import openssh-7.8p1-4.el8

.gitignore

@@ -0,0 +1,3 @@
+SOURCES/DJM-GPG-KEY.gpg
+SOURCES/openssh-7.8p1.tar.gz
+SOURCES/pam_ssh_agent_auth-0.10.3.tar.bz2

.openssh.metadata

@@ -0,0 +1,3 @@
+bed7240bb17840b451b8f8457791c33456814d93 SOURCES/DJM-GPG-KEY.gpg
+27e267e370315561de96577fccae563bc2c37a60 SOURCES/openssh-7.8p1.tar.gz
+a4482a050fdad1d012427e45799564136708cf6b SOURCES/pam_ssh_agent_auth-0.10.3.tar.bz2

SOURCES/openssh-4.3p2-askpass-grab-info.patch

@@ -0,0 +1,19 @@
+diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c
+--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info	2016-12-23 13:31:22.645213115 +0100
++++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c	2016-12-23 13:31:40.997216691 +0100
+@@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi
+ 	err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
+ 				     GTK_MESSAGE_ERROR,
+ 				     GTK_BUTTONS_CLOSE,
+-				     "Could not grab %s. "
+-				     "A malicious client may be eavesdropping "
+-				     "on your session.", what);
++				     "SSH password dialog could not grab the %s input.\n"
++				     "This might be caused by application such as screensaver, "
++				     "however it could also mean that someone may be eavesdropping "
++				     "on your session.\n"
++				     "Either close the application which grabs the %s or "
++				     "log out and log in again to prevent this from happening.", what, what);
+ 	gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
+ 
+ 	gtk_dialog_run(GTK_DIALOG(err));

SOURCES/openssh-5.1p1-askpass-progress.patch

@@ -0,0 +1,81 @@
+diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contrib/gnome-ssh-askpass2.c
+--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress	2016-12-19 05:59:41.000000000 +0100
++++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c	2016-12-23 13:31:16.545211926 +0100
+@@ -53,6 +53,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <X11/Xlib.h>
++#include <glib.h>
+ #include <gtk/gtk.h>
+ #include <gdk/gdkx.h>
+ 
+@@ -81,13 +82,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
+ 	gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+ }
+ 
++static void
++move_progress(GtkWidget *entry, gpointer progress)
++{
++	gdouble step;
++	g_return_if_fail(GTK_IS_PROGRESS_BAR(progress));
++	
++	step = g_random_double_range(0.03, 0.1);
++	gtk_progress_bar_set_pulse_step(GTK_PROGRESS_BAR(progress), step);
++	gtk_progress_bar_pulse(GTK_PROGRESS_BAR(progress));
++}
++
+ static int
+ passphrase_dialog(char *message)
+ {
+ 	const char *failed;
+ 	char *passphrase, *local;
+ 	int result, grab_tries, grab_server, grab_pointer;
+-	GtkWidget *parent_window, *dialog, *entry;
++	GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
+ 	GdkGrabStatus status;
+ 
+ 	grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
+@@ -104,14 +116,32 @@ passphrase_dialog(char *message)
+ 					"%s",
+ 					message);
+ 
++	hbox = gtk_hbox_new(FALSE, 0);
++	gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
++	    FALSE, 0);
++	gtk_widget_show(hbox);
++
+ 	entry = gtk_entry_new();
+ 	gtk_box_pack_start(
+-	    GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), entry,
+-	    FALSE, FALSE, 0);
++	    GTK_BOX(hbox), entry,
++	    TRUE, FALSE, 0);
++	gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
+ 	gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+ 	gtk_widget_grab_focus(entry);
+ 	gtk_widget_show(entry);
+ 
++	hbox = gtk_hbox_new(FALSE, 0);
++	gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
++	    FALSE, 8);
++	gtk_widget_show(hbox);
++
++	progress = gtk_progress_bar_new();
++	
++	gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally");
++	gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
++	    TRUE, 5);
++	gtk_widget_show(progress);
++
+ 	gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
+ 	gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
+ 	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
+@@ -120,6 +150,8 @@ passphrase_dialog(char *message)
+ 	gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+ 	g_signal_connect(G_OBJECT(entry), "activate",
+ 			 G_CALLBACK(ok_dialog), dialog);
++	g_signal_connect(G_OBJECT(entry), "changed",
++			 G_CALLBACK(move_progress), progress);
+ 
+ 	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
+ 

SOURCES/openssh-5.8p2-sigpipe.patch

@@ -0,0 +1,12 @@
+diff -up openssh-5.8p2/ssh-keyscan.c.sigpipe openssh-5.8p2/ssh-keyscan.c
+--- openssh-5.8p2/ssh-keyscan.c.sigpipe	2011-08-23 18:30:33.873025916 +0200
++++ openssh-5.8p2/ssh-keyscan.c	2011-08-23 18:32:24.574025362 +0200
+@@ -715,6 +715,8 @@ main(int argc, char **argv)
+ 		fdlim_set(maxfd);
+ 	fdcon = xcalloc(maxfd, sizeof(con));
+ 
++	signal(SIGPIPE, SIG_IGN);
++
+ 	read_wait_nfdset = howmany(maxfd, NFDBITS);
+ 	read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask));
+ 

SOURCES/openssh-5.9p1-ipv6man.patch

@@ -0,0 +1,24 @@
+diff -up openssh-5.9p0/ssh.1.ipv6man openssh-5.9p0/ssh.1
+--- openssh-5.9p0/ssh.1.ipv6man	2011-08-05 22:17:32.000000000 +0200
++++ openssh-5.9p0/ssh.1	2011-08-31 13:08:34.880024485 +0200
+@@ -1400,6 +1400,8 @@ manual page for more information.
+ .Nm
+ exits with the exit status of the remote command or with 255
+ if an error occurred.
++.Sh IPV6
++IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
+ .Sh SEE ALSO
+ .Xr scp 1 ,
+ .Xr sftp 1 ,
+diff -up openssh-5.9p0/sshd.8.ipv6man openssh-5.9p0/sshd.8
+--- openssh-5.9p0/sshd.8.ipv6man	2011-08-05 22:17:32.000000000 +0200
++++ openssh-5.9p0/sshd.8	2011-08-31 13:10:34.129039094 +0200
+@@ -940,6 +940,8 @@ concurrently for different ports, this c
+ started last).
+ The content of this file is not sensitive; it can be world-readable.
+ .El
++.Sh IPV6
++IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
+ .Sh SEE ALSO
+ .Xr scp 1 ,
+ .Xr sftp 1 ,

