
+ }
+ debug3_f("sign %s key (index %d) using sigalg %s",
+ sshkey_type(key), ndx, sigalg == NULL ? "default" : sigalg);
if ((r = sshbuf_put_cstring(sigbuf,
"hostkeys-prove-00@openssh.com")) != 0 ||
(r = sshbuf_put_stringb(sigbuf,
ssh->kex->session_id)) != 0 ||
(r = sshkey_puts(key, sigbuf)) != 0 ||
(r = ssh->kex->sign(ssh, key_prv, key_pub, &sig, &slen,
- sshbuf_ptr(sigbuf), sshbuf_len(sigbuf),
- use_kexsigtype ? ssh->kex->hostkey_alg : NULL)) != 0 ||
+ sshbuf_ptr(sigbuf), sshbuf_len(sigbuf), sigalg)) != 0 ||
(r = sshbuf_put_string(resp, sig, slen)) != 0) {
error_fr(r, "assemble signature");
goto out;


@ -204,22 +204,25 @@ index a926cc007..cd13fb879 100644
break; break;
case SSH_ERR_INTERNAL_ERROR: case SSH_ERR_INTERNAL_ERROR:
case SSH_ERR_ALLOC_FAIL: case SSH_ERR_ALLOC_FAIL:
@@ -1557,12 +1565,13 @@ main(int ac, char **av) @@ -1565,7 +1573,7 @@ main(int ac, char **av)
if ((o) >= sensitive_data.nkeys) \ if ((o) >= sensitive_data.nkeys) \
fatal_f("pubkey out of array bounds"); \ fatal_f("pubkey out of array bounds"); \
check_load(sshkey_load_public(p, &(sensitive_data.keys[o]), NULL), \ check_load(sshkey_load_public(p, &(sensitive_data.keys[o]), NULL), \
- p, "pubkey"); \ - p, "pubkey"); \
+ &(sensitive_data.keys[o]), p, "pubkey"); \ + &(sensitive_data.keys[o]), p, "pubkey"); \
} while (0) if (sensitive_data.keys[o] != NULL) \
debug2("hostbased key %d: %s key from \"%s\"", o, \
sshkey_ssh_name(sensitive_data.keys[o]), p); \
@@ -1573,7 +1581,8 @@ main(int ac, char **av)
#define L_CERT(p,o) do { \ #define L_CERT(p,o) do { \
if ((o) >= sensitive_data.nkeys) \ if ((o) >= sensitive_data.nkeys) \
fatal_f("cert out of array bounds"); \ fatal_f("cert out of array bounds"); \
- check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), p, "cert"); \ - check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), p, "cert"); \
+ check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), \ + check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), \
+ &(sensitive_data.keys[o]), p, "cert"); \ + &(sensitive_data.keys[o]), p, "cert"); \
} while (0) if (sensitive_data.keys[o] != NULL) \
debug2("hostbased key %d: %s cert from \"%s\"", o, \
if (options.hostbased_authentication == 1) { sshkey_ssh_name(sensitive_data.keys[o]), p); \
@@ -2244,7 +2253,7 @@ load_public_identity_files(const struct ssh_conn_info *cinfo) @@ -2244,7 +2253,7 @@ load_public_identity_files(const struct ssh_conn_info *cinfo)
filename = default_client_percent_dollar_expand(cp, cinfo); filename = default_client_percent_dollar_expand(cp, cinfo);
free(cp); free(cp);
@ -263,8 +266,8 @@ index 67f8e0309..d050c1656 100644
xxx_conn_info) == -1) xxx_conn_info) == -1)
fatal("Host key verification failed."); fatal("Host key verification failed.");
@@ -1747,6 +1751,12 @@ pubkey_prepare(struct ssh *ssh, Authctxt *authctxt) @@ -1747,6 +1751,12 @@ pubkey_prepare(struct ssh *ssh, Authctxt *authctxt)
close(agent_fd); /* list of keys supported by the agent */
} else { if ((r = get_agent_identities(ssh, &agent_fd, &idlist)) == 0) {
for (j = 0; j < idlist->nkeys; j++) { for (j = 0; j < idlist->nkeys; j++) {
+ if ((r = sshkey_check_rsa_length(idlist->keys[j], + if ((r = sshkey_check_rsa_length(idlist->keys[j],
+ options.rsa_min_size)) != 0) { + options.rsa_min_size)) != 0) {


@ -2,8 +2,8 @@ diff --color -rup a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
--- a/regress/hostkey-agent.sh 2021-08-20 06:03:49.000000000 +0200 --- a/regress/hostkey-agent.sh 2021-08-20 06:03:49.000000000 +0200
+++ b/regress/hostkey-agent.sh 2022-07-14 11:58:12.172786060 +0200 +++ b/regress/hostkey-agent.sh 2022-07-14 11:58:12.172786060 +0200
@@ -13,8 +13,12 @@ r=$? @@ -13,8 +13,12 @@ r=$?
grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig ${SSHKEYGEN} -qt ed25519 -f $OBJ/agent-ca -N '' || fatal "ssh-keygen CA"
+PUBKEY_ACCEPTED_ALGOS=`$SSH -G "example.com" | \ +PUBKEY_ACCEPTED_ALGOS=`$SSH -G "example.com" | \
+ grep -i "PubkeyAcceptedAlgorithms" | cut -d ' ' -f2- | tr "," "|"` + grep -i "PubkeyAcceptedAlgorithms" | cut -d ' ' -f2- | tr "," "|"`
@ -13,17 +13,17 @@ diff --color -rup a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
-for k in $SSH_KEYTYPES ; do -for k in $SSH_KEYTYPES ; do
+for k in $SSH_ACCEPTED_KEYTYPES ; do +for k in $SSH_ACCEPTED_KEYTYPES ; do
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
( ${SSHKEYGEN} -s $OBJ/agent-ca -qh -n localhost-with-alias \
printf 'localhost-with-alias,127.0.0.1,::1 ' -I localhost-with-alias $OBJ/agent-key.$k.pub || \
@@ -31,7 +35,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_host @@ -31,7 +35,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_host
unset SSH_AUTH_SOCK unset SSH_AUTH_SOCK
for ps in yes; do -for k in $SSH_KEYTYPES ; do
- for k in $SSH_KEYTYPES ; do +for k in $SSH_ACCEPTED_KEYTYPES ; do
+ for k in $SSH_ACCEPTED_KEYTYPES ; do verbose "key type $k"
verbose "key type $k privsep=$ps"
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy
diff --color -rup a/sshconnect2.c b/sshconnect2.c diff --color -rup a/sshconnect2.c b/sshconnect2.c
--- a/sshconnect2.c 2022-07-14 10:10:07.262975710 +0200 --- a/sshconnect2.c 2022-07-14 10:10:07.262975710 +0200
+++ b/sshconnect2.c 2022-07-14 10:10:32.068452067 +0200 +++ b/sshconnect2.c 2022-07-14 10:10:32.068452067 +0200


@ -7,9 +7,9 @@ diff -up openssh-8.7p1/scp.c.scp-sftpdirs openssh-8.7p1/scp.c
if (upload_dir(conn, src, abs_dst, pflag, if (upload_dir(conn, src, abs_dst, pflag,
- SFTP_PROGRESS_ONLY, 0, 0, 1) != 0) { - SFTP_PROGRESS_ONLY, 0, 0, 1) != 0) {
+ SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) { + SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) {
error("failed to upload directory %s to %s", error("failed to upload directory %s to %s", src, targ);
src, abs_dst);
errs = 1; errs = 1;
}
diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
--- openssh-8.7p1/sftp-client.c.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200 --- openssh-8.7p1/sftp-client.c.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/sftp-client.c 2022-02-07 12:47:59.117516131 +0100 +++ openssh-8.7p1/sftp-client.c 2022-02-07 12:47:59.117516131 +0100
@ -22,11 +22,13 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
{ {
struct sshbuf *msg; struct sshbuf *msg;
u_int expected_id, count, id; u_int expected_id, count, id;
@@ -1012,9 +1012,38 @@ do_realpath_expand(struct sftp_conn *con @@ -1033,11 +1033,43 @@ do_realpath_expand(struct sftp_conn *con
if ((r = sshbuf_get_u32(msg, &status)) != 0 ||
if ((r = sshbuf_get_u32(msg, &status)) != 0) (r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0)
fatal_fr(r, "parse status"); fatal_fr(r, "parse status");
- error("Couldn't canonicalize: %s", fx2txt(status)); - error("%s %s: %s", expand ? "expand" : "realpath",
- path, *errmsg == '\0' ? fx2txt(status) : errmsg);
- free(errmsg);
- sshbuf_free(msg); - sshbuf_free(msg);
- return NULL; - return NULL;
+ if ((status == SSH2_FX_NO_SUCH_FILE) && create_dir) { + if ((status == SSH2_FX_NO_SUCH_FILE) && create_dir) {
@ -35,7 +37,7 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
+ sshbuf_free(msg); + sshbuf_free(msg);
+ return NULL; + return NULL;
+ } + }
+ + debug2("Sending SSH2_FXP_REALPATH \"%s\" - create dir", path);
+ send_string_request(conn, id, SSH2_FXP_REALPATH, + send_string_request(conn, id, SSH2_FXP_REALPATH,
+ path, strlen(path)); + path, strlen(path));
+ +
@ -48,16 +50,21 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
+ fatal("ID mismatch (%u != %u)", id, expected_id); + fatal("ID mismatch (%u != %u)", id, expected_id);
+ +
+ if (type == SSH2_FXP_STATUS) { + if (type == SSH2_FXP_STATUS) {
+ u_int status; + free(errmsg);
+ +
+ if ((r = sshbuf_get_u32(msg, &status)) != 0) + if ((r = sshbuf_get_u32(msg, &status)) != 0 ||
+ (r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0)
+ fatal_fr(r, "parse status"); + fatal_fr(r, "parse status");
+ error("Couldn't canonicalize: %s", fx2txt(status)); + error("%s %s: %s", expand ? "expand" : "realpath",
+ path, *errmsg == '\0' ? fx2txt(status) : errmsg);
+ free(errmsg);
+ sshbuf_free(msg); + sshbuf_free(msg);
+ return NULL; + return NULL;
+ } + }
+ } else { + } else {
+ error("Couldn't canonicalize: %s", fx2txt(status)); + error("%s %s: %s", expand ? "expand" : "realpath",
+ path, *errmsg == '\0' ? fx2txt(status) : errmsg);
+ free(errmsg);
+ sshbuf_free(msg); + sshbuf_free(msg);
+ return NULL; + return NULL;
+ } + }
@ -94,7 +101,7 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
- if ((src_canon = do_realpath(conn, src)) == NULL) { - if ((src_canon = do_realpath(conn, src)) == NULL) {
+ if ((src_canon = do_realpath(conn, src, 0)) == NULL) { + if ((src_canon = do_realpath(conn, src, 0)) == NULL) {
error("Unable to canonicalize path \"%s\"", src); error("download \"%s\": path canonicalization failed", src);
return -1; return -1;
} }
@@ -2115,12 +2143,12 @@ upload_dir_internal(struct sftp_conn *co @@ -2115,12 +2143,12 @@ upload_dir_internal(struct sftp_conn *co
@ -109,7 +116,7 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
- if ((dst_canon = do_realpath(conn, dst)) == NULL) { - if ((dst_canon = do_realpath(conn, dst)) == NULL) {
+ if ((dst_canon = do_realpath(conn, dst, create_dir)) == NULL) { + if ((dst_canon = do_realpath(conn, dst, create_dir)) == NULL) {
error("Unable to canonicalize path \"%s\"", dst); error("upload \"%s\": path canonicalization failed", dst);
return -1; return -1;
} }
@@ -2557,7 +2585,7 @@ crossload_dir(struct sftp_conn *from, st @@ -2557,7 +2585,7 @@ crossload_dir(struct sftp_conn *from, st
@ -118,9 +125,9 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
- if ((from_path_canon = do_realpath(from, from_path)) == NULL) { - if ((from_path_canon = do_realpath(from, from_path)) == NULL) {
+ if ((from_path_canon = do_realpath(from, from_path, 0)) == NULL) { + if ((from_path_canon = do_realpath(from, from_path, 0)) == NULL) {
error("Unable to canonicalize path \"%s\"", from_path); error("crossload \"%s\": path canonicalization failed",
from_path);
return -1; return -1;
}
diff -up openssh-8.7p1/sftp-client.h.scp-sftpdirs openssh-8.7p1/sftp-client.h diff -up openssh-8.7p1/sftp-client.h.scp-sftpdirs openssh-8.7p1/sftp-client.h
--- openssh-8.7p1/sftp-client.h.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200 --- openssh-8.7p1/sftp-client.h.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/sftp-client.h 2022-02-07 12:31:07.410740433 +0100 +++ openssh-8.7p1/sftp-client.h 2022-02-07 12:31:07.410740433 +0100
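Review bot: In the refreshed `do_realpath_expand` hunk the `errmsg` string obtained by the first `sshbuf_get_cstring` is released before being re-parsed only inside the `if (type == SSH2_FXP_STATUS)` branch of the retry; on the visible lines a retry that yields a non-status reply never frees it, so unless code after this hunk does, the string leaks once per directory created with `create_dir`. The same question applies to `msg`, which presumably must be freed or reset before the second reply is read, but that part of the function is not shown. One defensive fix is to free the first message's error text as soon as the retry is issued, right after the `send_string_request(conn, id, SSH2_FXP_REALPATH, ...)` call: `free(errmsg); errmsg = NULL;` so both retry branches start from a clean state (`*errmsg == '\0'` in the later error call then relies on the second parse, as it already does). `do_realpath_expand` begins and ends outside this hunk.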


@ -1,19 +1,18 @@
diff --color -rup a/scp.c b/scp.c diff --color -rup a/scp.c b/scp.c
--- a/scp.c 2022-07-26 14:51:40.560120817 +0200 --- a/scp.c 2022-07-26 14:51:40.560120817 +0200
+++ b/scp.c 2022-07-26 14:52:37.118213004 +0200 +++ b/scp.c 2022-07-26 14:52:37.118213004 +0200
@@ -1324,12 +1324,12 @@ source_sftp(int argc, char *src, char *t @@ -1324,11 +1324,11 @@ source_sftp(int argc, char *src, char *t
if (src_is_dir && iamrecursive) { if (src_is_dir && iamrecursive) {
if (upload_dir(conn, src, abs_dst, pflag, if (upload_dir(conn, src, abs_dst, pflag,
- SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) { - SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) {
+ SFTP_PROGRESS_ONLY, 0, 0, 1, 1, 1) != 0) { + SFTP_PROGRESS_ONLY, 0, 0, 1, 1, 1) != 0) {
error("failed to upload directory %s to %s", error("failed to upload directory %s to %s", src, targ);
src, abs_dst);
errs = 1; errs = 1;
} }
- } else if (do_upload(conn, src, abs_dst, pflag, 0, 0) != 0) { - } else if (do_upload(conn, src, abs_dst, pflag, 0, 0) != 0) {
+ } else if (do_upload(conn, src, abs_dst, pflag, 0, 0, 1) != 0) { + } else if (do_upload(conn, src, abs_dst, pflag, 0, 0, 1) != 0) {
error("failed to upload file %s to %s", src, abs_dst); error("failed to upload file %s to %s", src, targ);
errs = 1; errs = 1;
} }
@@ -1566,11 +1566,11 @@ sink_sftp(int argc, char *dst, const cha @@ -1566,11 +1566,11 @@ sink_sftp(int argc, char *dst, const cha
@ -84,8 +83,8 @@ diff --color -rup a/sftp-client.c b/sftp-client.c
+ local_fd = open(local_path, O_WRONLY | O_CREAT | + local_fd = open(local_path, O_WRONLY | O_CREAT |
+ ((resume_flag || inplace_flag) ? 0 : O_TRUNC), mode | S_IWUSR); + ((resume_flag || inplace_flag) ? 0 : O_TRUNC), mode | S_IWUSR);
if (local_fd == -1) { if (local_fd == -1) {
error("Couldn't open local file \"%s\" for writing: %s", error("open local \"%s\": %s", local_path, strerror(errno));
local_path, strerror(errno)); goto fail;
@@ -1661,8 +1661,11 @@ do_download(struct sftp_conn *conn, cons @@ -1661,8 +1661,11 @@ do_download(struct sftp_conn *conn, cons
/* Sanity check */ /* Sanity check */
if (TAILQ_FIRST(&requests) != NULL) if (TAILQ_FIRST(&requests) != NULL)
@ -217,8 +216,8 @@ diff --color -rup a/sftp-client.c b/sftp-client.c
+ } + }
+ +
if (close(local_fd) == -1) { if (close(local_fd) == -1) {
error("Couldn't close local file \"%s\": %s", local_path, error("close local \"%s\": %s", local_path, strerror(errno));
strerror(errno)); status = SSH2_FX_FAILURE;
@@ -2041,7 +2063,7 @@ do_upload(struct sftp_conn *conn, const @@ -2041,7 +2063,7 @@ do_upload(struct sftp_conn *conn, const
static int static int
upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
@ -241,7 +240,7 @@ diff --color -rup a/sftp-client.c b/sftp-client.c
- preserve_flag, resume, fsync_flag) == -1) { - preserve_flag, resume, fsync_flag) == -1) {
+ preserve_flag, resume, fsync_flag, + preserve_flag, resume, fsync_flag,
+ inplace_flag) == -1) { + inplace_flag) == -1) {
error("Uploading of file %s to %s failed!", error("upload \"%s\" to \"%s\" failed",
new_src, new_dst); new_src, new_dst);
ret = -1; ret = -1;
@@ -2144,7 +2167,7 @@ upload_dir_internal(struct sftp_conn *co @@ -2144,7 +2167,7 @@ upload_dir_internal(struct sftp_conn *co


@ -1,87 +0,0 @@
diff --git a/scp.1 b/scp.1
index 68aac04b..a96e95ad 100644
--- a/scp.1
+++ b/scp.1
@@ -18,7 +18,7 @@
.Nd OpenSSH secure file copy
.Sh SYNOPSIS
.Nm scp
-.Op Fl 346ABCOpqRrsTv
+.Op Fl 346ABCOpqRrTv
.Op Fl c Ar cipher
.Op Fl D Ar sftp_server_path
.Op Fl F Ar ssh_config
@@ -79,7 +76,9 @@ The options are as follows:
Copies between two remote hosts are transferred through the local host.
Without this option the data is copied directly between the two remote
hosts.
-Note that, when using the original SCP protocol (the default), this option
+Note that, when using the original SCP protocol (via the
+.Fl O
+flag), this option
selects batch mode for the second host as
.Nm
cannot ask for passwords or passphrases for both hosts.
@@ -146,7 +145,6 @@ Limits the used bandwidth, specified in Kbit/s.
wildcard patterns and for expanding paths with a
.Sq ~
prefix for older SFTP servers.
-This mode is the default.
.It Fl o Ar ssh_option
Can be used to pass options to
.Nm ssh
@@ -258,8 +258,6 @@ to use for the encrypted connection.
The program must understand
.Xr ssh 1
options.
-.It Fl s
-Use the SFTP protocol for transfers rather than the original scp protocol.
.It Fl T
Disable strict filename checking.
By default when copying files from a remote host to a local directory
@@ -299,11 +289,23 @@ debugging connection, authentication, and configuration problems.
.Xr ssh_config 5 ,
.Xr sftp-server 8 ,
.Xr sshd 8
+.Sh CAVEATS
+The original scp protocol (selected by the
+.Fl O
+flag) requires execution of the remote user's shell to perform
+.Xr glob 3
+pattern matching.
+This requires careful quoting of any characters that have special meaning to
+the remote shell, such as quote characters.
.Sh HISTORY
.Nm
is based on the rcp program in
.Bx
source code from the Regents of the University of California.
+.Pp
+Since OpenSSH 8.8 (8.7 in Red Hat/Fedora builds),
+.Nm
+has use the SFTP protocol for transfers by default.
.Sh AUTHORS
.An Timo Rinne Aq Mt tri@iki.fi
.An Tatu Ylonen Aq Mt ylo@cs.hut.fi
diff --git a/scp.c b/scp.c
index e039350c..c7cf7529 100644
--- a/scp.c
+++ b/scp.c
@@ -448,7 +448,7 @@ main(int argc, char **argv)
const char *errstr;
extern char *optarg;
extern int optind;
- enum scp_mode_e mode = MODE_SCP;
+ enum scp_mode_e mode = MODE_SFTP;
char *sftp_direct = NULL;
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
@@ -1983,7 +1983,7 @@ void
usage(void)
{
(void) fprintf(stderr,
- "usage: scp [-346ABCOpqRrsTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n"
+ "usage: scp [-346ABCOpqRrTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n"
" [-i identity_file] [-J destination] [-l limit]\n"
" [-o ssh_option] [-P port] [-S program] source ... target\n");
exit(1);


@ -1,135 +0,0 @@
diff -up openssh-8.7p1/scp.c.sftpdirs openssh-8.7p1/scp.c
--- openssh-8.7p1/scp.c.sftpdirs 2022-02-02 14:11:12.553447509 +0100
+++ openssh-8.7p1/scp.c 2022-02-02 14:12:56.081316414 +0100
@@ -130,6 +130,7 @@
#include "misc.h"
#include "progressmeter.h"
#include "utf8.h"
+#include "sftp.h"
#include "sftp-common.h"
#include "sftp-client.h"
@@ -1264,13 +1265,18 @@ tolocal(int argc, char **argv, enum scp_
static char *
prepare_remote_path(struct sftp_conn *conn, const char *path)
{
+ size_t nslash;
+
/* Handle ~ prefixed paths */
- if (*path != '~')
- return xstrdup(path);
if (*path == '\0' || strcmp(path, "~") == 0)
return xstrdup(".");
- if (strncmp(path, "~/", 2) == 0)
- return xstrdup(path + 2);
+ if (*path != '~')
+ return xstrdup(path);
+ if (strncmp(path, "~/", 2) == 0) {
+ if ((nslash = strspn(path + 2, "/")) == strlen(path + 2))
+ return xstrdup(".");
+ return xstrdup(path + 2 + nslash);
+ }
if (can_expand_path(conn))
return do_expand_path(conn, path);
/* No protocol extension */
@@ -1282,10 +1288,16 @@ void
source_sftp(int argc, char *src, char *targ, struct sftp_conn *conn)
{
char *target = NULL, *filename = NULL, *abs_dst = NULL;
- int target_is_dir;
-
+ int src_is_dir, target_is_dir;
+ Attrib a;
+ struct stat st;
+
+ memset(&a, '\0', sizeof(a));
+ if (stat(src, &st) != 0)
+ fatal("stat local \"%s\": %s", src, strerror(errno));
+ src_is_dir = S_ISDIR(st.st_mode);
if ((filename = basename(src)) == NULL)
- fatal("basename %s: %s", src, strerror(errno));
+ fatal("basename \"%s\": %s", src, strerror(errno));
/*
* No need to glob here - the local shell already took care of
@@ -1295,8 +1307,12 @@ source_sftp(int argc, char *src, char *t
cleanup_exit(255);
target_is_dir = remote_is_dir(conn, target);
if (targetshouldbedirectory && !target_is_dir) {
- fatal("Target is not a directory, but more files selected "
- "for upload");
+ debug("target directory \"%s\" does not exist", target);
+ a.flags = SSH2_FILEXFER_ATTR_PERMISSIONS;
+ a.perm = st.st_mode | 0700; /* ensure writable */
+ if (do_mkdir(conn, target, &a, 1) != 0)
+ cleanup_exit(255); /* error already logged */
+ target_is_dir = 1;
}
if (target_is_dir)
abs_dst = path_append(target, filename);
@@ -1306,7 +1322,7 @@ source_sftp(int argc, char *src, char *t
}
debug3_f("copying local %s to remote %s", src, abs_dst);
- if (local_is_dir(src) && iamrecursive) {
+ if (src_is_dir && iamrecursive) {
if (upload_dir(conn, src, abs_dst, pflag,
SFTP_PROGRESS_ONLY, 0, 0, 1) != 0) {
error("failed to upload directory %s to %s",
@@ -1487,14 +1506,15 @@ sink_sftp(int argc, char *dst, const cha
char *abs_dst = NULL;
glob_t g;
char *filename, *tmp = NULL;
- int i, r, err = 0;
+ int i, r, err = 0, dst_is_dir;
+ struct stat st;
memset(&g, 0, sizeof(g));
+
/*
* Here, we need remote glob as SFTP can not depend on remote shell
* expansions
*/
-
if ((abs_src = prepare_remote_path(conn, src)) == NULL) {
err = -1;
goto out;
@@ -1510,11 +1530,24 @@ sink_sftp(int argc, char *dst, const cha
goto out;
}
- if (g.gl_matchc > 1 && !local_is_dir(dst)) {
- error("Multiple files match pattern, but destination "
- "\"%s\" is not a directory", dst);
- err = -1;
- goto out;
+ if ((r = stat(dst, &st)) != 0)
+ debug2_f("stat local \"%s\": %s", dst, strerror(errno));
+ dst_is_dir = r == 0 && S_ISDIR(st.st_mode);
+
+ if (g.gl_matchc > 1 && !dst_is_dir) {
+ if (r == 0) {
+ error("Multiple files match pattern, but destination "
+ "\"%s\" is not a directory", dst);
+ err = -1;
+ goto out;
+ }
+ debug2_f("creating destination \"%s\"", dst);
+ if (mkdir(dst, 0777) != 0) {
+ error("local mkdir \"%s\": %s", dst, strerror(errno));
+ err = -1;
+ goto out;
+ }
+ dst_is_dir = 1;
}
for (i = 0; g.gl_pathv[i] && !interrupted; i++) {
@@ -1525,7 +1558,7 @@ sink_sftp(int argc, char *dst, const cha
goto out;
}
- if (local_is_dir(dst))
+ if (dst_is_dir)
abs_dst = path_append(dst, filename);
else
abs_dst = xstrdup(dst);


@ -2,14 +2,14 @@ diff -up openssh-8.8p1/regress/hostkey-agent.sh.redhat openssh-8.8p1/regress/hos
--- openssh-8.8p1/regress/hostkey-agent.sh.redhat 2022-08-10 15:54:42.084777662 +0200 --- openssh-8.8p1/regress/hostkey-agent.sh.redhat 2022-08-10 15:54:42.084777662 +0200
+++ openssh-8.8p1/regress/hostkey-agent.sh 2022-08-10 17:01:25.651269994 +0200 +++ openssh-8.8p1/regress/hostkey-agent.sh 2022-08-10 17:01:25.651269994 +0200
@@ -36,6 +36,8 @@ unset SSH_AUTH_SOCK @@ -36,6 +36,8 @@ unset SSH_AUTH_SOCK
unset SSH_AUTH_SOCK
for ps in yes; do
for k in $SSH_ACCEPTED_KEYTYPES ; do for k in $SSH_ACCEPTED_KEYTYPES ; do
+ [ "$k" == "ssh-rsa" ] && continue + [ "$k" == "ssh-rsa" ] && continue
+ [ "$k" == "ssh-dss" ] && continue + [ "$k" == "ssh-dss" ] && continue
verbose "key type $k privsep=$ps" verbose "key type $k"
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy
diff -up openssh-8.8p1/regress/hostkey-rotate.sh.redhat openssh-8.8p1/regress/hostkey-rotate.sh diff -up openssh-8.8p1/regress/hostkey-rotate.sh.redhat openssh-8.8p1/regress/hostkey-rotate.sh
--- openssh-8.8p1/regress/hostkey-rotate.sh.redhat 2022-08-10 16:57:12.720029146 +0200 --- openssh-8.8p1/regress/hostkey-rotate.sh.redhat 2022-08-10 16:57:12.720029146 +0200
+++ openssh-8.8p1/regress/hostkey-rotate.sh 2022-08-10 17:15:48.274923865 +0200 +++ openssh-8.8p1/regress/hostkey-rotate.sh 2022-08-10 17:15:48.274923865 +0200


@ -50,10 +50,10 @@
%{?static_openssl:%global static_libcrypto 1} %{?static_openssl:%global static_libcrypto 1}
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.8p1 %global openssh_ver 9.0p1
%global openssh_rel 4 %global openssh_rel 1
%global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 6 %global pam_ssh_agent_rel 7
Summary: An open source implementation of SSH protocol version 2 Summary: An open source implementation of SSH protocol version 2
Name: openssh Name: openssh
@ -195,16 +195,10 @@ Patch966: openssh-8.2p1-x11-without-ipv6.patch
Patch974: openssh-8.0p1-keygen-strip-doseol.patch Patch974: openssh-8.0p1-keygen-strip-doseol.patch
# sshd provides PAM an incorrect error code (#1879503) # sshd provides PAM an incorrect error code (#1879503)
Patch975: openssh-8.0p1-preserve-pam-errors.patch Patch975: openssh-8.0p1-preserve-pam-errors.patch
# Use SFTP protocol by default for scp command
Patch976: openssh-8.7p1-sftp-default-protocol.patch
# Implement kill switch for SCP protocol # Implement kill switch for SCP protocol
Patch977: openssh-8.7p1-scp-kill-switch.patch Patch977: openssh-8.7p1-scp-kill-switch.patch
# Create non-existent directories when scp works in sftp mode and some more minor fixes
# upstream commits:
# ba61123eef9c6356d438c90c1199a57a0d7bcb0a
# 63670d4e9030bcee490d5a9cce561373ac5b3b23
# ac7c9ec894ed0825d04ef69c55babb49bab1d32e
Patch980: openssh-8.7p1-sftpscp-dir-create.patch
# Workaround for lack of sftp_realpath in older versions of RHEL # Workaround for lack of sftp_realpath in older versions of RHEL
# https://bugzilla.redhat.com/show_bug.cgi?id=2038854 # https://bugzilla.redhat.com/show_bug.cgi?id=2038854
# https://github.com/openssh/openssh-portable/pull/299 # https://github.com/openssh/openssh-portable/pull/299
@ -218,11 +212,6 @@ Patch983: openssh-8.7p1-evpgenkey.patch
# From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14 # From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14
Patch984: openssh-8.7p1-ibmca.patch Patch984: openssh-8.7p1-ibmca.patch
# Minimize the use of SHA1 as a proof of possession for RSA key (#2031868)
# upstream commits:
# 291721bc7c840d113a49518f3fca70e86248b8e8
# 0fa33683223c76289470a954404047bc762be84c
Patch1000: openssh-8.7p1-minimize-sha1-use.patch
# Fix for scp clearing file when src and dest are the same (#2056884) # Fix for scp clearing file when src and dest are the same (#2056884)
# upstream commits: # upstream commits:
# 7b1cbcb7599d9f6a3bbad79d412604aa1203b5ee # 7b1cbcb7599d9f6a3bbad79d412604aa1203b5ee
@ -241,12 +230,7 @@ Patch1003: openssh-8.7p1-mem-leak.patch
# upstream MR: # upstream MR:
# https://github.com/openssh-gsskex/openssh-gsskex/pull/21 # https://github.com/openssh-gsskex/openssh-gsskex/pull/21
Patch1004: openssh-8.7p1-gssapi-auth.patch Patch1004: openssh-8.7p1-gssapi-auth.patch
# Fix host-based authentication with rsa keys
# upstream commits:
# 7aa7b096cf2bafe2777085abdeed5ce00581f641
# d9dbb5d9a0326e252d3c7bc13beb9c2434f59409
# fdb1d58d0d3888b042e5a500f6ce524486aaf782
Patch1005: openssh-8.7p1-host-based-auth.patch
# Don't propose disallowed algorithms during hostkey negotiation # Don't propose disallowed algorithms during hostkey negotiation
# upstream MR: # upstream MR:
# https://github.com/openssh/openssh-portable/pull/323 # https://github.com/openssh/openssh-portable/pull/323
@ -254,7 +238,7 @@ Patch1006: openssh-8.7p1-negotiate-supported-algs.patch
# downstream only # downstream only
# we skip some ssh-rsa/ssh-dss tests to make native test suite pass # we skip some ssh-rsa/ssh-dss tests to make native test suite pass
Patch1100: openssh-8.8p1-skip-some-tests.patch #Patch1100: openssh-8.8p1-skip-some-tests.patch
License: BSD License: BSD
Requires: /sbin/nologin Requires: /sbin/nologin
@ -432,9 +416,9 @@ popd
%patch966 -p1 -b .x11-ipv6 %patch966 -p1 -b .x11-ipv6
%patch974 -p1 -b .keygen-strip-doseol %patch974 -p1 -b .keygen-strip-doseol
%patch975 -p1 -b .preserve-pam-errors %patch975 -p1 -b .preserve-pam-errors
%patch976 -p1 -b .sftp-by-default
%patch977 -p1 -b .kill-scp %patch977 -p1 -b .kill-scp
%patch980 -p1 -b .sftpdirs
%patch981 -p1 -b .scp-sftpdirs %patch981 -p1 -b .scp-sftpdirs
%patch982 -p1 -b .minrsabits %patch982 -p1 -b .minrsabits
%patch983 -p1 -b .evpgenrsa %patch983 -p1 -b .evpgenrsa
@ -444,15 +428,14 @@ popd
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race
%patch700 -p1 -b .fips %patch700 -p1 -b .fips
%patch1000 -p1 -b .minimize-sha1-use
%patch1001 -p1 -b .scp-clears-file %patch1001 -p1 -b .scp-clears-file
%patch1002 -p1 -b .ssh-manpage %patch1002 -p1 -b .ssh-manpage
%patch1003 -p1 -b .mem-leak %patch1003 -p1 -b .mem-leak
%patch1004 -p1 -b .gssapi-auth %patch1004 -p1 -b .gssapi-auth
%patch1005 -p1 -b .host-based-auth
%patch1006 -p1 -b .negotiate-supported-algs %patch1006 -p1 -b .negotiate-supported-algs
%patch1100 -p1 -b .skipsshrsadsstests #%patch1100 -p1 -b .skipsshrsadsstests
%patch100 -p1 -b .coverity %patch100 -p1 -b .coverity
@ -735,6 +718,9 @@ test -f %{sysconfig_anaconda} && \
%endif %endif
%changelog %changelog
* Thu Aug 11 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-1 + 0.10.4-7
- Rebase OpenSSH to 9.0p1 (rhbz#2057466)
* Wed Aug 10 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.8p1-4 + 0.10.4-6 * Wed Aug 10 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.8p1-4 + 0.10.4-6
- Port patches from CentOS (rhbz#2117264) - Port patches from CentOS (rhbz#2117264)


@ -1,4 +1,4 @@
SHA512 (openssh-8.8p1.tar.gz) = d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df SHA512 (openssh-9.0p1.tar.gz) = 613ae95317e734868c6a60d9cc5af47a889baa3124bbdd2b31bb51dd6b57b136f4cfcb5604cca78a03bd500baab9b9b45eaf77e038b1ed776c86dce0437449a9
SHA512 (openssh-8.8p1.tar.gz.asc) = 165e025305902f884d04d4444fa3143e4ea1a25a1c65aafe05e113537b3d3e50f7cd5f818bc2ca3404699372ca78f69c46b7452faf2d3998c448a5b80a411ae4 SHA512 (openssh-9.0p1.tar.gz.asc) = 7b1445764058435d2fa8a9c7553643983650d4232036c088e46e44beeb538d32cba88f775b1be9da5f21a01d6caea59b3dc4714507781e9cb946546fa54f169f
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2 SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21 SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21