replace TwoFactorAuth with RequiredAuthentications[12]

https://bugzilla.mindrot.org/show_bug.cgi?id=983
2012-02-06 22:15:10 +01:00 · 2012-02-06 22:15:10 +01:00 · d9e6186c71
commit d9e6186c71
parent 21699d5622
8 changed files with 1754 additions and 929 deletions
--- a/openssh-5.9p1-akc.patch
+++ b/openssh-5.9p1-akc.patch
@ -1,6 +1,6 @@
 diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
--- openssh-5.9p1/auth2-pubkey.c.akc	2011-09-14 07:24:40.876512251 +0200
+--- openssh-5.9p1/auth2-pubkey.c.akc	2012-02-06 20:47:36.641814218 +0100
-+++ openssh-5.9p1/auth2-pubkey.c	2011-09-14 07:24:43.318458515 +0200
+++ openssh-5.9p1/auth2-pubkey.c	2012-02-06 20:47:36.665095838 +0100
@@ -27,6 +27,7 @@
 #include <sys/types.h>
@ -136,7 +136,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
 +	do {
 +		if ((cp = strrchr(progname, '/')) == NULL)
 +			break;
-+		else 
+		else
 +			*cp = '\0';
 +	
 +		debug3("%s: checking component '%s'", __func__, (*progname == '\0' ? "/" : progname));
@ -241,8 +241,8 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
 		return 0;
 	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
 diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
--- openssh-5.9p1/configure.ac.akc	2011-09-14 07:24:42.863494886 +0200
+--- openssh-5.9p1/configure.ac.akc	2012-02-06 20:47:36.656046570 +0100
-+++ openssh-5.9p1/configure.ac	2011-09-14 07:24:43.441583848 +0200
+++ openssh-5.9p1/configure.ac	2012-02-06 20:47:36.666095176 +0100
@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit],
 	esac ]
 )
@ -271,9 +271,9 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.akc	2011-09-14 07:24:29.402475399 +0200
+--- openssh-5.9p1/servconf.c.akc	2012-02-06 20:47:36.573033521 +0100
-+++ openssh-5.9p1/servconf.c	2011-09-14 07:56:27.158585590 +0200
+++ openssh-5.9p1/servconf.c	2012-02-06 20:47:36.667106367 +0100
-@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
+@@ -136,6 +136,8 @@ initialize_server_options(ServerOptions
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 	options->chroot_directory = NULL;
@ -282,7 +282,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
 	options->zero_knowledge_password_authentication = -1;
 	options->revoked_keys_file = NULL;
 	options->trusted_user_ca_keys = NULL;
-@@ -348,6 +350,7 @@ typedef enum {
+@@ -329,6 +331,7 @@ typedef enum {
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
 	sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
 	sKexAlgorithms, sIPQoS,
@ -290,9 +290,9 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
 	sDeprecated, sUnsupported
 } ServerOpCodes;
-@@ -487,6 +490,13 @@ static struct {
+@@ -455,6 +458,13 @@ static struct {
- 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+ 	{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
- 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ 	{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
 +#ifdef WITH_AUTHORIZED_KEYS_COMMAND
 +	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
@ -304,7 +304,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
 	{ NULL, sBadOption, 0 }
 };
-@@ -1462,6 +1472,24 @@ process_server_config_line(ServerOptions
+@@ -1430,6 +1440,24 @@ process_server_config_line(ServerOptions
 		}
 		break;
@ -329,16 +329,16 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
-@@ -1573,6 +1601,8 @@ copy_set_server_options(ServerOptions *d
+@@ -1534,6 +1562,8 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(hostbased_uses_name_from_packet_only);
 	M_CP_INTOPT(kbd_interactive_authentication);
 	M_CP_INTOPT(zero_knowledge_password_authentication);
 	M_CP_INTOPT(second_zero_knowledge_password_authentication);
 	M_CP_INTOPT(two_factor_authentication);
 +	M_CP_STROPT(authorized_keys_command);
 +	M_CP_STROPT(authorized_keys_command_runas);
 	M_CP_INTOPT(permit_root_login);
 	M_CP_INTOPT(permit_empty_passwd);
-@@ -1839,6 +1869,8 @@ dump_config(ServerOptions *o)
+@@ -1793,6 +1823,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
 	dump_cfg_string(sAuthorizedPrincipalsFile,
 	    o->authorized_principals_file);
@ -348,9 +348,9 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
 	/* string arguments requiring a lookup */
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
 diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
--- openssh-5.9p1/servconf.h.akc	2011-09-14 07:24:29.511480441 +0200
+--- openssh-5.9p1/servconf.h.akc	2012-02-06 20:47:36.574033734 +0100
-+++ openssh-5.9p1/servconf.h	2011-09-14 07:24:43.678459183 +0200
+++ openssh-5.9p1/servconf.h	2012-02-06 20:47:36.668096740 +0100
-@@ -174,6 +174,8 @@ typedef struct {
+@@ -169,6 +169,8 @@ typedef struct {
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
 	char   *authorized_principals_file;
@ -359,9 +359,22 @@ diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
 }       ServerOptions;
 /*
 diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
 --- openssh-5.9p1/sshd_config.akc	2011-05-29 13:39:39.000000000 +0200
 +++ openssh-5.9p1/sshd_config	2012-02-06 20:47:36.669067546 +0100
@@ -49,6 +49,9 @@
 # but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile	.ssh/authorized_keys
 +#AuthorizedKeysCommand none
 +#AuthorizedKeysCommandRunAs nobody
 +
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
 diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
 --- openssh-5.9p1/sshd_config.0.akc	2011-09-07 01:16:30.000000000 +0200
-+++ openssh-5.9p1/sshd_config.0	2011-09-14 07:24:43.791460201 +0200
+++ openssh-5.9p1/sshd_config.0	2012-02-06 20:47:36.669067546 +0100
@@ -71,6 +71,23 @@ DESCRIPTION
              See PATTERNS in ssh_config(5) for more information on patterns.
@ -370,8 +383,8 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
 +
 +             Specifies a program to be used for lookup of the user's
 +	     public keys.  The program will be invoked with its first
-+	     argument the name of the user being authorized, and should produce 
+	     argument the name of the user being authorized, and should produce
-+	     on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS 
+	     on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
 +	     in sshd(8)).  By default (or when set to the empty string) there is no
 +	     AuthorizedKeysCommand run.  If the AuthorizedKeysCommand does not successfully
 +	     authorize the user, authorization falls through to the
@ -397,34 +410,17 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
              GSSAPIAuthentication, HostbasedAuthentication,
              HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
 diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.akc	2011-09-14 07:24:29.793520372 +0200
+--- openssh-5.9p1/sshd_config.5.akc	2012-02-06 20:47:36.574891218 +0100
-+++ openssh-5.9p1/sshd_config.5	2011-09-14 07:24:43.912583678 +0200
+++ openssh-5.9p1/sshd_config.5	2012-02-06 20:49:58.913878595 +0100
-@@ -706,6 +706,8 @@ Available keywords are
+@@ -151,6 +151,19 @@ See
- .Cm AllowAgentForwarding ,
+ in
- .Cm AllowTcpForwarding ,
+ .Xr ssh_config 5
- .Cm AuthorizedKeysFile ,
+ for more information on patterns.
 +.Cm AuthorizedKeysCommand ,
 +.Cm AuthorizedKeysCommandRunAs ,
 .Cm AuthorizedPrincipalsFile ,
 .Cm Banner ,
 .Cm ChrootDirectory ,
@@ -718,6 +720,7 @@ Available keywords are
 .Cm KerberosAuthentication ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 +.Cm PubkeyAuthentication ,
 .Cm PasswordAuthentication ,
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
@@ -926,6 +929,20 @@ Specifies a list of revoked public keys.
 Keys listed in this file will be refused for public key authentication.
 Note that if this file is not readable, then public key authentication will
 be refused for all users.
