another audit improovements

openssh-5.8p1-audit1a.patch

@@ -1,39 +0,0 @@
-diff -up openssh-5.8p1/audit-linux.c.audit1a openssh-5.8p1/audit-linux.c
---- openssh-5.8p1/audit-linux.c.audit1a	2011-02-24 13:16:51.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-02-24 13:17:17.000000000 +0100
-@@ -143,7 +143,7 @@ audit_connection_from(const char *host, 
- void
- audit_run_command(const char *command)
- {
--	if (!user_login_count++) 
-+	if (!user_login_count++ && !options.use_pam) 
- 		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
- 		    NULL, "ssh", 1, AUDIT_USER_LOGIN);
- 	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
-@@ -155,7 +155,7 @@ audit_end_command(const char *command)
- {
- 	linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
- 	    NULL, "ssh", 1, AUDIT_USER_END);
--	if (!--user_login_count) 
-+	if (!--user_login_count && !options.use_pam) 
- 		linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
- 		    NULL, "ssh", 1, AUDIT_USER_LOGOUT);
- }
-@@ -163,7 +163,7 @@ audit_end_command(const char *command)
- void
- audit_session_open(struct logininfo *li)
- {
--	if (!user_login_count++) 
-+	if (!user_login_count++ && !options.use_pam) 
- 		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
- 		    NULL, li->line, 1, AUDIT_USER_LOGIN);
- 	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
-@@ -175,7 +175,7 @@ audit_session_close(struct logininfo *li
- {
- 	linux_audit_user_logxxx(li->uid, NULL, li->hostname,
- 	    NULL, li->line, 1, AUDIT_USER_END);
--	if (!--user_login_count) 
-+	if (!--user_login_count && !options.use_pam) 
- 		linux_audit_user_logxxx(li->uid, NULL, li->hostname,
- 		    NULL, li->line, 1, AUDIT_USER_LOGOUT);
- }

openssh-5.8p1-fingerprint.patch

@@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/auth2-hostbased.c.fingerprint openssh-5.8p1/auth2-hostbased.c
 --- openssh-5.8p1/auth2-hostbased.c.fingerprint	2010-08-05 05:04:50.000000000 +0200
-+++ openssh-5.8p1/auth2-hostbased.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/auth2-hostbased.c	2011-02-25 09:17:18.000000000 +0100
 @@ -196,16 +196,18 @@ hostbased_key_allowed(struct passwd *pw,
  
  	if (host_status == HOST_OK) {
@@ -29,7 +29,7 @@ diff -up openssh-5.8p1/auth2-hostbased.c.fingerprint openssh-5.8p1/auth2-hostbas
  	}
 diff -up openssh-5.8p1/auth2-pubkey.c.fingerprint openssh-5.8p1/auth2-pubkey.c
 --- openssh-5.8p1/auth2-pubkey.c.fingerprint	2010-12-01 01:50:14.000000000 +0100
-+++ openssh-5.8p1/auth2-pubkey.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/auth2-pubkey.c	2011-02-25 09:17:18.000000000 +0100
 @@ -319,10 +319,10 @@ user_key_allowed2(struct passwd *pw, Key
  				continue;
  			if (!key_is_cert_authority)
@@ -78,7 +78,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.fingerprint openssh-5.8p1/auth2-pubkey.c
  	}
 diff -up openssh-5.8p1/auth.c.fingerprint openssh-5.8p1/auth.c
 --- openssh-5.8p1/auth.c.fingerprint	2010-12-01 02:21:51.000000000 +0100
-+++ openssh-5.8p1/auth.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/auth.c	2011-02-25 09:17:18.000000000 +0100
 @@ -639,9 +639,10 @@ auth_key_is_revoked(Key *key)
  		return 1;
  	case 1:
@@ -94,7 +94,7 @@ diff -up openssh-5.8p1/auth.c.fingerprint openssh-5.8p1/auth.c
  	}
 diff -up openssh-5.8p1/auth-rsa.c.fingerprint openssh-5.8p1/auth-rsa.c
 --- openssh-5.8p1/auth-rsa.c.fingerprint	2010-12-04 23:01:47.000000000 +0100
-+++ openssh-5.8p1/auth-rsa.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/auth-rsa.c	2011-02-25 09:17:18.000000000 +0100
 @@ -318,9 +318,9 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli
  	 * options; this will be reset if the options cause the
  	 * authentication to be rejected.
@@ -110,20 +110,23 @@ diff -up openssh-5.8p1/auth-rsa.c.fingerprint openssh-5.8p1/auth-rsa.c
  
 diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c
 --- openssh-5.8p1/key.c.fingerprint	2011-02-04 01:48:34.000000000 +0100
-+++ openssh-5.8p1/key.c	2011-02-24 10:33:05.000000000 +0100
++++ openssh-5.8p1/key.c	2011-02-25 09:18:16.000000000 +0100
-@@ -594,6 +594,32 @@ key_fingerprint(Key *k, enum fp_type dgs
+@@ -594,6 +594,34 @@ key_fingerprint(Key *k, enum fp_type dgs
  	return retval;
  }
  
