import libssh-0.9.0-4.el8

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/libssh-0.8.5.tar.xz
+SOURCES/libssh-0.9.0.tar.xz
 SOURCES/libssh.keyring

.libssh.metadata

@@ -1,2 +1,2 @@
-b5564774f986e396a7288a593595455bf10d9ce8 SOURCES/libssh-0.8.5.tar.xz
+570bffef68af6c1211673bc9a8036c9265935b2b SOURCES/libssh-0.9.0.tar.xz
 3f2ab0bca02893402ba0ad172a6bd44456a65f86 SOURCES/libssh.keyring

SOURCES/libssh-0.8.5-allow-kex-init.patch

@@ -1,39 +0,0 @@
-From e6e8335847d4870c99c07f511b4a24ae9e053326 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Thu, 15 Nov 2018 11:03:56 +0100
-Subject: [PATCH] packet: Adjust the packet filter to allow client-initialized
- rekey
-
-If the rekey is initialized by client, it sends the first KEXINIT
-message, changes to the INIT_SENT state and waits for the KEXINIT
-message from the server. This was not covered in the current filter.
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-Reviewed-by: Daiki Ueno <dueno@redhat.com>
----
- src/packet.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/packet.c b/src/packet.c
-index 9b7b9b8f..86314961 100644
---- a/src/packet.c
-+++ b/src/packet.c
-@@ -292,6 +292,7 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
-          * - session_state == SSH_SESSION_STATE_AUTHENTICATED
-          *   or session_state == SSH_SESSION_STATE_INITIAL_KEX
-          * - dh_handshake_state == DH_STATE_INIT
-+         *   or dh_handshake_state == DH_STATE_INIT_SENT (re-exchange)
-          *   or dh_handshake_state == DH_STATE_FINISHED (re-exchange)
-          *
-          * Transitions:
-@@ -310,6 +311,7 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
-         }
- 
-         if ((session->dh_handshake_state != DH_STATE_INIT) &&
-+            (session->dh_handshake_state != DH_STATE_INIT_SENT) &&
-             (session->dh_handshake_state != DH_STATE_FINISHED))
-         {
-             rc = SSH_PACKET_DENIED;
--- 
-2.19.1
-