 +.It Cm AuthorizedKeysCommand
 +Specifies a program to be used for lookup of the user's
 +public keys.  The program will be invoked with its first
-+argument the name of the user being authorized, and should produce 
+argument the name of the user being authorized, and should produce
-+on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS 
+on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
 +in sshd(8)).  By default (or when set to the empty string) there is no
 +AuthorizedKeysCommand run.  If the AuthorizedKeysCommand does not successfully
 +authorize the user, authorization falls through to the
@ -433,20 +429,23 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
 +.It Cm AuthorizedKeysCommandRunAs
 +Specifies the user under whose account the AuthorizedKeysCommand is run. Empty
 +string (the default value) means the user being authorized is used.
-+.Dq 
+ .It Cm AuthorizedKeysFile
- .It Cm RhostsRSAAuthentication
+ Specifies the file that contains the public keys that can be used
- Specifies whether rhosts or /etc/hosts.equiv authentication together
+ for user authentication.
- with successful RSA host authentication is allowed.
+@@ -706,6 +719,8 @@ Available keywords are
-diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
+ .Cm AllowAgentForwarding ,
--- openssh-5.9p1/sshd_config.akc	2011-09-14 07:24:29.620461608 +0200
+ .Cm AllowTcpForwarding ,
-+++ openssh-5.9p1/sshd_config	2011-09-14 07:24:44.034462546 +0200
+ .Cm AuthorizedKeysFile ,
-@@ -49,6 +49,9 @@
+.Cm AuthorizedKeysCommand ,
- # but this is overridden so installations will only check .ssh/authorized_keys
+.Cm AuthorizedKeysCommandRunAs ,
- AuthorizedKeysFile	.ssh/authorized_keys
+ .Cm AuthorizedPrincipalsFile ,
- 
+ .Cm Banner ,
-+#AuthorizedKeysCommand none
+ .Cm ChrootDirectory ,
-+#AuthorizedKeysCommandRunAs nobody
+@@ -718,6 +733,7 @@ Available keywords are
-+
+ .Cm KerberosAuthentication ,
- # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+ .Cm MaxAuthTries ,
- #RhostsRSAAuthentication no
+ .Cm MaxSessions ,
- # similar for protocol version 2
+.Cm PubkeyAuthentication ,
 .Cm PasswordAuthentication ,
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
--- a/openssh-5.9p1-audit4.patch
+++ b/openssh-5.9p1-audit4.patch
@ -1,6 +1,6 @@
 diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
--- openssh-5.9p1/audit-bsm.c.audit4	2011-09-18 05:13:24.922458521 +0200
+--- openssh-5.9p1/audit-bsm.c.audit4	2012-02-06 17:15:01.574908126 +0100
-+++ openssh-5.9p1/audit-bsm.c	2011-09-18 05:13:26.808459314 +0200
+++ openssh-5.9p1/audit-bsm.c	2012-02-06 17:15:21.656095559 +0100
@@ -408,4 +408,10 @@ audit_kex_body(int ctos, char *enc, char
 {
 	/* not implemented */
@ -12,9 +12,52 @@ diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
 +	/* not implemented */
 +}
 #endif /* BSM */
 diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
 --- openssh-5.9p1/audit.c.audit4	2012-02-06 17:15:01.576787216 +0100
 +++ openssh-5.9p1/audit.c	2012-02-06 17:15:21.690032906 +0100
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
 	PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
 }
 +void
 +audit_session_key_free(int ctos)
 +{
 +	PRIVSEP(audit_session_key_free_body(ctos, getpid(), getuid()));
 +}
 +
 # ifndef CUSTOM_SSH_AUDIT_EVENTS
 /*
  * Null implementations of audit functions.
@@ -274,5 +280,15 @@ audit_kex_body(int ctos, char *enc, char
 		(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
 	        (unsigned)uid);
 }
 +
 +/*
 + * This will be called on succesfull session key discard
 + */
 +void
 +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
 +{
 +	debug("audit session key discard euid %u direction %d from pid %ld uid %u",
 +		(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
 +}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
 --- openssh-5.9p1/audit.h.audit4	2012-02-06 17:15:01.576787216 +0100
 +++ openssh-5.9p1/audit.h	2012-02-06 17:15:21.690876254 +0100
@@ -62,5 +62,7 @@ void	audit_unsupported(int);
 void	audit_kex(int, char *, char *, char *);
 void	audit_unsupported_body(int);
 void	audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
 +void	audit_session_key_free(int ctos);
 +void	audit_session_key_free_body(int ctos, pid_t, uid_t);
 #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
--- openssh-5.9p1/audit-linux.c.audit4	2011-09-18 05:13:25.041460630 +0200
+--- openssh-5.9p1/audit-linux.c.audit4	2012-02-06 17:15:01.575908525 +0100
-+++ openssh-5.9p1/audit-linux.c	2011-09-18 05:13:26.897563551 +0200
+++ openssh-5.9p1/audit-linux.c	2012-02-06 17:15:21.682001323 +0100
@@ -294,6 +294,8 @@ audit_unsupported_body(int what)
 #endif
 }
@ -65,52 +108,9 @@ diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
 +}
 +
 #endif /* USE_LINUX_AUDIT */
 diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
 --- openssh-5.9p1/audit.c.audit4	2011-09-18 05:13:25.151459504 +0200
 +++ openssh-5.9p1/audit.c	2011-09-18 05:13:26.995548664 +0200
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
 	PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
 }
 +void
 +audit_session_key_free(int ctos)
 +{
 +	PRIVSEP(audit_session_key_free_body(ctos, getpid(), getuid()));
 +}
 +
 # ifndef CUSTOM_SSH_AUDIT_EVENTS
 /*
  * Null implementations of audit functions.
@@ -274,5 +280,15 @@ audit_kex_body(int ctos, char *enc, char
 		(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
 	        (unsigned)uid);
 }
 +
 +/*
 + * This will be called on succesfull session key discard
 + */
 +void
 +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
 +{
 +	debug("audit session key discard euid %u direction %d from pid %ld uid %u",
 +		(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
 +}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
 --- openssh-5.9p1/audit.h.audit4	2011-09-18 05:13:25.247587021 +0200
 +++ openssh-5.9p1/audit.h	2011-09-18 05:13:27.107531553 +0200
@@ -62,5 +62,7 @@ void	audit_unsupported(int);
 void	audit_kex(int, char *, char *, char *);
 void	audit_unsupported_body(int);
 void	audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
 +void	audit_session_key_free(int ctos);
 +void	audit_session_key_free_body(int ctos, pid_t, uid_t);
 #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
--- openssh-5.9p1/auditstub.c.audit4	2011-09-18 05:13:25.350459598 +0200
+--- openssh-5.9p1/auditstub.c.audit4	2012-02-06 17:15:01.576787216 +0100
-+++ openssh-5.9p1/auditstub.c	2011-09-18 05:13:27.209523920 +0200
+++ openssh-5.9p1/auditstub.c	2012-02-06 17:15:21.690876254 +0100
@@ -27,6 +27,8 @@
  * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
  */
@ -134,8 +134,8 @@ diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
 +{
 +}
 diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
--- openssh-5.9p1/kex.c.audit4	2011-09-18 05:13:25.656459960 +0200
+--- openssh-5.9p1/kex.c.audit4	2012-02-06 17:15:01.578907640 +0100
-+++ openssh-5.9p1/kex.c	2011-09-18 05:13:27.309500951 +0200
+++ openssh-5.9p1/kex.c	2012-02-06 17:15:21.691785656 +0100
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
 	fprintf(stderr, "\n");
 }
@ -173,7 +173,7 @@ diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
 +
 diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
