improove entropy handling

concat ldap patches
2011-05-28 22:03:43 +02:00 · 2011-05-28 22:03:43 +02:00 · 0e9135fc82
commit 0e9135fc82
parent 94df89c9a5
4 changed files with 117 additions and 178 deletions
--- a/openssh-5.8p1-entropy.patch
+++ b/openssh-5.8p1-entropy.patch
@ -1,15 +1,7 @@
-diff -up openssh-5.8p1/entropy.c.entropy openssh-5.8p1/entropy.c
+diff -up openssh-5.8p2/entropy.c.entropy openssh-5.8p2/entropy.c
--- openssh-5.8p1/entropy.c.entropy	2011-01-13 11:05:29.000000000 +0100
+--- openssh-5.8p2/entropy.c.entropy	2011-05-03 02:00:08.000000000 +0200
-+++ openssh-5.8p1/entropy.c	2011-04-01 10:23:58.318648953 +0200
+++ openssh-5.8p2/entropy.c	2011-05-28 21:13:09.302866730 +0200
-@@ -50,6 +50,7 @@
+@@ -145,6 +145,9 @@ seed_rng(void)
 #include "pathnames.h"
 #include "log.h"
 #include "buffer.h"
 +#include "openbsd-compat/port-linux.h"
 /*
  * Portable OpenSSH PRNG seeding:
@@ -144,6 +145,9 @@ seed_rng(void)
 	memset(buf, '\0', sizeof(buf));
 #endif /* OPENSSL_PRNG_ONLY */
@ -19,9 +11,9 @@ diff -up openssh-5.8p1/entropy.c.entropy openssh-5.8p1/entropy.c
 	if (RAND_status() != 1)
 		fatal("PRNG is not seeded");
 }
-diff -up openssh-5.8p1/openbsd-compat/Makefile.in.entropy openssh-5.8p1/openbsd-compat/Makefile.in
+diff -up openssh-5.8p2/openbsd-compat/Makefile.in.entropy openssh-5.8p2/openbsd-compat/Makefile.in
--- openssh-5.8p1/openbsd-compat/Makefile.in.entropy	2010-10-07 13:19:24.000000000 +0200
+--- openssh-5.8p2/openbsd-compat/Makefile.in.entropy	2010-10-07 13:19:24.000000000 +0200
-+++ openssh-5.8p1/openbsd-compat/Makefile.in	2011-04-01 10:21:38.251648364 +0200
+++ openssh-5.8p2/openbsd-compat/Makefile.in	2011-05-28 21:13:09.449924419 +0200
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
@ -31,22 +23,10 @@ diff -up openssh-5.8p1/openbsd-compat/Makefile.in.entropy openssh-5.8p1/openbsd-
 .c.o:
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-diff -up openssh-5.8p1/openbsd-compat/port-linux.h.entropy openssh-5.8p1/openbsd-compat/port-linux.h
+diff -up openssh-5.8p2/openbsd-compat/port-linux-prng.c.entropy openssh-5.8p2/openbsd-compat/port-linux-prng.c
--- openssh-5.8p1/openbsd-compat/port-linux.h.entropy	2011-04-01 10:22:10.165648950 +0200
+--- openssh-5.8p2/openbsd-compat/port-linux-prng.c.entropy	2011-05-28 21:13:09.540878930 +0200
-+++ openssh-5.8p1/openbsd-compat/port-linux.h	2011-04-01 10:22:36.965648719 +0200
+++ openssh-5.8p2/openbsd-compat/port-linux-prng.c	2011-05-28 21:13:09.547919624 +0200
-@@ -19,6 +19,8 @@
+@@ -0,0 +1,59 @@
 #ifndef _PORT_LINUX_H
 #define _PORT_LINUX_H
 +void linux_seed(void);
 +
 #ifdef WITH_SELINUX
 int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);
 diff -up openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy openssh-5.8p1/openbsd-compat/port-linux-prng.c
 --- openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy	2011-04-01 10:21:38.302648133 +0200
 +++ openssh-5.8p1/openbsd-compat/port-linux-prng.c	2011-04-01 10:21:38.311648282 +0200
@@ -0,0 +1,56 @@
 +/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
 +
 +/*
@ -90,22 +70,25 @@ diff -up openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy openssh-5.8p1/op
 +{
 +	int len;
 +	char *env = getenv("SSH_USE_STRONG_RNG");
