improove entropy handling

concat ldap patches
2011-05-28 22:03:43 +02:00 · 2011-05-28 22:03:43 +02:00 · 0e9135fc82
commit 0e9135fc82
parent 94df89c9a5
4 changed files with 117 additions and 178 deletions
--- a/openssh-5.8p1-entropy.patch
+++ b/openssh-5.8p1-entropy.patch
@ -1,15 +1,7 @@
-diff -up openssh-5.8p1/entropy.c.entropy openssh-5.8p1/entropy.c
--- openssh-5.8p1/entropy.c.entropy	2011-01-13 11:05:29.000000000 +0100
-+++ openssh-5.8p1/entropy.c	2011-04-01 10:23:58.318648953 +0200
-@@ -50,6 +50,7 @@
- #include "pathnames.h"
- #include "log.h"
- #include "buffer.h"
-+#include "openbsd-compat/port-linux.h"
- 
- /*
-  * Portable OpenSSH PRNG seeding:
-@@ -144,6 +145,9 @@ seed_rng(void)
+diff -up openssh-5.8p2/entropy.c.entropy openssh-5.8p2/entropy.c
+--- openssh-5.8p2/entropy.c.entropy	2011-05-03 02:00:08.000000000 +0200
+++ openssh-5.8p2/entropy.c	2011-05-28 21:13:09.302866730 +0200
+@@ -145,6 +145,9 @@ seed_rng(void)
 	memset(buf, '\0', sizeof(buf));
 
 #endif /* OPENSSL_PRNG_ONLY */
@ -19,9 +11,9 @@ diff -up openssh-5.8p1/entropy.c.entropy openssh-5.8p1/entropy.c
 	if (RAND_status() != 1)
 		fatal("PRNG is not seeded");
 }
-diff -up openssh-5.8p1/openbsd-compat/Makefile.in.entropy openssh-5.8p1/openbsd-compat/Makefile.in
--- openssh-5.8p1/openbsd-compat/Makefile.in.entropy	2010-10-07 13:19:24.000000000 +0200
-+++ openssh-5.8p1/openbsd-compat/Makefile.in	2011-04-01 10:21:38.251648364 +0200
+diff -up openssh-5.8p2/openbsd-compat/Makefile.in.entropy openssh-5.8p2/openbsd-compat/Makefile.in
+--- openssh-5.8p2/openbsd-compat/Makefile.in.entropy	2010-10-07 13:19:24.000000000 +0200
+++ openssh-5.8p2/openbsd-compat/Makefile.in	2011-05-28 21:13:09.449924419 +0200
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
 
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
@ -31,22 +23,10 @@ diff -up openssh-5.8p1/openbsd-compat/Makefile.in.entropy openssh-5.8p1/openbsd-
 
 .c.o:
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-diff -up openssh-5.8p1/openbsd-compat/port-linux.h.entropy openssh-5.8p1/openbsd-compat/port-linux.h
--- openssh-5.8p1/openbsd-compat/port-linux.h.entropy	2011-04-01 10:22:10.165648950 +0200
-+++ openssh-5.8p1/openbsd-compat/port-linux.h	2011-04-01 10:22:36.965648719 +0200
-@@ -19,6 +19,8 @@
- #ifndef _PORT_LINUX_H
- #define _PORT_LINUX_H
- 
-+void linux_seed(void);
-+
- #ifdef WITH_SELINUX
- int ssh_selinux_enabled(void);
- void ssh_selinux_setup_pty(char *, const char *);
-diff -up openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy openssh-5.8p1/openbsd-compat/port-linux-prng.c
--- openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy	2011-04-01 10:21:38.302648133 +0200
-+++ openssh-5.8p1/openbsd-compat/port-linux-prng.c	2011-04-01 10:21:38.311648282 +0200
-@@ -0,0 +1,56 @@
+diff -up openssh-5.8p2/openbsd-compat/port-linux-prng.c.entropy openssh-5.8p2/openbsd-compat/port-linux-prng.c
+--- openssh-5.8p2/openbsd-compat/port-linux-prng.c.entropy	2011-05-28 21:13:09.540878930 +0200
+++ openssh-5.8p2/openbsd-compat/port-linux-prng.c	2011-05-28 21:13:09.547919624 +0200
+@@ -0,0 +1,59 @@
 +/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
 +
 +/*