 --- openssh-5.9p1/kex.h.audit4	2010-09-24 14:11:14.000000000 +0200
-+++ openssh-5.9p1/kex.h	2011-09-18 05:13:27.419492884 +0200
+++ openssh-5.9p1/kex.h	2012-02-06 17:15:21.691785656 +0100
@@ -156,6 +156,8 @@ void	 kexgex_server(Kex *);
 void	 kexecdh_client(Kex *);
 void	 kexecdh_server(Kex *);
@ -185,7 +185,7 @@ diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
     BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
 diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
 --- openssh-5.9p1/mac.c.audit4	2011-08-17 02:29:03.000000000 +0200
-+++ openssh-5.9p1/mac.c	2011-09-18 05:13:27.545464964 +0200
+++ openssh-5.9p1/mac.c	2012-02-06 17:15:21.692918961 +0100
@@ -168,6 +168,20 @@ mac_clear(Mac *mac)
 	mac->umac_ctx = NULL;
 }
@ -209,16 +209,16 @@ diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
 int
 diff -up openssh-5.9p1/mac.h.audit4 openssh-5.9p1/mac.h
 --- openssh-5.9p1/mac.h.audit4	2007-06-11 06:01:42.000000000 +0200
-+++ openssh-5.9p1/mac.h	2011-09-18 05:13:27.675473027 +0200
+++ openssh-5.9p1/mac.h	2012-02-06 17:15:21.692918961 +0100
@@ -28,3 +28,4 @@ int	 mac_setup(Mac *, char *);
 int	 mac_init(Mac *);
 u_char	*mac_compute(Mac *, u_int32_t, u_char *, int);
 void	 mac_clear(Mac *);
 +void	 mac_destroy(Mac *);
 diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.audit4	2011-09-18 05:13:25.778584691 +0200
+--- openssh-5.9p1/monitor.c.audit4	2012-02-06 17:15:01.579896475 +0100
-+++ openssh-5.9p1/monitor.c	2011-09-18 05:15:22.786522699 +0200
+++ openssh-5.9p1/monitor.c	2012-02-06 17:16:32.405783810 +0100
-@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer
+@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer 
 int mm_answer_audit_end_command(int, Buffer *);
 int mm_answer_audit_unsupported_body(int, Buffer *);
 int mm_answer_audit_kex_body(int, Buffer *);
@ -226,7 +226,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 #endif
 static int monitor_read_log(struct monitor *);
-@@ -241,6 +242,7 @@ struct mon_table mon_dispatch_proto20[]
+@@ -242,6 +243,7 @@ struct mon_table mon_dispatch_proto20[] 
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
     {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
     {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -234,7 +234,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 #endif
 #ifdef BSD_AUTH
     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
-@@ -280,6 +282,7 @@ struct mon_table mon_dispatch_postauth20
+@@ -281,6 +283,7 @@ struct mon_table mon_dispatch_postauth20
     {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
     {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
     {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -242,7 +242,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 #endif
     {0, 0, NULL}
 };
-@@ -313,6 +316,7 @@ struct mon_table mon_dispatch_proto15[]
+@@ -314,6 +317,7 @@ struct mon_table mon_dispatch_proto15[] 
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
     {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
     {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -250,7 +250,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 #endif
     {0, 0, NULL}
 };
-@@ -327,6 +331,7 @@ struct mon_table mon_dispatch_postauth15
+@@ -328,6 +332,7 @@ struct mon_table mon_dispatch_postauth15
     {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
     {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
     {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -258,8 +258,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 #endif
     {0, 0, NULL}
 };
-@@ -437,10 +442,6 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -451,10 +456,6 @@ monitor_child_preauth(Authctxt *_authctx
- 		}
+ #endif
 	}
 -	/* Drain any buffered messages from the child */
@ -269,7 +269,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 	if (!authctxt->valid)
 		fatal("%s: authenticated invalid user", __func__);
 	if (strcmp(auth_method, "unknown") == 0)
-@@ -1927,11 +1928,13 @@ mm_get_keystate(struct monitor *pmonitor
+@@ -1954,11 +1955,13 @@ mm_get_keystate(struct monitor *pmonitor
 	blob = buffer_get_string(&m, &bloblen);
 	current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
@ -283,7 +283,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 	xfree(blob);
 	/* Now get sequence numbers for the packets */
-@@ -1977,6 +1980,21 @@ mm_get_keystate(struct monitor *pmonitor
+@@ -2004,6 +2007,21 @@ mm_get_keystate(struct monitor *pmonitor
 	}
 	buffer_free(&m);
@ -305,7 +305,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 }
-@@ -2421,4 +2439,22 @@ mm_answer_audit_kex_body(int sock, Buffe
+@@ -2450,4 +2468,22 @@ mm_answer_audit_kex_body(int sock, Buffe
 	return 0;
 }
@ -329,8 +329,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 +}
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
--- openssh-5.9p1/monitor.h.audit4	2011-09-18 05:13:25.887586033 +0200
+--- openssh-5.9p1/monitor.h.audit4	2012-02-06 17:15:01.580908188 +0100
-+++ openssh-5.9p1/monitor.h	2011-09-18 05:13:27.934522919 +0200
+++ openssh-5.9p1/monitor.h	2012-02-06 17:15:21.695033617 +0100
@@ -63,6 +63,7 @@ enum monitor_reqtype {
 	MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
 	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
@ -340,8 +340,8 @@ diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
 	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
 	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
 diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
--- openssh-5.9p1/monitor_wrap.c.audit4	2011-09-18 05:13:26.013583317 +0200
+--- openssh-5.9p1/monitor_wrap.c.audit4	2012-02-06 17:15:01.581802928 +0100
-+++ openssh-5.9p1/monitor_wrap.c	2011-09-18 05:13:28.049519981 +0200
+++ openssh-5.9p1/monitor_wrap.c	2012-02-06 17:15:21.696033353 +0100
@@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor
 		fatal("%s: conversion of newkeys failed", __func__);
@ -378,8 +378,8 @@ diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
 +}
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
--- openssh-5.9p1/monitor_wrap.h.audit4	2011-09-18 05:13:26.119474152 +0200
+--- openssh-5.9p1/monitor_wrap.h.audit4	2012-02-06 17:15:01.582908343 +0100
-+++ openssh-5.9p1/monitor_wrap.h	2011-09-18 05:13:28.151521539 +0200
+++ openssh-5.9p1/monitor_wrap.h	2012-02-06 17:15:21.696033353 +0100
@@ -79,6 +79,7 @@ int mm_audit_run_command(const char *);
 void mm_audit_end_command(int, const char *);
 void mm_audit_unsupported_body(int);
@ -389,8 +389,8 @@ diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
 struct Session;
 diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
--- openssh-5.9p1/packet.c.audit4	2011-09-18 05:13:20.417548627 +0200
+--- openssh-5.9p1/packet.c.audit4	2012-02-06 17:15:01.545908387 +0100
-+++ openssh-5.9p1/packet.c	2011-09-18 05:13:28.278520968 +0200
+++ openssh-5.9p1/packet.c	2012-02-06 17:15:21.696886524 +0100
@@ -60,6 +60,7 @@
 #include <signal.h>
@ -584,7 +584,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
 +
 diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
 --- openssh-5.9p1/packet.h.audit4	2011-05-15 00:43:13.000000000 +0200