-+	char *random = "/dev/urandom";
+	char *random = "/dev/random";
 +	size_t ienv, randlen = 6;
 +
-+	if (env && !strcmp(env, "1"))
+	if (!env || !strcmp(env, "0"))
-+		random = "/dev/random";
+		random = "/dev/urandom";
 +	else if ((ienv = atoi(env)) > 6)
 +		randlen = ienv;
 +
 +	errno = 0;
-+	if ((len = RAND_load_file(random, 48)) != 48) {
+	if ((len = RAND_load_file(random, randlen)) != randlen) {
 +		if (errno)
 +			fatal ("cannot read from %s, %s", random, strerror(errno));
 +		else
 +			fatal ("EOF reading %s", random);
 +	}
 +}
-diff -up openssh-5.8p1/ssh.1.entropy openssh-5.8p1/ssh.1
+diff -up openssh-5.8p2/ssh.1.entropy openssh-5.8p2/ssh.1
--- openssh-5.8p1/ssh.1.entropy	2010-11-20 05:21:03.000000000 +0100
+--- openssh-5.8p2/ssh.1.entropy	2010-11-20 05:21:03.000000000 +0100
-+++ openssh-5.8p1/ssh.1	2011-04-01 10:21:38.352648197 +0200
+++ openssh-5.8p2/ssh.1	2011-05-28 21:15:27.375920967 +0200
@@ -1250,6 +1250,17 @@ For more information, see the
 .Cm PermitUserEnvironment
 option in
@ -115,39 +98,39 @@ diff -up openssh-5.8p1/ssh.1.entropy openssh-5.8p1/ssh.1
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
-+is set to
+is set to nonzero value
 +.Cm 1 ,
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
 +The number of bytes read is defined by the SSH_USE_STRONG_RNG value. Minimum is 6 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator. Insuifficient entropy causes the blocking conection.
 .Sh FILES
 .Bl -tag -width Ds -compact
 .It Pa ~/.rhosts
-diff -up openssh-5.8p1/ssh-add.1.entropy openssh-5.8p1/ssh-add.1
+diff -up openssh-5.8p2/ssh-add.1.entropy openssh-5.8p2/ssh-add.1
--- openssh-5.8p1/ssh-add.1.entropy	2010-11-05 00:20:14.000000000 +0100
+--- openssh-5.8p2/ssh-add.1.entropy	2010-11-05 00:20:14.000000000 +0100
-+++ openssh-5.8p1/ssh-add.1	2011-04-01 10:21:38.416648713 +0200
+++ openssh-5.8p2/ssh-add.1	2011-05-28 21:16:43.891859186 +0200
-@@ -157,6 +157,17 @@ to make this work.)
+@@ -158,6 +158,17 @@ Identifies the path of a
 Identifies the path of a
 .Ux Ns -domain
 socket used to communicate with the agent.
 .El
 +.It Ev SSH_USE_STRONG_RNG
 +The reseeding of the OpenSSL random generator is usually done from
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
-+is set to
+is set to nonzero value
 +.Cm 1 ,
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
 +The number of bytes read is defined by the SSH_USE_STRONG_RNG value. Minimum is 6 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator. Insuifficient entropy causes the blocking conection.
 .El
 .Sh FILES
 .Bl -tag -width Ds
-diff -up openssh-5.8p1/ssh-agent.1.entropy openssh-5.8p1/ssh-agent.1
+ .It Pa ~/.ssh/identity
--- openssh-5.8p1/ssh-agent.1.entropy	2010-12-01 01:50:35.000000000 +0100
+diff -up openssh-5.8p2/ssh-agent.1.entropy openssh-5.8p2/ssh-agent.1
-+++ openssh-5.8p1/ssh-agent.1	2011-04-01 10:21:38.459648714 +0200
+--- openssh-5.8p2/ssh-agent.1.entropy	2010-12-01 01:50:35.000000000 +0100
 +++ openssh-5.8p2/ssh-agent.1	2011-05-28 21:13:10.086864993 +0200
@@ -198,6 +198,20 @@ sockets used to contain the connection t
 These sockets should only be readable by the owner.
 The sockets should get automatically removed when the agent exits.