SOURCES/openssh-5.9p1-wIm.patch

@@ -0,0 +1,78 @@
+diff -up openssh-5.9p1/Makefile.in.wIm openssh-5.9p1/Makefile.in
+--- openssh-5.9p1/Makefile.in.wIm	2011-08-05 22:15:18.000000000 +0200
++++ openssh-5.9p1/Makefile.in	2011-09-12 16:24:18.643674014 +0200
+@@ -66,7 +66,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
+ 	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
+ 	compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
+ 	log.o match.o md-sha256.o moduli.o nchan.o packet.o \
+-	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
++	readpass.o rsa.o ttymodes.o whereIam.o xmalloc.o addrmatch.o \
+ 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
+ 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
+ 	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
+diff -up openssh-5.9p1/log.h.wIm openssh-5.9p1/log.h
+--- openssh-5.9p1/log.h.wIm	2011-06-20 06:42:23.000000000 +0200
++++ openssh-5.9p1/log.h	2011-09-12 16:34:52.984674326 +0200
+@@ -65,6 +65,8 @@ void     verbose(const char *, ...) __at
+ void     debug(const char *, ...) __attribute__((format(printf, 1, 2)));
+ void     debug2(const char *, ...) __attribute__((format(printf, 1, 2)));
+ void     debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
++void	 _debug_wIm_body(const char *, int, const char *, const char *, int);
++#define	debug_wIm(a,b) _debug_wIm_body(a,b,__func__,__FILE__,__LINE__)
+ 
+ 
+ void	 set_log_handler(log_handler_fn *, void *);
+diff -up openssh-5.9p1/sshd.c.wIm openssh-5.9p1/sshd.c
+--- openssh-5.9p1/sshd.c.wIm	2011-06-23 11:45:51.000000000 +0200
++++ openssh-5.9p1/sshd.c	2011-09-12 16:38:35.787816490 +0200
+@@ -140,6 +140,9 @@ int deny_severity;
+ 
+ extern char *__progname;
+ 
++/* trace of fork processes */
++extern int whereIam;
++
+ /* Server configuration options. */
+ ServerOptions options;
+ 
+@@ -666,6 +669,7 @@ privsep_preauth(Authctxt *authctxt)
+ 		return 1;
+ 	} else {
+ 		/* child */
++		whereIam = 1;
+ 		close(pmonitor->m_sendfd);
+ 		close(pmonitor->m_log_recvfd);
+ 
+@@ -715,6 +719,7 @@ privsep_postauth(Authctxt *authctxt)
+ 
+ 	/* child */
+ 
++	whereIam = 2;
+ 	close(pmonitor->m_sendfd);
+ 	pmonitor->m_sendfd = -1;
+ 
+@@ -1325,6 +1330,8 @@ main(int ac, char **av)
+ 	Key *key;
+ 	Authctxt *authctxt;
+ 
++	whereIam = 0;
++
+ #ifdef HAVE_SECUREWARE
+ 	(void)set_auth_parameters(ac, av);
+ #endif
+diff -up openssh-5.9p1/whereIam.c.wIm openssh-5.9p1/whereIam.c
+--- openssh-5.9p1/whereIam.c.wIm	2011-09-12 16:24:18.722674167 +0200
++++ openssh-5.9p1/whereIam.c	2011-09-12 16:24:18.724674418 +0200
+@@ -0,0 +1,12 @@
++
++int whereIam = -1;
++
++void _debug_wIm_body(const char *txt, int val, const char *func, const char *file, int line)
++{
++	if (txt)
++		debug("%s=%d, %s(%s:%d) wIm = %d, uid=%d, euid=%d", txt, val, func, file, line, whereIam, getuid(), geteuid());
++	else
++		debug("%s(%s:%d) wIm = %d, uid=%d, euid=%d", func, file, line, whereIam, getuid(), geteuid());
++}
++
++

SOURCES/openssh-6.1p1-gssapi-canohost.patch

@@ -0,0 +1,21 @@
+diff -up openssh-6.1p1/sshconnect2.c.canohost openssh-6.1p1/sshconnect2.c
+--- openssh-6.1p1/sshconnect2.c.canohost	2012-10-30 10:52:59.593301692 +0100
++++ openssh-6.1p1/sshconnect2.c	2012-10-30 11:01:12.870301632 +0100
+@@ -699,12 +699,15 @@ userauth_gssapi(Authctxt *authctxt)
+ 	static u_int mech = 0;
+ 	OM_uint32 min;
+ 	int r, ok = 0;
+-	const char *gss_host;
++	const char *gss_host = NULL;
+ 
+ 	if (options.gss_server_identity)
+ 		gss_host = options.gss_server_identity;
+-	else if (options.gss_trust_dns)
++	else if (options.gss_trust_dns) {
+ 		gss_host = get_canonical_hostname(active_state, 1);
++		if (strcmp(gss_host, "UNKNOWN") == 0)
++			gss_host = authctxt->host;
++	}
+ 	else
+ 		gss_host = authctxt->host;
+ 

SOURCES/openssh-6.2p1-vendor.patch

@@ -0,0 +1,142 @@
+diff -up openssh-7.4p1/configure.ac.vendor openssh-7.4p1/configure.ac
+--- openssh-7.4p1/configure.ac.vendor	2016-12-23 13:34:51.681253844 +0100
++++ openssh-7.4p1/configure.ac	2016-12-23 13:34:51.694253847 +0100
+@@ -4930,6 +4930,12 @@ AC_ARG_WITH([lastlog],
+ 		fi
+ 	]
+ )
++AC_ARG_ENABLE(vendor-patchlevel,
++  [  --enable-vendor-patchlevel=TAG  specify a vendor patch level],
++  [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.])
++   SSH_VENDOR_PATCHLEVEL="$enableval"],
++  [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.])
++   SSH_VENDOR_PATCHLEVEL=none])
+ 
+ dnl lastlog, [uw]tmpx? detection
+ dnl  NOTE: set the paths in the platform section to avoid the
+@@ -5194,6 +5200,7 @@ echo "           Translate v4 in v6 hack
+ echo "                  BSD Auth support: $BSD_AUTH_MSG"
+ echo "              Random number source: $RAND_MSG"
+ echo "             Privsep sandbox style: $SANDBOX_STYLE"
++echo "                Vendor patch level: $SSH_VENDOR_PATCHLEVEL"
+ 
+ echo ""
+ 
+diff -up openssh-7.4p1/servconf.c.vendor openssh-7.4p1/servconf.c
+--- openssh-7.4p1/servconf.c.vendor	2016-12-19 05:59:41.000000000 +0100
++++ openssh-7.4p1/servconf.c	2016-12-23 13:36:07.555268628 +0100
+@@ -143,6 +143,7 @@ initialize_server_options(ServerOptions
+ 	options->max_authtries = -1;
+ 	options->max_sessions = -1;
+ 	options->banner = NULL;
++	options->show_patchlevel = -1;
+ 	options->use_dns = -1;
+ 	options->client_alive_interval = -1;
+ 	options->client_alive_count_max = -1;
+@@ -325,6 +326,8 @@ fill_default_server_options(ServerOption
+ 		options->ip_qos_bulk = IPTOS_DSCP_CS1;
+ 	if (options->version_addendum == NULL)
+ 		options->version_addendum = xstrdup("");
++	if (options->show_patchlevel == -1)
++		options->show_patchlevel = 0;
+ 	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+ 		options->fwd_opts.streamlocal_bind_mask = 0177;
+ 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
+@@ -402,7 +405,7 @@ typedef enum {
+ 	sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
+ 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
+ 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
+-	sBanner, sUseDNS, sHostbasedAuthentication,
++	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
+ 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
+ 	sHostKeyAlgorithms,
+ 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
+@@ -528,6 +531,7 @@ static struct {
+ 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
+ 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
+ 	{ "banner", sBanner, SSHCFG_ALL },
++	{ "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
+ 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
+ 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
+ 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
+@@ -1369,6 +1373,10 @@ process_server_config_line(ServerOptions
+ 		intptr = &options->disable_forwarding;
+ 		goto parse_flag;
+ 
++	case sShowPatchLevel:
++		intptr = &options->show_patchlevel;
++		goto parse_flag;
++
+ 	case sAllowUsers:
+ 		while ((arg = strdelim(&cp)) && *arg != '\0') {
+ 			if (match_user(NULL, NULL, NULL, arg) == -1)
+@@ -2269,6 +2277,7 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
+ 	dump_cfg_fmtint(sCompression, o->compression);
+ 	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
++	dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
+ 	dump_cfg_fmtint(sUseDNS, o->use_dns);
+ 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+ 	dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
+diff -up openssh-7.4p1/servconf.h.vendor openssh-7.4p1/servconf.h
+--- openssh-7.4p1/servconf.h.vendor	2016-12-19 05:59:41.000000000 +0100
++++ openssh-7.4p1/servconf.h	2016-12-23 13:34:51.694253847 +0100
+@@ -149,6 +149,7 @@ typedef struct {
+ 	int	max_authtries;
+ 	int	max_sessions;
+ 	char   *banner;			/* SSH-2 banner message */
++	int	show_patchlevel;	/* Show vendor patch level to clients */
+ 	int	use_dns;
+ 	int	client_alive_interval;	/*
+ 					 * poke the client this often to
+diff -up openssh-7.4p1/sshd_config.5.vendor openssh-7.4p1/sshd_config.5
+--- openssh-7.4p1/sshd_config.5.vendor	2016-12-23 13:34:51.695253847 +0100
++++ openssh-7.4p1/sshd_config.5	2016-12-23 13:37:17.482282253 +0100
+@@ -1334,6 +1334,13 @@ an OpenSSH Key Revocation List (KRL) as
+ .Cm AcceptEnv
+ or
+ .Cm PermitUserEnvironment .
++.It Cm ShowPatchLevel 
++Specifies whether 
++.Nm sshd 
++will display the patch level of the binary in the identification string. 
++The patch level is set at compile-time. 
++The default is 
++.Dq no . 
+ .It Cm StreamLocalBindMask
+ Sets the octal file creation mode mask
+ .Pq umask
+diff -up openssh-7.4p1/sshd_config.vendor openssh-7.4p1/sshd_config
+--- openssh-7.4p1/sshd_config.vendor	2016-12-23 13:34:51.690253846 +0100
++++ openssh-7.4p1/sshd_config	2016-12-23 13:34:51.695253847 +0100
+@@ -105,6 +105,7 @@ X11Forwarding yes
+ #Compression delayed
+ #ClientAliveInterval 0
+ #ClientAliveCountMax 3
++#ShowPatchLevel no
+ #UseDNS no
+ #PidFile /var/run/sshd.pid
+ #MaxStartups 10:30:100
+diff -up openssh-7.4p1/sshd.c.vendor openssh-7.4p1/sshd.c
+--- openssh-7.4p1/sshd.c.vendor	2016-12-23 13:34:51.682253844 +0100
++++ openssh-7.4p1/sshd.c	2016-12-23 13:38:32.434296856 +0100
+@@ -367,7 +367,8 @@ sshd_exchange_identification(struct ssh
+ 	char remote_version[256];	/* Must be at least as big as buf. */
+ 
+ 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
+-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
++	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
++	    (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
+ 	    *options.version_addendum == '\0' ? "" : " ",
+ 	    options.version_addendum);
+ 
+@@ -1650,7 +1651,8 @@ main(int ac, char **av)
+ 		exit(1);
+ 	}
+ 
+-	debug("sshd version %s, %s", SSH_VERSION,
++	debug("sshd version %s, %s", 
++		(options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
+ #ifdef WITH_OPENSSL
+ 	    SSLeay_version(SSLEAY_VERSION)
+ #else