@ -90,22 +70,25 @@ diff -up openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy openssh-5.8p1/op
 +{
 +	int len;
 +	char *env = getenv("SSH_USE_STRONG_RNG");
-+	char *random = "/dev/urandom";
+	char *random = "/dev/random";
+	size_t ienv, randlen = 6;
 +
-+	if (env && !strcmp(env, "1"))
-+		random = "/dev/random";
+	if (!env || !strcmp(env, "0"))
+		random = "/dev/urandom";
+	else if ((ienv = atoi(env)) > 6)
+		randlen = ienv;
 +
 +	errno = 0;
-+	if ((len = RAND_load_file(random, 48)) != 48) {
+	if ((len = RAND_load_file(random, randlen)) != randlen) {
 +		if (errno)
 +			fatal ("cannot read from %s, %s", random, strerror(errno));
 +		else
 +			fatal ("EOF reading %s", random);
 +	}
 +}
-diff -up openssh-5.8p1/ssh.1.entropy openssh-5.8p1/ssh.1
--- openssh-5.8p1/ssh.1.entropy	2010-11-20 05:21:03.000000000 +0100
-+++ openssh-5.8p1/ssh.1	2011-04-01 10:21:38.352648197 +0200
+diff -up openssh-5.8p2/ssh.1.entropy openssh-5.8p2/ssh.1
+--- openssh-5.8p2/ssh.1.entropy	2010-11-20 05:21:03.000000000 +0100
+++ openssh-5.8p2/ssh.1	2011-05-28 21:15:27.375920967 +0200
@@ -1250,6 +1250,17 @@ For more information, see the
 .Cm PermitUserEnvironment
 option in
@ -115,39 +98,39 @@ diff -up openssh-5.8p1/ssh.1.entropy openssh-5.8p1/ssh.1
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
-+is set to
-+.Cm 1 ,
+is set to nonzero value
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value. Minimum is 6 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator. Insuifficient entropy causes the blocking conection.
 .Sh FILES
 .Bl -tag -width Ds -compact
 .It Pa ~/.rhosts
-diff -up openssh-5.8p1/ssh-add.1.entropy openssh-5.8p1/ssh-add.1
--- openssh-5.8p1/ssh-add.1.entropy	2010-11-05 00:20:14.000000000 +0100
-+++ openssh-5.8p1/ssh-add.1	2011-04-01 10:21:38.416648713 +0200
-@@ -157,6 +157,17 @@ to make this work.)
- Identifies the path of a
+diff -up openssh-5.8p2/ssh-add.1.entropy openssh-5.8p2/ssh-add.1
+--- openssh-5.8p2/ssh-add.1.entropy	2010-11-05 00:20:14.000000000 +0100
+++ openssh-5.8p2/ssh-add.1	2011-05-28 21:16:43.891859186 +0200
+@@ -158,6 +158,17 @@ Identifies the path of a
 .Ux Ns -domain
 socket used to communicate with the agent.
+ .El
 +.It Ev SSH_USE_STRONG_RNG
 +The reseeding of the OpenSSL random generator is usually done from
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
-+is set to
-+.Cm 1 ,
+is set to nonzero value
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value. Minimum is 6 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator. Insuifficient entropy causes the blocking conection.
- .El
 .Sh FILES
 .Bl -tag -width Ds
-diff -up openssh-5.8p1/ssh-agent.1.entropy openssh-5.8p1/ssh-agent.1
--- openssh-5.8p1/ssh-agent.1.entropy	2010-12-01 01:50:35.000000000 +0100
-+++ openssh-5.8p1/ssh-agent.1	2011-04-01 10:21:38.459648714 +0200
+ .It Pa ~/.ssh/identity
+diff -up openssh-5.8p2/ssh-agent.1.entropy openssh-5.8p2/ssh-agent.1
+--- openssh-5.8p2/ssh-agent.1.entropy	2010-12-01 01:50:35.000000000 +0100
+++ openssh-5.8p2/ssh-agent.1	2011-05-28 21:13:10.086864993 +0200
@@ -198,6 +198,20 @@ sockets used to contain the connection t
 These sockets should only be readable by the owner.