SOURCES/libssh-0.8.5-allow-msg-ext-info.patch

@@ -1,92 +0,0 @@
-From a6e055c42b34ec50f55606312b09ec2e14990416 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Fri, 7 Dec 2018 18:19:33 +0100
-Subject: [PATCH] packet: Allow SSH2_MSG_EXT_INFO when authenticated
-
-When the server requests rekey, it can send the SSH2_MSG_EXT_INFO.  This
-message was being filtered out by the packet filtering.  This includes a
-test to enforce the filtering rules for this packet type.
-
-Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-(cherry picked from commit fe309ba43fb904da4385fc40a338ecc7482f8388)
----
- src/packet.c                            |  6 ++++-
- tests/unittests/torture_packet_filter.c | 31 +++++++++++++++++++++++++
- 2 files changed, 36 insertions(+), 1 deletion(-)
-
-diff --git a/src/packet.c b/src/packet.c
-index 72e3c096..61a44237 100644
---- a/src/packet.c
-+++ b/src/packet.c
-@@ -263,13 +263,17 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se
-         /*
-          * States required:
-          * - session_state == SSH_SESSION_STATE_AUTHENTICATING
-+         *   or session->session_state == SSH_SESSION_STATE_AUTHENTICATED
-+         *   (re-exchange)
-          * - dh_handshake_state == DH_STATE_FINISHED
-          *
-          * Transitions:
-          * - None
-          * */
- 
--        if (session->session_state != SSH_SESSION_STATE_AUTHENTICATING) {
-+        if ((session->session_state != SSH_SESSION_STATE_AUTHENTICATING) &&
-+            (session->session_state != SSH_SESSION_STATE_AUTHENTICATED))
-+        {
-             rc = SSH_PACKET_DENIED;
-             break;
-         }
-diff --git a/tests/unittests/torture_packet_filter.c b/tests/unittests/torture_packet_filter.c
-index 72cbc4cd..44ee3598 100644
---- a/tests/unittests/torture_packet_filter.c
-+++ b/tests/unittests/torture_packet_filter.c
-@@ -462,6 +462,36 @@ static void torture_packet_filter_check_auth_success(void **state)
-     assert_int_equal(rc, 0);
- }
- 
-+static void torture_packet_filter_check_msg_ext_info(void **state)
-+{
-+    int rc;
-+
-+    global_state accepted[] = {
-+        {
-+            .flags = (COMPARE_SESSION_STATE |
-+                    COMPARE_DH_STATE),
-+            .session = SSH_SESSION_STATE_AUTHENTICATING,
-+            .dh = DH_STATE_FINISHED,
-+        },
-+        {
-+            .flags = (COMPARE_SESSION_STATE |
-+                    COMPARE_DH_STATE),
-+            .session = SSH_SESSION_STATE_AUTHENTICATED,
-+            .dh = DH_STATE_FINISHED,
-+        },
-+    };
-+
-+    int accepted_count = 2;
-+
-+    /* Unused */
-+    (void) state;
-+
-+    rc = check_message_in_all_states(accepted, accepted_count,
-+            SSH2_MSG_EXT_INFO);
-+
-+    assert_int_equal(rc, 0);
-+}
-+
- static void torture_packet_filter_check_channel_open(void **state)
- {
-     int rc;
-@@ -492,6 +522,7 @@ int torture_run_tests(void)
-         cmocka_unit_test(torture_packet_filter_check_auth_success),
-         cmocka_unit_test(torture_packet_filter_check_channel_open),
-         cmocka_unit_test(torture_packet_filter_check_unfiltered),
-+        cmocka_unit_test(torture_packet_filter_check_msg_ext_info)
-     };
- 
-     ssh_init();
--- 
-2.19.1
-

SOURCES/libssh-0.8.5-ensure-ssh-session-fd-writable.patch

@@ -1,47 +0,0 @@
-From 7f1d30de47d67c03cf895f0d4d4e68daf9d396c5 Mon Sep 17 00:00:00 2001
-From: Sanne Raymaekers <sraymaek@redhat.com>
-Date: Fri, 26 Oct 2018 14:58:34 +0200
-Subject: [PATCH] tests: Ensure the ssh session fd is read-/writeable in
- torture_proxycommand
-
-Signed-off-by: Sanne Raymaekers <sraymaek@redhat.com>
-Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-(cherry picked from commit 03c30e9c8ad34b3fa659a70e474a9b8cb248f85b)
-(cherry picked from commit 3de34944ad11bf4e22fc981562f32cb4b3b90ba9)
----
- tests/client/torture_proxycommand.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/tests/client/torture_proxycommand.c b/tests/client/torture_proxycommand.c
-index ea1e1838..9608e663 100644
---- a/tests/client/torture_proxycommand.c
-+++ b/tests/client/torture_proxycommand.c
-@@ -9,6 +9,7 @@
- #include <sys/types.h>
- #include <pwd.h>
- #include <errno.h>
-+#include <fcntl.h>
- 
- static int sshd_setup(void **state)
- {
-@@ -61,11 +62,16 @@ static void torture_options_set_proxycommand(void **state) {
-     struct torture_state *s = *state;
-     ssh_session session = s->ssh.session;
-     int rc;
-+    socket_t fd;
- 
-     rc = ssh_options_set(session, SSH_OPTIONS_PROXYCOMMAND, "nc 127.0.0.10 22");
-     assert_int_equal(rc, 0);
-     rc = ssh_connect(session);
-     assert_ssh_return_code(session, rc);
-+    fd = ssh_get_fd(session);
-+    assert_true(fd != SSH_INVALID_SOCKET);
-+    rc = fcntl(fd, F_GETFL);
-+    assert_int_equal(rc & O_RDWR, O_RDWR);
- }
- 
- static void torture_options_set_proxycommand_notexist(void **state) {
--- 
-2.19.1
-

