another audit improovements

2011-02-25 09:30:56 +01:00 · 2011-02-25 09:30:56 +01:00 · 48446f1f1b
commit 48446f1f1b
parent aefa65dfca
4 changed files with 68 additions and 93 deletions
--- a/openssh-5.8p1-audit1a.patch
+++ b/openssh-5.8p1-audit1a.patch
@ -1,39 +0,0 @@
-diff -up openssh-5.8p1/audit-linux.c.audit1a openssh-5.8p1/audit-linux.c
--- openssh-5.8p1/audit-linux.c.audit1a	2011-02-24 13:16:51.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-24 13:17:17.000000000 +0100
-@@ -143,7 +143,7 @@ audit_connection_from(const char *host, 
- void
- audit_run_command(const char *command)
- {
-	if (!user_login_count++) 
-+	if (!user_login_count++ && !options.use_pam) 
- 		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
- 		    NULL, "ssh", 1, AUDIT_USER_LOGIN);
- 	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
-@@ -155,7 +155,7 @@ audit_end_command(const char *command)
- {
- 	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
- 	    NULL, "ssh", 1, AUDIT_USER_END);
-	if (!--user_login_count) 
-+	if (!--user_login_count && !options.use_pam) 
- 		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
- 		    NULL, "ssh", 1, AUDIT_USER_LOGOUT);
- }
-@@ -163,7 +163,7 @@ audit_end_command(const char *command)
- void
- audit_session_open(struct logininfo *li)
- {
-	if (!user_login_count++) 
-+	if (!user_login_count++ && !options.use_pam) 
- 		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
- 		    NULL, li->line, 1, AUDIT_USER_LOGIN);
- 	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
-@@ -175,7 +175,7 @@ audit_session_close(struct logininfo *li
- {
- 	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
- 	    NULL, li->line, 1, AUDIT_USER_END);
-	if (!--user_login_count) 
-+	if (!--user_login_count && !options.use_pam) 
- 		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
- 		    NULL, li->line, 1, AUDIT_USER_LOGOUT);
- }
--- a/openssh-5.8p1-fingerprint.patch
+++ b/openssh-5.8p1-fingerprint.patch
@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/auth2-hostbased.c.fingerprint openssh-5.8p1/auth2-hostbased.c
 --- openssh-5.8p1/auth2-hostbased.c.fingerprint	2010-08-05 05:04:50.000000000 +0200
-+++ openssh-5.8p1/auth2-hostbased.c	2011-02-24 10:30:47.000000000 +0100
+++ openssh-5.8p1/auth2-hostbased.c	2011-02-25 09:17:18.000000000 +0100
@@ -196,16 +196,18 @@ hostbased_key_allowed(struct passwd *pw,
 
 	if (host_status == HOST_OK) {
@ -29,7 +29,7 @@ diff -up openssh-5.8p1/auth2-hostbased.c.fingerprint openssh-5.8p1/auth2-hostbas
 	}
 diff -up openssh-5.8p1/auth2-pubkey.c.fingerprint openssh-5.8p1/auth2-pubkey.c
 --- openssh-5.8p1/auth2-pubkey.c.fingerprint	2010-12-01 01:50:14.000000000 +0100
-+++ openssh-5.8p1/auth2-pubkey.c	2011-02-24 10:30:47.000000000 +0100
+++ openssh-5.8p1/auth2-pubkey.c	2011-02-25 09:17:18.000000000 +0100
@@ -319,10 +319,10 @@ user_key_allowed2(struct passwd *pw, Key
 				continue;
 			if (!key_is_cert_authority)
@ -78,7 +78,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.fingerprint openssh-5.8p1/auth2-pubkey.c
 	}
 diff -up openssh-5.8p1/auth.c.fingerprint openssh-5.8p1/auth.c
 --- openssh-5.8p1/auth.c.fingerprint	2010-12-01 02:21:51.000000000 +0100
-+++ openssh-5.8p1/auth.c	2011-02-24 10:30:47.000000000 +0100
+++ openssh-5.8p1/auth.c	2011-02-25 09:17:18.000000000 +0100
@@ -639,9 +639,10 @@ auth_key_is_revoked(Key *key)
 		return 1;
 	case 1:
@ -94,7 +94,7 @@ diff -up openssh-5.8p1/auth.c.fingerprint openssh-5.8p1/auth.c
 	}
 diff -up openssh-5.8p1/auth-rsa.c.fingerprint openssh-5.8p1/auth-rsa.c
 --- openssh-5.8p1/auth-rsa.c.fingerprint	2010-12-04 23:01:47.000000000 +0100
-+++ openssh-5.8p1/auth-rsa.c	2011-02-24 10:30:47.000000000 +0100
+++ openssh-5.8p1/auth-rsa.c	2011-02-25 09:17:18.000000000 +0100
@@ -318,9 +318,9 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli
 	 * options; this will be reset if the options cause the
 	 * authentication to be rejected.
@ -110,20 +110,23 @@ diff -up openssh-5.8p1/auth-rsa.c.fingerprint openssh-5.8p1/auth-rsa.c
 
 diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c
 --- openssh-5.8p1/key.c.fingerprint	2011-02-04 01:48:34.000000000 +0100
-+++ openssh-5.8p1/key.c	2011-02-24 10:33:05.000000000 +0100
-@@ -594,6 +594,32 @@ key_fingerprint(Key *k, enum fp_type dgs
+++ openssh-5.8p1/key.c	2011-02-25 09:18:16.000000000 +0100
+@@ -594,6 +594,34 @@ key_fingerprint(Key *k, enum fp_type dgs
 	return retval;
 }
 
-+int
+enum fp_type
 +key_fingerprint_selection(void)
 +{
+	static enum fp_type rv;
+	static char rv_defined = 0;
 +	char *env;
-+	static int rv = -1;
 +
-+	if (rv == -1) {
+	if (!rv_defined) {
 +		env = getenv("SSH_FINGERPRINT_TYPE");
-+		rv = env && !strcmp (env, "sha");
+		rv = (env && !strcmp (env, "sha")) ?
+			SSH_FP_SHA1 : SSH_FP_MD5;
+		rv_defined = 1;
 +	}
 +	return rv;
 +}
@ -131,14 +134,13 @@ diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c
 +char *
 +key_selected_fingerprint(Key *k, enum fp_rep dgst_rep)
 +{
-+	return key_fingerprint(k, key_fingerprint_selection() ?
-+	    SSH_FP_SHA1 : SSH_FP_MD5, dgst_rep);
+	return key_fingerprint(k, key_fingerprint_selection(), dgst_rep);
 +}
 +
 +char *
 +key_fingerprint_prefix(void)
 +{
-+	return key_fingerprint_selection() ? "sha1:" : "";
+	return key_fingerprint_selection() == SSH_FP_SHA1 ? "sha1:" : "";
 +}
 +
 /*
@ -146,12 +148,12 @@ diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c
  * the pointer.  The integer must already be initialized.  This function is
 diff -up openssh-5.8p1/key.h.fingerprint openssh-5.8p1/key.h
 --- openssh-5.8p1/key.h.fingerprint	2010-11-05 00:19:49.000000000 +0100
-+++ openssh-5.8p1/key.h	2011-02-24 10:30:47.000000000 +0100
+++ openssh-5.8p1/key.h	2011-02-25 09:17:18.000000000 +0100
@@ -96,6 +96,9 @@ int		 key_equal_public(const Key *, cons
 int		 key_equal(const Key *, const Key *);
 char		*key_fingerprint(Key *, enum fp_type, enum fp_rep);
 u_char		*key_fingerprint_raw(Key *, enum fp_type, u_int *);
-+int		 key_fingerprint_selection(void);
+enum fp_type	 key_fingerprint_selection(void);
 +char		*key_selected_fingerprint(Key *, enum fp_rep);
 +char		*key_fingerprint_prefix(void);
 const char	*key_type(const Key *);
@ -159,7 +161,7 @@ diff -up openssh-5.8p1/key.h.fingerprint openssh-5.8p1/key.h
 int		 key_write(const Key *, FILE *);
 diff -up openssh-5.8p1/ssh-add.c.fingerprint openssh-5.8p1/ssh-add.c
 --- openssh-5.8p1/ssh-add.c.fingerprint	2010-11-11 04:17:02.000000000 +0100
-+++ openssh-5.8p1/ssh-add.c	2011-02-24 10:30:47.000000000 +0100
+++ openssh-5.8p1/ssh-add.c	2011-02-25 09:17:18.000000000 +0100
@@ -280,10 +280,10 @@ list_identities(AuthenticationConnection
 		    key = ssh_get_next_identity(ac, &comment, version)) {
 			had_identities = 1;
@ -177,7 +179,7 @@ diff -up openssh-5.8p1/ssh-add.c.fingerprint openssh-5.8p1/ssh-add.c
 				if (!key_write(key, stdout))
 diff -up openssh-5.8p1/ssh-agent.c.fingerprint openssh-5.8p1/ssh-agent.c
 --- openssh-5.8p1/ssh-agent.c.fingerprint	2010-12-01 01:50:35.000000000 +0100
-+++ openssh-5.8p1/ssh-agent.c	2011-02-24 10:30:47.000000000 +0100
+++ openssh-5.8p1/ssh-agent.c	2011-02-25 09:17:18.000000000 +0100
@@ -199,9 +199,9 @@ confirm_key(Identity *id)
 	char *p;
 	int ret = -1;
@ -193,7 +195,7 @@ diff -up openssh-5.8p1/ssh-agent.c.fingerprint openssh-5.8p1/ssh-agent.c
 