@ -160,18 +143,18 @@ diff -up openssh-5.8p1/ssh-agent.1.entropy openssh-5.8p1/ssh-agent.1
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
-+is set to
+is set to nonzero value
 +.Cm 1 ,
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
 +The number of bytes read is defined by the SSH_USE_STRONG_RNG value. Minimum is 6 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator. Insuifficient entropy causes the blocking conection.
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
-diff -up openssh-5.8p1/sshd.8.entropy openssh-5.8p1/sshd.8
+diff -up openssh-5.8p2/sshd.8.entropy openssh-5.8p2/sshd.8
--- openssh-5.8p1/sshd.8.entropy	2010-11-05 00:20:14.000000000 +0100
+--- openssh-5.8p2/sshd.8.entropy	2010-11-05 00:20:14.000000000 +0100
-+++ openssh-5.8p1/sshd.8	2011-04-01 10:21:38.505648778 +0200
+++ openssh-5.8p2/sshd.8	2011-05-28 21:13:10.241861760 +0200
@@ -937,6 +937,20 @@ concurrently for different ports, this c
 started last).
 The content of this file is not sensitive; it can be world-readable.
@ -184,19 +167,19 @@ diff -up openssh-5.8p1/sshd.8.entropy openssh-5.8p1/sshd.8
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
-+is set to
+is set to nonzero value
 +.Cm 1 ,
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
 +The number of bytes read is defined by the SSH_USE_STRONG_RNG value. Minimum is 6 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator. Insuifficient entropy causes the blocking conection.
 .Sh SEE ALSO
 .Xr scp 1 ,
 .Xr sftp 1 ,
-diff -up openssh-5.8p1/ssh-keygen.1.entropy openssh-5.8p1/ssh-keygen.1
+diff -up openssh-5.8p2/ssh-keygen.1.entropy openssh-5.8p2/ssh-keygen.1
--- openssh-5.8p1/ssh-keygen.1.entropy	2010-11-05 00:20:14.000000000 +0100
+--- openssh-5.8p2/ssh-keygen.1.entropy	2010-11-05 00:20:14.000000000 +0100
-+++ openssh-5.8p1/ssh-keygen.1	2011-04-01 10:21:38.554648691 +0200
+++ openssh-5.8p2/ssh-keygen.1	2011-05-28 21:13:10.389856432 +0200
-@@ -655,6 +655,20 @@ Contains Diffie-Hellman groups used for 
+@@ -655,6 +655,20 @@ Contains Diffie-Hellman groups used for
 The file format is described in
 .Xr moduli 5 .
 .El
@ -208,18 +191,18 @@ diff -up openssh-5.8p1/ssh-keygen.1.entropy openssh-5.8p1/ssh-keygen.1
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
-+is set to
+is set to nonzero value
 +.Cm 1 ,
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
 +The number of bytes read is defined by the SSH_USE_STRONG_RNG value. Minimum is 6 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator. Insuifficient entropy causes the blocking conection.
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
-diff -up openssh-5.8p1/ssh-keysign.8.entropy openssh-5.8p1/ssh-keysign.8
+diff -up openssh-5.8p2/ssh-keysign.8.entropy openssh-5.8p2/ssh-keysign.8
--- openssh-5.8p1/ssh-keysign.8.entropy	2010-08-31 14:41:14.000000000 +0200
+--- openssh-5.8p2/ssh-keysign.8.entropy	2010-08-31 14:41:14.000000000 +0200
-+++ openssh-5.8p1/ssh-keysign.8	2011-04-01 10:21:38.606648660 +0200
+++ openssh-5.8p2/ssh-keysign.8	2011-05-28 21:17:32.399856797 +0200
@@ -78,6 +78,20 @@ must be set-uid root if host-based authe
 If these files exist they are assumed to contain public certificate
 information corresponding with the private keys above.
@ -232,10 +215,10 @@ diff -up openssh-5.8p1/ssh-keysign.8.entropy openssh-5.8p1/ssh-keysign.8
 +.Cm /dev/urandom .
 +If the 
 +.Cm SSH_USE_STRONG_RNG
-+is set to
+is set to nonzero value
 +.Cm 1 ,
 +the OpenSSL random generator is reseeded from
 +.Cm /dev/random .
 +The number of bytes read is defined by the SSH_USE_STRONG_RNG value. Minimum is 6 bytes.