SOURCES/libssh-0.8.5-make-sure-both-known-hosts-ready.patch

@@ -1,37 +0,0 @@
-From bed645ed5fca3ff776fd1997ec9d5c6b9065a7eb Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Tue, 30 Oct 2018 13:55:30 +0100
-Subject: [PATCH] knownhosts: Make sure we have both knownhosts files ready
-
-If either one is missing at this point, fill it with default vaules in
-ssh_options_apply().
-
-Previously, when setting up only knownhosts, global_knownhosts file
-was left pointing to NULL and the ssh_known_hosts_read_entries()
-was trying to open NULL file which is invalid.
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-(cherry picked from commit 5159cd96e8b61c9f8f96786f70cf23167980b621)
-(cherry picked from commit a4b99eedf2f0f993f10c31d9bea0f1ad9fa7737e)
----
- src/knownhosts.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/knownhosts.c b/src/knownhosts.c
-index 23902a5f..546619aa 100644
---- a/src/knownhosts.c
-+++ b/src/knownhosts.c
-@@ -306,7 +306,8 @@ struct ssh_list *ssh_known_hosts_get_algorithms(ssh_session session)
-     int list_error = 0;
-     int rc;
- 
--    if (session->opts.knownhosts == NULL) {
-+    if (session->opts.knownhosts == NULL ||
-+        session->opts.global_knownhosts == NULL) {
-         if (ssh_options_apply(session) < 0) {
-             ssh_set_error(session,
-                           SSH_REQUEST_DENIED,
--- 
-2.19.1
-

SOURCES/libssh-0.8.5.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAlvW3ZEACgkQfuD8TcwB
-Tj0mPw/9HZty2xOzKekX8+cedyZbW2lAoG9YNVxgTvQ2+98+TBH6M8qr5EryuH/q
-mAFq/TJOrM3yccr1kJXFOm6QBw0xMTpWcosXjKmZxvJwW6iFEP33shVDkZGJWwmM
-bzr165NTdRMJiaBfk47j0e1H2U9MHyV7wKmb79+bFtMDhiJYmXR1Oxa1SjjeG42c
-XmrcH559kZ1mKmai6jKwTRUKGu3RLdWrXQIobCrdQM8FYrbSx5luZtDjdfXTRRtv
-K96alBYxuey1nsZVei1y2hJlLLLVqao997Q7iMI63+/IJpYTmEPciDnTDDu767X6
-rCXSuWbxcwk77zrt/dh7WJBOyLwh4aCFsSixBsONj4otwmFHNm/FAxV991ewcvQB
-NMHPh3DcYLfoY/aUzwf160SfZu56mdVnFPLOnPUw3ARcPdgJG4OzqP9Jmz4Us+dS
-ImZTduM62/+Af+LrODtRBRYJRSn38eBVVBYT01WsDSvvR2LaTn3gVAtY2m3Dr6wA
-6sdMmYbn2zM+MNFE1+qlsaKmF+WmyCrBKBojBB+wh5G+dStJ7KGzlXjxNQudvWeA
-VMlERLZYNBjSH1/XBH6VTnOl2xhExPv4eCUTVCXhlYUFEWjRunoxEed+b7r45iiu
-+nRT+OfQZ8RFOLkFYxhB8iQNZAZ6T46ALSxo3V8PVEPDHZWdPTU=
-=7iiz
------END PGP SIGNATURE-----