 diff -up openssh-5.8p1/sshconnect2.c.fingerprint openssh-5.8p1/sshconnect2.c
 --- openssh-5.8p1/sshconnect2.c.fingerprint	2010-12-01 02:21:51.000000000 +0100
-+++ openssh-5.8p1/sshconnect2.c	2011-02-24 10:30:47.000000000 +0100
+++ openssh-5.8p1/sshconnect2.c	2011-02-25 09:17:18.000000000 +0100
@@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t
 		    key->type, pktype);
 		goto done;
@ -220,7 +222,7 @@ diff -up openssh-5.8p1/sshconnect2.c.fingerprint openssh-5.8p1/sshconnect2.c
 	if (key_to_blob(id->key, &blob, &bloblen) == 0) {
 diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
 --- openssh-5.8p1/sshconnect.c.fingerprint	2011-01-16 13:17:59.000000000 +0100
-+++ openssh-5.8p1/sshconnect.c	2011-02-24 10:30:47.000000000 +0100
+++ openssh-5.8p1/sshconnect.c	2011-02-25 09:17:18.000000000 +0100
@@ -798,10 +798,10 @@ check_host_key(char *hostname, struct so
 				    "key for IP address '%.128s' to the list "
 				    "of known hosts.", type, ip);
@ -316,7 +318,7 @@ diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
 	xfree(fp);
 diff -up openssh-5.8p1/ssh-keygen.c.fingerprint openssh-5.8p1/ssh-keygen.c
 --- openssh-5.8p1/ssh-keygen.c.fingerprint	2011-01-11 07:20:31.000000000 +0100
-+++ openssh-5.8p1/ssh-keygen.c	2011-02-24 10:30:47.000000000 +0100
+++ openssh-5.8p1/ssh-keygen.c	2011-02-25 09:17:18.000000000 +0100
@@ -714,13 +714,14 @@ do_fingerprint(struct passwd *pw)
 {
 	FILE *f;
--- a/openssh-5.8p1-fips.patch
+++ b/openssh-5.8p1-fips.patch
@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/authfile.c.fips openssh-5.8p1/authfile.c
 --- openssh-5.8p1/authfile.c.fips	2010-12-01 02:03:39.000000000 +0100
-+++ openssh-5.8p1/authfile.c	2011-02-24 10:34:41.000000000 +0100
+++ openssh-5.8p1/authfile.c	2011-02-25 09:23:19.000000000 +0100
@@ -145,8 +145,14 @@ key_private_rsa1_to_blob(Key *key, Buffe
 	/* Allocate space for the private part of the key in the buffer. */
 	cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@ -35,8 +35,8 @@ diff -up openssh-5.8p1/authfile.c.fips openssh-5.8p1/authfile.c
 	    buffer_ptr(blob), buffer_len(blob));
 	cipher_cleanup(&ciphercontext);
 diff -up openssh-5.8p1/cipher.c.fips openssh-5.8p1/cipher.c
--- openssh-5.8p1/cipher.c.fips	2011-02-24 10:34:40.000000000 +0100
-+++ openssh-5.8p1/cipher.c	2011-02-24 10:34:41.000000000 +0100
+--- openssh-5.8p1/cipher.c.fips	2011-02-25 09:23:18.000000000 +0100
+++ openssh-5.8p1/cipher.c	2011-02-25 09:23:19.000000000 +0100
@@ -40,6 +40,7 @@
 #include <sys/types.h>
 