 +This setting is not recommended on the computers without the hardware
 +random generator. Insuifficient entropy causes the blocking conection.
 .Sh SEE ALSO
--- a/openssh-5.8p1-ldap.patch
+++ b/openssh-5.8p1-ldap.patch
@ -1,6 +1,6 @@
-diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac
+diff -up openssh-5.8p2/configure.ac.ldap openssh-5.8p2/configure.ac
--- openssh-5.8p1/configure.ac.ldap	2011-04-01 09:01:18.559688927 +0200
+--- openssh-5.8p2/configure.ac.ldap	2011-05-28 21:03:47.808925111 +0200
-+++ openssh-5.8p1/configure.ac	2011-04-01 09:01:18.972717095 +0200
+++ openssh-5.8p2/configure.ac	2011-05-28 21:03:48.797857317 +0200
@@ -1434,6 +1434,106 @@ AC_ARG_WITH(authorized-keys-command,
 	]
 )
@ -108,9 +108,9 @@ diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS( \
 	arc4random \
-diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys
+diff -up openssh-5.8p2/HOWTO.ldap-keys.ldap openssh-5.8p2/HOWTO.ldap-keys
--- openssh-5.8p1/HOWTO.ldap-keys.ldap	2011-04-01 09:01:19.000648742 +0200
+--- openssh-5.8p2/HOWTO.ldap-keys.ldap	2011-05-28 21:03:48.914981834 +0200
-+++ openssh-5.8p1/HOWTO.ldap-keys	2011-04-01 09:01:19.564648857 +0200
+++ openssh-5.8p2/HOWTO.ldap-keys	2011-05-28 21:03:48.922914614 +0200
@@ -0,0 +1,108 @@
 +
 +HOW TO START
@ -220,9 +220,9 @@ diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys
 +5) Author
 +    Jan F. Chadima <jchadima@redhat.com>
 +
-diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c
+diff -up openssh-5.8p2/ldapbody.c.ldap openssh-5.8p2/ldapbody.c
--- openssh-5.8p1/ldapbody.c.ldap	2011-04-01 09:01:19.024648747 +0200
+--- openssh-5.8p2/ldapbody.c.ldap	2011-05-28 21:03:48.984982387 +0200
-+++ openssh-5.8p1/ldapbody.c	2011-04-01 09:01:19.032648722 +0200
+++ openssh-5.8p2/ldapbody.c	2011-05-28 21:03:48.994983833 +0200
@@ -0,0 +1,494 @@
 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -718,9 +718,9 @@ diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c
 +	return;
 +}
 +
-diff -up openssh-5.8p1/ldapbody.h.ldap openssh-5.8p1/ldapbody.h
+diff -up openssh-5.8p2/ldapbody.h.ldap openssh-5.8p2/ldapbody.h
--- openssh-5.8p1/ldapbody.h.ldap	2011-04-01 09:01:19.047648768 +0200
+--- openssh-5.8p2/ldapbody.h.ldap	2011-05-28 21:03:49.063861457 +0200
-+++ openssh-5.8p1/ldapbody.h	2011-04-01 09:01:19.057648739 +0200
+++ openssh-5.8p2/ldapbody.h	2011-05-28 21:03:49.070983552 +0200
@@ -0,0 +1,37 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -759,9 +759,9 @@ diff -up openssh-5.8p1/ldapbody.h.ldap openssh-5.8p1/ldapbody.h
 +
 +#endif /* LDAPBODY_H */
 +
-diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c
+diff -up openssh-5.8p2/ldapconf.c.ldap openssh-5.8p2/ldapconf.c
--- openssh-5.8p1/ldapconf.c.ldap	2011-04-01 09:01:19.073648744 +0200
+--- openssh-5.8p2/ldapconf.c.ldap	2011-05-28 21:03:49.145860570 +0200
-+++ openssh-5.8p1/ldapconf.c	2011-04-01 09:01:19.082648746 +0200
+++ openssh-5.8p2/ldapconf.c	2011-05-28 21:03:49.154983297 +0200
@@ -0,0 +1,682 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1445,9 +1445,9 @@ diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c