SOURCES/openssh-6.3p1-ctr-evp-fast.patch

@@ -0,0 +1,101 @@
+diff -up openssh-5.9p1/cipher-ctr.c.ctr-evp openssh-5.9p1/cipher-ctr.c
+--- openssh-5.9p1/cipher-ctr.c.ctr-evp	2012-01-11 09:24:06.000000000 +0100
++++ openssh-5.9p1/cipher-ctr.c	2012-01-11 15:54:04.675956600 +0100
+@@ -38,7 +38,7 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, in
+ 
+ struct ssh_aes_ctr_ctx
+ {
+-	AES_KEY		aes_ctx;
++	EVP_CIPHER_CTX	ecbctx;
+ 	u_char		aes_counter[AES_BLOCK_SIZE];
+ };
+ 
+@@ -63,21 +63,42 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char
+ {
+ 	struct ssh_aes_ctr_ctx *c;
+ 	size_t n = 0;
+-	u_char buf[AES_BLOCK_SIZE];
++	u_char ctrbuf[AES_BLOCK_SIZE*256];
++	u_char buf[AES_BLOCK_SIZE*256];
+ 
+ 	if (len == 0)
+ 		return (1);
+ 	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
+ 		return (0);
+ 
+-	while ((len--) > 0) {
++	for (; len > 0; len -= sizeof(u_int)) {
++		u_int r,a,b;
++
+ 		if (n == 0) {
+-			AES_encrypt(c->aes_counter, buf, &c->aes_ctx);
+-			ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
++			int outl, i, buflen;
++
++			buflen = MIN(len, sizeof(ctrbuf));
++
++			for(i = 0; i < buflen; i += AES_BLOCK_SIZE) {
++				memcpy(&ctrbuf[i], c->aes_counter, AES_BLOCK_SIZE);
++				ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
++			}
++
++			EVP_EncryptUpdate(&c->ecbctx, buf, &outl,
++				ctrbuf, buflen);
+ 		}
+-		*(dest++) = *(src++) ^ buf[n];
+-		n = (n + 1) % AES_BLOCK_SIZE;
++
++		memcpy(&a, src, sizeof(a));
++		memcpy(&b, &buf[n], sizeof(b));
++		r = a ^ b;
++		memcpy(dest, &r, sizeof(r));
++		src += sizeof(a);
++		dest += sizeof(r);
++
++		n = (n + sizeof(b)) % sizeof(buf);
+ 	}
++	memset(ctrbuf, '\0', sizeof(ctrbuf));
++	memset(buf, '\0', sizeof(buf));
+ 	return (1);
+ }
+ 
+@@ -91,9 +112,28 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, co
+ 		c = xmalloc(sizeof(*c));
+ 		EVP_CIPHER_CTX_set_app_data(ctx, c);
+ 	}
+-	if (key != NULL)
+-		AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
+-		    &c->aes_ctx);
++
++	EVP_CIPHER_CTX_init(&c->ecbctx);
++
++	if (key != NULL) {
++		const EVP_CIPHER *cipher;
++		switch(EVP_CIPHER_CTX_key_length(ctx)*8) {
++			case 128:
++				cipher = EVP_aes_128_ecb();
++				break;
++			case 192:
++				cipher = EVP_aes_192_ecb();
++				break;
++			case 256:
++				cipher = EVP_aes_256_ecb();
++				break;
++			default:
++				fatal("ssh_aes_ctr_init: wrong aes key length");
++		}
++		if(!EVP_EncryptInit_ex(&c->ecbctx, cipher, NULL, key, NULL))
++			fatal("ssh_aes_ctr_init: cannot initialize aes encryption");
++		EVP_CIPHER_CTX_set_padding(&c->ecbctx, 0);
++	}
+ 	if (iv != NULL)
+ 		memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
+ 	return (1);
+@@ -105,6 +145,7 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
+ 	struct ssh_aes_ctr_ctx *c;
+ 
+ 	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
++		EVP_CIPHER_CTX_cleanup(&c->ecbctx);
+ 		memset(c, 0, sizeof(*c));
+ 		free(c);
+ 		EVP_CIPHER_CTX_set_app_data(ctx, NULL);

SOURCES/openssh-6.4p1-fromto-remote.patch

@@ -0,0 +1,16 @@
+diff --git a/scp.c b/scp.c
+index d98fa67..25d347b 100644
+--- a/scp.c
++++ b/scp.c
+@@ -638,7 +638,10 @@ toremote(char *targ, int argc, char **argv)
+ 			addargs(&alist, "%s", ssh_program);
+ 			addargs(&alist, "-x");
+ 			addargs(&alist, "-oClearAllForwardings=yes");
+-			addargs(&alist, "-n");
++			if (isatty(fileno(stdin)))
++				addargs(&alist, "-t");
++			else
++				addargs(&alist, "-n");
+ 			for (j = 0; j < remote_remote_args.num; j++) {
+ 				addargs(&alist, "%s",
+ 				    remote_remote_args.list[j]);