-+++ openssh-5.9p1/packet.h	2011-09-18 05:13:28.385521238 +0200
+++ openssh-5.9p1/packet.h	2012-02-06 17:15:21.697874825 +0100
@@ -124,4 +124,5 @@ void	 packet_restore_state(void);
 void	*packet_get_input(void);
 void	*packet_get_output(void);
@ -592,8 +592,8 @@ diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
 +void	 packet_destroy_all(int, int);
 #endif				/* PACKET_H */
 diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
--- openssh-5.9p1/session.c.audit4	2011-09-18 05:13:22.842504192 +0200
+--- openssh-5.9p1/session.c.audit4	2012-02-06 17:15:01.562908533 +0100
-+++ openssh-5.9p1/session.c	2011-09-18 05:13:28.511522576 +0200
+++ openssh-5.9p1/session.c	2012-02-06 17:15:21.697874825 +0100
@@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command
 	/* remove hostkey from the child's memory */
@ -605,8 +605,8 @@ diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
 	/* Force a password change */
 	if (s->authctxt->force_pwchange) {
 diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.audit4	2011-09-18 05:13:26.617460032 +0200
+--- openssh-5.9p1/sshd.c.audit4	2012-02-06 17:15:01.583866459 +0100
-+++ openssh-5.9p1/sshd.c	2011-09-18 05:13:28.621521065 +0200
+++ openssh-5.9p1/sshd.c	2012-02-06 17:15:21.699033720 +0100
@@ -686,6 +686,8 @@ privsep_preauth(Authctxt *authctxt)
 	}
 }
--- a/openssh-5.9p1-gsskex.patch
+++ b/openssh-5.9p1-gsskex.patch
--- a/openssh-5.9p1-redhat.patch
+++ b/openssh-5.9p1-redhat.patch
@ -1,6 +1,6 @@
-diff -up openssh-5.9p0/ssh_config.redhat openssh-5.9p0/ssh_config
+diff -up openssh-5.9p1/ssh_config.redhat openssh-5.9p1/ssh_config
--- openssh-5.9p0/ssh_config.redhat	2010-01-12 09:40:27.000000000 +0100
+--- openssh-5.9p1/ssh_config.redhat	2010-01-12 09:40:27.000000000 +0100
-+++ openssh-5.9p0/ssh_config	2011-09-05 14:48:16.386439023 +0200
+++ openssh-5.9p1/ssh_config	2012-02-06 17:32:43.428032471 +0100
@@ -45,3 +45,14 @@
 #   PermitLocalCommand no
 #   VisualHostKey no
@ -16,37 +16,9 @@ diff -up openssh-5.9p0/ssh_config.redhat openssh-5.9p0/ssh_config
 +	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
 +	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 +	SendEnv XMODIFIERS
-diff -up openssh-5.9p0/sshd_config.0.redhat openssh-5.9p0/sshd_config.0
+diff -up openssh-5.9p1/sshd_config.redhat openssh-5.9p1/sshd_config
--- openssh-5.9p0/sshd_config.0.redhat	2011-09-05 14:48:08.522441255 +0200
+--- openssh-5.9p1/sshd_config.redhat	2012-02-06 17:32:43.427032448 +0100
-+++ openssh-5.9p0/sshd_config.0	2011-09-05 14:48:16.477443868 +0200
+++ openssh-5.9p1/sshd_config	2012-02-06 17:35:15.356783832 +0100
@@ -581,9 +581,9 @@ DESCRIPTION
      SyslogFacility
              Gives the facility code that is used when logging messages from
 -             sshd(8).  The possible values are: DAEMON, USER, AUTH, LOCAL0,
 -             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The
 -             default is AUTH.
 +             sshd(8).  The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
 +             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 +             The default is AUTH.
      TCPKeepAlive
              Specifies whether the system should send TCP keepalive messages
 diff -up openssh-5.9p0/sshd_config.5.redhat openssh-5.9p0/sshd_config.5
 --- openssh-5.9p0/sshd_config.5.redhat	2011-09-05 14:48:08.657564688 +0200
 +++ openssh-5.9p0/sshd_config.5	2011-09-05 14:48:16.589501736 +0200
@@ -1029,7 +1029,7 @@ Note that this option applies to protoco
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
 .Xr sshd 8 .
 -The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 +The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
 .It Cm TCPKeepAlive
 diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
 --- openssh-5.9p0/sshd_config.redhat	2011-09-05 14:48:16.250626793 +0200
 +++ openssh-5.9p0/sshd_config	2011-09-05 15:06:01.513443553 +0200
@@ -32,6 +32,7 @@
 # Logging
 # obsoletes QuietMode and FascistLogging
@ -77,15 +49,13 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
-@@ -89,6 +94,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -89,11 +94,13 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
 +UsePAM yes
- #TwoFactorAuthentication no
+ #AllowAgentForwarding yes
 #SecondPubkeyAuthentication yes
@@ -101,6 +107,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #AllowTcpForwarding yes
 #GatewayPorts no
 #X11Forwarding no
@ -93,7 +63,7 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
-@@ -121,6 +128,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -114,6 +121,12 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # no default banner path
 #Banner none
@ -106,3 +76,31 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server
 diff -up openssh-5.9p1/sshd_config.0.redhat openssh-5.9p1/sshd_config.0
 --- openssh-5.9p1/sshd_config.0.redhat	2012-02-06 17:32:43.302970171 +0100
 +++ openssh-5.9p1/sshd_config.0	2012-02-06 17:32:43.428032471 +0100
@@ -581,9 +581,9 @@ DESCRIPTION
      SyslogFacility
              Gives the facility code that is used when logging messages from
 -             sshd(8).  The possible values are: DAEMON, USER, AUTH, LOCAL0,
 -             LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  The
 -             default is AUTH.
 +             sshd(8).  The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
 +             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 +             The default is AUTH.
      TCPKeepAlive
              Specifies whether the system should send TCP keepalive messages
 diff -up openssh-5.9p1/sshd_config.5.redhat openssh-5.9p1/sshd_config.5
 --- openssh-5.9p1/sshd_config.5.redhat	2012-02-06 17:32:43.303971959 +0100
 +++ openssh-5.9p1/sshd_config.5	2012-02-06 17:32:43.429032398 +0100
@@ -1019,7 +1019,7 @@ Note that this option applies to protoco
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
 .Xr sshd 8 .
 -The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
 +The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
 .It Cm TCPKeepAlive
--- a/openssh-5.9p1-required-authentications.patch
+++ b/openssh-5.9p1-required-authentications.patch
@ -0,0 +1,827 @@
 diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
 --- openssh-5.9p1/auth.c.required-authentication	2012-02-06 17:03:51.034158031 +0100
 +++ openssh-5.9p1/auth.c	2012-02-06 17:03:55.007830206 +0100
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
 }
 void
 -auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
 +auth_log(Authctxt *authctxt, int authenticated, const char *method,
 +    const char *submethod, const char *info)
 {
 	void (*authlog) (const char *fmt,...) = verbose;
 	char *authmsg;
@@ -271,9 +272,10 @@ auth_log(Authctxt *authctxt, int authent
 	else
 		authmsg = authenticated ? "Accepted" : "Failed";
 -	authlog("%s %s for %s%.100s from %.200s port %d%s",
 +	authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
 	    authmsg,
 	    method,
 +	    submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
 	    authctxt->valid ? "" : "invalid user ",
 	    authctxt->user,
 	    get_remote_ipaddr(),
@@ -303,7 +305,7 @@ auth_log(Authctxt *authctxt, int authent
  * Check whether root logins are disallowed.