@ -123,7 +123,7 @@ diff -up openssh-5.8p1/cipher.c.fips openssh-5.8p1/cipher.c
 /*
 diff -up openssh-5.8p1/cipher-ctr.c.fips openssh-5.8p1/cipher-ctr.c
 --- openssh-5.8p1/cipher-ctr.c.fips	2010-10-07 13:06:42.000000000 +0200
-+++ openssh-5.8p1/cipher-ctr.c	2011-02-24 10:34:41.000000000 +0100
+++ openssh-5.8p1/cipher-ctr.c	2011-02-25 09:23:19.000000000 +0100
@@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
 	aes_ctr.do_cipher = ssh_aes_ctr;
 #ifndef SSH_OLD_EVP
@ -135,8 +135,8 @@ diff -up openssh-5.8p1/cipher-ctr.c.fips openssh-5.8p1/cipher-ctr.c
 	return (&aes_ctr);
 }
 diff -up openssh-5.8p1/cipher.h.fips openssh-5.8p1/cipher.h
--- openssh-5.8p1/cipher.h.fips	2011-02-24 10:34:40.000000000 +0100
-+++ openssh-5.8p1/cipher.h	2011-02-24 10:34:41.000000000 +0100
+--- openssh-5.8p1/cipher.h.fips	2011-02-25 09:23:18.000000000 +0100
+++ openssh-5.8p1/cipher.h	2011-02-25 09:23:19.000000000 +0100
@@ -87,7 +87,7 @@ void	 cipher_init(CipherContext *, Ciphe
     const u_char *, u_int, int);
 void	 cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
@ -147,8 +147,8 @@ diff -up openssh-5.8p1/cipher.h.fips openssh-5.8p1/cipher.h
 u_int	 cipher_keylen(const Cipher *);
 u_int	 cipher_is_cbc(const Cipher *);
 diff -up openssh-5.8p1/key.c.fips openssh-5.8p1/key.c
--- openssh-5.8p1/key.c.fips	2011-02-24 10:35:39.000000000 +0100
-+++ openssh-5.8p1/key.c	2011-02-24 10:37:20.000000000 +0100
+--- openssh-5.8p1/key.c.fips	2011-02-25 09:23:19.000000000 +0100
+++ openssh-5.8p1/key.c	2011-02-25 09:24:35.000000000 +0100
@@ -40,6 +40,7 @@
 #include <sys/types.h>
 
@ -157,18 +157,26 @@ diff -up openssh-5.8p1/key.c.fips openssh-5.8p1/key.c
 #include <openbsd-compat/openssl-compat.h>
 
 #include <stdarg.h>
-@@ -601,6 +602,8 @@ key_fingerprint_selection(void)
- 	static int rv = -1;
+@@ -602,9 +603,13 @@ key_fingerprint_selection(void)
+ 	char *env;
 