-+int
++enum fp_type
 +key_fingerprint_selection(void)
 +{
++	static enum fp_type rv;
++	static char rv_defined = 0;
 +	char *env;
-+	static int rv = -1;
 +
-+	if (rv == -1) {
++	if (!rv_defined) {
 +		env = getenv("SSH_FINGERPRINT_TYPE");
-+		rv = env && !strcmp (env, "sha");
++		rv = (env && !strcmp (env, "sha")) ?
++			SSH_FP_SHA1 : SSH_FP_MD5;
++		rv_defined = 1;
 +	}
 +	return rv;
 +}
@@ -131,14 +134,13 @@ diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c
 +char *
 +key_selected_fingerprint(Key *k, enum fp_rep dgst_rep)
 +{
-+	return key_fingerprint(k, key_fingerprint_selection() ?
++	return key_fingerprint(k, key_fingerprint_selection(), dgst_rep);
-+	    SSH_FP_SHA1 : SSH_FP_MD5, dgst_rep);
 +}
 +
 +char *
 +key_fingerprint_prefix(void)
 +{
-+	return key_fingerprint_selection() ? "sha1:" : "";
++	return key_fingerprint_selection() == SSH_FP_SHA1 ? "sha1:" : "";
 +}
 +
  /*
@@ -146,12 +148,12 @@ diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c
   * the pointer.  The integer must already be initialized.  This function is
 diff -up openssh-5.8p1/key.h.fingerprint openssh-5.8p1/key.h
 --- openssh-5.8p1/key.h.fingerprint	2010-11-05 00:19:49.000000000 +0100
-+++ openssh-5.8p1/key.h	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/key.h	2011-02-25 09:17:18.000000000 +0100
 @@ -96,6 +96,9 @@ int		 key_equal_public(const Key *, cons
  int		 key_equal(const Key *, const Key *);
  char		*key_fingerprint(Key *, enum fp_type, enum fp_rep);
  u_char		*key_fingerprint_raw(Key *, enum fp_type, u_int *);
-+int		 key_fingerprint_selection(void);
++enum fp_type	 key_fingerprint_selection(void);
 +char		*key_selected_fingerprint(Key *, enum fp_rep);
 +char		*key_fingerprint_prefix(void);
  const char	*key_type(const Key *);
@@ -159,7 +161,7 @@ diff -up openssh-5.8p1/key.h.fingerprint openssh-5.8p1/key.h
  int		 key_write(const Key *, FILE *);
 diff -up openssh-5.8p1/ssh-add.c.fingerprint openssh-5.8p1/ssh-add.c
 --- openssh-5.8p1/ssh-add.c.fingerprint	2010-11-11 04:17:02.000000000 +0100
-+++ openssh-5.8p1/ssh-add.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/ssh-add.c	2011-02-25 09:17:18.000000000 +0100
 @@ -280,10 +280,10 @@ list_identities(AuthenticationConnection
  		    key = ssh_get_next_identity(ac, &comment, version)) {
  			had_identities = 1;
@@ -177,7 +179,7 @@ diff -up openssh-5.8p1/ssh-add.c.fingerprint openssh-5.8p1/ssh-add.c
  				if (!key_write(key, stdout))
 diff -up openssh-5.8p1/ssh-agent.c.fingerprint openssh-5.8p1/ssh-agent.c
 --- openssh-5.8p1/ssh-agent.c.fingerprint	2010-12-01 01:50:35.000000000 +0100
-+++ openssh-5.8p1/ssh-agent.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/ssh-agent.c	2011-02-25 09:17:18.000000000 +0100
 @@ -199,9 +199,9 @@ confirm_key(Identity *id)
  	char *p;
  	int ret = -1;
@@ -193,7 +195,7 @@ diff -up openssh-5.8p1/ssh-agent.c.fingerprint openssh-5.8p1/ssh-agent.c
  