SOURCES/openssh-6.6.1p1-log-in-chroot.patch

@@ -0,0 +1,263 @@
+diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
+--- openssh-7.4p1/log.c.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
++++ openssh-7.4p1/log.c	2016-12-23 15:14:33.330168088 +0100
+@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
+ void
+ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
+ {
++	log_init_handler(av0, level, facility, on_stderr, 1);
++}
++
++void
++log_init_handler(char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
+ #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
+ 	struct syslog_data sdata = SYSLOG_DATA_INIT;
+ #endif
+@@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl
+ 		exit(1);
+ 	}
+ 
+-	log_handler = NULL;
+-	log_handler_ctx = NULL;
++	if (reset_handler) {
++		log_handler = NULL;
++		log_handler_ctx = NULL;
++	}
+ 
+ 	log_on_stderr = on_stderr;
+ 	if (on_stderr)
+diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
+--- openssh-7.4p1/log.h.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
++++ openssh-7.4p1/log.h	2016-12-23 15:14:33.330168088 +0100
+@@ -49,6 +49,7 @@ typedef enum {
+ typedef void (log_handler_fn)(LogLevel, const char *, void *);
+ 
+ void     log_init(char *, LogLevel, SyslogFacility, int);
++void     log_init_handler(char *, LogLevel, SyslogFacility, int, int);
+ LogLevel log_level_get(void);
+ int      log_change_level(LogLevel);
+ int      log_is_on_stderr(void);
+diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
+--- openssh-7.4p1/monitor.c.log-in-chroot	2016-12-23 15:14:33.311168085 +0100
++++ openssh-7.4p1/monitor.c	2016-12-23 15:16:42.154193100 +0100
+@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx
+ 		close(pmonitor->m_log_sendfd);
+ 	pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
+ 
++	pmonitor->m_state = "preauth";
++
+ 	authctxt = _authctxt;
+ 	memset(authctxt, 0, sizeof(*authctxt));
+ 	ssh->authctxt = authctxt;
+@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
+ 	close(pmonitor->m_recvfd);
+ 	pmonitor->m_recvfd = -1;
+ 
++	pmonitor->m_state = "postauth";
++
+ 	monitor_set_child_handler(pmonitor->m_pid);
+ 	signal(SIGHUP, &monitor_child_handler);
+ 	signal(SIGTERM, &monitor_child_handler);
+@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
+ 	if (log_level_name(level) == NULL)
+ 		fatal("%s: invalid log level %u (corrupted message?)",
+ 		    __func__, level);
+-	do_log2(level, "%s [preauth]", msg);
++	do_log2(level, "%s [%s]", msg, pmonitor->m_state);
+ 
+ 	sshbuf_free(logmsg);
+ 	free(msg);
+@@ -1719,13 +1723,28 @@ monitor_init(void)
+ 	mon = xcalloc(1, sizeof(*mon));
+ 	monitor_openfds(mon, 1);
+ 
++	mon->m_state = "";
++
+ 	return mon;
+ }
+ 
+ void
+-monitor_reinit(struct monitor *mon)
++monitor_reinit(struct monitor *mon, const char *chroot_dir)
+ {
+-	monitor_openfds(mon, 0);
++	struct stat dev_log_stat;
++	char *dev_log_path;
++	int do_logfds = 0;
++
++	if (chroot_dir != NULL) {
++		xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
++
++		if (stat(dev_log_path, &dev_log_stat) != 0) {
++			debug("%s: /dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", __func__, chroot_dir);
++			do_logfds = 1;
++		}
++		free(dev_log_path);
++	}
++	monitor_openfds(mon, do_logfds);
+ }
+ 
+ #ifdef GSSAPI
+diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
+--- openssh-7.4p1/monitor.h.log-in-chroot	2016-12-23 15:14:33.330168088 +0100
++++ openssh-7.4p1/monitor.h	2016-12-23 15:16:28.372190424 +0100
+@@ -83,10 +83,11 @@ struct monitor {
+ 	int			 m_log_sendfd;
+ 	struct kex		**m_pkex;
+ 	pid_t			 m_pid;
++	char		*m_state;
+ };
+ 
+ struct monitor *monitor_init(void);
+-void monitor_reinit(struct monitor *);
++void monitor_reinit(struct monitor *, const char *);
+ 
+ struct Authctxt;
+ void monitor_child_preauth(struct Authctxt *, struct monitor *);
+diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
+--- openssh-7.4p1/session.c.log-in-chroot	2016-12-23 15:14:33.319168086 +0100
++++ openssh-7.4p1/session.c	2016-12-23 15:18:18.742211853 +0100
+@@ -160,6 +160,7 @@ login_cap_t *lc;
+ 
+ static int is_child = 0;
+ static int in_chroot = 0;
++static int have_dev_log = 1;
+ 
+ /* File containing userauth info, if ExposeAuthInfo set */
+ static char *auth_info_file = NULL;
+@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
+ 	int ret;
+ 	const char *forced = NULL, *tty = NULL;
+ 	char session_type[1024];
++	struct stat dev_log_stat;
+ 
+ 	if (options.adm_forced_command) {
+ 		original_command = command;
+@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command)
+ 			tty += 5;
+ 	}
+ 
++	if (lstat("/dev/log", &dev_log_stat) != 0) {
++		have_dev_log = 0;
++	}
++
+ 	verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
+ 	    session_type,
+ 	    tty == NULL ? "" : " on ",
+@@ -1486,14 +1492,6 @@ child_close_fds(void)
+ 	 * descriptors left by system functions.  They will be closed later.
+ 	 */
+ 	endpwent();
+-
+-	/*
+-	 * Close any extra open file descriptors so that we don't have them
+-	 * hanging around in clients.  Note that we want to do this after
+-	 * initgroups, because at least on Solaris 2.3 it leaves file
+-	 * descriptors open.
+-	 */
+-	closefrom(STDERR_FILENO + 1);
+ }
+ 
+ /*
+@@ -1629,8 +1627,6 @@ do_child(Session *s, const char *command
+ 			exit(1);
+ 	}
+ 
+-	closefrom(STDERR_FILENO + 1);
+-
+ 	do_rc_files(ssh, s, shell);
+ 
+ 	/* restore SIGPIPE for child */
+@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command
+ 		argv[i] = NULL;
+ 		optind = optreset = 1;
+ 		__progname = argv[0];
+-		exit(sftp_server_main(i, argv, s->pw));
++		exit(sftp_server_main(i, argv, s->pw, have_dev_log));
+ 	}
+ 
++	/*
++	 * Close any extra open file descriptors so that we don't have them
++	 * hanging around in clients.  Note that we want to do this after
++	 * initgroups, because at least on Solaris 2.3 it leaves file
++	 * descriptors open.
++	 */
++	closefrom(STDERR_FILENO + 1);
++
+ 	fflush(NULL);
+ 
+ 	/* Get the last component of the shell name. */
+diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
+--- openssh-7.4p1/sftp.h.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
++++ openssh-7.4p1/sftp.h	2016-12-23 15:14:33.331168088 +0100
+@@ -97,5 +97,5 @@
+ 
+ struct passwd;
+ 
+-int	sftp_server_main(int, char **, struct passwd *);
++int	sftp_server_main(int, char **, struct passwd *, int);
+ void	sftp_server_cleanup_exit(int) __attribute__((noreturn));
+diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
+--- openssh-7.4p1/sftp-server.c.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
++++ openssh-7.4p1/sftp-server.c	2016-12-23 15:14:33.331168088 +0100
+@@ -1497,7 +1497,7 @@ sftp_server_usage(void)
+ }
+ 
+ int
+-sftp_server_main(int argc, char **argv, struct passwd *user_pw)
++sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler)
+ {
+ 	fd_set *rset, *wset;
+ 	int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
+@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
+ 
+ 	ssh_malloc_init();	/* must be called before any mallocs */
+ 	__progname = ssh_get_progname(argv[0]);
+-	log_init(__progname, log_level, log_facility, log_stderr);
++	log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
+ 
+ 	pw = pwcopy(user_pw);
+ 
+@@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv,
+ 		}
+ 	}
+ 
+-	log_init(__progname, log_level, log_facility, log_stderr);
++	log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
+ 
+ 	/*
+ 	 * On platforms where we can, avoid making /proc/self/{mem,maps}
+diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c
+--- openssh-7.4p1/sftp-server-main.c.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
++++ openssh-7.4p1/sftp-server-main.c	2016-12-23 15:14:33.331168088 +0100
+@@ -49,5 +49,5 @@ main(int argc, char **argv)
+ 		return 1;
+ 	}
+ 
+-	return (sftp_server_main(argc, argv, user_pw));
++	return (sftp_server_main(argc, argv, user_pw, 0));
+ }
+diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
+--- openssh-7.4p1/sshd.c.log-in-chroot	2016-12-23 15:14:33.328168088 +0100
++++ openssh-7.4p1/sshd.c	2016-12-23 15:14:33.332168088 +0100
+@@ -650,7 +650,7 @@ privsep_postauth(Authctxt *authctxt)
+ 	}
+ 
+ 	/* New socket pair */
+-	monitor_reinit(pmonitor);
++	monitor_reinit(pmonitor, options.chroot_directory);
+ 
+ 	pmonitor->m_pid = fork();
+ 	if (pmonitor->m_pid == -1)
+@@ -668,6 +668,11 @@ privsep_postauth(Authctxt *authctxt)
+ 
+ 	close(pmonitor->m_sendfd);
+ 	pmonitor->m_sendfd = -1;
++	close(pmonitor->m_log_recvfd);
++	pmonitor->m_log_recvfd = -1;
++
++	if (pmonitor->m_log_sendfd != -1)
++		set_log_handler(mm_log_handler, pmonitor);
+ 
+ 	/* Demote the private keys to public keys. */
+ 	demote_sensitive_data();