 The sockets should get automatically removed when the agent exits.
@ -160,18 +143,18 @@ diff -up openssh-5.8p1/ssh-agent.1.entropy openssh-5.8p1/ssh-agent.1
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
-+is set to
-+.Cm 1 ,
+is set to nonzero value
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value. Minimum is 6 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator. Insuifficient entropy causes the blocking conection.
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
-diff -up openssh-5.8p1/sshd.8.entropy openssh-5.8p1/sshd.8
--- openssh-5.8p1/sshd.8.entropy	2010-11-05 00:20:14.000000000 +0100
-+++ openssh-5.8p1/sshd.8	2011-04-01 10:21:38.505648778 +0200
+diff -up openssh-5.8p2/sshd.8.entropy openssh-5.8p2/sshd.8
+--- openssh-5.8p2/sshd.8.entropy	2010-11-05 00:20:14.000000000 +0100
+++ openssh-5.8p2/sshd.8	2011-05-28 21:13:10.241861760 +0200
@@ -937,6 +937,20 @@ concurrently for different ports, this c
 started last).
 The content of this file is not sensitive; it can be world-readable.
@ -184,19 +167,19 @@ diff -up openssh-5.8p1/sshd.8.entropy openssh-5.8p1/sshd.8
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
-+is set to
-+.Cm 1 ,
+is set to nonzero value
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value. Minimum is 6 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator. Insuifficient entropy causes the blocking conection.
 .Sh SEE ALSO
 .Xr scp 1 ,
 .Xr sftp 1 ,
-diff -up openssh-5.8p1/ssh-keygen.1.entropy openssh-5.8p1/ssh-keygen.1
--- openssh-5.8p1/ssh-keygen.1.entropy	2010-11-05 00:20:14.000000000 +0100
-+++ openssh-5.8p1/ssh-keygen.1	2011-04-01 10:21:38.554648691 +0200
-@@ -655,6 +655,20 @@ Contains Diffie-Hellman groups used for 
+diff -up openssh-5.8p2/ssh-keygen.1.entropy openssh-5.8p2/ssh-keygen.1
+--- openssh-5.8p2/ssh-keygen.1.entropy	2010-11-05 00:20:14.000000000 +0100
+++ openssh-5.8p2/ssh-keygen.1	2011-05-28 21:13:10.389856432 +0200
+@@ -655,6 +655,20 @@ Contains Diffie-Hellman groups used for
 The file format is described in
 .Xr moduli 5 .
 .El
@ -208,18 +191,18 @@ diff -up openssh-5.8p1/ssh-keygen.1.entropy openssh-5.8p1/ssh-keygen.1
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
-+is set to
-+.Cm 1 ,
+is set to nonzero value
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value. Minimum is 6 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator. Insuifficient entropy causes the blocking conection.
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
-diff -up openssh-5.8p1/ssh-keysign.8.entropy openssh-5.8p1/ssh-keysign.8
--- openssh-5.8p1/ssh-keysign.8.entropy	2010-08-31 14:41:14.000000000 +0200
-+++ openssh-5.8p1/ssh-keysign.8	2011-04-01 10:21:38.606648660 +0200
+diff -up openssh-5.8p2/ssh-keysign.8.entropy openssh-5.8p2/ssh-keysign.8
+--- openssh-5.8p2/ssh-keysign.8.entropy	2010-08-31 14:41:14.000000000 +0200
+++ openssh-5.8p2/ssh-keysign.8	2011-05-28 21:17:32.399856797 +0200
@@ -78,6 +78,20 @@ must be set-uid root if host-based authe
 If these files exist they are assumed to contain public certificate
 information corresponding with the private keys above.
@ -232,10 +215,10 @@ diff -up openssh-5.8p1/ssh-keysign.8.entropy openssh-5.8p1/ssh-keysign.8
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
-+is set to
-+.Cm 1 ,
+is set to nonzero value
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value. Minimum is 6 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator. Insuifficient entropy causes the blocking conection.