 +	dump_cfg_string(lSSH_Filter, options.ssh_filter);
 +}
 +
-diff -up openssh-5.8p1/ldapconf.h.ldap openssh-5.8p1/ldapconf.h
+diff -up openssh-5.8p2/ldapconf.h.ldap openssh-5.8p2/ldapconf.h
--- openssh-5.8p1/ldapconf.h.ldap	2011-04-01 09:01:19.097648717 +0200
+--- openssh-5.8p2/ldapconf.h.ldap	2011-05-28 21:03:49.222855494 +0200
-+++ openssh-5.8p1/ldapconf.h	2011-04-01 09:01:19.107648734 +0200
+++ openssh-5.8p2/ldapconf.h	2011-05-28 21:03:49.230857403 +0200
@@ -0,0 +1,71 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1520,9 +1520,9 @@ diff -up openssh-5.8p1/ldapconf.h.ldap openssh-5.8p1/ldapconf.h
 +void dump_config(void);
 +
 +#endif /* LDAPCONF_H */
-diff -up openssh-5.8p1/ldap.conf.ldap openssh-5.8p1/ldap.conf
+diff -up openssh-5.8p2/ldap.conf.ldap openssh-5.8p2/ldap.conf
--- openssh-5.8p1/ldap.conf.ldap	2011-04-01 09:01:19.122648724 +0200
+--- openssh-5.8p2/ldap.conf.ldap	2011-05-28 21:03:49.286865328 +0200
-+++ openssh-5.8p1/ldap.conf	2011-04-01 09:01:19.131648759 +0200
+++ openssh-5.8p2/ldap.conf	2011-05-28 21:03:49.294861823 +0200
@@ -0,0 +1,88 @@
 +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
 +#
@ -1612,9 +1612,9 @@ diff -up openssh-5.8p1/ldap.conf.ldap openssh-5.8p1/ldap.conf
 +#tls_cert
 +#tls_key
 +
-diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c
+diff -up openssh-5.8p2/ldap-helper.c.ldap openssh-5.8p2/ldap-helper.c
--- openssh-5.8p1/ldap-helper.c.ldap	2011-04-01 09:01:19.145658994 +0200
+--- openssh-5.8p2/ldap-helper.c.ldap	2011-05-28 21:03:49.355862289 +0200
-+++ openssh-5.8p1/ldap-helper.c	2011-04-01 09:01:19.608648889 +0200
+++ openssh-5.8p2/ldap-helper.c	2011-05-28 21:03:49.364861642 +0200
@@ -0,0 +1,155 @@
 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1771,9 +1771,9 @@ diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c
 +void   *buffer_get_string(Buffer *b, u_int *l) {}
 +void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
 +
-diff -up openssh-5.8p1/ldap-helper.h.ldap openssh-5.8p1/ldap-helper.h
+diff -up openssh-5.8p2/ldap-helper.h.ldap openssh-5.8p2/ldap-helper.h
--- openssh-5.8p1/ldap-helper.h.ldap	2011-04-01 09:01:19.168648731 +0200
+--- openssh-5.8p2/ldap-helper.h.ldap	2011-05-28 21:03:49.446856183 +0200
-+++ openssh-5.8p1/ldap-helper.h	2011-04-01 09:01:19.177648726 +0200
+++ openssh-5.8p2/ldap-helper.h	2011-05-28 21:03:49.453861731 +0200
@@ -0,0 +1,32 @@
 +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1807,9 +1807,9 @@ diff -up openssh-5.8p1/ldap-helper.h.ldap openssh-5.8p1/ldap-helper.h
 +extern int config_warning_config_file;
 +
 +#endif /* LDAP_HELPER_H */
-diff -up openssh-5.8p1/ldapincludes.h.ldap openssh-5.8p1/ldapincludes.h
+diff -up openssh-5.8p2/ldapincludes.h.ldap openssh-5.8p2/ldapincludes.h
--- openssh-5.8p1/ldapincludes.h.ldap	2011-04-01 09:01:19.192648737 +0200
+--- openssh-5.8p2/ldapincludes.h.ldap	2011-05-28 21:03:49.513856874 +0200
-+++ openssh-5.8p1/ldapincludes.h	2011-04-01 09:01:19.202648683 +0200
+++ openssh-5.8p2/ldapincludes.h	2011-05-28 21:03:49.520855810 +0200
@@ -0,0 +1,41 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1852,9 +1852,9 @@ diff -up openssh-5.8p1/ldapincludes.h.ldap openssh-5.8p1/ldapincludes.h