 diff -up openssh-5.8p1/sshconnect2.c.fingerprint openssh-5.8p1/sshconnect2.c
 --- openssh-5.8p1/sshconnect2.c.fingerprint	2010-12-01 02:21:51.000000000 +0100
-+++ openssh-5.8p1/sshconnect2.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/sshconnect2.c	2011-02-25 09:17:18.000000000 +0100
 @@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t
  		    key->type, pktype);
  		goto done;
@@ -220,7 +222,7 @@ diff -up openssh-5.8p1/sshconnect2.c.fingerprint openssh-5.8p1/sshconnect2.c
  	if (key_to_blob(id->key, &blob, &bloblen) == 0) {
 diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
 --- openssh-5.8p1/sshconnect.c.fingerprint	2011-01-16 13:17:59.000000000 +0100
-+++ openssh-5.8p1/sshconnect.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/sshconnect.c	2011-02-25 09:17:18.000000000 +0100
 @@ -798,10 +798,10 @@ check_host_key(char *hostname, struct so
  				    "key for IP address '%.128s' to the list "
  				    "of known hosts.", type, ip);
@@ -316,7 +318,7 @@ diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c
  	xfree(fp);
 diff -up openssh-5.8p1/ssh-keygen.c.fingerprint openssh-5.8p1/ssh-keygen.c
 --- openssh-5.8p1/ssh-keygen.c.fingerprint	2011-01-11 07:20:31.000000000 +0100
-+++ openssh-5.8p1/ssh-keygen.c	2011-02-24 10:30:47.000000000 +0100
++++ openssh-5.8p1/ssh-keygen.c	2011-02-25 09:17:18.000000000 +0100
 @@ -714,13 +714,14 @@ do_fingerprint(struct passwd *pw)
  {
  	FILE *f;

openssh-5.8p1-fips.patch

@@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/authfile.c.fips openssh-5.8p1/authfile.c
 --- openssh-5.8p1/authfile.c.fips	2010-12-01 02:03:39.000000000 +0100
-+++ openssh-5.8p1/authfile.c	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/authfile.c	2011-02-25 09:23:19.000000000 +0100
 @@ -145,8 +145,14 @@ key_private_rsa1_to_blob(Key *key, Buffe
  	/* Allocate space for the private part of the key in the buffer. */
  	cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@@ -35,8 +35,8 @@ diff -up openssh-5.8p1/authfile.c.fips openssh-5.8p1/authfile.c
  	    buffer_ptr(blob), buffer_len(blob));
  	cipher_cleanup(&ciphercontext);
 diff -up openssh-5.8p1/cipher.c.fips openssh-5.8p1/cipher.c
---- openssh-5.8p1/cipher.c.fips	2011-02-24 10:34:40.000000000 +0100
+--- openssh-5.8p1/cipher.c.fips	2011-02-25 09:23:18.000000000 +0100
-+++ openssh-5.8p1/cipher.c	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/cipher.c	2011-02-25 09:23:19.000000000 +0100
 @@ -40,6 +40,7 @@
  #include <sys/types.h>
  
@@ -123,7 +123,7 @@ diff -up openssh-5.8p1/cipher.c.fips openssh-5.8p1/cipher.c
  /*
 diff -up openssh-5.8p1/cipher-ctr.c.fips openssh-5.8p1/cipher-ctr.c
 --- openssh-5.8p1/cipher-ctr.c.fips	2010-10-07 13:06:42.000000000 +0200
-+++ openssh-5.8p1/cipher-ctr.c	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/cipher-ctr.c	2011-02-25 09:23:19.000000000 +0100
 @@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
  	aes_ctr.do_cipher = ssh_aes_ctr;
  #ifndef SSH_OLD_EVP
@@ -135,8 +135,8 @@ diff -up openssh-5.8p1/cipher-ctr.c.fips openssh-5.8p1/cipher-ctr.c
  	return (&aes_ctr);
  }
 diff -up openssh-5.8p1/cipher.h.fips openssh-5.8p1/cipher.h
---- openssh-5.8p1/cipher.h.fips	2011-02-24 10:34:40.000000000 +0100
+--- openssh-5.8p1/cipher.h.fips	2011-02-25 09:23:18.000000000 +0100
-+++ openssh-5.8p1/cipher.h	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/cipher.h	2011-02-25 09:23:19.000000000 +0100
 @@ -87,7 +87,7 @@ void	 cipher_init(CipherContext *, Ciphe
      const u_char *, u_int, int);
  void	 cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
@@ -147,8 +147,8 @@ diff -up openssh-5.8p1/cipher.h.fips openssh-5.8p1/cipher.h
  u_int	 cipher_keylen(const Cipher *);
  u_int	 cipher_is_cbc(const Cipher *);
 diff -up openssh-5.8p1/key.c.fips openssh-5.8p1/key.c
---- openssh-5.8p1/key.c.fips	2011-02-24 10:35:39.000000000 +0100
+--- openssh-5.8p1/key.c.fips	2011-02-25 09:23:19.000000000 +0100
-+++ openssh-5.8p1/key.c	2011-02-24 10:37:20.000000000 +0100
++++ openssh-5.8p1/key.c	2011-02-25 09:24:35.000000000 +0100
 @@ -40,6 +40,7 @@
  #include <sys/types.h>
  