 .Sh SEE ALSO
--- a/openssh-5.8p1-ldap.patch
+++ b/openssh-5.8p1-ldap.patch
@ -1,6 +1,6 @@
-diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac
--- openssh-5.8p1/configure.ac.ldap	2011-04-01 09:01:18.559688927 +0200
-+++ openssh-5.8p1/configure.ac	2011-04-01 09:01:18.972717095 +0200
+diff -up openssh-5.8p2/configure.ac.ldap openssh-5.8p2/configure.ac
+--- openssh-5.8p2/configure.ac.ldap	2011-05-28 21:03:47.808925111 +0200
+++ openssh-5.8p2/configure.ac	2011-05-28 21:03:48.797857317 +0200
@@ -1434,6 +1434,106 @@ AC_ARG_WITH(authorized-keys-command,
 	]
 )
@ -108,9 +108,9 @@ diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS( \
 	arc4random \
-diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys
--- openssh-5.8p1/HOWTO.ldap-keys.ldap	2011-04-01 09:01:19.000648742 +0200
-+++ openssh-5.8p1/HOWTO.ldap-keys	2011-04-01 09:01:19.564648857 +0200
+diff -up openssh-5.8p2/HOWTO.ldap-keys.ldap openssh-5.8p2/HOWTO.ldap-keys
+--- openssh-5.8p2/HOWTO.ldap-keys.ldap	2011-05-28 21:03:48.914981834 +0200
+++ openssh-5.8p2/HOWTO.ldap-keys	2011-05-28 21:03:48.922914614 +0200
@@ -0,0 +1,108 @@
 +
 +HOW TO START
@ -220,9 +220,9 @@ diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys
 +5) Author
 +    Jan F. Chadima <jchadima@redhat.com>
 +
-diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c
--- openssh-5.8p1/ldapbody.c.ldap	2011-04-01 09:01:19.024648747 +0200
-+++ openssh-5.8p1/ldapbody.c	2011-04-01 09:01:19.032648722 +0200
+diff -up openssh-5.8p2/ldapbody.c.ldap openssh-5.8p2/ldapbody.c
+--- openssh-5.8p2/ldapbody.c.ldap	2011-05-28 21:03:48.984982387 +0200
+++ openssh-5.8p2/ldapbody.c	2011-05-28 21:03:48.994983833 +0200
@@ -0,0 +1,494 @@
 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -718,9 +718,9 @@ diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c
 +	return;
 +}
 +
-diff -up openssh-5.8p1/ldapbody.h.ldap openssh-5.8p1/ldapbody.h
--- openssh-5.8p1/ldapbody.h.ldap	2011-04-01 09:01:19.047648768 +0200
-+++ openssh-5.8p1/ldapbody.h	2011-04-01 09:01:19.057648739 +0200
+diff -up openssh-5.8p2/ldapbody.h.ldap openssh-5.8p2/ldapbody.h
+--- openssh-5.8p2/ldapbody.h.ldap	2011-05-28 21:03:49.063861457 +0200
+++ openssh-5.8p2/ldapbody.h	2011-05-28 21:03:49.070983552 +0200
@@ -0,0 +1,37 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -759,9 +759,9 @@ diff -up openssh-5.8p1/ldapbody.h.ldap openssh-5.8p1/ldapbody.h
 +
 +#endif /* LDAPBODY_H */
 +
-diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c
--- openssh-5.8p1/ldapconf.c.ldap	2011-04-01 09:01:19.073648744 +0200
-+++ openssh-5.8p1/ldapconf.c	2011-04-01 09:01:19.082648746 +0200
+diff -up openssh-5.8p2/ldapconf.c.ldap openssh-5.8p2/ldapconf.c
+--- openssh-5.8p2/ldapconf.c.ldap	2011-05-28 21:03:49.145860570 +0200
+++ openssh-5.8p2/ldapconf.c	2011-05-28 21:03:49.154983297 +0200
@@ -0,0 +1,682 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1445,9 +1445,9 @@ diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c
 +	dump_cfg_string(lSSH_Filter, options.ssh_filter);
 +}
 +
-diff -up openssh-5.8p1/ldapconf.h.ldap openssh-5.8p1/ldapconf.h