SOURCES/libssh-0.9.0-run-sshd-confined.patch

@@ -0,0 +1,67 @@
+--- a/tests/torture.c	2019-06-28 14:01:52.936462964 +0200
++++ b/tests/torture.c	2019-06-28 14:03:52.324325029 +0200
+@@ -854,7 +854,7 @@
+     s = *state;
+ 
+     snprintf(sshd_start_cmd, sizeof(sshd_start_cmd),
+-             "/usr/sbin/sshd -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
++             "runcon -t sshd_t -u system_u -r system_r /usr/sbin/sshd -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
+              s->srv_config, s->socket_dir, s->socket_dir);
+ 
+     rc = system(sshd_start_cmd);
+@@ -864,7 +864,7 @@
+     unsetenv("PAM_WRAPPER");
+ 
+     /* Wait until the sshd is ready to accept connections */
+-    rc = torture_wait_for_daemon(5);
++    rc = torture_wait_for_daemon(10);
+     assert_int_equal(rc, 0);
+ }
+ 
+@@ -904,27 +904,32 @@
+ torture_reload_sshd_server(void **state)
+ {
+     struct torture_state *s = *state;
+-    pid_t pid;
++    char sshd_start_cmd[1024];
+     int rc;
+ 
+-    /* read the pidfile */
+-    pid = torture_read_pidfile(s->srv_pidfile);
+-    assert_int_not_equal(pid, -1);
++    rc = torture_terminate_process(s->srv_pidfile);
++    if (rc != 0) {
++        fprintf(stderr, "XXXXXX Failed to terminate sshd\n");
++    }
+ 
+-    kill(pid, SIGHUP);
++    usleep(100 * 1000);
+ 
+-    /* 10 ms */
+-    usleep(10 * 1000);
++    /* Set the default interface for the server */
++    setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "10", 1);
++    setenv("PAM_WRAPPER", "1", 1);
+ 
+-    rc = kill(pid, 0);
+-    if (rc != 0) {
+-        fprintf(stderr,
+-                "ERROR: SSHD process %u died during reload!\n", pid);
+-        return SSH_ERROR;
+-    }
++    snprintf(sshd_start_cmd, sizeof(sshd_start_cmd),
++             "runcon -t sshd_t -u system_u -r system_r /usr/sbin/sshd -r -f %s -E %s/sshd/daemon.log 2> %s/sshd/cwrap.log",
++             s->srv_config, s->socket_dir, s->socket_dir);
++
++    rc = system(sshd_start_cmd);
++    assert_return_code(rc, errno);
++
++    setenv("SOCKET_WRAPPER_DEFAULT_IFACE", "21", 1);
++    unsetenv("PAM_WRAPPER");
+ 
+     /* Wait until the sshd is ready to accept connections */
+-    rc = torture_wait_for_daemon(5);
++    rc = torture_wait_for_daemon(10);
+     assert_int_equal(rc, 0);
+     return SSH_OK;
+ }

SOURCES/libssh-0.9.0-skip-1k-rsa-key-generation-test.patch

@@ -0,0 +1,59 @@
+From bf2ed2ca929e5e12279f85c930f8fbb452ada888 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Tue, 30 Jul 2019 18:22:30 +0200
+Subject: [PATCH] tests: Skip testing 1024 bits key generation in FIPS mode
+
+In torture_threads_pki_rsa, skip the test which generates 1024 bits RSA
+key pair when in FIPS mode.
+
+Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+---
+ tests/unittests/torture_threads_pki_rsa.c | 28 ++++++++++++-----------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/tests/unittests/torture_threads_pki_rsa.c b/tests/unittests/torture_threads_pki_rsa.c
+index 5a841ee9..03d526cd 100644
+--- a/tests/unittests/torture_threads_pki_rsa.c
++++ b/tests/unittests/torture_threads_pki_rsa.c
+@@ -571,23 +571,25 @@ static void *thread_pki_rsa_generate_key(void *threadid)
+     session = ssh_new();
+     assert_non_null(session);
+ 
+-    rc = ssh_pki_generate(SSH_KEYTYPE_RSA, 1024, &key);
+-    assert_ssh_return_code(session, rc);
+-    assert_non_null(key);
++    if (!ssh_fips_mode()) {
++        rc = ssh_pki_generate(SSH_KEYTYPE_RSA, 1024, &key);
++        assert_ssh_return_code(session, rc);
++        assert_non_null(key);
+ 
+-    rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
+-    assert_int_equal(rc, SSH_OK);
+-    assert_non_null(pubkey);
++        rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
++        assert_int_equal(rc, SSH_OK);
++        assert_non_null(pubkey);
+ 
+-    sign = pki_do_sign(key, RSA_HASH, 20, SSH_DIGEST_SHA256);
+-    assert_non_null(sign);
++        sign = pki_do_sign(key, RSA_HASH, 20, SSH_DIGEST_SHA256);
++        assert_non_null(sign);
+ 
+-    rc = pki_signature_verify(session, sign, pubkey, RSA_HASH, 20);
+-    assert_ssh_return_code(session, rc);
++        rc = pki_signature_verify(session, sign, pubkey, RSA_HASH, 20);
++        assert_ssh_return_code(session, rc);
+ 
+-    ssh_signature_free(sign);
+-    SSH_KEY_FREE(key);
+-    SSH_KEY_FREE(pubkey);
++        ssh_signature_free(sign);
++        SSH_KEY_FREE(key);
++        SSH_KEY_FREE(pubkey);
++    }
+ 
+     rc = ssh_pki_generate(SSH_KEYTYPE_RSA, 2048, &key);
+     assert_ssh_return_code(session, rc);
+-- 
+2.21.0
+