@@ -157,18 +157,26 @@ diff -up openssh-5.8p1/key.c.fips openssh-5.8p1/key.c
  #include <openbsd-compat/openssl-compat.h>
  
  #include <stdarg.h>
-@@ -601,6 +602,8 @@ key_fingerprint_selection(void)
+@@ -602,9 +603,13 @@ key_fingerprint_selection(void)
- 	static int rv = -1;
+ 	char *env;
  
- 	if (rv == -1) {
+ 	if (!rv_defined) {
+-		env = getenv("SSH_FINGERPRINT_TYPE");
+-		rv = (env && !strcmp (env, "sha")) ?
+-			SSH_FP_SHA1 : SSH_FP_MD5;
 +		if (FIPS_mode())
-+			return (rv = 1);
++			rv = SSH_FP_SHA1;
- 		env = getenv("SSH_FINGERPRINT_TYPE");
++		else {
- 		rv = env && !strcmp (env, "sha");
++			env = getenv("SSH_FINGERPRINT_TYPE");
++			rv = (env && !strcmp (env, "sha")) ?
++				SSH_FP_SHA1 : SSH_FP_MD5;
++		}
+ 		rv_defined = 1;
  	}
+ 	return rv;
 diff -up openssh-5.8p1/mac.c.fips openssh-5.8p1/mac.c
---- openssh-5.8p1/mac.c.fips	2011-02-24 10:34:40.000000000 +0100
+--- openssh-5.8p1/mac.c.fips	2011-02-25 09:23:18.000000000 +0100
-+++ openssh-5.8p1/mac.c	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/mac.c	2011-02-25 09:23:19.000000000 +0100
 @@ -28,6 +28,7 @@
  #include <sys/types.h>
  
@@ -219,8 +227,8 @@ diff -up openssh-5.8p1/mac.c.fips openssh-5.8p1/mac.c
  	for (i = 0; macs[i].name; i++) {
  		if (strcmp(name, macs[i].name) == 0) {
 diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
---- openssh-5.8p1/Makefile.in.fips	2011-02-24 10:34:40.000000000 +0100
+--- openssh-5.8p1/Makefile.in.fips	2011-02-25 09:23:19.000000000 +0100
-+++ openssh-5.8p1/Makefile.in	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/Makefile.in	2011-02-25 09:23:19.000000000 +0100
 @@ -145,25 +145,25 @@ libssh.a: $(LIBSSH_OBJS)
  	$(RANLIB) $@
  
@@ -264,7 +272,7 @@ diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
  	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 diff -up openssh-5.8p1/myproposal.h.fips openssh-5.8p1/myproposal.h
 --- openssh-5.8p1/myproposal.h.fips	2011-01-13 12:00:22.000000000 +0100
-+++ openssh-5.8p1/myproposal.h	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/myproposal.h	2011-02-25 09:23:19.000000000 +0100
 @@ -81,7 +81,12 @@
  	"hmac-sha1-96,hmac-md5-96"
  #define	KEX_DEFAULT_COMP	"none,zlib@openssh.com,zlib"
@@ -281,7 +289,7 @@ diff -up openssh-5.8p1/myproposal.h.fips openssh-5.8p1/myproposal.h
  	KEX_DEFAULT_KEX,
 diff -up openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.8p1/openbsd-compat/bsd-arc4random.c
 --- openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips	2010-03-25 22:52:02.000000000 +0100
-+++ openssh-5.8p1/openbsd-compat/bsd-arc4random.c	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/openbsd-compat/bsd-arc4random.c	2011-02-25 09:23:19.000000000 +0100
 @@ -39,6 +39,7 @@
  static int rc4_ready = 0;
  static RC4_KEY rc4;
@@ -325,7 +333,7 @@ diff -up openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.8p1/openbs
  #ifndef HAVE_ARC4RANDOM_BUF
 diff -up openssh-5.8p1/ssh.c.fips openssh-5.8p1/ssh.c
 --- openssh-5.8p1/ssh.c.fips	2011-02-04 01:42:15.000000000 +0100
-+++ openssh-5.8p1/ssh.c	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/ssh.c	2011-02-25 09:23:19.000000000 +0100
 @@ -73,6 +73,8 @@
  