 +#endif
 +
 +#endif /* LDAPINCLUDES_H */
-diff -up openssh-5.8p1/ldapmisc.c.ldap openssh-5.8p1/ldapmisc.c
+diff -up openssh-5.8p2/ldapmisc.c.ldap openssh-5.8p2/ldapmisc.c
--- openssh-5.8p1/ldapmisc.c.ldap	2011-04-01 09:01:19.216648692 +0200
+--- openssh-5.8p2/ldapmisc.c.ldap	2011-05-28 21:03:49.590855991 +0200
-+++ openssh-5.8p1/ldapmisc.c	2011-04-01 09:01:19.225648767 +0200
+++ openssh-5.8p2/ldapmisc.c	2011-05-28 21:03:49.597856040 +0200
@@ -0,0 +1,79 @@
 +
 +#include "ldapincludes.h"
@ -1935,9 +1935,9 @@ diff -up openssh-5.8p1/ldapmisc.c.ldap openssh-5.8p1/ldapmisc.c
 +}
 +#endif
 +
-diff -up openssh-5.8p1/ldapmisc.h.ldap openssh-5.8p1/ldapmisc.h
+diff -up openssh-5.8p2/ldapmisc.h.ldap openssh-5.8p2/ldapmisc.h
--- openssh-5.8p1/ldapmisc.h.ldap	2011-04-01 09:01:19.240648724 +0200
+--- openssh-5.8p2/ldapmisc.h.ldap	2011-05-28 21:03:49.664857820 +0200
-+++ openssh-5.8p1/ldapmisc.h	2011-04-01 09:01:19.249648718 +0200
+++ openssh-5.8p2/ldapmisc.h	2011-05-28 21:03:49.671861203 +0200
@@ -0,0 +1,35 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@ -1974,10 +1974,9 @@ diff -up openssh-5.8p1/ldapmisc.h.ldap openssh-5.8p1/ldapmisc.h
 +
 +#endif /* LDAPMISC_H */
 +
-diff -up openssh-5.8p1/lpk-user-example.txt.ldap openssh-5.8p1/lpk-user-example.txt
+diff -up openssh-5.8p2/Makefile.in.ldap openssh-5.8p2/Makefile.in
-diff -up openssh-5.8p1/Makefile.in.ldap openssh-5.8p1/Makefile.in
+--- openssh-5.8p2/Makefile.in.ldap	2011-05-28 21:03:37.758857361 +0200
--- openssh-5.8p1/Makefile.in.ldap	2011-04-01 09:01:15.209648708 +0200
+++ openssh-5.8p2/Makefile.in	2011-05-28 21:03:49.775856441 +0200
 +++ openssh-5.8p1/Makefile.in	2011-04-01 09:01:19.307648329 +0200
@@ -26,6 +26,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
 SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@ -2063,9 +2062,9 @@ diff -up openssh-5.8p1/Makefile.in.ldap openssh-5.8p1/Makefile.in
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 tests interop-tests:	$(TARGETS)
-diff -up openssh-5.8p1/openssh-lpk-openldap.schema.ldap openssh-5.8p1/openssh-lpk-openldap.schema
+diff -up openssh-5.8p2/openssh-lpk-openldap.schema.ldap openssh-5.8p2/openssh-lpk-openldap.schema
--- openssh-5.8p1/openssh-lpk-openldap.schema.ldap	2011-04-01 09:01:19.333648708 +0200
+--- openssh-5.8p2/openssh-lpk-openldap.schema.ldap	2011-05-28 21:03:49.871872045 +0200
-+++ openssh-5.8p1/openssh-lpk-openldap.schema	2011-04-01 09:01:19.343648766 +0200
+++ openssh-5.8p2/openssh-lpk-openldap.schema	2011-05-28 21:03:49.878856149 +0200
@@ -0,0 +1,21 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2088,9 +2087,9 @@ diff -up openssh-5.8p1/openssh-lpk-openldap.schema.ldap openssh-5.8p1/openssh-lp
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-diff -up openssh-5.8p1/openssh-lpk-sun.schema.ldap openssh-5.8p1/openssh-lpk-sun.schema
+diff -up openssh-5.8p2/openssh-lpk-sun.schema.ldap openssh-5.8p2/openssh-lpk-sun.schema
--- openssh-5.8p1/openssh-lpk-sun.schema.ldap	2011-04-01 09:01:19.358648705 +0200