SOURCES/libssh-0.9.0.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAl0VtfEACgkQfuD8TcwB
+Tj0cthAApYglGlE2+f06uKvPUc8LvzVkRFJA5ycm7uMddrMbSJ+ElScEu1a6q/qV
+xPK3w49WdDpbYcz3s/GtdhGkSTye49Zav2PJzDFWvac+PoXVOwt7C5JzlPSq7kfa
+0i6k1/7YSiPcFCo7467v2fpg0t80OHgS+Tbc1mwI0KtRzPA2pjqHsnu+RVNc6EA1
+paUf1QMhjPFIQwcqJcQGAHZBqpx4JBspzBpC7wDxQKFh5FfMbVOxPG3qvgeOYDqd
+cbfsJkdOJQ0rAxyNBB6xbz8XktJyK4Bjg5eT9GEz+zpsjh8jtfJMhNEemaBLXkug
++4wb4DU2uhEuOoOFh0YOgLcRLm2INNhVSTcizasmA8X1YcvAUmKB7fUMuYwOQOPZ
+bsSkJ8kg7v76Y8w/pUger99pVYg0iiLi9KI6a2t7qTSibZewv38IV6eSJqORnZja
+SLeswZUAAtHK/nTf7ohZ8Blnhx3UE5M6vyuli+KMmHAxTOzHhyWJvYDYJ2oJ7+tR
+N49U1O77VE0WYY7HoyEXYkvSwWLb+MYK6ueaJTVBEbq7ZdpzQBQtPLoyCXUdQwZ2
+DyZaaZnhkn9FYvsJp/twHra3XlQ359EXdMwflISaKgFUpfaluLIu1xRGrYH4XPNm
+FHZRPCj34PY1uDOKHXiRl/xUdaR4CSIKPgofhxzy/mLZepJR9vU=
+=xGD9
+-----END PGP SIGNATURE-----

SOURCES/libssh_client.config

@@ -0,0 +1,4 @@
+# Parse system-wide crypto configuration file
+Include /etc/crypto-policies/back-ends/libssh.config
+# Parse OpenSSH configuration file for consistency
+Include /etc/ssh/ssh_config

SOURCES/libssh_server.config

@@ -0,0 +1,4 @@
+# Parse system-wide crypto configuration file
+Include /etc/crypto-policies/back-ends/libssh.config
+# Parse OpenSSH configuration file for consistency
+Include /etc/ssh/sshd_config

SPECS/libssh.spec

@@ -1,18 +1,19 @@
 Name:           libssh
-Version:        0.8.5
-Release:        2%{?dist}
+Version:        0.9.0
+Release:        4%{?dist}
 Summary:        A library implementing the SSH protocol
 License:        LGPLv2+
 URL:            http://www.libssh.org
 