SOURCES/openssh-6.6.1p1-scp-non-existing-directory.patch

@@ -0,0 +1,14 @@
+--- a/scp.c	
++++ a/scp.c	
+@@ -1084,6 +1084,10 @@ sink(int argc, char **argv)
+ 			free(vect[0]);
+ 			continue;
+ 		}
++		if (buf[0] == 'C' && ! exists && np[strlen(np)-1] == '/') {
++			errno = ENOTDIR;
++			goto bad;
++		}
+ 		omode = mode;
+ 		mode |= S_IWUSR;
+ 		if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
+-- 

SOURCES/openssh-6.6.1p1-selinux-contexts.patch

@@ -0,0 +1,126 @@
+diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
+index 8f32464..18a2ca4 100644
+--- a/openbsd-compat/port-linux-sshd.c
++++ b/openbsd-compat/port-linux-sshd.c
+@@ -32,6 +32,7 @@
+ #include "misc.h"      /* servconf.h needs misc.h for struct ForwardOptions */
+ #include "servconf.h"
+ #include "port-linux.h"
++#include "misc.h"
+ #include "sshkey.h"
+ #include "hostfile.h"
+ #include "auth.h"
+@@ -445,7 +446,7 @@ sshd_selinux_setup_exec_context(char *pwname)
+ void
+ sshd_selinux_copy_context(void)
+ {
+-	security_context_t *ctx;
++	char *ctx;
+ 
+ 	if (!sshd_selinux_enabled())
+ 		return;
+@@ -461,6 +462,58 @@ sshd_selinux_copy_context(void)
+ 	}
+ }
+ 
++void
++sshd_selinux_change_privsep_preauth_context(void)
++{
++	int len;
++	char line[1024], *preauth_context = NULL, *cp, *arg;
++	const char *contexts_path;
++	FILE *contexts_file;
++
++	contexts_path = selinux_openssh_contexts_path();
++	if (contexts_path != NULL) {
++		if ((contexts_file = fopen(contexts_path, "r")) != NULL) {
++			struct stat sb;
++
++			if (fstat(fileno(contexts_file), &sb) == 0 && ((sb.st_uid == 0) && ((sb.st_mode & 022) == 0))) {
++				while (fgets(line, sizeof(line), contexts_file)) {
++					/* Strip trailing whitespace */
++					for (len = strlen(line) - 1; len > 0; len--) {
++						if (strchr(" \t\r\n", line[len]) == NULL)
++							break;
++						line[len] = '\0';
++					}
++
++					if (line[0] == '\0')
++						continue;
++
++					cp = line;
++					arg = strdelim(&cp);
++					if (arg && *arg == '\0')
++						arg = strdelim(&cp);
++
++					if (arg && strcmp(arg, "privsep_preauth") == 0) {
++						arg = strdelim(&cp);
++						if (!arg || *arg == '\0') {
++							debug("%s: privsep_preauth is empty", __func__);
++							fclose(contexts_file);
++							return;
++						}
++						preauth_context = xstrdup(arg);
++					}
++				}
++			}
++			fclose(contexts_file);
++		}
++	}
++
++	if (preauth_context == NULL)
++		preauth_context = xstrdup("sshd_net_t");
++
++	ssh_selinux_change_context(preauth_context);
++	free(preauth_context);
++}
++
+ #endif
+ #endif
+ 
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 22ea8ef..1fc963d 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -26,6 +26,7 @@
+ #include <stdarg.h>
+ #include <string.h>
+ #include <stdio.h>
++#include <stdlib.h>
+ 
+ #include "log.h"
+ #include "xmalloc.h"
+@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
+ 	strlcpy(newctx + len, newname, newlen - len);
+ 	if ((cx = index(cx + 1, ':')))
+ 		strlcat(newctx, cx, newlen);
+-	debug3("%s: setting context from '%s' to '%s'", __func__,
++	debug("%s: setting context from '%s' to '%s'", __func__,
+ 	    oldctx, newctx);
+ 	if (setcon(newctx) < 0)
+ 		switchlog("%s: setcon %s from %s failed with %s", __func__,
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index cb51f99..8b7cda2 100644
+--- a/openbsd-compat/port-linux.h
++++ b/openbsd-compat/port-linux.h
+@@ -29,6 +29,7 @@ int sshd_selinux_enabled(void);
+ void sshd_selinux_copy_context(void);
+ void sshd_selinux_setup_exec_context(char *);
+ int sshd_selinux_setup_env_variables(void);
++void sshd_selinux_change_privsep_preauth_context(void);
+ #endif
+ 
+ #ifdef LINUX_OOM_ADJUST
+diff --git a/sshd.c b/sshd.c
+index 2871fe9..39b9c08 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -629,7 +629,7 @@ privsep_preauth_child(void)
+ 	demote_sensitive_data();
+ 
+ #ifdef WITH_SELINUX
+-	ssh_selinux_change_context("sshd_net_t");
++	sshd_selinux_change_privsep_preauth_context();
+ #endif
+ 
+ 	/* Demote the child */

SOURCES/openssh-6.6p1-GSSAPIEnablek5users.patch

@@ -0,0 +1,129 @@
+diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c
+--- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users	2016-12-23 15:18:40.615216100 +0100
++++ openssh-7.4p1/gss-serv-krb5.c	2016-12-23 15:18:40.628216102 +0100
+@@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
+ 	FILE *fp;
+ 	char file[MAXPATHLEN];
+ 	char *line = NULL;
+-	char kuser[65]; /* match krb5_kuserok() */
+ 	struct stat st;
+ 	struct passwd *pw = the_authctxt->pw;
+ 	int found_principal = 0;
+@@ -288,7 +287,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
+ 
+ 	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
+ 	/* If both .k5login and .k5users DNE, self-login is ok. */
+-	if (!k5login_exists && (access(file, F_OK) == -1)) {
++	if ( !options.enable_k5users || (!k5login_exists && (access(file, F_OK) == -1))) {
+                 return ssh_krb5_kuserok(krb_context, principal, luser,
+                                         k5login_exists);
+ 	}
+diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
+--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users	2016-12-23 15:18:40.615216100 +0100
++++ openssh-7.4p1/servconf.c	2016-12-23 15:35:36.354401156 +0100
+@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
+ 	options->gss_strict_acceptor = -1;
+ 	options->gss_store_rekey = -1;
+ 	options->use_kuserok = -1;
++	options->enable_k5users = -1;
+ 	options->password_authentication = -1;
+ 	options->kbd_interactive_authentication = -1;
+ 	options->challenge_response_authentication = -1;
+@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
+ 		options->gss_store_rekey = 0;
+ 	if (options->use_kuserok == -1)
+ 		options->use_kuserok = 1;
++	if (options->enable_k5users == -1)
++		options->enable_k5users = 0;
+ 	if (options->password_authentication == -1)
+ 		options->password_authentication = 1;
+ 	if (options->kbd_interactive_authentication == -1)
+@@ -418,7 +421,7 @@ typedef enum {
+ 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
+ 	sHostKeyAlgorithms,
+ 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
+-	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
++	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
+ 	sGssKeyEx, sGssStoreRekey, sAcceptEnv, sSetEnv, sPermitTunnel,
+ 	sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
+ 	sUsePrivilegeSeparation, sAllowAgentForwarding,
+@@ -497,12 +500,14 @@ static struct {
+ 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ 	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ 	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
++	{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
+ #else
+ 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
++	{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
+ #endif
+ 	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
+ 	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
+@@ -1653,6 +1658,10 @@ process_server_config_line(ServerOptions
+ 		intptr = &options->use_kuserok;
+ 		goto parse_flag;
+ 
++	case sGssEnablek5users:
++		intptr = &options->enable_k5users;
++		goto parse_flag;
++
+ 	case sPermitListen:
+ 	case sPermitOpen:
+ 		if (opcode == sPermitListen) {
+@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
+ 	M_CP_INTOPT(ip_qos_interactive);
+ 	M_CP_INTOPT(ip_qos_bulk);
+ 	M_CP_INTOPT(use_kuserok);
++	M_CP_INTOPT(enable_k5users);
+ 	M_CP_INTOPT(rekey_limit);
+ 	M_CP_INTOPT(rekey_interval);
+ 	M_CP_INTOPT(log_level);
+@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
+ # endif
+ 	dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
+ 	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
++	dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
+ #endif
+ #ifdef GSSAPI
+ 	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
+--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
++++ openssh-7.4p1/servconf.h	2016-12-23 15:18:40.629216102 +0100
+@@ -174,6 +174,7 @@ typedef struct {
+	int     kerberos_unique_ccache;		/* If true, the acquired ticket will
+						 * be stored in per-session ccache */
+ 	int	use_kuserok;
++	int		enable_k5users;
+ 	int     gss_authentication;	/* If true, permit GSSAPI authentication */
+ 	int     gss_keyex;		/* If true, permit GSSAPI key exchange */
+ 	int     gss_cleanup_creds;	/* If true, destroy cred cache on logout */
+diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
+--- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users	2016-12-23 15:18:40.630216103 +0100
++++ openssh-7.4p1/sshd_config.5	2016-12-23 15:36:21.607408435 +0100
+@@ -628,6 +628,12 @@ Specifies whether to automatically destr
+ on logout.
+ The default is
+ .Cm yes .
++.It Cm GSSAPIEnablek5users
++Specifies whether to look at .k5users file for GSSAPI authentication
++access control. Further details are described in
++.Xr ksu 1 .
++The default is
++.Cm no .
+ .It Cm GSSAPIKeyExchange
+ Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
+ doesn't rely on ssh keys to verify host identity.
+diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
+--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
++++ openssh-7.4p1/sshd_config	2016-12-23 15:18:40.631216103 +0100
+@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
+ GSSAPICleanupCredentials no
+ #GSSAPIStrictAcceptorCheck yes
+ #GSSAPIKeyExchange no
++#GSSAPIEnablek5users no
+ 
+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will