+--- openssh-5.8p2/openssh-lpk-sun.schema.ldap	2011-05-28 21:03:49.934856078 +0200
-+++ openssh-5.8p1/openssh-lpk-sun.schema	2011-04-01 09:01:19.368648739 +0200
+++ openssh-5.8p2/openssh-lpk-sun.schema	2011-05-28 21:03:49.941856158 +0200
@@ -0,0 +1,23 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@ -2115,11 +2114,10 @@ diff -up openssh-5.8p1/openssh-lpk-sun.schema.ldap openssh-5.8p1/openssh-lpk-sun
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-diff -up openssh-5.8p1/README.lpk.ldap openssh-5.8p1/README.lpk
+diff -up openssh-5.8p2/ssh-ldap.conf.5.ldap openssh-5.8p2/ssh-ldap.conf.5
-diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
+--- openssh-5.8p2/ssh-ldap.conf.5.ldap	2011-05-28 21:03:50.013873320 +0200
--- openssh-5.8p1/ssh-ldap.conf.5.ldap	2011-04-01 09:01:19.408648714 +0200
+++ openssh-5.8p2/ssh-ldap.conf.5	2011-05-28 21:03:50.333857346 +0200
-+++ openssh-5.8p1/ssh-ldap.conf.5	2011-04-01 09:01:19.418648733 +0200
+@@ -0,0 +1,376 @@
@@ -0,0 +1,373 @@
 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
 +.\" Copyright (c) 2010 Jan F. Chadima.  All rights reserved.
@ -2163,6 +2161,7 @@ diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
 +may be incorrect, as the quotes would become part of the value.
 +The possible keywords and their meanings are as follows (note that
 +keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
 +.Bl -tag -width Ds
 +.It Cm URI
 +The argument(s) are in the form
 +.Pa ldap[si]://[name[:port]]
@ -2330,7 +2329,7 @@ diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
 +are the aliases for
 +.Dq no .
 +If
-+.Dqstart_tls
+.Dq start_tls
 +is specified then StartTLS is used rather than raw LDAP over SSL.
 +The default for ldap:// is
 +.Dq start_tls ,
@ -2479,11 +2478,13 @@ diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
 +.It Cm SSH_Filter
 +Specifies the user filter applied on the LDAP serch.
 +The default is no filter.
 +.El
 +.Sh FILES
 +.Bl -tag -width Ds
 +.It Pa  /etc/ssh/ldap.conf
 +Ldap configuration file for
 +.Xr ssh-ldap-helper 8 .
 +.El
 +.Sh "SEE ALSO"
 +.Xr ldap.conf 5 ,
 +.Xr ssh-ldap-helper 8
@ -2493,9 +2494,9 @@ diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
 +OpenSSH 5.5 + PKA-LDAP .
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchadima@redhat.com
-diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
+diff -up openssh-5.8p2/ssh-ldap-helper.8.ldap openssh-5.8p2/ssh-ldap-helper.8
--- openssh-5.8p1/ssh-ldap-helper.8.ldap	2011-04-01 09:01:19.432648735 +0200
+--- openssh-5.8p2/ssh-ldap-helper.8.ldap	2011-05-28 21:03:50.088856725 +0200
-+++ openssh-5.8p1/ssh-ldap-helper.8	2011-04-01 09:01:19.709648247 +0200
+++ openssh-5.8p2/ssh-ldap-helper.8	2011-05-28 21:03:50.462857758 +0200
@@ -0,0 +1,79 @@
 +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
@ -2565,7 +2566,7 @@ diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
 +.It Fl w
 +.Nm
 +writes warnings about unknown items in the ldap.conf configuration file.
-+
+.El
 +.Sh SEE ALSO
 +.Xr sshd 8 ,
 +.Xr sshd_config 5 ,
@ -2576,9 +2577,9 @@ diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
 +OpenSSH 5.5 + PKA-LDAP .