-Source0:        https://www.libssh.org/files/0.8/%{name}-%{version}.tar.xz
-Source1:        https://www.libssh.org/files/0.8/%{name}-%{version}.tar.xz.asc
+Source0:        https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz
+Source1:        https://www.libssh.org/files/0.9/%{name}-%{version}.tar.xz.asc
 Source2:        https://cryptomilk.org/gpgkey-8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D.gpg#/%{name}.keyring
+Source3:        libssh_client.config
+Source4:        libssh_server.config
 
-Patch1:         libssh-0.8.5-make-sure-both-known-hosts-ready.patch
-Patch2:         libssh-0.8.5-ensure-ssh-session-fd-writable.patch
-Patch3:         libssh-0.8.5-allow-msg-ext-info.patch
-Patch4:         libssh-0.8.5-allow-kex-init.patch
+Patch0:         libssh-0.9.0-run-sshd-confined.patch
+Patch1:         libssh-0.9.0-do-not-ignore-known-hosts-keys.patch
+Patch2:         libssh-0.9.0-skip-1k-rsa-key-generation-test.patch
 
 BuildRequires:  cmake
 BuildRequires:  doxygen
@@ -24,6 +25,9 @@ BuildRequires:  zlib-devel
 BuildRequires:  krb5-devel
 BuildRequires:  libcmocka-devel
 
+Requires:       crypto-policies
+Requires:       %{name}-config = %{version}-%{release}
+
 %ifarch aarch64 ppc64 ppc64le s390x x86_64
 Provides: libssh_threads.so()(64bit)
 Provides: libssh_threads.so.4()(64bit)
@@ -48,6 +52,14 @@ Requires:       %{name}%{?_isa} = %{version}-%{release}
 The %{name}-devel package contains libraries and header files for developing
 applications that use %{name}.
 
+%package config
+Summary:        Configuration files for %{name}
+BuildArch:      noarch
+Obsoletes:      %{name} < 0.9.0-1
+
+%description config
+The %{name}-config package provides the default configuration files for %{name}.
+
 %prep
 gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
 %autosetup -p1
@@ -59,7 +71,10 @@ fi
 pushd obj
 
 %cmake .. \
-    -DUNIT_TESTING=ON
+    -DUNIT_TESTING=ON \
+    -DGLOBAL_CLIENT_CONFIG="%{_sysconfdir}/libssh/libssh_client.config" \
+    -DGLOBAL_BIND_CONFIG="%{_sysconfdir}/libssh/libssh_server.config"
+
 
 %make_build VERBOSE=1
 make docs
@@ -68,6 +83,9 @@ popd
 
 %install
 make DESTDIR=%{buildroot} install/fast -C obj
+install -d -m755 %{buildroot}%{_sysconfdir}/libssh
+install -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/libssh/libssh_client.config
+install -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/libssh/libssh_server.config
 
 #
 # Workaround for the removal of libssh_threads.so
@@ -109,7 +127,35 @@ popd
 %{_libdir}/pkgconfig/libssh.pc
 %{_libdir}/libssh.so
 
+%files config
+%attr(0755,root,root) %dir %{_sysconfdir}/libssh
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_client.config
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config
+
 %changelog
+* Mon Aug 05 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-4
+- Skip 1024 bits RSA key generation test in FIPS mode (#1734485)
+
+* Thu Jul 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-3
+- Add Obsoletes in libssh-config to avoid conflict with old libssh which
+  installed the configuration files.
+
+* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-2
+- Eliminate circular dependency with libssh-config subpackage
+
+* Wed Jul 10 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.9.0-1
+- Update to version 0.9.0
+  https://www.libssh.org/2019/06/28/libssh-0-9-0/
+- Added explicit Requires for crypto-policies
+- Do not ignore known_hosts keys when SSH_OPTIONS_HOSTKEYS is set
+- Provide the configuration files in a separate libssh-config subpackage
+
+* Mon Jun 17 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.8.91-0.1
+- Update to 0.9.0 pre release version (0.8.91)
+- Added default configuration files for client and server
+- Removed unused patch files left behind
+- Fixed issues found to run upstream test suite with SELinux
+
 * Fri Dec 14 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.8.5-2
 - Fix more regressions introduced by the fixes for CVE-2018-10933