--- openssh-5.8p1/ldapconf.h.ldap	2011-04-01 09:01:19.097648717 +0200
-+++ openssh-5.8p1/ldapconf.h	2011-04-01 09:01:19.107648734 +0200
+diff -up openssh-5.8p2/ldapconf.h.ldap openssh-5.8p2/ldapconf.h
+--- openssh-5.8p2/ldapconf.h.ldap	2011-05-28 21:03:49.222855494 +0200
+++ openssh-5.8p2/ldapconf.h	2011-05-28 21:03:49.230857403 +0200
@@ -0,0 +1,71 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1520,9 +1520,9 @@ diff -up openssh-5.8p1/ldapconf.h.ldap openssh-5.8p1/ldapconf.h
 +void dump_config(void);
 +
 +#endif /* LDAPCONF_H */
-diff -up openssh-5.8p1/ldap.conf.ldap openssh-5.8p1/ldap.conf
--- openssh-5.8p1/ldap.conf.ldap	2011-04-01 09:01:19.122648724 +0200
-+++ openssh-5.8p1/ldap.conf	2011-04-01 09:01:19.131648759 +0200
+diff -up openssh-5.8p2/ldap.conf.ldap openssh-5.8p2/ldap.conf
+--- openssh-5.8p2/ldap.conf.ldap	2011-05-28 21:03:49.286865328 +0200
+++ openssh-5.8p2/ldap.conf	2011-05-28 21:03:49.294861823 +0200
@@ -0,0 +1,88 @@
 +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
 +#
@ -1612,9 +1612,9 @@ diff -up openssh-5.8p1/ldap.conf.ldap openssh-5.8p1/ldap.conf
 +#tls_cert
 +#tls_key
 +
-diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c
--- openssh-5.8p1/ldap-helper.c.ldap	2011-04-01 09:01:19.145658994 +0200
-+++ openssh-5.8p1/ldap-helper.c	2011-04-01 09:01:19.608648889 +0200
+diff -up openssh-5.8p2/ldap-helper.c.ldap openssh-5.8p2/ldap-helper.c
+--- openssh-5.8p2/ldap-helper.c.ldap	2011-05-28 21:03:49.355862289 +0200
+++ openssh-5.8p2/ldap-helper.c	2011-05-28 21:03:49.364861642 +0200
@@ -0,0 +1,155 @@
 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1771,9 +1771,9 @@ diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c
 +void   *buffer_get_string(Buffer *b, u_int *l) {}
 +void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
 +
-diff -up openssh-5.8p1/ldap-helper.h.ldap openssh-5.8p1/ldap-helper.h
--- openssh-5.8p1/ldap-helper.h.ldap	2011-04-01 09:01:19.168648731 +0200
-+++ openssh-5.8p1/ldap-helper.h	2011-04-01 09:01:19.177648726 +0200
+diff -up openssh-5.8p2/ldap-helper.h.ldap openssh-5.8p2/ldap-helper.h
+--- openssh-5.8p2/ldap-helper.h.ldap	2011-05-28 21:03:49.446856183 +0200
+++ openssh-5.8p2/ldap-helper.h	2011-05-28 21:03:49.453861731 +0200
@@ -0,0 +1,32 @@
 +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1807,9 +1807,9 @@ diff -up openssh-5.8p1/ldap-helper.h.ldap openssh-5.8p1/ldap-helper.h
 +extern int config_warning_config_file;
 +
 +#endif /* LDAP_HELPER_H */
-diff -up openssh-5.8p1/ldapincludes.h.ldap openssh-5.8p1/ldapincludes.h
--- openssh-5.8p1/ldapincludes.h.ldap	2011-04-01 09:01:19.192648737 +0200
-+++ openssh-5.8p1/ldapincludes.h	2011-04-01 09:01:19.202648683 +0200
+diff -up openssh-5.8p2/ldapincludes.h.ldap openssh-5.8p2/ldapincludes.h
+--- openssh-5.8p2/ldapincludes.h.ldap	2011-05-28 21:03:49.513856874 +0200
+++ openssh-5.8p2/ldapincludes.h	2011-05-28 21:03:49.520855810 +0200
@@ -0,0 +1,41 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1852,9 +1852,9 @@ diff -up openssh-5.8p1/ldapincludes.h.ldap openssh-5.8p1/ldapincludes.h