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchadima@redhat.com
-diff -up openssh-5.8p1/ssh-ldap-wrapper.ldap openssh-5.8p1/ssh-ldap-wrapper
+diff -up openssh-5.8p2/ssh-ldap-wrapper.ldap openssh-5.8p2/ssh-ldap-wrapper
--- openssh-5.8p1/ssh-ldap-wrapper.ldap	2011-04-01 09:01:19.456648676 +0200
+--- openssh-5.8p2/ssh-ldap-wrapper.ldap	2011-05-28 21:03:50.155857193 +0200
-+++ openssh-5.8p1/ssh-ldap-wrapper	2011-04-01 09:01:19.464648753 +0200
+++ openssh-5.8p2/ssh-ldap-wrapper	2011-05-28 21:03:50.161873358 +0200
@@ -0,0 +1,4 @@
 +#!/bin/sh
 +
--- a/openssh-5.8p1-ldap2.patch
+++ b/openssh-5.8p1-ldap2.patch
@ -1,46 +0,0 @@
 diff -up openssh-5.8p2/ssh-ldap.conf.5.ldap2 openssh-5.8p2/ssh-ldap.conf.5
 --- openssh-5.8p2/ssh-ldap.conf.5.ldap2	2011-05-24 18:21:31.851167623 +0200
 +++ openssh-5.8p2/ssh-ldap.conf.5	2011-05-24 18:28:20.301116545 +0200
@@ -41,6 +41,7 @@ Quoting values that contain blanks
 may be incorrect, as the quotes would become part of the value.
 The possible keywords and their meanings are as follows (note that
 keywords are case-insensitive, and arguments, on a case by case basis, may be case-sensitive).
 +.Bl -tag -width Ds
 .It Cm URI
 The argument(s) are in the form
 .Pa ldap[si]://[name[:port]]
@@ -208,7 +209,7 @@ and
 are the aliases for
 .Dq no .
 If
 -.Dqstart_tls
 +.Dq start_tls
 is specified then StartTLS is used rather than raw LDAP over SSL.
 The default for ldap:// is
 .Dq start_tls ,
@@ -357,11 +358,13 @@ There is no default.
 .It Cm SSH_Filter
 Specifies the user filter applied on the LDAP serch.
 The default is no filter.
 +.El
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa  /etc/ssh/ldap.conf
 Ldap configuration file for
 .Xr ssh-ldap-helper 8 .
 +.El
 .Sh "SEE ALSO"
 .Xr ldap.conf 5 ,
 .Xr ssh-ldap-helper 8
 diff -up openssh-5.8p2/ssh-ldap-helper.8.ldap2 openssh-5.8p2/ssh-ldap-helper.8
 --- openssh-5.8p2/ssh-ldap-helper.8.ldap2	2011-05-24 18:29:33.476168165 +0200
 +++ openssh-5.8p2/ssh-ldap-helper.8	2011-05-24 18:30:47.030173237 +0200
@@ -66,7 +66,7 @@ increases verbosity.
 .It Fl w
 .Nm
 writes warnings about unknown items in the ldap.conf configuration file.
 -
 +.El
 .Sh SEE ALSO
 .Xr sshd 8 ,
 .Xr sshd_config 5 ,
--- a/openssh.spec
+++ b/openssh.spec
@ -74,7 +74,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.8p2
-%define openssh_rel 3
+%define openssh_rel 4
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 31
@ -132,7 +132,6 @@ Patch11: pam_ssh_agent_auth-0.9.2-seteuid.patch
 Patch20: openssh-5.8p1-authorized-keys-command.patch
 #?-- unwanted child :(
 Patch21: openssh-5.8p1-ldap.patch
 Patch121: openssh-5.8p1-ldap2.patch
 # #-mail-conf
 # Patch22: openssh-5.8p1-selinux.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
@ -158,7 +157,6 @@ Patch35: openssh-5.8p1-glob.patch
 Patch36: openssh-5.8p1-pwchange.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1893
 Patch37: openssh-5.8p1-keyperm.patch
 #?
 Patch50: openssh-5.8p1-fips.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1789
@ -361,7 +359,6 @@ popd
 %patch20 -p1 -b .akc
 %if %{ldap}
 %patch21 -p1 -b .ldap
 %patch121 -p1 -b .ldap2
 %endif
 %if %{WITH_SELINUX}
 #SELinux
@ -742,6 +739,10 @@ exit 0
 %endif
 %changelog
 * Fri May 27 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-4 + 0.9.2-31
 - improove entropy handling
 - concat ldap patches
 * Tue May 24 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p2-3 + 0.9.2-31
 - improove ldap manuals