  */
 int
 -auth_root_allowed(char *method)
 +auth_root_allowed(const char *method)
 {
 	switch (options.permit_root_login) {
 	case PERMIT_YES:
@@ -694,3 +696,57 @@ fakepw(void)
 	return (&fake);
 }
 +
 +int
 +auth_method_in_list(const char *list, const char *method)
 +{
 +	char *cp;
 +
 +	cp = match_list(method, list, NULL);
 +	if (cp != NULL) {
 +		xfree(cp);
 +		return 1;
 +	}
 +
 +	return 0;
 +}
 +
 +#define	DELIM	","
 +int
 +auth_remove_from_list(char **list, const char *method)
 +{
 +	char *oldlist, *cp, *newlist = NULL;
 +	u_int len = 0, ret = 0;
 +
 +	if (list == NULL || *list == NULL)
 +		return (0);
 +
 +	oldlist = *list;
 +	len = strlen(oldlist) + 1;
 +	newlist = xmalloc(len);
 +	memset(newlist, '\0', len);
 +
 +	/* Remove method from list, if present */
 +	for (;;) {
 +		if ((cp = strsep(&oldlist, DELIM)) == NULL)
 +			break;
 +		if (*cp == '\0')
 +			continue;
 +		if (strcmp(cp, method) != 0) {
 +			if (*newlist != '\0')
 +				strlcat(newlist, DELIM, len);
 +			strlcat(newlist, cp, len);
 +		} else
 +			ret++;
 +	}
 +
 +	/* Return NULL instead of empty list */
 +	if (*newlist == '\0') {
 +		xfree(newlist);
 +		newlist = NULL;
 +	}
 +	xfree(*list);
 +	*list = newlist;
 +	
 +	return (ret);
 +}
 diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
 --- openssh-5.9p1/auth.h.required-authentication	2011-05-29 13:39:38.000000000 +0200
 +++ openssh-5.9p1/auth.h	2012-02-06 17:03:55.008839468 +0100
@@ -142,10 +142,11 @@ void disable_forwarding(void);
 void	do_authentication(Authctxt *);
 void	do_authentication2(Authctxt *);
 -void	auth_log(Authctxt *, int, char *, char *);
 -void	userauth_finish(Authctxt *, int, char *);
 +void	auth_log(Authctxt *, int, const char *, const char *, const char *);
 +void	userauth_finish(Authctxt *, int, const char *, const char *);
 +int	auth_root_allowed(const char *);
 +
 void	userauth_send_banner(const char *);
 -int	auth_root_allowed(char *);
 char	*auth2_read_banner(void);
@@ -192,6 +193,11 @@ void	 auth_debug_send(void);
 void	 auth_debug_reset(void);
 struct passwd *fakepw(void);
 +int	 auth_method_in_list(const char *, const char *);
 +int	 auth_remove_from_list(char **, const char *);
 +
 +int	 auth1_check_required(const char *);
 +int	 auth2_check_required(const char *);
 int	 sys_auth_passwd(Authctxt *, const char *);
 diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
 --- openssh-5.9p1/auth1.c.required-authentication	2010-08-31 14:36:39.000000000 +0200
 +++ openssh-5.9p1/auth1.c	2012-02-06 17:03:55.055811924 +0100
@@ -98,6 +98,54 @@ static const struct AuthMethod1
 	return (NULL);
 }
 +static const struct AuthMethod1 *
 +lookup_authmethod1_by_name(const char *name)
 +{
 +	int i;
 +
 +	for (i = 0; auth1_methods[i].name != NULL; i++)
 +		if (strcmp(auth1_methods[i].name, name) == 0)
 +			return (&(auth1_methods[i]));
 +
 +	return NULL;
 +}
 +
 +#define	DELIM	","
 +int
 +auth1_check_required(const char *list)
 +{
 +	char *orig_methods, *methods, *cp;
 +	static const struct AuthMethod1 *m;
 +	int ret = 0;
 +
 +	orig_methods = methods = xstrdup(list);
 +	for(;;) { /* XXX maybe: while ((cp = ...) != NULL) ? */
 +		if ((cp = strsep(&methods, DELIM)) == NULL)
 +			break;
 +		debug2("auth1_check_required: method \"%s\"", cp);
 +		if (*cp == '\0') {
 +			debug("auth1_check_required: empty method");
 +			ret = -1;
 +		}
 +		if ((m = lookup_authmethod1_by_name(cp)) == NULL) {
 +			debug("auth1_check_required: unknown method "
 +			    "\"%s\"", cp);
 +			ret = -1;
 +		}
 +		if (*(m->enabled) == 0) {
 +			debug("auth1_check_required: method %s explicitly "
 +			    "disabled", cp);
 +			ret = -1;
 +		}
 +		/* Activate method if it isn't already */
 +		if (*(m->enabled) == -1)
 +			*(m->enabled) = 1;
 +        }
 +	xfree(orig_methods);
 +	return (ret);
 +}
 +
 +
 static char *
 get_authname(int type)
 {
@@ -237,6 +285,7 @@ do_authloop(Authctxt *authctxt)
 {
 	int authenticated = 0;
 	char info[1024];
 +	const char *meth_name;
 	int prev = 0, type = 0;
 	const struct AuthMethod1 *meth;
@@ -244,7 +293,7 @@ do_authloop(Authctxt *authctxt)
 	    authctxt->valid ? "" : "invalid user ", authctxt->user);
 	/* If the user has no password, accept authentication immediately. */
 -	if (options.permit_empty_passwd && options.password_authentication &&
 +	if (options.permit_empty_passwd && options.password_authentication && options.password_authentication &&
 #ifdef KRB5
 	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
 #endif
@@ -253,7 +302,7 @@ do_authloop(Authctxt *authctxt)
 		if (options.use_pam && (PRIVSEP(do_pam_account())))
 #endif
 		{
 -			auth_log(authctxt, 1, "without authentication", "");
 +			auth_log(authctxt, 1, "without authentication", NULL, "");
 			return;
 		}
 	}
@@ -272,6 +321,7 @@ do_authloop(Authctxt *authctxt)
 		/* Get a packet from the client. */
 		prev = type;
 		type = packet_read();
 +		meth_name = get_authname(type);
 		/*
 		 * If we started challenge-response authentication but the
@@ -287,8 +337,8 @@ do_authloop(Authctxt *authctxt)
 		if (authctxt->failures >= options.max_authtries)
 			goto skip;
 		if ((meth = lookup_authmethod1(type)) == NULL) {
 -			logit("Unknown message during authentication: "
 -			    "type %d", type);
 +			logit("Unknown message during authentication: type %d",
 +			    type);
 			goto skip;
 		}
@@ -297,6 +347,17 @@ do_authloop(Authctxt *authctxt)
 			goto skip;
 		}
 +		/*
 +		 * Skip methods not in required list, until all the required
 +		 * ones are done
 +		 */
 +		if (options.required_auth1 != NULL &&
 +		    !auth_method_in_list(options.required_auth1, meth_name)) {
 +			debug("Skipping method \"%s\" until required "
 +			    "authentication completed", meth_name);
 +			goto skip;
 +		}
 +
 		authenticated = meth->method(authctxt, info, sizeof(info));
 		if (authenticated == -1)
 			continue; /* "postponed" */
@@ -352,7 +413,29 @@ do_authloop(Authctxt *authctxt)
  skip:
 		/* Log before sending the reply */
 -		auth_log(authctxt, authenticated, get_authname(type), info);
 +		auth_log(authctxt, authenticated, meth_name, NULL, info);
 +
 +		/* Loop until the required authmethods are done */
 +		if (authenticated && options.required_auth1 != NULL) {
 +			if (auth_remove_from_list(&options.required_auth1,
 +			    meth_name) != 1)
 +				fatal("INTERNAL ERROR: authenticated method "
 +				    "\"%s\" not in required list \"%s\"",
 +				    meth_name, options.required_auth1);
 +			debug2("do_authloop: required list now: %s",
 +			    options.required_auth1 == NULL ?
 +			    "DONE" : options.required_auth1);
 +			if (options.required_auth1 == NULL)
 +				return;
 +			authenticated = 0;
 +			/*
 +			 * Disable method so client can't authenticate with it
 +			 * after the required authentications are complete.