SOURCES/openssh-6.6p1-allow-ip-opts.patch

@@ -0,0 +1,39 @@
+diff -up openssh/sshd.c.ip-opts openssh/sshd.c
+--- openssh/sshd.c.ip-opts	2016-07-25 13:58:48.998507834 +0200
++++ openssh/sshd.c	2016-07-25 14:01:28.346469878 +0200
+@@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh)
+ 
+ 	if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts,
+ 	    &option_size) >= 0 && option_size != 0) {
+-		text[0] = '\0';
+-		for (i = 0; i < option_size; i++)
+-			snprintf(text + i*3, sizeof(text) - i*3,
+-			    " %2.2x", opts[i]);
+-		fatal("Connection from %.100s port %d with IP opts: %.800s",
+-		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
++		i = 0;
++		do {
++			switch (opts[i]) {
++				case 0:
++				case 1:
++					++i;
++					break;
++				case 130:
++				case 133:
++				case 134:
++					i += opts[i + 1];
++					break;
++				default:
++				/* Fail, fatally, if we detect either loose or strict
++			 	 * source routing options. */
++					text[0] = '\0';
++					for (i = 0; i < option_size; i++)
++						snprintf(text + i*3, sizeof(text) - i*3,
++							" %2.2x", opts[i]);
++					fatal("Connection from %.100s port %d with IP options:%.800s",
++						ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
++			}
++		} while (i < option_size);
+ 	}
+ 	return;
+ #endif /* IP_OPTIONS */

SOURCES/openssh-6.6p1-ctr-cavstest.patch

@@ -0,0 +1,257 @@
+diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
+--- openssh-6.8p1/Makefile.in.ctr-cavs	2015-03-18 11:22:05.493289018 +0100
++++ openssh-6.8p1/Makefile.in	2015-03-18 11:22:44.504196316 +0100
+@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
+ SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
+ SSH_KEYCAT=$(libexecdir)/ssh-keycat
++CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ PRIVSEP_PATH=@PRIVSEP_PATH@
+ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
+@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
+ MKDIR_P=@MKDIR_P@
+ INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
+ 
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
+ 
+ XMSS_OBJS=\
+ 	ssh-xmss.o \
+@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
+ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
+ 	$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
+ 
++ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
++	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
++
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+ 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ 
+@@ -326,6 +330,7 @@ install-files:
+ 		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
+ 	fi
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
++	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
+diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
+--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs	2015-03-18 11:22:05.521288952 +0100
++++ openssh-6.8p1/ctr-cavstest.c	2015-03-18 11:22:05.521288952 +0100
+@@ -0,0 +1,215 @@
++/*
++ *
++ * invocation (all of the following are equal):
++ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
++ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
++ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
++ */
++
++#include "includes.h"
++
++#include <sys/types.h>
++#include <sys/param.h>
++#include <stdarg.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <ctype.h>
++
++#include "xmalloc.h"
++#include "log.h"
++#include "ssherr.h"
++#include "cipher.h"
++
++/* compatibility with old or broken OpenSSL versions */
++#include "openbsd-compat/openssl-compat.h"
++
++void usage(void) {
++        fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
++                        "                    --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
++                        "                    [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
++                        "Hexadecimal output is printed to stdout.\n"
++                        "Hexadecimal input data can be alternatively read from stdin.\n");
++        exit(1);
++}
++
++void *fromhex(char *hex, size_t *len)
++{
++        unsigned char *bin;
++        char *p;
++        size_t n = 0;
++        int shift = 4;
++        unsigned char out = 0;
++        unsigned char *optr;
++
++        bin = xmalloc(strlen(hex)/2);
++        optr = bin;
++
++        for (p = hex; *p != '\0'; ++p) {
++                unsigned char c;
++
++                c = *p;
++                if (isspace(c))
++                        continue;
++
++                if (c >= '0' && c <= '9') {
++                        c = c - '0';
++                } else if (c >= 'A' && c <= 'F') {
++                        c = c - 'A' + 10;
++                } else if (c >= 'a' && c <= 'f') {
++                        c = c - 'a' + 10;
++                } else {
++                        /* truncate on nonhex cipher */
++                        break;
++                }
++
++                out |= c << shift;
++                shift = (shift + 4) % 8;
++
++                if (shift) {
++                        *(optr++) = out;
++                        out = 0;
++                        ++n;
++                }
++        }
++
++        *len = n;
++        return bin;
++}
++
++#define READ_CHUNK 4096
++#define MAX_READ_SIZE 1024*1024*100
++char *read_stdin(void)
++{
++        char *buf;
++        size_t n, total = 0;
++
++        buf = xmalloc(READ_CHUNK);
++
++        do {
++                n = fread(buf + total, 1, READ_CHUNK, stdin);
++                if (n < READ_CHUNK) /* terminate on short read */
++                        break;
++
++                total += n;
++                buf = xreallocarray(buf, total + READ_CHUNK, 1);
++        } while(total < MAX_READ_SIZE);
++        return buf;
++}
++
++int main (int argc, char *argv[])
++{
++
++        const struct sshcipher *c;
++        struct sshcipher_ctx *cc;
++        char *algo = "aes128-ctr";
++        char *hexkey = NULL;
++        char *hexiv = "00000000000000000000000000000000";
++        char *hexdata = NULL;
++        char *p;
++        int i, r;
++        int encrypt = 1;
++        void *key;
++        size_t keylen;
++        void *iv;
++        size_t ivlen;
++        void *data;
++        size_t datalen;
++        void *outdata;
++
++        for (i = 1; i < argc; ++i) {
++                if (strcmp(argv[i], "--algo") == 0) {
++                        algo = argv[++i];
++                } else if (strcmp(argv[i], "--key") == 0) {
++                        hexkey = argv[++i];
++                } else if (strcmp(argv[i], "--mode") == 0) {
++                        ++i;
++                        if (argv[i] == NULL) {
++                                usage();
++                        }
++                        if (strncmp(argv[i], "enc", 3) == 0) {
++                                encrypt = 1;
++                        } else if (strncmp(argv[i], "dec", 3) == 0) {
++                                encrypt = 0;
++                        } else {
++                                usage();
++                        }
++                } else if (strcmp(argv[i], "--iv") == 0) {
++                        hexiv = argv[++i];
++                } else if (strcmp(argv[i], "--data") == 0) {
++                        hexdata = argv[++i];
++                }
++        }
++
++        if (hexkey == NULL || algo == NULL) {
++                usage();
++        }
++
++	SSLeay_add_all_algorithms();
++
++	c = cipher_by_name(algo);
++	if (c == NULL) {
++		fprintf(stderr, "Error: unknown algorithm\n");
++		return 2;
++	}
++
++        if (hexdata == NULL) {
++                hexdata = read_stdin();
++        } else {
++                hexdata = xstrdup(hexdata);
++        }
++
++        key = fromhex(hexkey, &keylen);
++
++	if (keylen != 16 && keylen != 24 && keylen == 32) {
++		fprintf(stderr, "Error: unsupported key length\n");
++		return 2;
++	}
++
++        iv = fromhex(hexiv, &ivlen);
++
++        if (ivlen != 16) {
++		fprintf(stderr, "Error: unsupported iv length\n");
++		return 2;
++        }
++
++        data = fromhex(hexdata, &datalen);
++
++	if (data == NULL || datalen == 0) {
++		fprintf(stderr, "Error: no data to encrypt/decrypt\n");
++		return 2;
++	}
++
++	if ((r = cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt)) != 0) {
++		fprintf(stderr, "Error: cipher_init failed: %s\n", ssh_err(r));
++		return 2;
++	}
++
++	free(key);
++	free(iv);
++
++	outdata = malloc(datalen);
++	if(outdata == NULL) {
++		fprintf(stderr, "Error: memory allocation failure\n");
++		return 2;
++	}
++
++	if ((r = cipher_crypt(cc, 0, outdata, data, datalen, 0, 0)) != 0) {
++		fprintf(stderr, "Error: cipher_crypt failed: %s\n", ssh_err(r));
++		return 2;
++	}
++
++	free(data);
++
++	cipher_free(cc);
++
++        for (p = outdata; datalen > 0; ++p, --datalen) {
++		printf("%02X", (unsigned char)*p);
++	}
++
++        free(outdata);
++
++        printf("\n");
++        return 0;
++}
++

