improve reseeding and seed source (cocumentation)

openssh-5.8p1-keycat.patch

@@ -25,7 +25,7 @@ diff -up openssh-5.8p1/HOWTO.ssh-keycat.keycat openssh-5.8p1/HOWTO.ssh-keycat
 +polyinstantiation of home directories and SELinux MLS policy enabled.
 +
 +To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
-+        AuthorizedKeysCommand "/usr/libexec/openssh/ssh-keycat"
++        AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
 +        AuthorizedKeysCommandRunAs root
 +
 +Do not forget to enable public key authentication:

openssh-5.8p1-reseed.patch

@@ -1,53 +0,0 @@
-diff -up openssh-5.8p1/sshd.c.reseed openssh-5.8p1/sshd.c
---- openssh-5.8p1/sshd.c.reseed	2011-03-16 15:48:47.870648161 +0100
-+++ openssh-5.8p1/sshd.c	2011-03-16 18:55:52.998648933 +0100
-@@ -225,6 +225,8 @@ static volatile sig_atomic_t key_do_rege
- static volatile sig_atomic_t received_sighup = 0;
- static volatile sig_atomic_t received_sigterm = 0;
- 
-+static volatile int need_reseed = 0;
-+
- /* session identifier, used by RSA-auth */
- u_char session_id[16];
- 
-@@ -396,6 +398,9 @@ generate_ephemeral_server_key(void)
- 	arc4random_stir();
- }
- 
-+/*
-+ * Signal handler for the alarm in the accept loop.
-+ */
- /*ARGSUSED*/
- static void
- key_regeneration_alarm(int sig)
-@@ -405,6 +410,7 @@ key_regeneration_alarm(int sig)
- 	signal(SIGALRM, SIG_DFL);
- 	errno = save_errno;
- 	key_do_regen = 1;
-+	need_reseed = 1;
- }
- 
- static void
-@@ -1277,6 +1285,13 @@ server_accept_loop(int *sock_in, int *so
- 			 * the child process the connection. The
- 			 * parent continues listening.
- 			 */
-+			if (need_reseed) {
-+				seed_rng();
-+				logit("random reseeded");
-+				need_reseed = 0;
-+				signal(SIGALRM, key_regeneration_alarm);
-+				alarm(options.key_regeneration_time);
-+			}
- 			platform_pre_fork();
- 			if ((pid = fork()) == 0) {
- 				/*
-@@ -1836,6 +1852,8 @@ main(int ac, char **av)
- 		signal(SIGCHLD, main_sigchld_handler);
- 		signal(SIGTERM, sigterm_handler);
- 		signal(SIGQUIT, sigterm_handler);
-+		signal(SIGALRM, key_regeneration_alarm);
-+		alarm(options.key_regeneration_time);
- 
- 		/*
- 		 * Write out the pid file after the sigterm handler

openssh-5.8p1-reseed2.patch

@@ -1,15 +0,0 @@
-diff -up openssh-5.8p1/sshd_config.5.reseed2 openssh-5.8p1/sshd_config.5
---- openssh-5.8p1/sshd_config.5.reseed2	2011-03-27 19:51:00.881648385 +0200
-+++ openssh-5.8p1/sshd_config.5	2011-03-27 20:01:31.608759007 +0200
-@@ -618,7 +618,10 @@ The default is
- .Dq diffie-hellman-group14-sha1 ,
- .Dq diffie-hellman-group1-sha1 .
- .It Cm KeyRegenerationInterval
--In protocol version 1, the ephemeral server key is automatically regenerated
-+The time interval between the OpenSSL random generator reseedings. The generator is reseeded
-+to prevent the possibility of estimation the next random values. The rancom generator 
-+is not reseeded in the case, that there are no connections.
-+Additionally in protocol version 1, the ephemeral server key is automatically regenerated
- after this many seconds (if it has been used).
- The purpose of regeneration is to prevent
- decrypting captured sessions by later breaking into the machine and

openssh.spec

@@ -115,9 +115,6 @@ Patch104: openssh-5.8p1-audit4a.patch
 Patch5: openssh-5.8p1-audit5.patch
 Patch105: openssh-5.8p1-audit5a.patch
 #?
-Patch6: openssh-5.8p1-reseed.patch
-Patch106: openssh-5.8p1-reseed2.patch
-#?
 Patch7: openssh-5.8p1-entropy.patch
 Patch107: openssh-5.8p1-entropy2.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
@@ -340,8 +337,6 @@ The module is most useful for su and sudo service stacks.
 %patch104 -p1 -b .audit4a
 %patch5 -p1 -b .audit5
 %patch105 -p1 -b .audit5a
-%patch6 -p1 -b .reseed
-%patch106 -p1 -b .reseed2
 %patch7 -p1 -b .entropy
 %patch107 -p1 -b .entropy2
 %patch9 -p1 -b .vendor