- 	if (rv == -1) {
+ 	if (!rv_defined) {
+-		env = getenv("SSH_FINGERPRINT_TYPE");
+-		rv = (env && !strcmp (env, "sha")) ?
+-			SSH_FP_SHA1 : SSH_FP_MD5;
 +		if (FIPS_mode())
-+			return (rv = 1);
- 		env = getenv("SSH_FINGERPRINT_TYPE");
- 		rv = env && !strcmp (env, "sha");
+			rv = SSH_FP_SHA1;
+		else {
+			env = getenv("SSH_FINGERPRINT_TYPE");
+			rv = (env && !strcmp (env, "sha")) ?
+				SSH_FP_SHA1 : SSH_FP_MD5;
+		}
+ 		rv_defined = 1;
 	}
+ 	return rv;
 diff -up openssh-5.8p1/mac.c.fips openssh-5.8p1/mac.c
--- openssh-5.8p1/mac.c.fips	2011-02-24 10:34:40.000000000 +0100
-+++ openssh-5.8p1/mac.c	2011-02-24 10:34:41.000000000 +0100
+--- openssh-5.8p1/mac.c.fips	2011-02-25 09:23:18.000000000 +0100
+++ openssh-5.8p1/mac.c	2011-02-25 09:23:19.000000000 +0100
@@ -28,6 +28,7 @@
 #include <sys/types.h>
 
@ -219,8 +227,8 @@ diff -up openssh-5.8p1/mac.c.fips openssh-5.8p1/mac.c
 	for (i = 0; macs[i].name; i++) {
 		if (strcmp(name, macs[i].name) == 0) {
 diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
--- openssh-5.8p1/Makefile.in.fips	2011-02-24 10:34:40.000000000 +0100
-+++ openssh-5.8p1/Makefile.in	2011-02-24 10:34:41.000000000 +0100
+--- openssh-5.8p1/Makefile.in.fips	2011-02-25 09:23:19.000000000 +0100
+++ openssh-5.8p1/Makefile.in	2011-02-25 09:23:19.000000000 +0100
@@ -145,25 +145,25 @@ libssh.a: $(LIBSSH_OBJS)
 	$(RANLIB) $@
 
@ -264,7 +272,7 @@ diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 diff -up openssh-5.8p1/myproposal.h.fips openssh-5.8p1/myproposal.h
 --- openssh-5.8p1/myproposal.h.fips	2011-01-13 12:00:22.000000000 +0100
-+++ openssh-5.8p1/myproposal.h	2011-02-24 10:34:41.000000000 +0100
+++ openssh-5.8p1/myproposal.h	2011-02-25 09:23:19.000000000 +0100
@@ -81,7 +81,12 @@
 	"hmac-sha1-96,hmac-md5-96"
 #define	KEX_DEFAULT_COMP	"none,zlib@openssh.com,zlib"
@ -281,7 +289,7 @@ diff -up openssh-5.8p1/myproposal.h.fips openssh-5.8p1/myproposal.h
 	KEX_DEFAULT_KEX,
 diff -up openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.8p1/openbsd-compat/bsd-arc4random.c
 --- openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips	2010-03-25 22:52:02.000000000 +0100
-+++ openssh-5.8p1/openbsd-compat/bsd-arc4random.c	2011-02-24 10:34:41.000000000 +0100
+++ openssh-5.8p1/openbsd-compat/bsd-arc4random.c	2011-02-25 09:23:19.000000000 +0100
@@ -39,6 +39,7 @@
 static int rc4_ready = 0;
 static RC4_KEY rc4;
@ -325,7 +333,7 @@ diff -up openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.8p1/openbs
 #ifndef HAVE_ARC4RANDOM_BUF
 diff -up openssh-5.8p1/ssh.c.fips openssh-5.8p1/ssh.c
 --- openssh-5.8p1/ssh.c.fips	2011-02-04 01:42:15.000000000 +0100
-+++ openssh-5.8p1/ssh.c	2011-02-24 10:34:41.000000000 +0100
+++ openssh-5.8p1/ssh.c	2011-02-25 09:23:19.000000000 +0100
@@ -73,6 +73,8 @@
 