 +			 */
 +			*(meth->enabled) = 0;
 +			packet_send_debug("Further authentication required");
 +			goto send_fail;
 +		}
 		if (client_user != NULL) {
 			xfree(client_user);
@@ -368,6 +451,7 @@ do_authloop(Authctxt *authctxt)
 #endif
 			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
 		}
 + send_fail:
 		packet_start(SSH_SMSG_FAILURE);
 		packet_send();
 diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
 --- openssh-5.9p1/auth2.c.required-authentication	2011-05-05 06:04:11.000000000 +0200
 +++ openssh-5.9p1/auth2.c	2012-02-06 17:03:55.100896430 +0100
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
 {
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
 -	char *user, *service, *method, *style = NULL;
 +	char *user, *service, *method, *active_methods, *style = NULL;
 	int authenticated = 0;
 	if (authctxt == NULL)
@@ -277,22 +277,31 @@ input_userauth_request(int type, u_int32
 	authctxt->server_caused_failure = 0;
 	/* try to authenticate user */
 -	m = authmethod_lookup(method);
 -	if (m != NULL && authctxt->failures < options.max_authtries) {
 -		debug2("input_userauth_request: try method %s", method);
 -		authenticated =	m->userauth(authctxt);
 -	}
 -	userauth_finish(authctxt, authenticated, method);
 +	active_methods = authmethods_get();
 +	if (strcmp(method, "none") == 0 || 
 +	    auth_method_in_list(active_methods, method)) {
 +		m = authmethod_lookup(method);
 +		if (m != NULL) {
 +			debug2("input_userauth_request: try method %s", method);
 +			authenticated =	m->userauth(authctxt);
 +		}
 +	}
 +	xfree(active_methods);
 +	userauth_finish(authctxt, authenticated, method, NULL);
 + 
 	xfree(service);
 	xfree(user);
 	xfree(method);
 }
 void
 -userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 +userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
 +    const char *submethod)
 {
 	char *methods;
 +	Authmethod *m = NULL;
 +	u_int partial = 0;
 	if (!authctxt->valid && authenticated)
 		fatal("INTERNAL ERROR: authenticated invalid user %s",
@@ -330,12 +339,42 @@ userauth_finish(Authctxt *authctxt, int 
 #endif /* _UNICOS */
 	/* Log before sending the reply */
 -	auth_log(authctxt, authenticated, method, " ssh2");
 +	auth_log(authctxt, authenticated, method, submethod, " ssh2");
 	if (authctxt->postponed)
 		return;
 -	/* XXX todo: check if multiple auth methods are needed */
 +	/* Handle RequiredAuthentications2: loop until required methods done */
 +	if (authenticated && options.required_auth2 != NULL) {
 +		if ((m = authmethod_lookup(method)) == NULL)
 +			fatal("INTERNAL ERROR: authenticated method "
 +			    "\"%s\" unknown", method);
 +		if (auth_remove_from_list(&options.required_auth2, method) != 1)
 +			fatal("INTERNAL ERROR: authenticated method "
 +			    "\"%s\" not in required list \"%s\"", 
 +			    method, options.required_auth2);
 +		debug2("userauth_finish: required list now: %s",
 +		    options.required_auth2 == NULL ?
 +		    "DONE" : options.required_auth2);
 +		/*
 +		 * if authenticated and no more required methods 
 +		 * then declare success
 +		 */
 +		if ( authenticated && options.required_auth2 == NULL ) {
 +			debug2("userauth_finish: authenticated and no more required methods");
 +		} else {
 +			/*
 +			 * Disable method so client can't authenticate with it after
 +			 * the required authentications are complete.
 +			 */
 +			if (m->enabled != NULL)
 +			*(m->enabled) = 0;
 +			authenticated = 0;
 +			partial = 1;
 +			goto send_fail;
 +		}
 +	}
 +
 	if (authenticated == 1) {
 		/* turn off userauth */
 		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
@@ -345,7 +384,6 @@ userauth_finish(Authctxt *authctxt, int 
 		/* now we can break out */
 		authctxt->success = 1;
 	} else {
 -
 		/* Allow initial try of "none" auth without failure penalty */
 		if (!authctxt->server_caused_failure &&
 		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))
@@ -356,10 +394,11 @@ userauth_finish(Authctxt *authctxt, int 
 #endif
 			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
 		}
 + send_fail:
 		methods = authmethods_get();
 		packet_start(SSH2_MSG_USERAUTH_FAILURE);
 		packet_put_cstring(methods);
 -		packet_put_char(0);	/* XXX partial success, unused */
 +		packet_put_char(partial);
 		packet_send();
 		packet_write_wait();
 		xfree(methods);
@@ -373,6 +412,9 @@ authmethods_get(void)
 	char *list;
 	int i;
 +	if (options.required_auth2 != NULL)
 +		return xstrdup(options.required_auth2);
 +
 	buffer_init(&b);
 	for (i = 0; authmethods[i] != NULL; i++) {
 		if (strcmp(authmethods[i]->name, "none") == 0)
@@ -407,3 +449,43 @@ authmethod_lookup(const char *name)
 	return NULL;
 }
 +#define DELIM ","
 +
 +int
 +auth2_check_required(const char *list)
 +{
 +	char *orig_methods, *methods, *cp;
 +	struct Authmethod *m;
 +	int i, ret = 0;
 +
 +	orig_methods = methods = xstrdup(list);
 +	for(;;) {
 +		if ((cp = strsep(&methods, DELIM)) == NULL)
 +			break;
 +		debug2("auth2_check_required: method \"%s\"", cp);
 +		if (*cp == '\0') {
 +			debug("auth2_check_required: empty method");
 +			ret = -1;
 +		}
 +		for (i = 0; authmethods[i] != NULL; i++)
 +			if (strcmp(cp, authmethods[i]->name) == 0)
 +				break;
 +		if ((m = authmethods[i]) == NULL) {
 +			debug("auth2_check_required: unknown method "
 +			    "\"%s\"", cp);
 +			ret = -1;
 +			break;
 +		}
 +		if (m->enabled == NULL || *(m->enabled) == 0) {
 +			debug("auth2_check_required: method %s explicitly "
 +			    "disabled", cp);
 +			ret = -1;
 +		}
 +		/* Activate method if it isn't already */
 +		if (*(m->enabled) == -1)
 +			*(m->enabled) = 1;
 +	}
 +	xfree(orig_methods);
 +	return (ret);
 +}
 +
 diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
 --- openssh-5.9p1/auth2-gss.c.required-authentication	2011-05-05 06:04:11.000000000 +0200
 +++ openssh-5.9p1/auth2-gss.c	2012-02-06 17:03:55.098862514 +0100
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
 		}
 		authctxt->postponed = 0;
 		dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
 -		userauth_finish(authctxt, 0, "gssapi-with-mic");
 +		userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
 	} else {
 		if (send_tok.length != 0) {
 			packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
@@ -251,7 +251,7 @@ input_gssapi_exchange_complete(int type,
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
 -	userauth_finish(authctxt, authenticated, "gssapi-with-mic");
 +	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
 }
 static void
@@ -291,7 +291,7 @@ input_gssapi_mic(int type, u_int32_t ple
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
 -	userauth_finish(authctxt, authenticated, "gssapi-with-mic");
 +	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
 }
 Authmethod method_gssapi = {
 diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
 --- openssh-5.9p1/auth2-chall.c.required-authentication	2009-01-28 06:13:39.000000000 +0100
 +++ openssh-5.9p1/auth2-chall.c	2012-02-06 17:03:55.098862514 +0100
@@ -341,8 +341,8 @@ input_userauth_info_response(int type, u
 			auth2_challenge_start(authctxt);
 		}
 	}
 -	userauth_finish(authctxt, authenticated, method);
 -	xfree(method);
 +	userauth_finish(authctxt, authenticated, "keyboard-interactive",
 +	    kbdintctxt->device?kbdintctxt->device->name:NULL);
 }
 void
 diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
 --- openssh-5.9p1/auth2-none.c.required-authentication	2010-06-26 02:01:33.000000000 +0200
 +++ openssh-5.9p1/auth2-none.c	2012-02-06 17:03:55.099879104 +0100
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
 {
 	none_enabled = 0;
 	packet_check_eom();
 -	if (options.permit_empty_passwd && options.password_authentication)
 +	if (options.permit_empty_passwd && options.password_authentication && options.required_auth2 == NULL)
 		return (PRIVSEP(auth_password(authctxt, "")));
 	return (0);
 }
 diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
 --- openssh-5.9p1/monitor.c.required-authentication	2012-02-06 17:03:51.020095446 +0100
 +++ openssh-5.9p1/monitor.c	2012-02-06 17:03:55.101912924 +0100
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
 static char *hostbased_cuser = NULL;
 static char *hostbased_chost = NULL;
 static char *auth_method = "unknown";
 +static char *auth_submethod = NULL;
 static u_int session_id2_len = 0;
 static u_char *session_id2 = NULL;
 static pid_t monitor_child_pid;
@@ -352,7 +353,8 @@ void
 monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 {
 	struct mon_table *ent;
 -	int authenticated = 0;
 +	int no_increment, authenticated = 0;
 +	char **req_auth;
 	debug3("preauth child monitor started");
@@ -367,12 +369,14 @@ monitor_child_preauth(Authctxt *_authctx
 	if (compat20) {
 		mon_dispatch = mon_dispatch_proto20;
 +		req_auth = &options.required_auth2;