 +#endif
 +
 +#endif /* LDAPINCLUDES_H */
-diff -up openssh-5.8p1/ldapmisc.c.ldap openssh-5.8p1/ldapmisc.c
--- openssh-5.8p1/ldapmisc.c.ldap	2011-04-01 09:01:19.216648692 +0200
-+++ openssh-5.8p1/ldapmisc.c	2011-04-01 09:01:19.225648767 +0200
+diff -up openssh-5.8p2/ldapmisc.c.ldap openssh-5.8p2/ldapmisc.c
+--- openssh-5.8p2/ldapmisc.c.ldap	2011-05-28 21:03:49.590855991 +0200
+++ openssh-5.8p2/ldapmisc.c	2011-05-28 21:03:49.597856040 +0200
@@ -0,0 +1,79 @@
 +
 +#include "ldapincludes.h"
@ -1935,9 +1935,9 @@ diff -up openssh-5.8p1/ldapmisc.c.ldap openssh-5.8p1/ldapmisc.c
 +}
 +#endif
 +
-diff -up openssh-5.8p1/ldapmisc.h.ldap openssh-5.8p1/ldapmisc.h
--- openssh-5.8p1/ldapmisc.h.ldap	2011-04-01 09:01:19.240648724 +0200
-+++ openssh-5.8p1/ldapmisc.h	2011-04-01 09:01:19.249648718 +0200
+diff -up openssh-5.8p2/ldapmisc.h.ldap openssh-5.8p2/ldapmisc.h
+--- openssh-5.8p2/ldapmisc.h.ldap	2011-05-28 21:03:49.664857820 +0200
+++ openssh-5.8p2/ldapmisc.h	2011-05-28 21:03:49.671861203 +0200
@@ -0,0 +1,35 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1974,10 +1974,9 @@ diff -up openssh-5.8p1/ldapmisc.h.ldap openssh-5.8p1/ldapmisc.h
 +
 +#endif /* LDAPMISC_H */
 +
-diff -up openssh-5.8p1/lpk-user-example.txt.ldap openssh-5.8p1/lpk-user-example.txt
-diff -up openssh-5.8p1/Makefile.in.ldap openssh-5.8p1/Makefile.in
--- openssh-5.8p1/Makefile.in.ldap	2011-04-01 09:01:15.209648708 +0200
-+++ openssh-5.8p1/Makefile.in	2011-04-01 09:01:19.307648329 +0200
+diff -up openssh-5.8p2/Makefile.in.ldap openssh-5.8p2/Makefile.in
+--- openssh-5.8p2/Makefile.in.ldap	2011-05-28 21:03:37.758857361 +0200
+++ openssh-5.8p2/Makefile.in	2011-05-28 21:03:49.775856441 +0200
@@ -26,6 +26,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
 SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@ -2063,9 +2062,9 @@ diff -up openssh-5.8p1/Makefile.in.ldap openssh-5.8p1/Makefile.in
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 
 tests interop-tests:	$(TARGETS)
-diff -up openssh-5.8p1/openssh-lpk-openldap.schema.ldap openssh-5.8p1/openssh-lpk-openldap.schema
--- openssh-5.8p1/openssh-lpk-openldap.schema.ldap	2011-04-01 09:01:19.333648708 +0200
-+++ openssh-5.8p1/openssh-lpk-openldap.schema	2011-04-01 09:01:19.343648766 +0200
+diff -up openssh-5.8p2/openssh-lpk-openldap.schema.ldap openssh-5.8p2/openssh-lpk-openldap.schema
+--- openssh-5.8p2/openssh-lpk-openldap.schema.ldap	2011-05-28 21:03:49.871872045 +0200
+++ openssh-5.8p2/openssh-lpk-openldap.schema	2011-05-28 21:03:49.878856149 +0200
@@ -0,0 +1,21 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2088,9 +2087,9 @@ diff -up openssh-5.8p1/openssh-lpk-openldap.schema.ldap openssh-5.8p1/openssh-lp
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-diff -up openssh-5.8p1/openssh-lpk-sun.schema.ldap openssh-5.8p1/openssh-lpk-sun.schema
--- openssh-5.8p1/openssh-lpk-sun.schema.ldap	2011-04-01 09:01:19.358648705 +0200
-+++ openssh-5.8p1/openssh-lpk-sun.schema	2011-04-01 09:01:19.368648739 +0200
+diff -up openssh-5.8p2/openssh-lpk-sun.schema.ldap openssh-5.8p2/openssh-lpk-sun.schema
