- drop the pam-session patch from the previous build (#201341)

- don't set IPV6_V6ONLY sock opt when listening on wildcard addr (#201594)

openssh-4.3p2-no-v6only.patch

@@ -0,0 +1,11 @@
+--- openssh-4.3p2/channels.c.no-v6only	2006-07-17 15:39:31.000000000 +0200
++++ openssh-4.3p2/channels.c	2006-08-08 12:44:51.000000000 +0200
+@@ -2794,7 +2794,7 @@
+ 				}
+ 			}
+ #ifdef IPV6_V6ONLY
+-			if (ai->ai_family == AF_INET6) {
++			if (x11_use_localhost && ai->ai_family == AF_INET6) {
+ 				int on = 1;
+ 				if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
+ 					error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno));

openssh-4.3p2-pam-session.patch

@@ -1,91 +0,0 @@
-Index: auth-pam.c
-===================================================================
-RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
-retrieving revision 1.134
-diff -u -p -r1.134 auth-pam.c
---- auth-pam.c	15 May 2006 07:22:33 -0000	1.134
-+++ auth-pam.c	22 May 2006 08:50:59 -0000
-@@ -573,15 +573,17 @@ static struct pam_conv store_conv = { ss
- void
- sshpam_cleanup(void)
- {
--	debug("PAM: cleanup");
--	if (sshpam_handle == NULL)
-+	if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
- 		return;
-+	debug("PAM: cleanup");
- 	pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
- 	if (sshpam_cred_established) {
-+		debug("PAM: deleting credentials");
- 		pam_setcred(sshpam_handle, PAM_DELETE_CRED);
- 		sshpam_cred_established = 0;
- 	}
- 	if (sshpam_session_open) {
-+		debug("PAM: closing session");
- 		pam_close_session(sshpam_handle, PAM_SILENT);
- 		sshpam_session_open = 0;
- 	}
-Index: monitor.c
-===================================================================
-RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/monitor.c,v
-retrieving revision 1.104
-diff -u -p -r1.104 monitor.c
---- monitor.c	21 May 2006 08:26:40 -0000	1.104
-+++ monitor.c	22 May 2006 08:37:58 -0000
-@@ -354,6 +354,10 @@ monitor_child_preauth(Authctxt *_authctx
- 				    MONITOR_REQ_PAM_ACCOUNT, &m);
- 				authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
- 				buffer_free(&m);
-+				if (authenticated) {
-+					do_pam_session();
-+					do_pam_setcred(0);
-+				}
- 			}
- #endif
- 		}
-@@ -1531,6 +1535,11 @@ mm_answer_term(int sock, Buffer *req)
- 	/* The child is terminating */
- 	session_destroy_all(&mm_session_close);
- 
-+#ifdef USE_PAM
-+	if (options.use_pam)
-+		sshpam_cleanup();
-+#endif
-+
- 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
- 		if (errno != EINTR)
- 			exit(1);
-Index: session.c
-===================================================================
-RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/session.c,v
-retrieving revision 1.328
-diff -u -p -r1.328 session.c
---- session.c	4 May 2006 06:24:34 -0000	1.328
-+++ session.c	22 May 2006 08:14:24 -0000
-@@ -541,7 +541,7 @@ do_exec_pty(Session *s, const char *comm
- 	ttyfd = s->ttyfd;
- 
- #if defined(USE_PAM)
--	if (options.use_pam) {
-+	if (options.use_pam && !use_privsep) {
- 		do_pam_set_tty(s->tty);
- 		if (!use_privsep)
- 			do_pam_setcred(1);
-@@ -1284,7 +1284,7 @@ do_setusercontext(struct passwd *pw)
- 		}
- #endif
- # ifdef USE_PAM
--		if (options.use_pam) {
-+		if (options.use_pam && !use_privsep) {
- 			do_pam_session();
- 			do_pam_setcred(0);
- 		}
-@@ -1326,7 +1326,7 @@ do_setusercontext(struct passwd *pw)
- 		 * These will have been wiped by the above initgroups() call.
- 		 * Reestablish them here.
- 		 */
--		if (options.use_pam) {
-+		if (options.use_pam && !use_privsep) {
- 			do_pam_session();
- 			do_pam_setcred(0);
- 		}

openssh.spec

@@ -2,6 +2,8 @@
 %if %{WITH_SELINUX}
 # Audit patch applicable only over SELinux patch
 %define WITH_AUDIT 1
+%else
+%define WITH_AUDIT 0
 %endif
 
 # OpenSSH privilege separation requires a user & group ID
@@ -49,6 +51,7 @@
 # Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
 %define rescue 0
 %{?build_rescue:%define rescue 1}
+%{?build_rescue:%define rescue_rel rescue}
 
 # Turn off some stuff for resuce builds
 %if %{rescue}
@@ -58,12 +61,7 @@
 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 4.3p2
-%define rel 7
+Release: 8%{?rescue_rel}
-%if %{rescue}
-%define %{rel}rescue
-%else
-Release: %{rel}
-%endif
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
@@ -92,7 +90,7 @@ Patch35: openssh-4.2p1-askpass-progress.patch
 Patch36: openssh-4.3p2-buffer-len.patch
 Patch37: openssh-4.3p2-configure-typo.patch
 Patch38: openssh-4.3p2-askpass-grab-info.patch
-Patch39: openssh-4.3p2-pam-session.patch
+Patch39: openssh-4.3p2-no-v6only.patch
 License: BSD
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
@@ -220,7 +218,7 @@ an X11 passphrase dialog for OpenSSH.
 %patch36 -p0 -b .buffer-len
 %patch37 -p1 -b .typo
 %patch38 -p1 -b .grab-info
-%patch39 -p0 -b .pam-session
+%patch39 -p1 -b .no-v6only
 
 autoreconf
 
@@ -462,6 +460,10 @@ fi
 %endif
 
 %changelog
+* Tue Aug  8 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-8
+- drop the pam-session patch from the previous build (#201341)
+- don't set IPV6_V6ONLY sock opt when listening on wildcard addr (#201594)
+
 * Thu Jul 20 2006 Tomas Mraz <tmraz@redhat.com> - 4.3p2-7
 - dropped old ssh obsoletes
 - call the pam_session_open/close from the monitor when privsep is