rebase patches to openssh-7.6p1 and make it build

This commit is contained in:
Jakub Jelen 2017-09-26 14:04:45 +02:00
parent 9e46aafab9
commit 5b55d0951d
23 changed files with 1501 additions and 2782 deletions


@ -34,7 +34,7 @@ diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
void log_init(char *, LogLevel, SyslogFacility, int); void log_init(char *, LogLevel, SyslogFacility, int);
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int); +void log_init_handler(char *, LogLevel, SyslogFacility, int, int);
void log_change_level(LogLevel); int log_change_level(LogLevel);
int log_is_on_stderr(void); int log_is_on_stderr(void);
void log_redirect_stderr_to(const char *); void log_redirect_stderr_to(const char *);
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
@ -123,30 +123,8 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
static int in_chroot = 0; static int in_chroot = 0;
+static int have_dev_log = 1; +static int have_dev_log = 1;
/* Name and directory of socket for authentication agent forwarding. */ /* File containing userauth info, if ExposeAuthInfo set */
static char *auth_sock_name = NULL; static char *auth_info_file = NULL;
@@ -365,8 +366,8 @@ do_exec_no_pty(Session *s, const char *c
is_child = 1;
/* Child. Reinitialize the log since the pid has changed. */
- log_init(__progname, options.log_level,
- options.log_facility, log_stderr);
+ log_init_handler(__progname, options.log_level,
+ options.log_facility, log_stderr, have_dev_log);
/*
* Create a new session and process group since the 4.4BSD
@@ -523,8 +524,8 @@ do_exec_pty(Session *s, const char *comm
close(ptymaster);
/* Child. Reinitialize the log because the pid has changed. */
- log_init(__progname, options.log_level,
- options.log_facility, log_stderr);
+ log_init_handler(__progname, options.log_level,
+ options.log_facility, log_stderr, have_dev_log);
/* Close the master side of the pseudo tty. */
close(ptyfd);
@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command) @@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
int ret; int ret;
const char *forced = NULL, *tty = NULL; const char *forced = NULL, *tty = NULL;


@ -22,22 +22,22 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100 --- openssh-7.4p1/servconf.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 15:35:36.354401156 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 15:35:36.354401156 +0100
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions @@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
options->fingerprint_hash = -1; options->gss_strict_acceptor = -1;
options->disable_forwarding = -1; options->gss_store_rekey = -1;
options->use_kuserok = -1; options->use_kuserok = -1;
+ options->enable_k5users = -1; + options->enable_k5users = -1;
} options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ options->challenge_response_authentication = -1;
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption @@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
options->disable_forwarding = 0; options->gss_store_rekey = 0;
if (options->use_kuserok == -1) if (options->use_kuserok == -1)
options->use_kuserok = 1; options->use_kuserok = 1;
+ if (options->enable_k5users == -1) + if (options->enable_k5users == -1)
+ options->enable_k5users = 0; + options->enable_k5users = 0;
if (options->password_authentication == -1)
assemble_algorithms(options); options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -418,7 +421,7 @@ typedef enum { @@ -418,7 +421,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sHostKeyAlgorithms, sHostKeyAlgorithms,
@ -80,28 +80,26 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
+ M_CP_INTOPT(enable_k5users); + M_CP_INTOPT(enable_k5users);
M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval); M_CP_INTOPT(rekey_interval);
M_CP_INTOPT(log_level);
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o) @@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); # endif
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users); + dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
#endif
/* string arguments */ #ifdef GSSAPI
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100 --- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
+++ openssh-7.4p1/servconf.h 2016-12-23 15:18:40.629216102 +0100 +++ openssh-7.4p1/servconf.h 2016-12-23 15:18:40.629216102 +0100
@@ -174,7 +174,8 @@ typedef struct { @@ -174,6 +174,7 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
int num_permitted_opens; * authenticated with Kerberos. */
int use_kuserok;
- int use_kuserok;
+ int use_kuserok;
+ int enable_k5users; + int enable_k5users;
char *chroot_directory; int gss_authentication; /* If true, permit GSSAPI authentication */
char *revoked_keys_file; int gss_keyex; /* If true, permit GSSAPI key exchange */
char *trusted_user_ca_keys; int gss_cleanup_creds; /* If true, destroy cred cache on logout */
diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5 diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users 2016-12-23 15:18:40.630216103 +0100 --- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users 2016-12-23 15:18:40.630216103 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:36:21.607408435 +0100 +++ openssh-7.4p1/sshd_config.5 2016-12-23 15:36:21.607408435 +0100
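Review bot: The new `dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);` line in the dump_config hunk is emitted inside the conditional block that the `#endif` right below it closes (the surrounding context, `sKerberosGetAFSToken` under `# ifdef USE_AFS`, suggests this is the KRB5 block), while the option is named GSSAPIEnablek5users and the GSSAPI dump block only begins after that `#endif`. If the keyword is parsed and honoured in a build with GSSAPI but without KRB5, `sshd -T` would silently omit it there; the keyword-table side is outside this section, so please confirm which guard the option's parser entry sits under and keep the dump under the same one. The default `enable_k5users = 0` is retained, which is the right choice for a knob that, judging by its name, opens an additional principal-to-account mapping path.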


@ -20,7 +20,7 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
ssh_api.o \ ssh_api.o \
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l @@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(SSHLIBS) $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o +ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)


@ -16,7 +16,7 @@ diff -up openssh-7.4p1/openbsd-compat/Makefile.in.entropy openssh-7.4p1/openbsd-
+++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 18:35:15.890769493 +0100 +++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 18:35:15.890769493 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-getpagesize.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-malloc.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o -PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o +PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
@ -123,26 +123,6 @@ diff -up openssh-7.4p1/ssh.1.entropy openssh-7.4p1/ssh.1
.Sh FILES .Sh FILES
.Bl -tag -width Ds -compact .Bl -tag -width Ds -compact
.It Pa ~/.rhosts .It Pa ~/.rhosts
diff -up openssh-7.4p1/ssh-add.0.entropy openssh-7.4p1/ssh-add.0
--- openssh-7.4p1/ssh-add.0.entropy 2016-12-19 06:21:21.000000000 +0100
+++ openssh-7.4p1/ssh-add.0 2016-12-23 18:34:27.770753571 +0100
@@ -88,6 +88,16 @@ ENVIRONMENT
Identifies the path of a UNIX-domain socket used to communicate
with the agent.
+ SSH_USE_STRONG_RNG
+ The reseeding of the OpenSSL random generator is usually done
+ from /dev/urandom. If the SSH_USE_STRONG_RNG environment vari-
+ able is set to value other than 0 the OpenSSL random generator is
+ reseeded from /dev/random. The number of bytes read is defined
+ by the SSH_USE_STRONG_RNG value. Minimum is 14 bytes. This set-
+ ting is not recommended on the computers without the hardware
+ random generator because insufficient entropy causes the connec-
+ tion to be blocked until enough entropy is available.
+
FILES
~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of
diff -up openssh-7.4p1/ssh-add.1.entropy openssh-7.4p1/ssh-add.1 diff -up openssh-7.4p1/ssh-add.1.entropy openssh-7.4p1/ssh-add.1
--- openssh-7.4p1/ssh-add.1.entropy 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/ssh-add.1.entropy 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/ssh-add.1 2016-12-23 18:34:27.770753571 +0100 +++ openssh-7.4p1/ssh-add.1 2016-12-23 18:34:27.770753571 +0100


@ -1,6 +1,6 @@
diff -up openssh/auth2-pubkey.c.keycat openssh/auth2-pubkey.c diff -up openssh/misc.c.keycat openssh/misc.c
--- openssh/auth2-pubkey.c.keycat 2015-06-24 10:57:50.158849606 +0200 --- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200
+++ openssh/auth2-pubkey.c 2015-06-24 11:04:23.989868638 +0200 +++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200
@@ -490,6 +490,14 @@ subprocess(const char *tag, struct passw @@ -490,6 +490,14 @@ subprocess(const char *tag, struct passw
_exit(1); _exit(1);
} }
@ -65,7 +65,7 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
+ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(SSHLIBS) + $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
+ +
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)


@ -175,23 +175,23 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.kuserok 2016-12-23 14:36:07.630465944 +0100 --- openssh-7.4p1/servconf.c.kuserok 2016-12-23 14:36:07.630465944 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 15:11:52.278133344 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 15:11:52.278133344 +0100
@@ -167,6 +167,7 @@ initialize_server_options(ServerOptions @@ -116,6 +116,7 @@ initialize_server_options(ServerOptions
options->version_addendum = NULL; options->gss_cleanup_creds = -1;
options->fingerprint_hash = -1; options->gss_strict_acceptor = -1;
options->disable_forwarding = -1; options->gss_store_rekey = -1;
+ options->use_kuserok = -1; + options->use_kuserok = -1;
} options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ options->challenge_response_authentication = -1;
@@ -342,6 +343,8 @@ fill_default_server_options(ServerOption @@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
options->fingerprint_hash = SSH_FP_HASH_DEFAULT; options->gss_strict_acceptor = 1;
if (options->disable_forwarding == -1) if (options->gss_store_rekey == -1)
options->disable_forwarding = 0; options->gss_store_rekey = 0;
+ if (options->use_kuserok == -1) + if (options->use_kuserok == -1)
+ options->use_kuserok = 1; + options->use_kuserok = 1;
if (options->password_authentication == -1)
assemble_algorithms(options); options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -399,7 +402,7 @@ typedef enum { @@ -399,7 +402,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
@ -233,26 +233,26 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
+ M_CP_INTOPT(use_kuserok); + M_CP_INTOPT(use_kuserok);
M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval); M_CP_INTOPT(rekey_interval);
M_CP_INTOPT(log_level);
@@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o) @@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); # ifdef USE_AFS
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); # endif
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); + dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
#endif
/* string arguments */ #ifdef GSSAPI
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.kuserok 2016-12-23 14:36:07.630465944 +0100 --- openssh-7.4p1/servconf.h.kuserok 2016-12-23 14:36:07.630465944 +0100
+++ openssh-7.4p1/servconf.h 2016-12-23 14:36:07.645465936 +0100 +++ openssh-7.4p1/servconf.h 2016-12-23 14:36:07.645465936 +0100
@@ -174,6 +174,7 @@ typedef struct { @@ -118,6 +118,7 @@ typedef struct {
* file on logout. */
int num_permitted_opens; int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
+ int use_kuserok; + int use_kuserok;
char *chroot_directory; int gss_authentication; /* If true, permit GSSAPI authentication */
char *revoked_keys_file; int gss_keyex; /* If true, permit GSSAPI key exchange */
char *trusted_user_ca_keys; int gss_cleanup_creds; /* If true, destroy cred cache on logout */
diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5 diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.kuserok 2016-12-23 14:36:07.637465940 +0100 --- openssh-7.4p1/sshd_config.5.kuserok 2016-12-23 14:36:07.637465940 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:14:03.117162222 +0100 +++ openssh-7.4p1/sshd_config.5 2016-12-23 15:14:03.117162222 +0100
@ -272,9 +272,9 @@ diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
.Cm KbdInteractiveAuthentication , .Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication , .Cm KerberosAuthentication ,
+.Cm KerberosUseKuserok , +.Cm KerberosUseKuserok ,
.Cm LogLevel ,
.Cm MaxAuthTries , .Cm MaxAuthTries ,
.Cm MaxSessions , .Cm MaxSessions ,
.Cm PasswordAuthentication ,
diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
--- openssh-7.4p1/sshd_config.kuserok 2016-12-23 14:36:07.631465943 +0100 --- openssh-7.4p1/sshd_config.kuserok 2016-12-23 14:36:07.631465943 +0100
+++ openssh-7.4p1/sshd_config 2016-12-23 14:36:07.646465935 +0100 +++ openssh-7.4p1/sshd_config 2016-12-23 14:36:07.646465935 +0100


@ -107,7 +107,7 @@ diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c
+#endif +#endif
+ +
/* Demote the child */ /* Demote the child */
if (getuid() == 0 || geteuid() == 0) { if (privsep_chroot) {
/* Change our root directory */ /* Change our root directory */
@@ -633,6 +637,9 @@ privsep_postauth(Authctxt *authctxt) @@ -633,6 +637,9 @@ privsep_postauth(Authctxt *authctxt)
{ {


@ -2,7 +2,7 @@ diff -up openssh-7.4p1/auth2.c.role-mls openssh-7.4p1/auth2.c
--- openssh-7.4p1/auth2.c.role-mls 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/auth2.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth2.c 2016-12-23 12:19:58.587459379 +0100 +++ openssh-7.4p1/auth2.c 2016-12-23 12:19:58.587459379 +0100
@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32 @@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ctxt; Authctxt *authctxt = ssh->authctxt;
Authmethod *m = NULL; Authmethod *m = NULL;
char *user, *service, *method, *style = NULL; char *user, *service, *method, *style = NULL;
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
@ -44,7 +44,7 @@ diff -up openssh-7.4p1/auth2-gss.c.role-mls openssh-7.4p1/auth2-gss.c
--- openssh-7.4p1/auth2-gss.c.role-mls 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/auth2-gss.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth2-gss.c 2016-12-23 12:19:58.586459382 +0100 +++ openssh-7.4p1/auth2-gss.c 2016-12-23 12:19:58.586459382 +0100
@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple @@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt; Authctxt *authctxt = ssh->authctxt;
Gssctxt *gssctxt; Gssctxt *gssctxt;
int authenticated = 0; int authenticated = 0;
+ char *micuser; + char *micuser;
@ -74,34 +74,35 @@ diff -up openssh-7.4p1/auth2-gss.c.role-mls openssh-7.4p1/auth2-gss.c
+ free(micuser); + free(micuser);
free(mic.value); free(mic.value);
authctxt->postponed = 0; if ((!use_privsep || mm_is_monitor()) &&
diff -up openssh-7.4p1/auth2-hostbased.c.role-mls openssh-7.4p1/auth2-hostbased.c diff -up openssh-7.4p1/auth2-hostbased.c.role-mls openssh-7.4p1/auth2-hostbased.c
--- openssh-7.4p1/auth2-hostbased.c.role-mls 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/auth2-hostbased.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth2-hostbased.c 2016-12-23 12:19:58.586459382 +0100 +++ openssh-7.4p1/auth2-hostbased.c 2016-12-23 12:19:58.586459382 +0100
@@ -121,7 +121,15 @@ userauth_hostbased(Authctxt *authctxt) @@ -121,7 +121,16 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */ /* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
- buffer_put_cstring(&b, authctxt->user); (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
- (r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ if (authctxt->role) { + (authctxt->role
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1); + ? ( (r = sshbuf_put_u32(b, strlen(authctxt->user)+strlen(authctxt->role)+1)) != 0 ||
+ buffer_append(&b, authctxt->user, strlen(authctxt->user)); + (r = sshbuf_put(b, authctxt->user, strlen(authctxt->user))) != 0 ||
+ buffer_put_char(&b, '/'); + (r = sshbuf_put_u8(b, '/') != 0) ||
+ buffer_append(&b, authctxt->role, strlen(authctxt->role)); + (r = sshbuf_put(b, authctxt->role, strlen(authctxt->role))) != 0)
+ } else + : (r = sshbuf_put_cstring(b, authctxt->user)) != 0) ||
+#else
+ (r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
+#endif +#endif
+ buffer_put_cstring(&b, authctxt->user); (r = sshbuf_put_cstring(b, service)) != 0 ||
buffer_put_cstring(&b, service); (r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
buffer_put_cstring(&b, "hostbased"); (r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
buffer_put_string(&b, pkalg, alen);
diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c
--- openssh-7.4p1/auth2-pubkey.c.role-mls 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/auth2-pubkey.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth2-pubkey.c 2016-12-23 12:19:58.587459379 +0100 +++ openssh-7.4p1/auth2-pubkey.c 2016-12-23 12:19:58.587459379 +0100
@@ -151,9 +151,15 @@ userauth_pubkey(Authctxt *authctxt) @@ -151,9 +151,15 @@ userauth_pubkey(Authctxt *authctxt)
__func__, ssh_err(r));
} }
/* reconstruct packet */ /* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- xasprintf(&userstyle, "%s%s%s", authctxt->user, - xasprintf(&userstyle, "%s%s%s", authctxt->user,
+ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user, + xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
authctxt->style ? ":" : "", authctxt->style ? ":" : "",
@ -113,9 +114,9 @@ diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c
+#else +#else
+ "", ""); + "", "");
+#endif +#endif
buffer_put_cstring(&b, userstyle); if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
free(userstyle); (r = sshbuf_put_cstring(b, userstyle)) != 0 ||
buffer_put_cstring(&b, (r = sshbuf_put_cstring(b, ssh->compat & SSH_BUG_PKSERVICE ?
diff -up openssh-7.4p1/auth.h.role-mls openssh-7.4p1/auth.h diff -up openssh-7.4p1/auth.h.role-mls openssh-7.4p1/auth.h
--- openssh-7.4p1/auth.h.role-mls 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/auth.h.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth.h 2016-12-23 12:19:43.478510375 +0100 +++ openssh-7.4p1/auth.h 2016-12-23 12:19:43.478510375 +0100
@ -126,9 +127,9 @@ diff -up openssh-7.4p1/auth.h.role-mls openssh-7.4p1/auth.h
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ char *role; + char *role;
+#endif +#endif
void *kbdintctxt;
char *info; /* Extra info for next auth_log */ /* Method lists for multiple authentication */
#ifdef BSD_AUTH char **auth_methods; /* modified from server config */
diff -up openssh-7.4p1/auth-pam.c.role-mls openssh-7.4p1/auth-pam.c diff -up openssh-7.4p1/auth-pam.c.role-mls openssh-7.4p1/auth-pam.c
--- openssh-7.4p1/auth-pam.c.role-mls 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/auth-pam.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth-pam.c 2016-12-23 12:19:43.477510378 +0100 +++ openssh-7.4p1/auth-pam.c 2016-12-23 12:19:43.477510378 +0100
@ -320,8 +321,8 @@ diff -up openssh-7.4p1/monitor_wrap.h.role-mls openssh-7.4p1/monitor_wrap.h
--- openssh-7.4p1/monitor_wrap.h.role-mls 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/monitor_wrap.h.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/monitor_wrap.h 2016-12-23 12:19:58.588459376 +0100 +++ openssh-7.4p1/monitor_wrap.h 2016-12-23 12:19:58.588459376 +0100
@@ -42,6 +42,9 @@ int mm_is_monitor(void); @@ -42,6 +42,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int); int mm_key_sign(struct sshkey *, u_char **, u_int *, const u_char *, u_int,
int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *); const char *);
void mm_inform_authserv(char *, char *); void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+void mm_inform_authrole(char *); +void mm_inform_authrole(char *);
@ -334,7 +335,7 @@ diff -up openssh-7.4p1/openbsd-compat/Makefile.in.role-mls openssh-7.4p1/openbsd
+++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 12:24:06.042643938 +0100 +++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 12:24:06.042643938 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-getpagesize.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-malloc.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o -PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o +PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
@ -863,3 +864,16 @@ diff -up openssh-7.4p1/sshd.c.role-mls openssh-7.4p1/sshd.c
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) { if (options.use_pam) {
do_pam_setcred(1); do_pam_setcred(1);
--- openssh/configure.ac.role-mls 2017-09-27 12:54:52.926425979 +0200
+++ openssh/configure.ac 2017-09-27 12:57:06.854224956 +0200
@@ -4158,10 +4158,7 @@
LIBS="$LIBS -lselinux"
],
AC_MSG_ERROR([SELinux support requires libselinux library]))
- SSHLIBS="$SSHLIBS $LIBSELINUX"
- SSHDLIBS="$SSHDLIBS $LIBSELINUX"
AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
- LIBS="$save_LIBS"
fi ]
)
AC_SUBST([SSHLIBS])
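Review bot: In the auth2-hostbased.c hunk the rewritten role branch has an operator-precedence slip on the separator line: `(r = sshbuf_put_u8(b, '/') != 0) ||` assigns the comparison result to r, so on failure r becomes 1 instead of the sshbuf error code and the function's subsequent error report via `ssh_err(r)` (outside the hunk) would name the wrong reason; the `||` short-circuit still fires on error, so this is a diagnostics defect rather than a verification bypass. It should read `(r = sshbuf_put_u8(b, '/')) != 0 ||` to match the other calls in the chain. Separately, the configure.ac hunk removes both the `SSHLIBS=`/`SSHDLIBS=` additions and the `LIBS="$save_LIBS"` restore, which leaves -lselinux in the global LIBS for every binary rather than only ssh and sshd; that is a build-wide linkage change and deserves a comment in the patch explaining why the per-target variables upstream provides are no longer sufficient. userauth_hostbased starts and ends outside the hunk.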


@ -21,4 +21,4 @@ diff -up openssh-7.4p1/servconf.c.memory openssh-7.4p1/servconf.c
+ dst->n[dst->num_n] = src->n[dst->num_n]; \ + dst->n[dst->num_n] = src->n[dst->num_n]; \
} \ } \
} while(0) } while(0)
#define M_CP_STRARRAYOPT_ALLOC(n, num_n) do { \


@ -245,9 +245,9 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
options->gss_strict_acceptor = -1; options->gss_strict_acceptor = -1;
options->gss_store_rekey = -1; options->gss_store_rekey = -1;
+ options->gss_kex_algorithms = NULL; + options->gss_kex_algorithms = NULL;
options->use_kuserok = -1;
options->enable_k5users = -1;
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -288,6 +290,10 @@ fill_default_server_options(ServerOption @@ -288,6 +290,10 @@ fill_default_server_options(ServerOption
options->gss_strict_acceptor = 1; options->gss_strict_acceptor = 1;
if (options->gss_store_rekey == -1) if (options->gss_store_rekey == -1)
@ -256,9 +256,9 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
+ if (options->gss_kex_algorithms == NULL) + if (options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX); + options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif +#endif
if (options->password_authentication == -1) if (options->use_kuserok == -1)
options->password_authentication = 1; options->use_kuserok = 1;
if (options->kbd_interactive_authentication == -1) if (options->enable_k5users == -1)
@@ -427,7 +431,7 @@ typedef enum { @@ -427,7 +431,7 @@ typedef enum {
sHostKeyAlgorithms, sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
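Review bot: The default in fill_default_server_options is set with `options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);` and the result is never checked, whereas servconf.c conventionally uses the project's xstrdup wrapper, which aborts on allocation failure; as written, an allocation failure leaves the option NULL for the later key-exchange negotiation code (outside this section) to dereference. Use `options->gss_kex_algorithms = xstrdup(GSS_KEX_DEFAULT_KEX);` so out-of-memory terminates cleanly instead of propagating a NULL algorithm list into KEX. The `#ifdef` that the visible `+#endif` closes is outside this section, so I could not confirm which build guard this default sits under.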


@ -1,7 +1,7 @@
diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c diff -up openssh/clientloop.c.fingerprint openssh/clientloop.c
--- openssh-7.4p1/clientloop.c.fingerprint 2016-12-23 15:38:50.520432387 +0100 --- openssh/clientloop.c.fingerprint 2017-09-26 15:21:22.582477729 +0200
+++ openssh-7.4p1/clientloop.c 2016-12-23 15:38:50.564432394 +0100 +++ openssh/clientloop.c 2017-09-26 15:21:22.620477932 +0200
@@ -2279,7 +2279,7 @@ update_known_hosts(struct hostkeys_updat @@ -1854,7 +1854,7 @@ update_known_hosts(struct hostkeys_updat
if (ctx->keys_seen[i] != 2) if (ctx->keys_seen[i] != 2)
continue; continue;
if ((fp = sshkey_fingerprint(ctx->keys[i], if ((fp = sshkey_fingerprint(ctx->keys[i],
@ -10,7 +10,7 @@ diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c
fatal("%s: sshkey_fingerprint failed", __func__); fatal("%s: sshkey_fingerprint failed", __func__);
do_log2(loglevel, "Learned new hostkey: %s %s", do_log2(loglevel, "Learned new hostkey: %s %s",
sshkey_type(ctx->keys[i]), fp); sshkey_type(ctx->keys[i]), fp);
@@ -2287,7 +2287,7 @@ update_known_hosts(struct hostkeys_updat @@ -1862,7 +1862,7 @@ update_known_hosts(struct hostkeys_updat
} }
for (i = 0; i < ctx->nold; i++) { for (i = 0; i < ctx->nold; i++) {
if ((fp = sshkey_fingerprint(ctx->old_keys[i], if ((fp = sshkey_fingerprint(ctx->old_keys[i],
@ -19,7 +19,7 @@ diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c
fatal("%s: sshkey_fingerprint failed", __func__); fatal("%s: sshkey_fingerprint failed", __func__);
do_log2(loglevel, "Deprecating obsolete hostkey: %s %s", do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
sshkey_type(ctx->old_keys[i]), fp); sshkey_type(ctx->old_keys[i]), fp);
@@ -2330,7 +2330,7 @@ update_known_hosts(struct hostkeys_updat @@ -1905,7 +1905,7 @@ update_known_hosts(struct hostkeys_updat
(r = hostfile_replace_entries(options.user_hostfiles[0], (r = hostfile_replace_entries(options.user_hostfiles[0],
ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys, ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
options.hash_known_hosts, 0, options.hash_known_hosts, 0,
@ -28,7 +28,7 @@ diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c
error("%s: hostfile_replace_entries failed: %s", error("%s: hostfile_replace_entries failed: %s",
__func__, ssh_err(r)); __func__, ssh_err(r));
} }
@@ -2443,7 +2443,7 @@ client_input_hostkeys(void) @@ -2038,7 +2038,7 @@ client_input_hostkeys(void)
error("%s: parse key: %s", __func__, ssh_err(r)); error("%s: parse key: %s", __func__, ssh_err(r));
goto out; goto out;
} }
@ -37,10 +37,10 @@ diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c
SSH_FP_DEFAULT); SSH_FP_DEFAULT);
debug3("%s: received %s key %s", __func__, debug3("%s: received %s key %s", __func__,
sshkey_type(key), fp); sshkey_type(key), fp);
diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c diff -up openssh/readconf.c.fingerprint openssh/readconf.c
--- openssh-7.4p1/readconf.c.fingerprint 2016-12-23 15:38:50.559432393 +0100 --- openssh/readconf.c.fingerprint 2017-09-26 15:21:22.618477921 +0200
+++ openssh-7.4p1/readconf.c 2016-12-23 15:38:50.565432394 +0100 +++ openssh/readconf.c 2017-09-26 15:21:22.621477937 +0200
@@ -1668,16 +1668,18 @@ parse_keytypes: @@ -1681,16 +1681,18 @@ parse_keytypes:
goto parse_string; goto parse_string;
case oFingerprintHash: case oFingerprintHash:
@ -69,7 +69,7 @@ diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
break; break;
case oUpdateHostkeys: case oUpdateHostkeys:
@@ -1905,7 +1907,7 @@ initialize_options(Options * options) @@ -1917,7 +1919,7 @@ initialize_options(Options * options)
options->canonicalize_fallback_local = -1; options->canonicalize_fallback_local = -1;
options->canonicalize_hostname = -1; options->canonicalize_hostname = -1;
options->revoked_host_keys = NULL; options->revoked_host_keys = NULL;
@ -78,7 +78,7 @@ diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
options->update_hostkeys = -1; options->update_hostkeys = -1;
options->hostbased_key_types = NULL; options->hostbased_key_types = NULL;
options->pubkey_key_types = NULL; options->pubkey_key_types = NULL;
@@ -2102,8 +2104,10 @@ fill_default_options(Options * options) @@ -2096,8 +2098,10 @@ fill_default_options(Options * options)
options->canonicalize_fallback_local = 1; options->canonicalize_fallback_local = 1;
if (options->canonicalize_hostname == -1) if (options->canonicalize_hostname == -1)
options->canonicalize_hostname = SSH_CANONICALISE_NO; options->canonicalize_hostname = SSH_CANONICALISE_NO;
@ -91,7 +91,7 @@ diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
if (options->update_hostkeys == -1) if (options->update_hostkeys == -1)
options->update_hostkeys = 0; options->update_hostkeys = 0;
if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 || if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
@@ -2489,6 +2493,17 @@ dump_cfg_strarray(OpCodes code, u_int co @@ -2474,6 +2478,17 @@ dump_cfg_strarray(OpCodes code, u_int co
} }
static void static void
@ -109,7 +109,7 @@ diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals) dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals)
{ {
u_int i; u_int i;
@@ -2564,7 +2579,6 @@ dump_client_config(Options *o, const cha @@ -2549,7 +2564,6 @@ dump_client_config(Options *o, const cha
dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign); dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings); dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings);
dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure); dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
@ -117,7 +117,7 @@ diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
dump_cfg_fmtint(oForwardAgent, o->forward_agent); dump_cfg_fmtint(oForwardAgent, o->forward_agent);
dump_cfg_fmtint(oForwardX11, o->forward_x11); dump_cfg_fmtint(oForwardX11, o->forward_x11);
dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted); dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
@@ -2634,6 +2648,7 @@ dump_client_config(Options *o, const cha @@ -2618,6 +2632,7 @@ dump_client_config(Options *o, const cha
dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles); dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles); dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env); dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);
@ -125,9 +125,9 @@ diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
/* Special cases */ /* Special cases */
diff -up openssh-7.4p1/readconf.h.fingerprint openssh-7.4p1/readconf.h diff -up openssh/readconf.h.fingerprint openssh/readconf.h
--- openssh-7.4p1/readconf.h.fingerprint 2016-12-23 15:38:50.559432393 +0100 --- openssh/readconf.h.fingerprint 2017-09-26 15:21:22.618477921 +0200
+++ openssh-7.4p1/readconf.h 2016-12-23 15:38:50.565432394 +0100 +++ openssh/readconf.h 2017-09-26 15:21:22.621477937 +0200
@@ -21,6 +21,7 @@ @@ -21,6 +21,7 @@
#define MAX_SEND_ENV 256 #define MAX_SEND_ENV 256
#define SSH_MAX_HOSTS_FILES 32 #define SSH_MAX_HOSTS_FILES 32
@ -136,7 +136,7 @@ diff -up openssh-7.4p1/readconf.h.fingerprint openssh-7.4p1/readconf.h
#define PATH_MAX_SUN (sizeof((struct sockaddr_un *)0)->sun_path) #define PATH_MAX_SUN (sizeof((struct sockaddr_un *)0)->sun_path)
struct allowed_cname { struct allowed_cname {
@@ -162,7 +163,8 @@ typedef struct { @@ -157,7 +158,8 @@ typedef struct {
char *revoked_host_keys; char *revoked_host_keys;
@ -146,10 +146,10 @@ diff -up openssh-7.4p1/readconf.h.fingerprint openssh-7.4p1/readconf.h
int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */ int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
diff -up openssh-7.4p1/ssh_config.5.fingerprint openssh-7.4p1/ssh_config.5 diff -up openssh/ssh_config.5.fingerprint openssh/ssh_config.5
--- openssh-7.4p1/ssh_config.5.fingerprint 2016-12-23 15:38:50.565432394 +0100 --- openssh/ssh_config.5.fingerprint 2017-09-26 15:21:22.618477921 +0200
+++ openssh-7.4p1/ssh_config.5 2016-12-23 15:40:03.754444166 +0100 +++ openssh/ssh_config.5 2017-09-26 15:21:22.621477937 +0200
@@ -652,12 +652,13 @@ or @@ -624,12 +624,13 @@ or
.Cm no .Cm no
(the default). (the default).
.It Cm FingerprintHash .It Cm FingerprintHash
@ -166,10 +166,10 @@ diff -up openssh-7.4p1/ssh_config.5.fingerprint openssh-7.4p1/ssh_config.5
.It Cm ForwardAgent .It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any) Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine. will be forwarded to the remote machine.
diff -up openssh-7.4p1/sshconnect2.c.fingerprint openssh-7.4p1/sshconnect2.c diff -up openssh/sshconnect2.c.fingerprint openssh/sshconnect2.c
--- openssh-7.4p1/sshconnect2.c.fingerprint 2016-12-23 15:38:50.561432394 +0100 --- openssh/sshconnect2.c.fingerprint 2017-09-26 15:21:22.619477926 +0200
+++ openssh-7.4p1/sshconnect2.c 2016-12-23 15:38:50.566432394 +0100 +++ openssh/sshconnect2.c 2017-09-26 15:21:50.677628003 +0200
@@ -677,7 +677,7 @@ input_userauth_pk_ok(int type, u_int32_t @@ -679,7 +679,7 @@ input_userauth_pk_ok(int type, u_int32_t
key->type, pktype); key->type, pktype);
goto done; goto done;
} }
@ -178,7 +178,7 @@ diff -up openssh-7.4p1/sshconnect2.c.fingerprint openssh-7.4p1/sshconnect2.c
SSH_FP_DEFAULT)) == NULL) SSH_FP_DEFAULT)) == NULL)
goto done; goto done;
debug2("input_userauth_pk_ok: fp %s", fp); debug2("input_userauth_pk_ok: fp %s", fp);
@@ -1172,7 +1172,7 @@ sign_and_send_pubkey(Authctxt *authctxt, @@ -1198,7 +1198,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
int matched, ret = -1, have_sig = 1; int matched, ret = -1, have_sig = 1;
char *fp; char *fp;
@ -187,7 +187,16 @@ diff -up openssh-7.4p1/sshconnect2.c.fingerprint openssh-7.4p1/sshconnect2.c
SSH_FP_DEFAULT)) == NULL) SSH_FP_DEFAULT)) == NULL)
return 0; return 0;
debug3("%s: %s %s", __func__, key_type(id->key), fp); debug3("%s: %s %s", __func__, key_type(id->key), fp);
@@ -1864,7 +1864,7 @@ userauth_hostbased(Authctxt *authctxt) @@ -1620,7 +1620,7 @@ userauth_pubkey(Authctxt *authctxt)
if (id->key != NULL) {
if (try_identity(id)) {
if ((fp = sshkey_fingerprint(id->key,
- options.fingerprint_hash,
+ options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL) {
error("%s: sshkey_fingerprint failed",
__func__);
@@ -1914,7 +1914,7 @@ userauth_hostbased(Authctxt *authctxt)
goto out; goto out;
} }
@ -196,10 +205,10 @@ diff -up openssh-7.4p1/sshconnect2.c.fingerprint openssh-7.4p1/sshconnect2.c
SSH_FP_DEFAULT)) == NULL) { SSH_FP_DEFAULT)) == NULL) {
error("%s: sshkey_fingerprint failed", __func__); error("%s: sshkey_fingerprint failed", __func__);
goto out; goto out;
diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c diff -up openssh/sshconnect.c.fingerprint openssh/sshconnect.c
--- openssh-7.4p1/sshconnect.c.fingerprint 2016-12-19 05:59:41.000000000 +0100 --- openssh/sshconnect.c.fingerprint 2017-09-25 01:48:10.000000000 +0200
+++ openssh-7.4p1/sshconnect.c 2016-12-23 15:38:50.566432394 +0100 +++ openssh/sshconnect.c 2017-09-26 15:21:22.622477943 +0200
@@ -922,9 +922,9 @@ check_host_key(char *hostname, struct so @@ -861,9 +861,9 @@ check_host_key(char *hostname, struct so
"of known hosts.", type, ip); "of known hosts.", type, ip);
} else if (options.visual_host_key) { } else if (options.visual_host_key) {
fp = sshkey_fingerprint(host_key, fp = sshkey_fingerprint(host_key,
@ -211,7 +220,7 @@ diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
if (fp == NULL || ra == NULL) if (fp == NULL || ra == NULL)
fatal("%s: sshkey_fingerprint fail", __func__); fatal("%s: sshkey_fingerprint fail", __func__);
logit("Host key fingerprint is %s\n%s", fp, ra); logit("Host key fingerprint is %s\n%s", fp, ra);
@@ -966,12 +966,6 @@ check_host_key(char *hostname, struct so @@ -907,12 +907,6 @@ check_host_key(char *hostname, struct so
else else
snprintf(msg1, sizeof(msg1), "."); snprintf(msg1, sizeof(msg1), ".");
/* The default */ /* The default */
@ -224,7 +233,7 @@ diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
msg2[0] = '\0'; msg2[0] = '\0';
if (options.verify_host_key_dns) { if (options.verify_host_key_dns) {
if (matching_host_key_dns) if (matching_host_key_dns)
@@ -985,16 +979,28 @@ check_host_key(char *hostname, struct so @@ -926,16 +920,28 @@ check_host_key(char *hostname, struct so
} }
snprintf(msg, sizeof(msg), snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be " "The authenticity of host '%.200s (%s)' can't be "
@ -262,7 +271,7 @@ diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
if (!confirm(msg)) if (!confirm(msg))
goto fail; goto fail;
hostkey_trusted = 1; /* user explicitly confirmed */ hostkey_trusted = 1; /* user explicitly confirmed */
@@ -1244,7 +1250,7 @@ verify_host_key(char *host, struct socka @@ -1192,7 +1198,7 @@ verify_host_key(char *host, struct socka
struct sshkey *plain = NULL; struct sshkey *plain = NULL;
if ((fp = sshkey_fingerprint(host_key, if ((fp = sshkey_fingerprint(host_key,
@ -271,7 +280,7 @@ diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
error("%s: fingerprint host key: %s", __func__, ssh_err(r)); error("%s: fingerprint host key: %s", __func__, ssh_err(r));
r = -1; r = -1;
goto out; goto out;
@@ -1252,7 +1258,7 @@ verify_host_key(char *host, struct socka @@ -1200,7 +1206,7 @@ verify_host_key(char *host, struct socka
if (sshkey_is_cert(host_key)) { if (sshkey_is_cert(host_key)) {
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key, if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
@ -280,7 +289,7 @@ diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
error("%s: fingerprint CA key: %s", error("%s: fingerprint CA key: %s",
__func__, ssh_err(r)); __func__, ssh_err(r));
r = -1; r = -1;
@@ -1432,9 +1438,9 @@ show_other_keys(struct hostkeys *hostkey @@ -1369,9 +1375,9 @@ show_other_keys(struct hostkeys *hostkey
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found)) if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
continue; continue;
fp = sshkey_fingerprint(found->key, fp = sshkey_fingerprint(found->key,
@ -292,7 +301,7 @@ diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
if (fp == NULL || ra == NULL) if (fp == NULL || ra == NULL)
fatal("%s: sshkey_fingerprint fail", __func__); fatal("%s: sshkey_fingerprint fail", __func__);
logit("WARNING: %s key found for host %s\n" logit("WARNING: %s key found for host %s\n"
@@ -1457,7 +1463,7 @@ warn_changed_key(Key *host_key) @@ -1394,7 +1400,7 @@ warn_changed_key(struct sshkey *host_key
{ {
char *fp; char *fp;
@ -301,9 +310,9 @@ diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
SSH_FP_DEFAULT); SSH_FP_DEFAULT);
if (fp == NULL) if (fp == NULL)
fatal("%s: sshkey_fingerprint fail", __func__); fatal("%s: sshkey_fingerprint fail", __func__);
diff -up openssh-7.4p1/ssh-keysign.c.fingerprint openssh-7.4p1/ssh-keysign.c diff -up openssh/ssh-keysign.c.fingerprint openssh/ssh-keysign.c
--- openssh-7.4p1/ssh-keysign.c.fingerprint 2016-12-19 05:59:41.000000000 +0100 --- openssh/ssh-keysign.c.fingerprint 2017-09-25 01:48:10.000000000 +0200
+++ openssh-7.4p1/ssh-keysign.c 2016-12-23 15:38:50.566432394 +0100 +++ openssh/ssh-keysign.c 2017-09-26 15:21:22.622477943 +0200
@@ -285,7 +285,7 @@ main(int argc, char **argv) @@ -285,7 +285,7 @@ main(int argc, char **argv)
} }
} }


@ -92,7 +92,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
+ child_destory_sensitive_data(); + child_destory_sensitive_data();
+ +
/* Do processing for the child (exec command etc). */ /* Do processing for the child (exec command etc). */
do_child(s, command); do_child(ssh, s, command);
/* NOTREACHED */ /* NOTREACHED */
@@ -547,6 +555,9 @@ do_exec_pty(Session *s, const char *comm @@ -547,6 +555,9 @@ do_exec_pty(Session *s, const char *comm
/* Close the extra descriptor for the pseudo tty. */ /* Close the extra descriptor for the pseudo tty. */
@ -112,7 +112,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
+ fatal("pipe: %s", strerror(errno)); + fatal("pipe: %s", strerror(errno));
#endif #endif
if (s->ttyfd != -1) if (s->ttyfd != -1)
ret = do_exec_pty(s, command); ret = do_exec_pty(ssh, s, command);
@@ -732,6 +745,20 @@ do_exec(Session *s, const char *command) @@ -732,6 +745,20 @@ do_exec(Session *s, const char *command)
*/ */
buffer_clear(&loginmsg); buffer_clear(&loginmsg);
@ -134,7 +134,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
return ret; return ret;
} }
@@ -1538,6 +1565,33 @@ child_close_fds(void) @@ -1538,6 +1565,34 @@ child_close_fds(void)
endpwent(); endpwent();
} }
@ -157,23 +157,25 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
+ * which we can't do using one-way pipe. + * which we can't do using one-way pipe.
+ */ + */
+ packet_destroy_all(0, 1); + packet_destroy_all(0, 1);
+ /* XXX this will clean the rest but should not audit anymore */
+ /* packet_clear_keys(); */
+ +
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ /* Notify parent that we are done */ + /* Notify parent that we are done */
+ close(pparent); + close(pparent);
+#endif +#endif
+
+} +}
+ +
/* /*
* Performs common processing for the child, such as setting up the * Performs common processing for the child, such as setting up the
* environment, closing extra file descriptors, setting the user and group * environment, closing extra file descriptors, setting the user and group
@@ -1554,12 +1608,6 @@ do_child(Session *s, const char *command @@ -1554,13 +1608,6 @@ do_child(Session *s, const char *command
struct passwd *pw = s->pw; struct passwd *pw = s->pw;
int r = 0; int r = 0;
- /* remove hostkey from the child's memory */ - /* remove hostkey from the child's memory */
- destroy_sensitive_data(1); - destroy_sensitive_data(1);
- packet_clear_keys();
- /* Don't audit this - both us and the parent would be talking to the - /* Don't audit this - both us and the parent would be talking to the
- monitor over a single socket, with no synchronization. */ - monitor over a single socket, with no synchronization. */
- packet_destroy_all(0, 1); - packet_destroy_all(0, 1);
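Review bot: The rebased patch drops the upstream `packet_clear_keys();` call from do_child and carries it into child_destory_sensitive_data() only as the commented-out `/* packet_clear_keys(); */` under an XXX, so whatever key state that call would have wiped beyond `packet_destroy_all(0, 1)` now stays in the child's address space until the user's command is exec'd — the XXX itself concedes the call "will clean the rest". The reason for parking it is understandable (the removed comment explains that auditing from the child would race the parent on the single monitor socket), but the gap should be closed rather than left as an XXX: either give the key-clearing path a non-auditing variant, in the spirit of the first argument already passed to `packet_destroy_all(0, 1)`, or state exactly what is left un-zeroised and why that is acceptable. At minimum I would replace the two XXX lines with `/* XXX: packet_clear_keys() would also wipe the remaining newkeys, but it audits through the monitor and must not run from the unsynchronised child; see packet_destroy_all(). */`. child_destory_sensitive_data() and do_child() both continue outside the hunk, so I cannot confirm from here what packet_destroy_all(0, 1) itself covers.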


@ -10,22 +10,29 @@ diff -up openssh-7.5p1/cipher.c.fips openssh-7.5p1/cipher.c
#include <string.h> #include <string.h>
#include <stdarg.h> #include <stdarg.h>
#include <stdio.h> #include <stdio.h>
@@ -116,6 +118,20 @@ static const struct sshcipher ciphers[] @@ -116,6 +118,27 @@ static const struct sshcipher ciphers[]
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } { NULL, 0, 0, 0, 0, 0, NULL }
}; };
+static const struct sshcipher fips_ciphers[] = { +static const struct sshcipher fips_ciphers[] = {
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, +#ifdef WITH_OPENSSL
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, + { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc }, + { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc }, + { "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, + { "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
+ { "rijndael-cbc@lysator.liu.se", + { "rijndael-cbc@lysator.liu.se",
+ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, + 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr }, + { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr },
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr }, + { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr },
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr }, + { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr },
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } +#else
+ { "aes128-ctr", 16, 16, 0, 0, CFLAG_AESCTR, NULL },
+ { "aes192-ctr", 16, 24, 0, 0, CFLAG_AESCTR, NULL },
+ { "aes256-ctr", 16, 32, 0, 0, CFLAG_AESCTR, NULL },
+#endif
+ { "none", 8, 0, 0, 0, CFLAG_NONE, NULL },
+
+ { NULL, 0, 0, 0, 0, 0, NULL }
+}; +};
+ +
/*--*/ /*--*/
@ -37,7 +44,7 @@ diff -up openssh-7.5p1/cipher.c.fips openssh-7.5p1/cipher.c
- for (c = ciphers; c->name != NULL; c++) { - for (c = ciphers; c->name != NULL; c++) {
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) { + for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {
if (c->number != SSH_CIPHER_SSH2) if ((c->flags & CFLAG_INTERNAL) != 0)
continue; continue;
if (auth_only && c->auth_len == 0) if (auth_only && c->auth_len == 0)
@@ -222,7 +238,7 @@ const struct sshcipher * @@ -222,7 +238,7 @@ const struct sshcipher *
@ -49,24 +56,6 @@ diff -up openssh-7.5p1/cipher.c.fips openssh-7.5p1/cipher.c
if (strcmp(c->name, name) == 0) if (strcmp(c->name, name) == 0)
return c; return c;
return NULL; return NULL;
@@ -232,7 +248,7 @@ const struct sshcipher *
cipher_by_number(int id)
{
const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (c->number == id)
return c;
return NULL;
@@ -273,7 +289,7 @@ cipher_number(const char *name)
const struct sshcipher *c;
if (name == NULL)
return -1;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (strcasecmp(c->name, name) == 0)
return c->number;
return -1;
diff -up openssh-7.5p1/cipher-ctr.c.fips openssh-7.5p1/cipher-ctr.c diff -up openssh-7.5p1/cipher-ctr.c.fips openssh-7.5p1/cipher-ctr.c
--- openssh-7.5p1/cipher-ctr.c.fips 2017-06-30 12:06:36.386713974 +0200 --- openssh-7.5p1/cipher-ctr.c.fips 2017-06-30 12:06:36.386713974 +0200
+++ openssh-7.5p1/cipher-ctr.c 2017-06-30 12:06:36.465713761 +0200 +++ openssh-7.5p1/cipher-ctr.c 2017-06-30 12:06:36.465713761 +0200
@ -394,7 +383,7 @@ diff -up openssh-7.5p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.fips op
+ fp = sshkey_fingerprint(found, FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5, + fp = sshkey_fingerprint(found, FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5,
+ SSH_FP_HEX); + SSH_FP_HEX);
logit("Found matching %s key: %s", logit("Found matching %s key: %s",
key_type(found), fp); sshkey_type(found), fp);
free(fp); free(fp);
diff -up openssh-7.5p1/readconf.c.fips openssh-7.5p1/readconf.c diff -up openssh-7.5p1/readconf.c.fips openssh-7.5p1/readconf.c
--- openssh-7.5p1/readconf.c.fips 2017-06-30 12:06:36.468713753 +0200 --- openssh-7.5p1/readconf.c.fips 2017-06-30 12:06:36.468713753 +0200
@ -492,16 +481,6 @@ diff -up openssh-7.5p1/ssh.c.fips openssh-7.5p1/ssh.c
#ifndef HAVE_SETPROCTITLE #ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */ /* Prepare for later setproctitle emulation */
@@ -609,6 +619,9 @@ main(int ac, char **av)
"ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
+ if (FIPS_mode()) {
+ fatal("Protocol 1 not allowed in the FIPS mode.");
+ }
options.protocol = SSH_PROTO_1;
break;
case '2':
@@ -964,7 +977,6 @@ main(int ac, char **av) @@ -964,7 +977,6 @@ main(int ac, char **av)
host_arg = xstrdup(host); host_arg = xstrdup(host);
@ -521,19 +500,6 @@ diff -up openssh-7.5p1/ssh.c.fips openssh-7.5p1/ssh.c
if (options.user == NULL) if (options.user == NULL)
options.user = xstrdup(pw->pw_name); options.user = xstrdup(pw->pw_name);
@@ -1263,6 +1279,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000;
+ if (FIPS_mode()) {
+ options.protocol &= SSH_PROTO_2;
+ if (options.protocol == 0)
+ fatal("Protocol 2 disabled by configuration but required in the FIPS mode.");
+ }
+
/* Open a connection to the remote host. */
if (ssh_connect(host, addrs, &hostaddr, options.port,
options.address_family, options.connection_attempts,
diff -up openssh-7.5p1/sshconnect2.c.fips openssh-7.5p1/sshconnect2.c diff -up openssh-7.5p1/sshconnect2.c.fips openssh-7.5p1/sshconnect2.c
--- openssh-7.5p1/sshconnect2.c.fips 2017-06-30 12:06:36.439713831 +0200 --- openssh-7.5p1/sshconnect2.c.fips 2017-06-30 12:06:36.439713831 +0200
+++ openssh-7.5p1/sshconnect2.c 2017-06-30 12:06:36.469713750 +0200 +++ openssh-7.5p1/sshconnect2.c 2017-06-30 12:06:36.469713750 +0200
@ -707,9 +673,9 @@ diff -up openssh-7.5p1/sshkey.c.fips openssh-7.5p1/sshkey.c
#include "crypto_api.h" #include "crypto_api.h"
@@ -58,6 +59,7 @@ @@ -58,6 +59,7 @@
#define SSHKEY_INTERNAL
#include "sshkey.h" #include "sshkey.h"
#include "match.h" #include "match.h"
#include "xmalloc.h"
+#include "log.h" +#include "log.h"
/* openssh private key file format */ /* openssh private key file format */
@ -736,6 +702,6 @@ diff -up openssh-7.5p1/ssh-keygen.c.fips openssh-7.5p1/ssh-keygen.c
+ if (type == KEY_ED25519) + if (type == KEY_ED25519)
+ fatal("ED25519 keys are not allowed in FIPS mode"); + fatal("ED25519 keys are not allowed in FIPS mode");
+ } + }
if (type == KEY_DSA && *bitsp != 1024) switch (type) {
fatal("DSA keys must be 1024 bits"); case KEY_DSA:
else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024) if (*bitsp != 1024)
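Review bot: The new `#else` branch of `fips_ciphers` (the three CFLAG_AESCTR entries for builds without WITH_OPENSSL) does not fit the way the table is selected: the loop `for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)` calls `FIPS_mode()`, an OpenSSL API, unconditionally, so without OpenSSL the branch is either unreachable or the selector does not compile, depending on the build. If FIPS mode is only meaningful with OpenSSL, I would drop the `#else` entries, wrap the table and its `FIPS_mode() ?` selectors in `#ifdef WITH_OPENSSL`, and mark the intent with `/* FIPS mode is only reachable with OpenSSL; other builds use the stock table. */`; otherwise the non-OpenSSL entries need a matching non-OpenSSL FIPS predicate. The function containing that loop (cipher_alg_list, judging by the CFLAG_INTERNAL filter) starts and ends outside the hunk.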



@ -1,517 +0,0 @@
diff -up openssh-7.4p1/auth2.c.expose-pam openssh-7.4p1/auth2.c
--- openssh-7.4p1/auth2.c.expose-pam 2016-12-23 15:40:26.768447868 +0100
+++ openssh-7.4p1/auth2.c 2016-12-23 15:40:26.818447876 +0100
@@ -310,6 +310,7 @@ userauth_finish(Authctxt *authctxt, int
{
struct ssh *ssh = active_state; /* XXX */
char *methods;
+ char *prev_auth_details;
int partial = 0;
if (!authctxt->valid && authenticated)
@@ -340,6 +341,18 @@ userauth_finish(Authctxt *authctxt, int
if (authctxt->postponed)
return;
+ if (authenticated || partial) {
+ prev_auth_details = authctxt->auth_details;
+ xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
+ prev_auth_details ? prev_auth_details : "",
+ prev_auth_details ? ", " : "", method,
+ authctxt->last_details ? ": " : "",
+ authctxt->last_details ? authctxt->last_details : "");
+ free(prev_auth_details);
+ }
+ free(authctxt->last_details);
+ authctxt->last_details = NULL;
+
#ifdef USE_PAM
if (options.use_pam && authenticated) {
if (!PRIVSEP(do_pam_account())) {
diff -up openssh-7.4p1/auth2-gss.c.expose-pam openssh-7.4p1/auth2-gss.c
--- openssh-7.4p1/auth2-gss.c.expose-pam 2016-12-23 15:40:26.769447868 +0100
+++ openssh-7.4p1/auth2-gss.c 2016-12-23 15:40:26.818447876 +0100
@@ -276,6 +276,9 @@ input_gssapi_exchange_complete(int type,
authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
authctxt->pw));
+ if (authenticated)
+ authctxt->last_details = ssh_gssapi_get_displayname();
+
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
@@ -322,6 +325,9 @@ input_gssapi_mic(int type, u_int32_t ple
else
logit("GSSAPI MIC check failed");
+ if (authenticated)
+ authctxt->last_details = ssh_gssapi_get_displayname();
+
buffer_free(&b);
if (micuser != authctxt->user)
free(micuser);
diff -up openssh-7.4p1/auth2-hostbased.c.expose-pam openssh-7.4p1/auth2-hostbased.c
--- openssh-7.4p1/auth2-hostbased.c.expose-pam 2016-12-23 15:40:26.731447862 +0100
+++ openssh-7.4p1/auth2-hostbased.c 2016-12-23 15:40:26.818447876 +0100
@@ -60,7 +60,7 @@ userauth_hostbased(Authctxt *authctxt)
{
Buffer b;
Key *key = NULL;
- char *pkalg, *cuser, *chost, *service;
+ char *pkalg, *cuser, *chost, *service, *pubkey;
u_char *pkblob, *sig;
u_int alen, blen, slen;
int pktype;
@@ -140,15 +140,21 @@ userauth_hostbased(Authctxt *authctxt)
buffer_dump(&b);
#endif
- pubkey_auth_info(authctxt, key,
- "client user \"%.100s\", client host \"%.100s\"", cuser, chost);
+ pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
+ auth_info(authctxt,
+ "%s, client user \"%.100s\", client host \"%.100s\"",
+ pubkey, cuser, chost);
/* test for allowed key and correct signature */
authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
- buffer_len(&b))) == 1)
+ buffer_len(&b))) == 1) {
authenticated = 1;
+ authctxt->last_details = pubkey;
+ } else {
+ free(pubkey);
+ }
buffer_free(&b);
done:
diff -up openssh-7.4p1/auth2-pubkey.c.expose-pam openssh-7.4p1/auth2-pubkey.c
--- openssh-7.4p1/auth2-pubkey.c.expose-pam 2016-12-23 15:40:26.746447864 +0100
+++ openssh-7.4p1/auth2-pubkey.c 2016-12-23 15:40:26.819447876 +0100
@@ -79,7 +79,7 @@ userauth_pubkey(Authctxt *authctxt)
{
Buffer b;
Key *key = NULL;
- char *pkalg, *userstyle, *fp = NULL;
+ char *pkalg, *userstyle, *pubkey, *fp = NULL;
u_char *pkblob, *sig;
u_int alen, blen, slen;
int have_sig, pktype;
@@ -177,7 +177,8 @@ userauth_pubkey(Authctxt *authctxt)
#ifdef DEBUG_PK
buffer_dump(&b);
#endif
- pubkey_auth_info(authctxt, key, NULL);
+ pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
+ auth_info(authctxt, "%s", pubkey);
/* test for correct signature */
authenticated = 0;
@@ -185,9 +186,12 @@ userauth_pubkey(Authctxt *authctxt)
PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
buffer_len(&b))) == 1) {
authenticated = 1;
+ authctxt->last_details = pubkey;
/* Record the successful key to prevent reuse */
auth2_record_userkey(authctxt, key);
key = NULL; /* Don't free below */
+ } else {
+ free(pubkey);
}
buffer_free(&b);
free(sig);
@@ -228,7 +232,7 @@ done:
void
pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
{
- char *fp, *extra;
+ char *extra, *pubkey;
va_list ap;
int i;
@@ -238,27 +242,13 @@ pubkey_auth_info(Authctxt *authctxt, con
i = vasprintf(&extra, fmt, ap);
va_end(ap);
if (i < 0 || extra == NULL)
- fatal("%s: vasprintf failed", __func__);
+ fatal("%s: vasprintf failed", __func__);
}
- if (key_is_cert(key)) {
- fp = sshkey_fingerprint(key->cert->signature_key,
- options.fingerprint_hash, SSH_FP_DEFAULT);
- auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
- key_type(key), key->cert->key_id,
- (unsigned long long)key->cert->serial,
- key_type(key->cert->signature_key),
- fp == NULL ? "(null)" : fp,
- extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
- free(fp);
- } else {
- fp = sshkey_fingerprint(key, options.fingerprint_hash,
- SSH_FP_DEFAULT);
- auth_info(authctxt, "%s %s%s%s", key_type(key),
- fp == NULL ? "(null)" : fp,
- extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
- free(fp);
- }
+ pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
+ auth_info(authctxt, "%s%s%s", pubkey, extra == NULL ? "" : ", ",
+ extra == NULL ? "" : extra);
+ free(pubkey);
free(extra);
}
diff -up openssh-7.4p1/auth.h.expose-pam openssh-7.4p1/auth.h
--- openssh-7.4p1/auth.h.expose-pam 2016-12-23 15:40:26.782447870 +0100
+++ openssh-7.4p1/auth.h 2016-12-23 15:40:26.819447876 +0100
@@ -84,6 +84,9 @@ struct Authctxt {
struct sshkey **prev_userkeys;
u_int nprev_userkeys;
+
+ char *last_details;
+ char *auth_details;
};
/*
* Every authentication method has to handle authentication requests for
diff -up openssh-7.4p1/auth-pam.c.expose-pam openssh-7.4p1/auth-pam.c
--- openssh-7.4p1/auth-pam.c.expose-pam 2016-12-23 15:40:26.731447862 +0100
+++ openssh-7.4p1/auth-pam.c 2016-12-23 15:40:26.819447876 +0100
@@ -688,6 +688,11 @@ sshpam_init_ctx(Authctxt *authctxt)
return (NULL);
}
+ /* Notify PAM about any already successful auth methods */
+ if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMONLY &&
+ authctxt->auth_details)
+ do_pam_putenv("SSH_USER_AUTH", authctxt->auth_details);
+
ctxt = xcalloc(1, sizeof *ctxt);
/* Start the authentication thread */
diff -up openssh-7.4p1/gss-serv.c.expose-pam openssh-7.4p1/gss-serv.c
--- openssh-7.4p1/gss-serv.c.expose-pam 2016-12-23 15:40:26.808447874 +0100
+++ openssh-7.4p1/gss-serv.c 2016-12-23 15:40:26.819447876 +0100
@@ -441,6 +441,16 @@ ssh_gssapi_do_child(char ***envp, u_int
}
/* Privileged */
+char*
+ssh_gssapi_get_displayname(void)
+{
+ if (gssapi_client.displayname.length != 0 &&
+ gssapi_client.displayname.value != NULL)
+ return strdup((char *)gssapi_client.displayname.value);
+ return NULL;
+}
+
+/* Privileged */
int
ssh_gssapi_userok(char *user, struct passwd *pw)
{
diff -up openssh-7.4p1/monitor.c.expose-pam openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.expose-pam 2016-12-23 15:40:26.794447872 +0100
+++ openssh-7.4p1/monitor.c 2016-12-23 15:41:16.473455863 +0100
@@ -300,6 +300,7 @@ monitor_child_preauth(Authctxt *_authctx
struct ssh *ssh = active_state; /* XXX */
struct mon_table *ent;
int authenticated = 0, partial = 0;
+ char *prev_auth_details;
debug3("preauth child monitor started");
@@ -330,6 +331,18 @@ monitor_child_preauth(Authctxt *_authctx
auth_submethod = NULL;
authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
+ if (authenticated) {
+ prev_auth_details = authctxt->auth_details;
+ xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
+ prev_auth_details ? prev_auth_details : "",
+ prev_auth_details ? ", " : "", auth_method,
+ authctxt->last_details ? ": " : "",
+ authctxt->last_details ? authctxt->last_details : "");
+ free(prev_auth_details);
+ }
+ free(authctxt->last_details);
+ authctxt->last_details = NULL;
+
/* Special handling for multiple required authentications */
if (options.num_auth_methods != 0) {
if (authenticated &&
@@ -1417,6 +1430,10 @@ mm_answer_keyverify(int sock, Buffer *m)
debug3("%s: key %p signature %s",
__func__, key, (verified == 1) ? "verified" : "unverified");
+ if (verified == 1)
+ authctxt->last_details = sshkey_format_oneline(key,
+ options.fingerprint_hash);
+
/* If auth was successful then record key to ensure it isn't reused */
if (verified == 1 && key_blobtype == MM_USERKEY)
auth2_record_userkey(authctxt, key);
@@ -1860,6 +1877,9 @@ mm_answer_gss_userok(int sock, Buffer *m
auth_method = "gssapi-with-mic";
+ if (authenticated)
+ authctxt->last_details = ssh_gssapi_get_displayname();
+
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
diff -up openssh-7.4p1/servconf.c.expose-pam openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.expose-pam 2016-12-23 15:40:26.810447875 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 15:44:04.691482920 +0100
@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions
options->disable_forwarding = -1;
options->use_kuserok = -1;
options->enable_k5users = -1;
+ options->expose_auth_methods = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -354,6 +355,8 @@ fill_default_server_options(ServerOption
options->use_kuserok = 1;
if (options->enable_k5users == -1)
options->enable_k5users = 0;
+ if (options->expose_auth_methods == -1)
+ options->expose_auth_methods = EXPOSE_AUTHMETH_NEVER;
assemble_algorithms(options);
@@ -439,6 +442,7 @@ typedef enum {
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
+ sExposeAuthenticationMethods,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -595,6 +599,7 @@ static struct {
{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
+ { "exposeauthenticationmethods", sExposeAuthenticationMethods, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
@@ -984,6 +989,12 @@ static const struct multistate multistat
{ "local", FORWARD_LOCAL },
{ NULL, -1 }
};
+static const struct multistate multistate_exposeauthmeth[] = {
+ { "never", EXPOSE_AUTHMETH_NEVER },
+ { "pam-only", EXPOSE_AUTHMETH_PAMONLY },
+ { "pam-and-env", EXPOSE_AUTHMETH_PAMENV },
+ { NULL, -1}
+};
int
process_server_config_line(ServerOptions *options, char *line,
@@ -1902,6 +1913,11 @@ process_server_config_line(ServerOptions
options->fingerprint_hash = value;
break;
+ case sExposeAuthenticationMethods:
+ intptr = &options->expose_auth_methods;
+ multistate_ptr = multistate_exposeauthmeth;
+ goto parse_multistate;
+
case sDeprecated:
case sIgnore:
case sUnsupported:
@@ -2060,6 +2076,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(enable_k5users);
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
+ M_CP_INTOPT(expose_auth_methods);
/*
* The bind_mask is a mode_t that may be unsigned, so we can't use
@@ -2176,6 +2193,8 @@ fmt_intarg(ServerOpCodes code, int val)
return fmt_multistate_int(val, multistate_tcpfwd);
case sFingerprintHash:
return ssh_digest_alg_name(val);
+ case sExposeAuthenticationMethods:
+ return fmt_multistate_int(val, multistate_exposeauthmeth);
default:
switch (val) {
case 0:
@@ -2356,6 +2375,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
+ dump_cfg_fmtint(sExposeAuthenticationMethods, o->expose_auth_methods);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-7.4p1/servconf.h.expose-pam openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.expose-pam 2016-12-23 15:40:26.810447875 +0100
+++ openssh-7.4p1/servconf.h 2016-12-23 15:40:26.821447876 +0100
@@ -48,6 +48,11 @@
#define FORWARD_LOCAL (1<<1)
#define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL)
+/* Expose AuthenticationMethods */
+#define EXPOSE_AUTHMETH_NEVER 0
+#define EXPOSE_AUTHMETH_PAMONLY 1
+#define EXPOSE_AUTHMETH_PAMENV 2
+
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
@@ -195,6 +200,8 @@ typedef struct {
char *auth_methods[MAX_AUTH_METHODS];
int fingerprint_hash;
+
+ int expose_auth_methods; /* EXPOSE_AUTHMETH_* above */
} ServerOptions;
/* Information about the incoming connection as used by Match */
diff -up openssh-7.4p1/session.c.expose-pam openssh-7.4p1/session.c
--- openssh-7.4p1/session.c.expose-pam 2016-12-23 15:40:26.794447872 +0100
+++ openssh-7.4p1/session.c 2016-12-23 15:40:26.821447876 +0100
@@ -997,6 +997,12 @@ copy_environment(char **source, char ***
}
*var_val++ = '\0';
+ if (options.expose_auth_methods < EXPOSE_AUTHMETH_PAMENV &&
+ strcmp(var_name, "SSH_USER_AUTH") == 0) {
+ free(var_name);
+ continue;
+ }
+
debug3("Copy environment: %s=%s", var_name, var_val);
child_set_env(env, envsize, var_name, var_val);
@@ -1173,6 +1179,11 @@ do_setup_env(Session *s, const char *she
}
#endif /* USE_PAM */
+ if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMENV &&
+ s->authctxt->auth_details)
+ child_set_env(&env, &envsize, "SSH_USER_AUTH",
+ s->authctxt->auth_details);
+
if (auth_sock_name != NULL)
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
auth_sock_name);
@@ -2561,6 +2572,9 @@ do_cleanup(Authctxt *authctxt)
if (authctxt == NULL)
return;
+ free(authctxt->auth_details);
+ authctxt->auth_details = NULL;
+
#ifdef USE_PAM
if (options.use_pam) {
sshpam_cleanup();
diff -up openssh-7.4p1/ssh.1.expose-pam openssh-7.4p1/ssh.1
--- openssh-7.4p1/ssh.1.expose-pam 2016-12-23 15:40:26.810447875 +0100
+++ openssh-7.4p1/ssh.1 2016-12-23 15:40:26.822447877 +0100
@@ -1421,6 +1421,10 @@ server IP address, and server port numbe
This variable contains the original command line if a forced command
is executed.
It can be used to extract the original arguments.
+.It Ev SSH_USER_AUTH
+This variable contains, for SSH2 only, a comma-separated list of authentication
+methods that were successfuly used to authenticate. When possible, these
+methods are extended with detailed information on the credential used.
.It Ev SSH_TTY
This is set to the name of the tty (path to the device) associated
with the current shell or command.
diff -up openssh-7.4p1/sshd_config.5.expose-pam openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.expose-pam 2016-12-23 15:40:26.822447877 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:45:22.411495421 +0100
@@ -570,6 +570,21 @@ Disables all forwarding features, includ
TCP and StreamLocal.
This option overrides all other forwarding-related options and may
simplify restricted configurations.
+.It Cm ExposeAuthenticationMethods
+When using SSH2, this option controls the exposure of the list of
+successful authentication methods to PAM during the authentication
+and to the shell environment via the
+.Cm SSH_USER_AUTH
+variable. See the description of this variable for more details.
+Valid options are:
+.Cm never
+(Do not expose successful authentication methods),
+.Cm pam-only
+(Only expose them to PAM during authentication, not afterwards),
+.Cm pam-and-env
+(Expose them to PAM and keep them in the shell environment).
+The default is
+.Cm never .
.It Cm FingerprintHash
Specifies the hash algorithm used when logging key fingerprints.
Valid options are:
diff -up openssh-7.4p1/ssh-gss.h.expose-pam openssh-7.4p1/ssh-gss.h
--- openssh-7.4p1/ssh-gss.h.expose-pam 2016-12-23 15:40:26.811447875 +0100
+++ openssh-7.4p1/ssh-gss.h 2016-12-23 15:40:26.823447877 +0100
@@ -159,6 +159,7 @@ int ssh_gssapi_server_check_mech(Gssctxt
const char *);
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
int ssh_gssapi_userok(char *name, struct passwd *);
+char* ssh_gssapi_get_displayname(void);
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
diff -up openssh-7.4p1/sshkey.c.expose-pam openssh-7.4p1/sshkey.c
--- openssh-7.4p1/sshkey.c.expose-pam 2016-12-23 15:40:26.777447869 +0100
+++ openssh-7.4p1/sshkey.c 2016-12-23 15:40:26.823447877 +0100
@@ -57,6 +57,7 @@
#define SSHKEY_INTERNAL
#include "sshkey.h"
#include "match.h"
+#include "xmalloc.h"
/* openssh private key file format */
#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
@@ -1191,6 +1192,30 @@ sshkey_fingerprint(const struct sshkey *
return retval;
}
+char *
+sshkey_format_oneline(const struct sshkey *key, int dgst_alg)
+{
+ char *fp, *result;
+
+ if (sshkey_is_cert(key)) {
+ fp = sshkey_fingerprint(key->cert->signature_key, dgst_alg,
+ SSH_FP_DEFAULT);
+ xasprintf(&result, "%s ID %s (serial %llu) CA %s %s",
+ sshkey_type(key), key->cert->key_id,
+ (unsigned long long)key->cert->serial,
+ sshkey_type(key->cert->signature_key),
+ fp == NULL ? "(null)" : fp);
+ free(fp);
+ } else {
+ fp = sshkey_fingerprint(key, dgst_alg, SSH_FP_DEFAULT);
+ xasprintf(&result, "%s %s", sshkey_type(key),
+ fp == NULL ? "(null)" : fp);
+ free(fp);
+ }
+
+ return result;
+}
+
#ifdef WITH_SSH1
/*
* Reads a multiple-precision integer in decimal from the buffer, and advances
diff -up openssh-7.4p1/sshkey.h.expose-pam openssh-7.4p1/sshkey.h
--- openssh-7.4p1/sshkey.h.expose-pam 2016-12-23 15:40:26.777447869 +0100
+++ openssh-7.4p1/sshkey.h 2016-12-23 15:40:26.823447877 +0100
@@ -124,6 +124,7 @@ char *sshkey_fingerprint(const struct s
int, enum sshkey_fp_rep);
int sshkey_fingerprint_raw(const struct sshkey *k,
int, u_char **retp, size_t *lenp);
+char *sshkey_format_oneline(const struct sshkey *k, int dgst_alg);
const char *sshkey_type(const struct sshkey *);
const char *sshkey_cert_type(const struct sshkey *);
int sshkey_write(const struct sshkey *, FILE *);



@ -2,26 +2,25 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100 --- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100 +++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100
@@ -152,8 +152,8 @@ static int all_opens_permitted = 0; @@ -152,8 +152,8 @@ static int all_opens_permitted = 0;
#define FWD_PERMIT_ANY_HOST "*"
/* -- X11 forwarding */ /* -- X11 forwarding */
-/* Maximum number of fake X11 displays to try. */ -/* Maximum number of fake X11 displays to try. */
-#define MAX_DISPLAYS 1000 -#define MAX_DISPLAYS 1000
+/* Minimum port number for X11 forwarding */ +/* Minimum port number for X11 forwarding */
+#define X11_PORT_MIN 6000 +#define X11_PORT_MIN 6000
/* Saved X11 local (client) display. */ /*
static char *x11_saved_display = NULL; * Data structure for storing which hosts are permitted for forward requests.
@@ -4228,7 +4228,8 @@ channel_send_window_changes(void) @@ -4228,7 +4228,7 @@ channel_send_window_changes(void)
*/ */
int int
x11_create_display_inet(int x11_display_offset, int x11_use_localhost, x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
- int single_connection, u_int *display_numberp, int **chanids) - int x11_use_localhost, int single_connection,
+ int x11_max_displays, int single_connection, u_int *display_numberp, + int x11_use_localhost, int x11_max_displays, int single_connection,
+ int **chanids) u_int *display_numberp, int **chanids)
{ {
Channel *nc = NULL; Channel *nc = NULL;
int display_number, sock;
@@ -4240,10 +4241,15 @@ x11_create_display_inet(int x11_display_ @@ -4240,10 +4241,15 @@ x11_create_display_inet(int x11_display_
if (chanids == NULL) if (chanids == NULL)
return -1; return -1;
@ -38,7 +37,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
+ if (port < X11_PORT_MIN) /* overflow */ + if (port < X11_PORT_MIN) /* overflow */
+ break; + break;
memset(&hints, 0, sizeof(hints)); memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6; hints.ai_family = ssh->chanctxt->IPv4or6;
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
@@ -4295,7 +4301,7 @@ x11_create_display_inet(int x11_display_ @@ -4295,7 +4301,7 @@ x11_create_display_inet(int x11_display_
if (num_socks > 0) if (num_socks > 0)
@ -51,7 +50,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
} }
@@ -4441,7 +4447,7 @@ x11_connect_display(void) @@ -4441,7 +4447,7 @@ x11_connect_display(void)
memset(&hints, 0, sizeof(hints)); memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6; hints.ai_family = ssh->chanctxt->IPv4or6;
hints.ai_socktype = SOCK_STREAM; hints.ai_socktype = SOCK_STREAM;
- snprintf(strport, sizeof strport, "%u", 6000 + display_number); - snprintf(strport, sizeof strport, "%u", 6000 + display_number);
+ snprintf(strport, sizeof strport, "%u", X11_PORT_MIN + display_number); + snprintf(strport, sizeof strport, "%u", X11_PORT_MIN + display_number);
@ -71,8 +70,8 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
} }
freeaddrinfo(aitop); freeaddrinfo(aitop);
if (!ai) { if (!ai) {
- error("connect %.100s port %u: %.100s", buf, 6000 + display_number, - error("connect %.100s port %u: %.100s", buf,
- strerror(errno)); - 6000 + display_number, strerror(errno));
+ error("connect %.100s port %u: %.100s", buf, + error("connect %.100s port %u: %.100s", buf,
+ X11_PORT_MIN + display_number, strerror(errno)); + X11_PORT_MIN + display_number, strerror(errno));
return -1; return -1;
@ -83,13 +82,13 @@ diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
+++ openssh-7.4p1/channels.h 2016-12-23 15:46:32.139506636 +0100 +++ openssh-7.4p1/channels.h 2016-12-23 15:46:32.139506636 +0100
@@ -293,7 +293,7 @@ int permitopen_port(const char *); @@ -293,7 +293,7 @@ int permitopen_port(const char *);
void channel_set_x11_refuse_time(u_int); void channel_set_x11_refuse_time(struct ssh *, u_int);
int x11_connect_display(void); int x11_connect_display(struct ssh *);
-int x11_create_display_inet(int, int, int, u_int *, int **); -int x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **);
+int x11_create_display_inet(int, int, int, int, u_int *, int **); +int x11_create_display_inet(struct ssh *, int, int, int, int, u_int *, int **);
int x11_input_open(int, u_int32_t, void *); void x11_request_forwarding_with_spoofing(struct ssh *, int,
void x11_request_forwarding_with_spoofing(int, const char *, const char *, const char *, const char *, const char *, int);
const char *, int);
diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.x11max 2016-12-23 15:46:32.133506635 +0100 --- openssh-7.4p1/servconf.c.x11max 2016-12-23 15:46:32.133506635 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 15:47:27.320519121 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 15:47:27.320519121 +0100
@ -179,7 +178,7 @@ diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c
@@ -2518,8 +2518,9 @@ session_setup_x11fwd(Session *s) @@ -2518,8 +2518,9 @@ session_setup_x11fwd(Session *s)
return 0; return 0;
} }
if (x11_create_display_inet(options.x11_display_offset, if (x11_create_display_inet(ssh, options.x11_display_offset,
- options.x11_use_localhost, s->single_connection, - options.x11_use_localhost, s->single_connection,
- &s->display_number, &s->x11_chanids) == -1) { - &s->display_number, &s->x11_chanids) == -1) {
+ options.x11_use_localhost, options.x11_max_displays, + options.x11_use_localhost, options.x11_max_displays,
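Review bot: The wrap guard `if (port < X11_PORT_MIN) /* overflow */ break;` in x11_create_display_inet tests the value after the addition that produced it, and that addition sits outside the hunk; if `port` is an int the overflow is undefined behaviour and the compiler may drop the comparison, and if it is narrower than int a wrapped value that lands at or above X11_PORT_MIN still passes. Because the loop bound now comes from the configurable `x11_max_displays`, the safer fix is to reject out-of-range values where the option is parsed, or to bound the display number before adding, e.g. `if (display_number > 65535 - X11_PORT_MIN) break;`. The enclosing function continues outside the hunk.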


@ -62,8 +62,8 @@ index 954a0dd..0819483 100644
char *krb5_ccname; char *krb5_ccname;
+ int krb5_set_env; + int krb5_set_env;
#endif #endif
Buffer *loginmsg; struct sshbuf *loginmsg;
void *methoddata;
@@ -220,7 +221,7 @@ int sys_auth_passwd(Authctxt *, const char *); @@ -220,7 +221,7 @@ int sys_auth_passwd(Authctxt *, const char *);
#if defined(KRB5) && !defined(HEIMDAL) #if defined(KRB5) && !defined(HEIMDAL)
@ -240,9 +240,9 @@ index 6f2b0ac..73ef2c2 100644
void ssh_gssapi_cleanup_creds(void); void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void); -void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void); +int ssh_gssapi_storecreds(void);
const char *ssh_gssapi_displayname(void);
char *ssh_gssapi_server_mechanisms(void); char *ssh_gssapi_server_mechanisms(void);
int ssh_gssapi_oid_table_ok();
diff --git a/sshd.c b/sshd.c diff --git a/sshd.c b/sshd.c
index ce2e374..3c4e13e 100644 index ce2e374..3c4e13e 100644
--- a/sshd.c --- a/sshd.c


@ -1,28 +1,3 @@
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 3a1aedce72c2..a8d472a63ccb 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -50,6 +50,9 @@
#include <elf.h>
#include <asm/unistd.h>
+#ifdef __s390__
+#include <asm/zcrypt.h>
+#endif
#include <errno.h>
#include <signal.h>
@@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = {
* x86-64 syscall under some circumstances, e.g.
* https://bugs.debian.org/849923
*/
- SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
+ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
#endif
/* Default deny */
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11 and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the implementation) which calls the libraries that will communicate with the



@ -0,0 +1,253 @@
diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.refactor 2017-09-27 13:10:19.556830609 +0200
+++ openssh/auth2-pubkey.c 2017-09-27 13:10:19.677831274 +0200
@@ -72,6 +72,9 @@
extern ServerOptions options;
extern u_char *session_id2;
extern u_int session_id2_len;
+extern int inetd_flag;
+extern int rexeced_flag;
+extern Authctxt *the_authctxt;
static int
userauth_pubkey(struct ssh *ssh)
@@ -432,7 +435,8 @@ match_principals_command(struct passwd *
if ((pid = subprocess("AuthorizedPrincipalsCommand", pw, command,
ac, av, &f,
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
goto out;
uid_swapped = 1;
@@ -762,7 +766,8 @@ user_key_command_allowed2(struct passwd
if ((pid = subprocess("AuthorizedKeysCommand", pw, command,
ac, av, &f,
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
goto out;
uid_swapped = 1;
diff -up openssh/misc.c.refactor openssh/misc.c
--- openssh/misc.c.refactor 2017-09-27 13:10:19.640831071 +0200
+++ openssh/misc.c 2017-09-27 13:10:19.678831279 +0200
@@ -1435,7 +1435,8 @@ argv_assemble(int argc, char **argv)
*/
pid_t
subprocess(const char *tag, struct passwd *pw, const char *command,
- int ac, char **av, FILE **child, u_int flags)
+ int ac, char **av, FILE **child, u_int flags, int inetd,
+ void *the_authctxt)
{
FILE *f = NULL;
struct stat st;
@@ -1551,7 +1552,7 @@ subprocess(const char *tag, struct passw
}
#ifdef WITH_SELINUX
- if (sshd_selinux_setup_env_variables() < 0) {
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
error ("failed to copy environment: %s",
strerror(errno));
_exit(127);
diff -up openssh/misc.h.refactor openssh/misc.h
--- openssh/misc.h.refactor 2017-09-25 01:48:10.000000000 +0200
+++ openssh/misc.h 2017-09-27 13:10:19.678831279 +0200
@@ -144,7 +144,7 @@ int exited_cleanly(pid_t, const char *,
#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */
#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */
pid_t subprocess(const char *, struct passwd *,
- const char *, int, char **, FILE **, u_int flags);
+ const char *, int, char **, FILE **, u_int flags, int, void *);
struct stat;
int safe_path(const char *, struct stat *, const char *, uid_t,
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
--- openssh/openbsd-compat/port-linux.h.refactor 2017-09-27 13:10:19.634831038 +0200
+++ openssh/openbsd-compat/port-linux.h 2017-09-27 13:10:54.954025248 +0200
@@ -26,8 +26,8 @@ void ssh_selinux_setfscreatecon(const ch
int sshd_selinux_enabled(void);
void sshd_selinux_copy_context(void);
-void sshd_selinux_setup_exec_context(char *);
-int sshd_selinux_setup_env_variables(void);
+void sshd_selinux_setup_exec_context(char *, int, int(char *, const char *), void *, int);
+int sshd_selinux_setup_env_variables(int inetd, void *);
void sshd_selinux_change_privsep_preauth_context(void);
#endif
diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c
--- openssh/openbsd-compat/port-linux-sshd.c.refactor 2017-09-27 13:10:19.634831038 +0200
+++ openssh/openbsd-compat/port-linux-sshd.c 2017-09-27 13:12:06.811420371 +0200
@@ -48,11 +48,6 @@
#include <unistd.h>
#endif
-extern ServerOptions options;
-extern Authctxt *the_authctxt;
-extern int inetd_flag;
-extern int rexeced_flag;
-
/* Wrapper around is_selinux_enabled() to log its return value once only */
int
sshd_selinux_enabled(void)
@@ -222,7 +217,8 @@ get_user_context(const char *sename, con
}
static void
-ssh_selinux_get_role_level(char **role, const char **level)
+ssh_selinux_get_role_level(char **role, const char **level,
+ Authctxt *the_authctxt)
{
*role = NULL;
*level = NULL;
@@ -240,8 +236,8 @@ ssh_selinux_get_role_level(char **role,
/* Return the default security context for the given username */
static int
-sshd_selinux_getctxbyname(char *pwname,
- security_context_t *default_sc, security_context_t *user_sc)
+sshd_selinux_getctxbyname(char *pwname, security_context_t *default_sc,
+ security_context_t *user_sc, int inetd, Authctxt *the_authctxt)
{
char *sename, *lvl;
char *role;
@@ -249,7 +245,7 @@ sshd_selinux_getctxbyname(char *pwname,
int r = 0;
context_t con = NULL;
- ssh_selinux_get_role_level(&role, &reqlvl);
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
#ifdef HAVE_GETSEUSERBYNAME
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
@@ -271,7 +267,7 @@ sshd_selinux_getctxbyname(char *pwname,
if (r == 0) {
/* If launched from xinetd, we must use current level */
- if (inetd_flag && !rexeced_flag) {
+ if (inetd) {
security_context_t sshdsc=NULL;
if (getcon_raw(&sshdsc) < 0)
@@ -332,7 +328,8 @@ sshd_selinux_getctxbyname(char *pwname,
/* Setup environment variables for pam_selinux */
static int
-sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *), int inetd,
+ Authctxt *the_authctxt)
{
const char *reqlvl;
char *role;
@@ -341,11 +338,11 @@ sshd_selinux_setup_variables(int(*set_it
debug3("%s: setting execution context", __func__);
- ssh_selinux_get_role_level(&role, &reqlvl);
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
- if (inetd_flag && !rexeced_flag) {
+ if (inetd) {
use_current = "1";
} else {
use_current = "";
@@ -361,9 +358,10 @@ sshd_selinux_setup_variables(int(*set_it
}
static int
-sshd_selinux_setup_pam_variables(void)
+sshd_selinux_setup_pam_variables(int inetd,
+ int(pam_setenv)(char *, const char *), Authctxt *the_authctxt)
{
- return sshd_selinux_setup_variables(do_pam_putenv);
+ return sshd_selinux_setup_variables(pam_setenv, inetd, the_authctxt);
}
static int
@@ -373,25 +371,28 @@ do_setenv(char *name, const char *value)
}
int
-sshd_selinux_setup_env_variables(void)
+sshd_selinux_setup_env_variables(int inetd, void *the_authctxt)
{
- return sshd_selinux_setup_variables(do_setenv);
+ Authctxt *authctxt = (Authctxt *) the_authctxt;
+ return sshd_selinux_setup_variables(do_setenv, inetd, authctxt);
}
/* Set the execution context to the default for the specified user */
void
-sshd_selinux_setup_exec_context(char *pwname)
+sshd_selinux_setup_exec_context(char *pwname, int inetd,
+ int(pam_setenv)(char *, const char *), void *the_authctxt, int use_pam)
{
security_context_t user_ctx = NULL;
int r = 0;
security_context_t default_ctx = NULL;
+ Authctxt *authctxt = (Authctxt *) the_authctxt;
if (!sshd_selinux_enabled())
return;
- if (options.use_pam) {
+ if (use_pam) {
/* do not compute context, just setup environment for pam_selinux */
- if (sshd_selinux_setup_pam_variables()) {
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
switch (security_getenforce()) {
case -1:
fatal("%s: security_getenforce() failed", __func__);
@@ -409,7 +410,7 @@ sshd_selinux_setup_exec_context(char *pw
debug3("%s: setting execution context", __func__);
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
if (r >= 0) {
r = setexeccon(user_ctx);
if (r < 0) {
diff -up openssh/platform.c.refactor openssh/platform.c
--- openssh/platform.c.refactor 2017-09-27 13:10:19.574830708 +0200
+++ openssh/platform.c 2017-09-27 13:11:45.475303050 +0200
@@ -33,6 +33,9 @@
extern int use_privsep;
extern ServerOptions options;
+extern int inetd_flag;
+extern int rexeced_flag;
+extern Authctxt *the_authctxt;
void
platform_pre_listen(void)
@@ -184,7 +187,9 @@ platform_setusercontext_post_groups(stru
}
#endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX
- sshd_selinux_setup_exec_context(pw->pw_name);
+ sshd_selinux_setup_exec_context(pw->pw_name,
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
+ options.use_pam);
#endif
}
diff -up openssh/sshd.c.refactor openssh/sshd.c
--- openssh/sshd.c.refactor 2017-09-27 13:10:19.674831257 +0200
+++ openssh/sshd.c 2017-09-27 13:12:01.635391909 +0200
@@ -2135,7 +2135,9 @@ main(int ac, char **av)
}
#endif
#ifdef WITH_SELINUX
- sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
+ options.use_pam);
#endif
#ifdef USE_PAM
if (options.use_pam) {
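Review bot: The two parameters added to subprocess() in the misc.c and misc.h hunks, `int inetd` and `void *the_authctxt`, are undocumented, and their meaning is only recoverable from the auth2-pubkey.c callers, which pass `(inetd_flag && !rexeced_flag)`, and from port-linux-sshd.c, where a non-zero inetd makes the SELinux code keep the current level. Suggest a comment on the misc.h prototype such as `/* inetd: sshd was started by (x)inetd and not re-executed, so the SELinux code keeps its current level; the_authctxt: the Authctxt *, passed through opaquely to sshd_selinux_setup_env_variables() */`. Passing the Authctxt as `void *` in misc.h and port-linux.h and casting it back in sshd_selinux_setup_env_variables() and sshd_selinux_setup_exec_context() discards type checking at the boundary; a forward-declared struct pointer would keep it typed without pulling auth.h into misc.h. The cast pointer reaches ssh_selinux_get_role_level(), whose body is outside the hunk, so if it dereferences the pointer and any caller can hand in NULL, a guard at the cast is cheap insurance.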


@ -65,10 +65,10 @@
%endif %endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 7.5p1 %global openssh_ver 7.6p1
%global openssh_rel 6 %global openssh_rel 1
%global pam_ssh_agent_ver 0.10.3 %global pam_ssh_agent_ver 0.10.3
%global pam_ssh_agent_rel 2 %global pam_ssh_agent_rel 3
Summary: An open source implementation of SSH protocol version 2 Summary: An open source implementation of SSH protocol version 2
Name: openssh Name: openssh
@ -107,7 +107,7 @@ Patch104: openssh-7.3p1-openssl-1.1.0.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248 # https://bugzilla.redhat.com/show_bug.cgi?id=1171248
# record pfs= field in CRYPTO_SESSION audit event # record pfs= field in CRYPTO_SESSION audit event
Patch200: openssh-7.2p1-audit.patch Patch200: openssh-7.6p1-audit.patch
# Audit race condition in forked child (#1310684) # Audit race condition in forked child (#1310684)
Patch201: openssh-7.1p2-audit-race-condition.patch Patch201: openssh-7.1p2-audit-race-condition.patch
@ -223,15 +223,14 @@ Patch932: openssh-7.0p1-gssKexAlgorithms.patch
Patch933: openssh-7.0p1-show-more-fingerprints.patch Patch933: openssh-7.0p1-show-more-fingerprints.patch
# make s390 use /dev/ crypto devices -- ignore closefrom # make s390 use /dev/ crypto devices -- ignore closefrom
Patch939: openssh-7.2p2-s390-closefrom.patch Patch939: openssh-7.2p2-s390-closefrom.patch
# expose more information to PAM
# https://github.com/openssh/openssh-portable/pull/47
Patch940: openssh-7.2p2-expose-pam.patch
# Move MAX_DISPLAYS to a configuration option (#1341302) # Move MAX_DISPLAYS to a configuration option (#1341302)
Patch944: openssh-7.3p1-x11-max-displays.patch Patch944: openssh-7.3p1-x11-max-displays.patch
# Help systemd to track the running service # Help systemd to track the running service
Patch948: openssh-7.4p1-systemd.patch Patch948: openssh-7.4p1-systemd.patch
# Fix typo in sandbox code; missing header for s390 # Pass inetd flags for SELinux down to openbsd compat level
Patch949: openssh-7.5p1-sandbox.patch Patch949: openssh-7.6p1-cleanup-selinux.patch
# Sandbox adjustments for s390 and audit
Patch950: openssh-7.5p1-sandbox.patch
License: BSD License: BSD
@ -451,11 +450,11 @@ popd
%patch932 -p1 -b .gsskexalg %patch932 -p1 -b .gsskexalg
%patch933 -p1 -b .fingerprint %patch933 -p1 -b .fingerprint
%patch939 -p1 -b .s390-dev %patch939 -p1 -b .s390-dev
%patch940 -p1 -b .expose-pam
%patch944 -p1 -b .x11max %patch944 -p1 -b .x11max
%patch948 -p1 -b .systemd %patch948 -p1 -b .systemd
%patch949 -p1 -b .sandbox
%patch807 -p1 -b .gsskex-ec %patch807 -p1 -b .gsskex-ec
%patch949 -p1 -b .refactor
%patch950 -p1 -b .sandbox
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race
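Review bot: Dropping Patch940 (`Patch940: openssh-7.2p2-expose-pam.patch` and `%patch940 -p1 -b .expose-pam`) also drops the `ExposeAuthenticationMethods` sshd_config keyword that patch registered, so a deployed sshd_config that sets it will be rejected as an unknown option at the next sshd start unless the keyword is carried elsewhere. Since this commit is a rebase rather than a deliberate option removal, either keep a small compatibility patch that accepts and ignores the keyword, or call the removal out in %changelog so administrators can drop the directive before updating. The SSH_USER_AUTH environment variable the patch provided goes away with it, which scripts relying on it will notice only at runtime.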


@ -1,6 +1,6 @@
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/identity.h
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h.psaa-agent 2014-03-31 19:35:16.000000000 +0200 --- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent 2016-11-13 04:24:32.000000000 +0100
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h 2016-01-22 15:47:15.999919059 +0100 +++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2017-09-27 14:25:49.421739027 +0200
@@ -38,6 +38,12 @@ @@ -38,6 +38,12 @@
typedef struct identity Identity; typedef struct identity Identity;
typedef struct idlist Idlist; typedef struct idlist Idlist;
@ -14,9 +14,9 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h.psaa-agent openssh-7
struct identity { struct identity {
TAILQ_ENTRY(identity) next; TAILQ_ENTRY(identity) next;
AuthenticationConnection *ac; /* set if agent supports key */ AuthenticationConnection *ac; /* set if agent supports key */
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-agent 2016-01-22 15:47:15.998919060 +0100 --- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c 2016-01-22 15:53:38.427768239 +0100 +++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-09-27 14:25:49.421739027 +0200
@@ -39,6 +39,7 @@ @@ -39,6 +39,7 @@
#include "buffer.h" #include "buffer.h"
#include "key.h" #include "key.h"
@ -25,7 +25,7 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-a
#include <stdio.h> #include <stdio.h>
#include <openssl/evp.h> #include <openssl/evp.h>
#include "ssh2.h" #include "ssh2.h"
@@ -285,36 +286,44 @@ pamsshagentauth_find_authorized_keys(con @@ -291,36 +292,43 @@ pamsshagentauth_find_authorized_keys(con
{ {
Buffer session_id2 = { 0 }; Buffer session_id2 = { 0 };
Identity *id; Identity *id;
@ -44,8 +44,7 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-a
if ((ac = ssh_get_authentication_connection_for_uid(uid))) { if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
verbose("Contacted ssh-agent of user %s (%u)", ruser, uid); verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
- for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2)) - for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
+ if ((r = ssh_fetch_identitylist(ac->fd, 2, + if ((r = ssh_fetch_identitylist(ac->fd, &idlist)) != 0) {
+ &idlist)) != 0) {
+ if (r != SSH_ERR_AGENT_NO_IDENTITIES) + if (r != SSH_ERR_AGENT_NO_IDENTITIES)
+ fprintf(stderr, "error fetching identities for " + fprintf(stderr, "error fetching identities for "
+ "protocol %d: %s\n", 2, ssh_err(r)); + "protocol %d: %s\n", 2, ssh_err(r));
@ -79,10 +78,60 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-a
} }
else { else {
verbose("No ssh-agent could be contacted"); verbose("No ssh-agent could be contacted");
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-agent 2016-01-22 15:47:15.995919061 +0100 --- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-agent 2017-09-27 14:26:04.277820716 +0200
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c 2016-01-22 16:06:20.611464261 +0100 +++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2017-09-27 14:26:34.426986497 +0200
@@ -55,10 +55,11 @@ extern uint8_t session_id_len; @@ -70,7 +70,7 @@ pamsshagentauth_check_authkeys_file(FILE
char *fp;
found_key = 0;
- found = key_new(key->type);
+ found = sshkey_new(key->type);
while(read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
char *cp = NULL; /* *key_options = NULL; */
@@ -80,7 +80,7 @@ pamsshagentauth_check_authkeys_file(FILE
if(!*cp || *cp == '\n' || *cp == '#')
continue;
- if(key_read(found, &cp) != 1) {
+ if(sshkey_read(found, &cp) != 0) {
/* no key? check if there are options for this key */
int quoted = 0;
@@ -94,24 +94,24 @@ pamsshagentauth_check_authkeys_file(FILE
}
/* Skip remaining whitespace. */
for(; *cp == ' ' || *cp == '\t'; cp++);
- if(key_read(found, &cp) != 1) {
+ if(sshkey_read(found, &cp) != 0) {
verbose("user_key_allowed: advance: '%s'", cp);
/* still no key? advance to next line */
continue;
}
}
- if(key_equal(found, key)) {
+ if(sshkey_equal(found, key)) {
found_key = 1;
logit("matching key found: file/command %s, line %lu", file,
linenum);
fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
logit("Found matching %s key: %s",
- key_type(found), fp);
+ sshkey_type(found), fp);
free(fp);
break;
}
}
- key_free(found);
+ sshkey_free(found);
if(!found_key)
verbose("key not found");
return found_key;
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-09-27 14:25:49.422739032 +0200
@@ -57,10 +57,11 @@ extern uint8_t session_id_len;
int int
userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2) userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
{ {
@ -96,25 +145,12 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-
int authenticated = 0; int authenticated = 0;
pkalg = (char *) key_ssh_name(id->key); pkalg = (char *) key_ssh_name(id->key);
@@ -82,7 +83,7 @@ userauth_pubkey_from_id(const char *ruse @@ -84,7 +85,7 @@ userauth_pubkey_from_id(const char *ruse
buffer_put_cstring(&b, pkalg); buffer_put_cstring(&b, pkalg);
buffer_put_string(&b, pkblob, blen); buffer_put_string(&b, pkblob, blen);
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0) - if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0)
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0)
goto user_auth_clean_exit;
/* test for correct signature */
diff --git a/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
--- a/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
+++ b/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
@@ -85,7 +85,7 @@ userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
buffer_put_cstring(&b, pkalg);
buffer_put_string(&b, pkblob, blen);
- if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0)
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) != 0) + if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) != 0)
goto user_auth_clean_exit; goto user_auth_clean_exit;
/* test for correct signature */ /* test for correct signature */