+--- openssh-5.8p2/openssh-lpk-sun.schema.ldap	2011-05-28 21:03:49.934856078 +0200
+++ openssh-5.8p2/openssh-lpk-sun.schema	2011-05-28 21:03:49.941856158 +0200
@@ -0,0 +1,23 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2115,11 +2114,10 @@ diff -up openssh-5.8p1/openssh-lpk-sun.schema.ldap openssh-5.8p1/openssh-lpk-sun
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-diff -up openssh-5.8p1/README.lpk.ldap openssh-5.8p1/README.lpk
-diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
--- openssh-5.8p1/ssh-ldap.conf.5.ldap	2011-04-01 09:01:19.408648714 +0200
-+++ openssh-5.8p1/ssh-ldap.conf.5	2011-04-01 09:01:19.418648733 +0200
-@@ -0,0 +1,373 @@
+diff -up openssh-5.8p2/ssh-ldap.conf.5.ldap openssh-5.8p2/ssh-ldap.conf.5
+--- openssh-5.8p2/ssh-ldap.conf.5.ldap	2011-05-28 21:03:50.013873320 +0200
+++ openssh-5.8p2/ssh-ldap.conf.5	2011-05-28 21:03:50.333857346 +0200
+@@ -0,0 +1,376 @@
 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
 +.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
@ -2163,6 +2161,7 @@ diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
 +may be incorrect, as the quotes would become part of the value.
 +The possible keywords and their meanings are as follows (note that
 +keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
+.Bl -tag -width Ds
 +.It Cm URI
 +The argument(s) are in the form
 +.Pa ldap[si]://[name[:port]]
@ -2330,7 +2329,7 @@ diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
 +are the aliases for
 +.Dq no .
 +If
-+.Dqstart_tls
+.Dq start_tls
 +is specified then StartTLS is used rather than raw LDAP over SSL.
 +The default for ldap:// is
 +.Dq start_tls ,
@ -2479,11 +2478,13 @@ diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
 +.It Cm SSH_Filter
 +Specifies the user filter applied on the LDAP serch.
 +The default is no filter.
+.El
 +.Sh FILES
 +.Bl -tag -width Ds
 +.It Pa  /etc/ssh/ldap.conf
 +Ldap configuration file for
 +.Xr ssh-ldap-helper 8 .
+.El
 +.Sh "SEE ALSO"
 +.Xr ldap.conf 5 ,
 +.Xr ssh-ldap-helper 8
@ -2493,9 +2494,9 @@ diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
 +OpenSSH 5.5 + PKA-LDAP .
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchadima@redhat.com
-diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
--- openssh-5.8p1/ssh-ldap-helper.8.ldap	2011-04-01 09:01:19.432648735 +0200
-+++ openssh-5.8p1/ssh-ldap-helper.8	2011-04-01 09:01:19.709648247 +0200
+diff -up openssh-5.8p2/ssh-ldap-helper.8.ldap openssh-5.8p2/ssh-ldap-helper.8
+--- openssh-5.8p2/ssh-ldap-helper.8.ldap	2011-05-28 21:03:50.088856725 +0200
+++ openssh-5.8p2/ssh-ldap-helper.8	2011-05-28 21:03:50.462857758 +0200
@@ -0,0 +1,79 @@
 +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
@ -2565,7 +2566,7 @@ diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
 +.It Fl w
 +.Nm
 +writes warnings about unknown items in the ldap.conf configuration file.
-+
+.El
 +.Sh SEE ALSO
 +.Xr sshd 8 ,
 +.Xr sshd_config 5 ,
@ -2576,9 +2577,9 @@ diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
 +OpenSSH 5.5 + PKA-LDAP .