SOURCES/openssh-6.6p1-force_krb.patch

@@ -0,0 +1,280 @@
+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
+index 413b845..54dd383 100644
+--- a/gss-serv-krb5.c
++++ b/gss-serv-krb5.c
+@@ -32,7 +32,9 @@
+ #include <sys/types.h>
+ 
+ #include <stdarg.h>
++#include <stdio.h>
+ #include <string.h>
++#include <unistd.h>
+ 
+ #include "xmalloc.h"
+ #include "sshkey.h"
+@@ -45,6 +47,7 @@
+ 
+ #include "ssh-gss.h"
+ 
++extern Authctxt *the_authctxt;
+ extern ServerOptions options;
+ 
+ #ifdef HEIMDAL
+@@ -56,6 +59,13 @@ extern ServerOptions options;
+ # include <gssapi/gssapi_krb5.h>
+ #endif
+ 
++/* all commands are allowed by default */
++char **k5users_allowed_cmds = NULL;
++
++static int ssh_gssapi_k5login_exists();
++static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *,
++    int);
++
+ static krb5_context krb_context = NULL;
+ 
+ /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
+@@ -88,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
+ 	krb5_principal princ;
+ 	int retval;
+ 	const char *errmsg;
++	int k5login_exists;
+ 
+ 	if (ssh_gssapi_krb5_init() == 0)
+ 		return 0;
+@@ -99,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
+ 		krb5_free_error_message(krb_context, errmsg);
+ 		return 0;
+ 	}
+-	if (krb5_kuserok(krb_context, princ, name)) {
++	/* krb5_kuserok() returns 1 if .k5login DNE and this is self-login.
++	 * We have to make sure to check .k5users in that case. */
++	k5login_exists = ssh_gssapi_k5login_exists();
++	/* NOTE: .k5login and .k5users must opened as root, not the user,
++	 * because if they are on a krb5-protected filesystem, user credentials
++	 * to access these files aren't available yet. */
++	if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
+ 		retval = 1;
+ 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
+ 		    name, (char *)client->displayname.value);
++	} else if (ssh_gssapi_krb5_cmdok(princ, client->exportedname.value,
++		name, k5login_exists)) {
++		retval = 1;
++		logit("Authorized to %s, krb5 principal %s "
++		    "(ssh_gssapi_krb5_cmdok)",
++		    name, (char *)client->displayname.value);
+ 	} else
+ 		retval = 0;
+ 
+@@ -110,6 +133,137 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
+ 	return retval;
+ }
+ 
++/* Test for existence of .k5login.
++ * We need this as part of our .k5users check, because krb5_kuserok()
++ * returns success if .k5login DNE and user is logging in as himself.
++ * With .k5login absent and .k5users present, we don't want absence
++ * of .k5login to authorize self-login.  (absence of both is required)
++ * Returns 1 if .k5login is available, 0 otherwise.
++ */
++static int
++ssh_gssapi_k5login_exists()
++{
++	char file[MAXPATHLEN];
++	struct passwd *pw = the_authctxt->pw;
++
++	snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
++	return access(file, F_OK) == 0;
++}
++
++/* check .k5users for login or command authorization
++ * Returns 1 if principal is authorized, 0 otherwise.
++ * If principal is authorized, (global) k5users_allowed_cmds may be populated.
++ */
++static int
++ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
++    const char *luser, int k5login_exists)
++{
++	FILE *fp;
++	char file[MAXPATHLEN];
++	char *line = NULL;
++	char kuser[65]; /* match krb5_kuserok() */
++	struct stat st;
++	struct passwd *pw = the_authctxt->pw;
++	int found_principal = 0;
++	int ncommands = 0, allcommands = 0;
++	u_long linenum = 0;
++	size_t linesize = 0;
++
++	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
++	/* If both .k5login and .k5users DNE, self-login is ok. */
++	if (!k5login_exists && (access(file, F_OK) == -1)) {
++		return (krb5_aname_to_localname(krb_context, principal,
++		    sizeof(kuser), kuser) == 0) &&
++		    (strcmp(kuser, luser) == 0);
++	}
++	if ((fp = fopen(file, "r")) == NULL) {
++		int saved_errno = errno;
++		/* 2nd access check to ease debugging if file perms are wrong.
++		 * But we don't want to report this if .k5users simply DNE. */
++		if (access(file, F_OK) == 0) {
++			logit("User %s fopen %s failed: %s",
++			    pw->pw_name, file, strerror(saved_errno));
++		}
++		return 0;
++	}
++	/* .k5users must be owned either by the user or by root */
++	if (fstat(fileno(fp), &st) == -1) {
++		/* can happen, but very wierd error so report it */
++		logit("User %s fstat %s failed: %s",
++		    pw->pw_name, file, strerror(errno));
++		fclose(fp);
++		return 0;
++	}
++	if (!(st.st_uid == pw->pw_uid || st.st_uid == 0)) {
++		logit("User %s %s is not owned by root or user",
++		    pw->pw_name, file);
++		fclose(fp);
++		return 0;
++	}
++	/* .k5users must be a regular file.  krb5_kuserok() doesn't do this
++	  * check, but we don't want to be deficient if they add a check. */
++	if (!S_ISREG(st.st_mode)) {
++		logit("User %s %s is not a regular file", pw->pw_name, file);
++		fclose(fp);
++		return 0;
++	}
++	/* file exists; initialize k5users_allowed_cmds (to none!) */
++	k5users_allowed_cmds = xcalloc(++ncommands,
++	    sizeof(*k5users_allowed_cmds));
++
++	/* Check each line.  ksu allows unlimited length lines. */
++	while (!allcommands && getline(&line, &linesize, fp) != -1) {
++		linenum++;
++		char *token;
++
++		/* we parse just like ksu, even though we could do better */
++		if ((token = strtok(line, " \t\n")) == NULL)
++			continue;
++		if (strcmp(name, token) == 0) {
++			/* we matched on client principal */
++			found_principal = 1;
++			if ((token = strtok(NULL, " \t\n")) == NULL) {
++				/* only shell is allowed */
++				k5users_allowed_cmds[ncommands-1] =
++				    xstrdup(pw->pw_shell);
++				k5users_allowed_cmds =
++				    xreallocarray(k5users_allowed_cmds, ++ncommands,
++					sizeof(*k5users_allowed_cmds));
++				break;
++			}
++			/* process the allowed commands */
++			while (token) {
++				if (strcmp(token, "*") == 0) {
++					allcommands = 1;
++					break;
++				}
++				k5users_allowed_cmds[ncommands-1] =
++				    xstrdup(token);
++				k5users_allowed_cmds =
++				    xreallocarray(k5users_allowed_cmds, ++ncommands,
++					sizeof(*k5users_allowed_cmds));
++				token = strtok(NULL, " \t\n");
++			}
++		}
++       }
++	free(line);
++	if (k5users_allowed_cmds) {
++		/* terminate vector */
++		k5users_allowed_cmds[ncommands-1] = NULL;
++		/* if all commands are allowed, free vector */
++		if (allcommands) {
++			int i;
++			for (i = 0; i < ncommands; i++) {
++				free(k5users_allowed_cmds[i]);
++			}
++			free(k5users_allowed_cmds);
++			k5users_allowed_cmds = NULL;
++		}
++	}
++	fclose(fp);
++	return found_principal;
++}
++ 
+ 
+ /* This writes out any forwarded credentials from the structure populated
+  * during userauth. Called after we have setuid to the user */
+diff --git a/session.c b/session.c
+index 28659ec..9c94d8e 100644
+--- a/session.c
++++ b/session.c
+@@ -789,6 +789,29 @@ do_exec(Session *s, const char *command)
+ 		command = auth_opts->force_command;
+ 		forced = "(key-option)";
+ 	}
++#ifdef GSSAPI
++#ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */
++	else if (k5users_allowed_cmds) {
++		const char *match = command;
++		int allowed = 0, i = 0;
++
++		if (!match)
++			match = s->pw->pw_shell;
++		while (k5users_allowed_cmds[i]) {
++			if (strcmp(match, k5users_allowed_cmds[i++]) == 0) {
++				debug("Allowed command '%.900s'", match);
++				allowed = 1;
++				break;
++			}
++		}
++		if (!allowed) {
++			debug("command '%.900s' not allowed", match);
++			return 1;
++		}
++	}
++#endif
++#endif
++
+ 	if (forced != NULL) {
+ 		if (IS_INTERNAL_SFTP(command)) {
+ 			s->is_subsystem = s->is_subsystem ?
+diff --git a/ssh-gss.h b/ssh-gss.h
+index 0374c88..509109a 100644
+--- a/ssh-gss.h
++++ b/ssh-gss.h
+@@ -49,6 +49,10 @@
+ #  endif /* !HAVE_DECL_GSS_C_NT_... */
+ 
+ # endif /* !HEIMDAL */
++
++/* .k5users support */
++extern char **k5users_allowed_cmds;
++
+ #endif /* KRB5 */
+ 
+ /* draft-ietf-secsh-gsskeyex-06 */
+diff --git a/sshd.8 b/sshd.8
+index adcaaf9..824163b 100644
+--- a/sshd.8
++++ b/sshd.8
+@@ -324,6 +324,7 @@ Finally, the server and the client enter an authentication dialog.
+ The client tries to authenticate itself using
+ host-based authentication,
+ public key authentication,
++GSSAPI authentication,
+ challenge-response authentication,
+ or password authentication.
+ .Pp
+@@ -800,6 +801,12 @@ This file is used in exactly the same way as
+ but allows host-based authentication without permitting login with
+ rlogin/rsh.
+ .Pp
++.It Pa ~/.k5login
++.It Pa ~/.k5users
++These files enforce GSSAPI/Kerberos authentication access control.
++Further details are described in
++.Xr ksu 1 .
++.Pp
+ .It Pa ~/.ssh/
+ This directory is the default location for all user-specific configuration
+ and authentication information.