 		/* Permit requests for moduli and signatures */
 		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
 	} else {
 		mon_dispatch = mon_dispatch_proto15;
 +		req_auth = &options.required_auth1;
 		monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
 	}
@@ -380,6 +384,8 @@ monitor_child_preauth(Authctxt *_authctx
 	/* The first few requests do not require asynchronous access */
 	while (!authenticated) {
 		auth_method = "unknown";
 +		auth_submethod = NULL;
 +		no_increment = 1;
 		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
 		if (authenticated) {
 			if (!(ent->flags & MON_AUTHDECIDE))
@@ -401,11 +407,23 @@ monitor_child_preauth(Authctxt *_authctx
 			}
 #endif
 		}
 +		/* Loop until the required authmethods are done */
 +		if (authenticated && *req_auth != NULL) {
 +			if (auth_remove_from_list(req_auth, auth_method) != 1)
 +				fatal("INTERNAL ERROR: authenticated method "
 +				    "\"%s\" not in required list \"%s\"",
 +				    auth_method, *req_auth);
 +			debug2("monitor_child_preauth: required list now: %s",
 +			    *req_auth == NULL ? "DONE" : *req_auth);
 +			if (*req_auth != NULL)
 +				authenticated = 0;
 +			no_increment = 1;
 +		}
 		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
 			auth_log(authctxt, authenticated, auth_method,
 -			    compat20 ? " ssh2" : "");
 -			if (!authenticated)
 +				 auth_submethod, compat20 ? " ssh2" : "");
 +			if (!authenticated && !no_increment)
 				authctxt->failures++;
 		}
 #ifdef JPAKE
@@ -862,6 +880,7 @@ mm_answer_authpassword(int sock, Buffer 
 		auth_method = "none";
 	else
 		auth_method = "password";
 +	auth_submethod = NULL;
 	/* Causes monitor loop to terminate if authenticated */
 	return (authenticated);
@@ -921,6 +940,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
 	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
 	auth_method = "bsdauth";
 +	auth_submethod = NULL;
 	return (authok != 0);
 }
@@ -970,6 +990,7 @@ mm_answer_skeyrespond(int sock, Buffer *
 	mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
 	auth_method = "skey";
 +	auth_submethod = NULL;
 	return (authok != 0);
 }
@@ -1059,7 +1080,8 @@ mm_answer_pam_query(int sock, Buffer *m)
 		xfree(prompts);
 	if (echo_on != NULL)
 		xfree(echo_on);
 -	auth_method = "keyboard-interactive/pam";
 +	auth_method = "keyboard-interactive";
 +	auth_submethod = "pam";
 	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
 	return (0);
 }
@@ -1088,7 +1110,8 @@ mm_answer_pam_respond(int sock, Buffer *
 	buffer_clear(m);
 	buffer_put_int(m, ret);
 	mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
 -	auth_method = "keyboard-interactive/pam";
 +	auth_method = "keyboard-interactive";
 +	auth_submethod = "pam";
 	if (ret == 0)
 		sshpam_authok = sshpam_ctxt;
 	return (0);
@@ -1102,7 +1125,8 @@ mm_answer_pam_free_ctx(int sock, Buffer 
 	(sshpam_device.free_ctx)(sshpam_ctxt);
 	buffer_clear(m);
 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
 -	auth_method = "keyboard-interactive/pam";
 +	auth_method = "keyboard-interactive";
 +	auth_submethod = "pam";
 	return (sshpam_authok == sshpam_ctxt);
 }
 #endif
@@ -1138,6 +1162,7 @@ mm_answer_keyallowed(int sock, Buffer *m
 			allowed = options.pubkey_authentication &&
 			    user_key_allowed(authctxt->pw, key);
 			auth_method = "publickey";
 +			auth_submethod = NULL;
 			if (options.pubkey_authentication && allowed != 1)
 				auth_clear_options();
 			break;
@@ -1146,6 +1171,7 @@ mm_answer_keyallowed(int sock, Buffer *m
 			    hostbased_key_allowed(authctxt->pw,
 			    cuser, chost, key);
 			auth_method = "hostbased";
 +			auth_submethod = NULL;
 			break;
 		case MM_RSAHOSTKEY:
 			key->type = KEY_RSA1; /* XXX */
@@ -1155,6 +1181,7 @@ mm_answer_keyallowed(int sock, Buffer *m
 			if (options.rhosts_rsa_authentication && allowed != 1)
 				auth_clear_options();
 			auth_method = "rsa";
 +			auth_submethod = NULL;
 			break;
 		default:
 			fatal("%s: unknown key type %d", __func__, type);
@@ -1180,7 +1207,8 @@ mm_answer_keyallowed(int sock, Buffer *m
 		hostbased_chost = chost;
 	} else {
 		/* Log failed attempt */
 -		auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
 +		auth_log(authctxt, 0, auth_method, auth_submethod,
 +		    compat20 ? " ssh2" : "");
 		xfree(blob);
 		xfree(cuser);
 		xfree(chost);
@@ -1356,6 +1384,7 @@ mm_answer_keyverify(int sock, Buffer *m)
 	xfree(data);
 	auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
 +	auth_submethod = NULL;
 	monitor_reset_key_state();
@@ -1545,6 +1574,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
 	debug3("%s entering", __func__);
 	auth_method = "rsa";
 +	auth_submethod = NULL;
 	if (options.rsa_authentication && authctxt->valid) {
 		if ((client_n = BN_new()) == NULL)
 			fatal("%s: BN_new", __func__);
@@ -1650,6 +1680,7 @@ mm_answer_rsa_response(int sock, Buffer 
 	xfree(response);
 	auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
 +	auth_submethod = NULL;
 	/* reset state */
 	BN_clear_free(ssh1_challenge);
@@ -2099,6 +2130,7 @@ mm_answer_gss_userok(int sock, Buffer *m
 	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
 	auth_method = "gssapi-with-mic";
 +	auth_submethod = NULL;
 	/* Monitor loop will terminate if authenticated */
 	return (authenticated);
@@ -2303,6 +2335,7 @@ mm_answer_jpake_check_confirm(int sock, 
 	monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
 	auth_method = "jpake-01@openssh.com";
 +	auth_submethod = NULL;
 	return authenticated;
 }
 diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
 --- openssh-5.9p1/servconf.c.required-authentication	2012-02-06 17:03:51.024963230 +0100
 +++ openssh-5.9p1/servconf.c	2012-02-06 17:03:55.102929716 +0100
@@ -42,6 +42,8 @@
 #include "key.h"
 #include "kex.h"
 #include "mac.h"
 +#include "hostfile.h"
 +#include "auth.h"
 #include "match.h"
 #include "channels.h"
 #include "groupaccess.h"
@@ -129,6 +131,8 @@ initialize_server_options(ServerOptions 
 	options->num_authkeys_files = 0;
 	options->num_accept_env = 0;
 	options->permit_tun = -1;
 +	options->required_auth1 = NULL;
 +	options->required_auth2 = NULL;
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 	options->chroot_directory = NULL;
@@ -319,6 +323,7 @@ typedef enum {
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 +	sRequiredAuthentications1, sRequiredAuthentications2,
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sZeroKnowledgePasswordAuthentication, sHostCertificate,
@@ -447,6 +452,8 @@ static struct {
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
 +	{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
 +	{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
 	{ NULL, sBadOption, 0 }
 };
@@ -1220,6 +1227,33 @@ process_server_config_line(ServerOptions
 			options->max_startups = options->max_startups_begin;
 		break;
 +
 +	case sRequiredAuthentications1:
 +		charptr = &options->required_auth1;
 +		arg = strdelim(&cp);
 +		if (auth1_check_required(arg) != 0)
 +			fatal("%.200s line %d: Invalid required authentication "
 +			    "list", filename, linenum);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing argument.",
 +			    filename, linenum);
 +		if (*charptr == NULL)
 +			*charptr = xstrdup(arg);
 +		break;
 +
 +	case sRequiredAuthentications2:
 +		charptr = &options->required_auth2;
 +		arg = strdelim(&cp);
 +		if (auth2_check_required(arg) != 0)
 +			fatal("%.200s line %d: Invalid required authentication "
 +			    "list", filename, linenum);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing argument.",
 +			    filename, linenum);
 +		if (*charptr == NULL)
 +			*charptr = xstrdup(arg);
 +		break;
 +
 	case sMaxAuthTries:
 		intptr = &options->max_authtries;
 		goto parse_int;
 diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
 --- openssh-5.9p1/servconf.h.required-authentication	2011-06-23 00:30:03.000000000 +0200
 +++ openssh-5.9p1/servconf.h	2012-02-06 17:03:55.102929716 +0100
@@ -154,6 +154,9 @@ typedef struct {
 	u_int num_authkeys_files;	/* Files containing public keys */
 	char   *authorized_keys_files[MAX_AUTHKEYS_FILES];
 +	char   *required_auth1; /* Required, but not sufficient */
 +	char   *required_auth2;
 +
 	char   *adm_forced_command;
 	int	use_pam;		/* Enable auth via PAM */
 diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
 --- openssh-5.9p1/sshd_config.5.required-authentication	2011-08-05 22:17:33.000000000 +0200
 +++ openssh-5.9p1/sshd_config.5	2012-02-06 17:09:39.038871798 +0100
@@ -723,6 +723,8 @@ Available keywords are
 .Cm PermitOpen ,
 .Cm PermitRootLogin ,
 .Cm PermitTunnel ,
 +.Cm RequiredAuthentications1,
 +.Cm RequiredAuthentications2,
 .Cm PubkeyAuthentication ,
 .Cm RhostsRSAAuthentication ,
 .Cm RSAAuthentication ,
@@ -920,6 +937,21 @@ Specifies a list of revoked public keys.