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchadima@redhat.com
-diff -up openssh-5.8p1/ssh-ldap-wrapper.ldap openssh-5.8p1/ssh-ldap-wrapper
--- openssh-5.8p1/ssh-ldap-wrapper.ldap	2011-04-01 09:01:19.456648676 +0200
-+++ openssh-5.8p1/ssh-ldap-wrapper	2011-04-01 09:01:19.464648753 +0200
+diff -up openssh-5.8p2/ssh-ldap-wrapper.ldap openssh-5.8p2/ssh-ldap-wrapper
+--- openssh-5.8p2/ssh-ldap-wrapper.ldap	2011-05-28 21:03:50.155857193 +0200
+++ openssh-5.8p2/ssh-ldap-wrapper	2011-05-28 21:03:50.161873358 +0200
@@ -0,0 +1,4 @@
 +#!/bin/sh
 +
--- a/openssh-5.8p1-ldap2.patch
+++ b/openssh-5.8p1-ldap2.patch
@ -1,46 +0,0 @@
-diff -up openssh-5.8p2/ssh-ldap.conf.5.ldap2 openssh-5.8p2/ssh-ldap.conf.5
--- openssh-5.8p2/ssh-ldap.conf.5.ldap2	2011-05-24 18:21:31.851167623 +0200
-+++ openssh-5.8p2/ssh-ldap.conf.5	2011-05-24 18:28:20.301116545 +0200
-@@ -41,6 +41,7 @@ Quoting values that contain blanks
- may be incorrect, as the quotes would become part of the value.
- The possible keywords and their meanings are as follows (note that
- keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
-+.Bl -tag -width Ds
- .It Cm URI
- The argument(s) are in the form
- .Pa ldap[si]://[name[:port]]
-@@ -208,7 +209,7 @@ and
- are the aliases for
- .Dq no .
- If
-.Dqstart_tls
-+.Dq start_tls
- is specified then StartTLS is used rather than raw LDAP over SSL.
- The default for ldap:// is
- .Dq start_tls ,
-@@ -357,11 +358,13 @@ There is no default.
- .It Cm SSH_Filter
- Specifies the user filter applied on the LDAP serch.
- The default is no filter.
-+.El
- .Sh FILES
- .Bl -tag -width Ds
- .It Pa  /etc/ssh/ldap.conf
- Ldap configuration file for
- .Xr ssh-ldap-helper 8 .
-+.El
- .Sh "SEE ALSO"
- .Xr ldap.conf 5 ,
- .Xr ssh-ldap-helper 8
-diff -up openssh-5.8p2/ssh-ldap-helper.8.ldap2 openssh-5.8p2/ssh-ldap-helper.8
--- openssh-5.8p2/ssh-ldap-helper.8.ldap2	2011-05-24 18:29:33.476168165 +0200
-+++ openssh-5.8p2/ssh-ldap-helper.8	2011-05-24 18:30:47.030173237 +0200
-@@ -66,7 +66,7 @@ increases verbosity.
- .It Fl w
- .Nm
- writes warnings about unknown items in the ldap.conf configuration file.
-
-+.El
- .Sh SEE ALSO
- .Xr sshd 8 ,
- .Xr sshd_config 5 ,
--- a/openssh.spec
+++ b/openssh.spec
@ -74,7 +74,7 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.8p2
-%define openssh_rel 3
+%define openssh_rel 4
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 31

@ -132,7 +132,6 @@ Patch11: pam_ssh_agent_auth-0.9.2-seteuid.patch
 Patch20: openssh-5.8p1-authorized-keys-command.patch
 #?-- unwanted child :(
 Patch21: openssh-5.8p1-ldap.patch
-Patch121: openssh-5.8p1-ldap2.patch
 # #-mail-conf
 # Patch22: openssh-5.8p1-selinux.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
@ -158,7 +157,6 @@ Patch35: openssh-5.8p1-glob.patch
 Patch36: openssh-5.8p1-pwchange.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1893
 Patch37: openssh-5.8p1-keyperm.patch
-
 #?
 Patch50: openssh-5.8p1-fips.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1789
@ -361,7 +359,6 @@ popd
 %patch20 -p1 -b .akc
 %if %{ldap}
 %patch21 -p1 -b .ldap
-%patch121 -p1 -b .ldap2
 %endif
 %if %{WITH_SELINUX}
 #SELinux
@ -742,6 +739,10 @@ exit 0
 %endif

 %changelog
+* Fri May 27 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-4 + 0.9.2-31
+- improove entropy handling
+- concat ldap patches
+
 * Tue May 24 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-3 + 0.9.2-31
 - improove ldap manuals