SOURCES/openssh-6.6p1-keycat.patch

@@ -0,0 +1,485 @@
+diff -up openssh/auth.c.keycat openssh/misc.c
+--- openssh/auth.c.keycat	2015-06-24 10:57:50.158849606 +0200
++++ openssh/auth.c	2015-06-24 11:04:23.989868638 +0200
+@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw
+ 			_exit(1);
+ 		}
+ 
++#ifdef WITH_SELINUX
++		if (sshd_selinux_setup_env_variables() < 0) {
++			error ("failed to copy environment:  %s",
++			    strerror(errno));
++			_exit(127);
++		}
++#endif
++
+ 		execve(av[0], av, child_env);
+ 		error("%s exec \"%s\": %s", tag, command, strerror(errno));
+ 		_exit(127);
+diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
+--- openssh/HOWTO.ssh-keycat.keycat	2015-06-24 10:57:50.157849608 +0200
++++ openssh/HOWTO.ssh-keycat	2015-06-24 10:57:50.157849608 +0200
+@@ -0,0 +1,12 @@
++The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
++of an user in any environment. This includes environments with
++polyinstantiation of home directories and SELinux MLS policy enabled.
++
++To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
++        AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
++        AuthorizedKeysCommandUser root
++
++Do not forget to enable public key authentication:
++        PubkeyAuthentication yes
++
++
+diff -up openssh/Makefile.in.keycat openssh/Makefile.in
+--- openssh/Makefile.in.keycat	2015-06-24 10:57:50.152849621 +0200
++++ openssh/Makefile.in	2015-06-24 10:57:50.157849608 +0200
+@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
+ SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
++SSH_KEYCAT=$(libexecdir)/ssh-keycat
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ PRIVSEP_PATH=@PRIVSEP_PATH@
+ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
+@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
+ GSSLIBS=@GSSLIBS@
+ SSHLIBS=@SSHLIBS@
+ SSHDLIBS=@SSHDLIBS@
++KEYCATLIBS=@KEYCATLIBS@
+ LIBEDIT=@LIBEDIT@
+ AR=@AR@
+ AWK=@AWK@
+@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
+ MKDIR_P=@MKDIR_P@
+ INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
+ 
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+ 
+ XMSS_OBJS=\
+ 	ssh-xmss.o \
+@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+ 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS)
+ 
++ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
++	$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
++
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+ 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ 
+@@ -321,6 +325,7 @@ install-files:
+ 		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
+ 		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
+ 	fi
++	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
+diff -up openssh/openbsd-compat/port-linux.h.keycat openssh/openbsd-compat/port-linux.h
+--- openssh/openbsd-compat/port-linux.h.keycat	2015-06-24 10:57:50.150849626 +0200
++++ openssh/openbsd-compat/port-linux.h	2015-06-24 10:57:50.160849601 +0200
+@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const
+ void ssh_selinux_change_context(const char *);
+ void ssh_selinux_setfscreatecon(const char *);
+ 
++int sshd_selinux_enabled(void);
+ void sshd_selinux_copy_context(void);
+ void sshd_selinux_setup_exec_context(char *);
++int sshd_selinux_setup_env_variables(void);
+ #endif
+ 
+ #ifdef LINUX_OOM_ADJUST
+diff -up openssh/openbsd-compat/port-linux-sshd.c.keycat openssh/openbsd-compat/port-linux-sshd.c
+--- openssh/openbsd-compat/port-linux-sshd.c.keycat	2015-06-24 10:57:50.150849626 +0200
++++ openssh/openbsd-compat/port-linux-sshd.c	2015-06-24 10:57:50.159849603 +0200
+@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
+ extern int inetd_flag;
+ extern int rexeced_flag;
+ 
++/* Wrapper around is_selinux_enabled() to log its return value once only */
++int
++sshd_selinux_enabled(void)
++{
++	static int enabled = -1;
++
++	if (enabled == -1) {
++		enabled = (is_selinux_enabled() == 1);
++		debug("SELinux support %s", enabled ? "enabled" : "disabled");
++	}
++
++	return (enabled);
++}
++
+ /* Send audit message */
+ static int
+ sshd_selinux_send_audit_message(int success, security_context_t default_context,
+@@ -308,7 +322,7 @@ sshd_selinux_getctxbyname(char *pwname,
+ 
+ /* Setup environment variables for pam_selinux */
+ static int
+-sshd_selinux_setup_pam_variables(void)
++sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
+ {
+ 	const char *reqlvl;