  #include <openssl/evp.h>
@@ -389,8 +397,8 @@ diff -up openssh-5.8p1/ssh.c.fips openssh-5.8p1/ssh.c
  	if (ssh_connect(host, &hostaddr, options.port,
  	    options.address_family, options.connection_attempts, &timeout_ms,
 diff -up openssh-5.8p1/sshconnect2.c.fips openssh-5.8p1/sshconnect2.c
---- openssh-5.8p1/sshconnect2.c.fips	2011-02-24 10:34:40.000000000 +0100
+--- openssh-5.8p1/sshconnect2.c.fips	2011-02-25 09:23:18.000000000 +0100
-+++ openssh-5.8p1/sshconnect2.c	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/sshconnect2.c	2011-02-25 09:23:19.000000000 +0100
 @@ -44,6 +44,8 @@
  #include <vis.h>
  #endif
@@ -424,8 +432,8 @@ diff -up openssh-5.8p1/sshconnect2.c.fips openssh-5.8p1/sshconnect2.c
  		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
  		    options.hostkeyalgorithms;
 diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
---- openssh-5.8p1/sshd.c.fips	2011-02-24 10:34:41.000000000 +0100
+--- openssh-5.8p1/sshd.c.fips	2011-02-25 09:23:19.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-02-24 10:34:41.000000000 +0100
++++ openssh-5.8p1/sshd.c	2011-02-25 09:23:19.000000000 +0100
 @@ -76,6 +76,8 @@
  #include <openssl/bn.h>
  #include <openssl/md5.h>
@@ -435,7 +443,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  #include "openbsd-compat/openssl-compat.h"
  
  #ifdef HAVE_SECUREWARE
-@@ -1363,6 +1365,12 @@ main(int ac, char **av)
+@@ -1364,6 +1366,12 @@ main(int ac, char **av)
  	(void)set_auth_parameters(ac, av);
  #endif
  	__progname = ssh_get_progname(av[0]);
@@ -448,7 +456,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  	init_rng();
  
  	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
-@@ -1524,8 +1532,6 @@ main(int ac, char **av)
+@@ -1525,8 +1533,6 @@ main(int ac, char **av)
  	else
  		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
  
@@ -457,7 +465,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  	/*
  	 * Force logging to stderr until we have loaded the private host
  	 * key (unless started from inetd)
-@@ -1644,6 +1650,10 @@ main(int ac, char **av)
+@@ -1645,6 +1651,10 @@ main(int ac, char **av)
  		debug("private host key: #%d type %d %s", i, key->type,
  		    key_type(key));
  	}
@@ -468,7 +476,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
  		logit("Disabling protocol version 1. Could not load host key");
  		options.protocol &= ~SSH_PROTO_1;
-@@ -1808,6 +1818,10 @@ main(int ac, char **av)
+@@ -1809,6 +1819,10 @@ main(int ac, char **av)
  	/* Initialize the random number generator. */
  	arc4random_stir();
  
@@ -479,7 +487,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  	/* Chdir to the root directory so that the current disk can be
  	   unmounted if desired. */
  	chdir("/");
-@@ -2349,6 +2363,9 @@ do_ssh2_kex(void)
+@@ -2350,6 +2364,9 @@ do_ssh2_kex(void)
  	if (options.ciphers != NULL) {
  		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -489,7 +497,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  	}
  	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2358,6 +2375,9 @@ do_ssh2_kex(void)
+@@ -2359,6 +2376,9 @@ do_ssh2_kex(void)
  	if (options.macs != NULL) {
  		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
  		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;

openssh.spec

@@ -71,7 +71,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.8p1
-%define openssh_rel 8
+%define openssh_rel 9
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 30
 
@@ -619,11 +619,15 @@ fi
 %endif
 
 %changelog
-* Thu Feb 24 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-8 + 0.9.2-30
+* Fri Feb 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-9 + 0.9.2-30
 - another audit improovements
 
+* Thu Feb 24 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-8 + 0.9.2-30
+- another audit improovements
+- switchable fingerprint mode
+
 * Thu Feb 17 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-4 + 0.9.2-30
-- improve audit of server ket management
+- improve audit of server key management
 
 * Wed Feb 16 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-3 + 0.9.2-30
 - improve audit of logins and auths