 #include <openssl/evp.h>
@ -389,8 +397,8 @@ diff -up openssh-5.8p1/ssh.c.fips openssh-5.8p1/ssh.c
 	if (ssh_connect(host, &hostaddr, options.port,
 	    options.address_family, options.connection_attempts, &timeout_ms,
 diff -up openssh-5.8p1/sshconnect2.c.fips openssh-5.8p1/sshconnect2.c
--- openssh-5.8p1/sshconnect2.c.fips	2011-02-24 10:34:40.000000000 +0100
-+++ openssh-5.8p1/sshconnect2.c	2011-02-24 10:34:41.000000000 +0100
+--- openssh-5.8p1/sshconnect2.c.fips	2011-02-25 09:23:18.000000000 +0100
+++ openssh-5.8p1/sshconnect2.c	2011-02-25 09:23:19.000000000 +0100
@@ -44,6 +44,8 @@
 #include <vis.h>
 #endif
@ -424,8 +432,8 @@ diff -up openssh-5.8p1/sshconnect2.c.fips openssh-5.8p1/sshconnect2.c
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 		    options.hostkeyalgorithms;
 diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
--- openssh-5.8p1/sshd.c.fips	2011-02-24 10:34:41.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-02-24 10:34:41.000000000 +0100
+--- openssh-5.8p1/sshd.c.fips	2011-02-25 09:23:19.000000000 +0100
+++ openssh-5.8p1/sshd.c	2011-02-25 09:23:19.000000000 +0100
@@ -76,6 +76,8 @@
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@ -435,7 +443,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
 #include "openbsd-compat/openssl-compat.h"
 
 #ifdef HAVE_SECUREWARE
-@@ -1363,6 +1365,12 @@ main(int ac, char **av)
+@@ -1364,6 +1366,12 @@ main(int ac, char **av)
 	(void)set_auth_parameters(ac, av);
 #endif
 	__progname = ssh_get_progname(av[0]);
@ -448,7 +456,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
 	init_rng();
 
 	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
-@@ -1524,8 +1532,6 @@ main(int ac, char **av)
+@@ -1525,8 +1533,6 @@ main(int ac, char **av)
 	else
 		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
 
@ -457,7 +465,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
 	/*
 	 * Force logging to stderr until we have loaded the private host
 	 * key (unless started from inetd)
-@@ -1644,6 +1650,10 @@ main(int ac, char **av)
+@@ -1645,6 +1651,10 @@ main(int ac, char **av)
 		debug("private host key: #%d type %d %s", i, key->type,
 		    key_type(key));
 	}
@ -468,7 +476,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
 	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
 		logit("Disabling protocol version 1. Could not load host key");
 		options.protocol &= ~SSH_PROTO_1;
-@@ -1808,6 +1818,10 @@ main(int ac, char **av)
+@@ -1809,6 +1819,10 @@ main(int ac, char **av)
 	/* Initialize the random number generator. */
 	arc4random_stir();
 
@ -479,7 +487,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
 	/* Chdir to the root directory so that the current disk can be
 	   unmounted if desired. */
 	chdir("/");
-@@ -2349,6 +2363,9 @@ do_ssh2_kex(void)
+@@ -2350,6 +2364,9 @@ do_ssh2_kex(void)
 	if (options.ciphers != NULL) {
 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -489,7 +497,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
 	}
 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2358,6 +2375,9 @@ do_ssh2_kex(void)
+@@ -2359,6 +2376,9 @@ do_ssh2_kex(void)
 	if (options.macs != NULL) {
 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
--- a/openssh.spec
+++ b/openssh.spec
@ -71,7 +71,7 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.8p1
-%define openssh_rel 8
+%define openssh_rel 9
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 30

@ -619,11 +619,15 @@ fi
 %endif

 %changelog
-* Thu Feb 24 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-8 + 0.9.2-30
+* Fri Feb 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-9 + 0.9.2-30
 - another audit improovements

+* Thu Feb 24 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-8 + 0.9.2-30
+- another audit improovements
+- switchable fingerprint mode
+
 * Thu Feb 17 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-4 + 0.9.2-30
- improve audit of server ket management
+- improve audit of server key management

 * Wed Feb 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-3 + 0.9.2-30
 - improve audit of logins and auths