 Keys listed in this file will be refused for public key authentication.
 Note that if this file is not readable, then public key authentication will
 be refused for all users.
 +.It Cm RequiredAuthentications[12]
 + Requires two authentication methods to succeed before authorizing the connection.
 + (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
 +
 + RequiredAuthentications1 method[,method...] 
 + RequiredAuthentications2 method[,method...]
 +
 +.Pp
 +Example 1:
 +
 + RequiredAuthentications2 password,hostbased
 +
 +Example 2:
 + RequiredAuthentications2 publickey,password
 +
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.
--- a/openssh-5.9p1-role.patch
+++ b/openssh-5.9p1-role.patch
@ -1,30 +1,6 @@
-diff -up openssh-5.9p0/auth-pam.c.role openssh-5.9p0/auth-pam.c
+diff -up openssh-5.9p1/auth.h.role openssh-5.9p1/auth.h
--- openssh-5.9p0/auth-pam.c.role	2009-07-12 14:07:21.000000000 +0200
+--- openssh-5.9p1/auth.h.role	2012-02-06 17:21:26.038970656 +0100
-+++ openssh-5.9p0/auth-pam.c	2011-08-31 11:42:54.870087433 +0200
+++ openssh-5.9p1/auth.h	2012-02-06 17:21:59.477033401 +0100
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
  * during the ssh authentication process.
  */
 int
 -do_pam_putenv(char *name, char *value)
 +do_pam_putenv(char *name, const char *value)
 {
 	int ret = 1;
 #ifdef HAVE_PAM_PUTENV
 diff -up openssh-5.9p0/auth-pam.h.role openssh-5.9p0/auth-pam.h
 --- openssh-5.9p0/auth-pam.h.role	2004-09-11 14:17:26.000000000 +0200
 +++ openssh-5.9p0/auth-pam.h	2011-08-31 11:42:54.979086333 +0200
@@ -38,7 +38,7 @@ void do_pam_session(void);
 void do_pam_set_tty(const char *);
 void do_pam_setcred(int );
 void do_pam_chauthtok(void);
 -int do_pam_putenv(char *, char *);
 +int do_pam_putenv(char *, const char *);
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);
 diff -up openssh-5.9p0/auth.h.role openssh-5.9p0/auth.h
 --- openssh-5.9p0/auth.h.role	2011-08-31 11:42:47.760024631 +0200
 +++ openssh-5.9p0/auth.h	2011-08-31 11:42:55.090151027 +0200
@@ -59,6 +59,9 @@ struct Authctxt {
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
@ -35,10 +11,34 @@ diff -up openssh-5.9p0/auth.h.role openssh-5.9p0/auth.h
 	void		*kbdintctxt;
 	void		*jpake_ctx;
 #ifdef BSD_AUTH
-diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
+diff -up openssh-5.9p1/auth-pam.c.role openssh-5.9p1/auth-pam.c
--- openssh-5.9p0/auth1.c.role	2010-08-31 14:36:39.000000000 +0200
+--- openssh-5.9p1/auth-pam.c.role	2012-02-06 17:21:25.983793983 +0100
-+++ openssh-5.9p0/auth1.c	2011-08-31 11:42:55.215033075 +0200
+++ openssh-5.9p1/auth-pam.c	2012-02-06 17:21:59.476038868 +0100
-@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
+@@ -1074,7 +1074,7 @@ is_pam_session_open(void)
  * during the ssh authentication process.
  */
 int
 -do_pam_putenv(char *name, char *value)
 +do_pam_putenv(char *name, const char *value)
 {
 	int ret = 1;
 #ifdef HAVE_PAM_PUTENV
 diff -up openssh-5.9p1/auth-pam.h.role openssh-5.9p1/auth-pam.h
 --- openssh-5.9p1/auth-pam.h.role	2004-09-11 14:17:26.000000000 +0200
 +++ openssh-5.9p1/auth-pam.h	2012-02-06 17:21:59.477033401 +0100
@@ -38,7 +38,7 @@ void do_pam_session(void);
 void do_pam_set_tty(const char *);
 void do_pam_setcred(int );
 void do_pam_chauthtok(void);
 -int do_pam_putenv(char *, char *);
 +int do_pam_putenv(char *, const char *);
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);
 diff -up openssh-5.9p1/auth1.c.role openssh-5.9p1/auth1.c
 --- openssh-5.9p1/auth1.c.role	2012-02-06 17:21:26.016845827 +0100
 +++ openssh-5.9p1/auth1.c	2012-02-06 17:21:59.478033396 +0100
@@ -468,6 +468,9 @@ do_authentication(Authctxt *authctxt)
 {
 	u_int ulen;
 	char *user, *style = NULL;
@ -48,7 +48,7 @@ diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
 	/* Get the name of the user that we wish to log in as. */
 	packet_read_expect(SSH_CMSG_USER);
-@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
+@@ -476,11 +479,24 @@ do_authentication(Authctxt *authctxt)
 	user = packet_get_cstring(&ulen);
 	packet_check_eom();
@ -73,88 +73,13 @@ diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
 	/* Verify that the user is a valid user. */
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
-diff -up openssh-5.9p0/auth2-gss.c.role openssh-5.9p0/auth2-gss.c
+diff -up openssh-5.9p1/auth2.c.role openssh-5.9p1/auth2.c
--- openssh-5.9p0/auth2-gss.c.role	2011-05-05 06:04:11.000000000 +0200
+--- openssh-5.9p1/auth2.c.role	2012-02-06 17:21:26.024976386 +0100
-+++ openssh-5.9p0/auth2-gss.c	2011-08-31 11:42:55.313025576 +0200
+++ openssh-5.9p1/auth2.c	2012-02-06 17:23:14.127811737 +0100
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
 	int authenticated = 0;
 +	char *micuser;
 	Buffer b;
 	gss_buffer_desc mic, gssbuf;
 	u_int len;
@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
 	mic.value = packet_get_string(&len);
 	mic.length = len;
 -	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
 +#ifdef WITH_SELINUX
 +	if (authctxt->role && (strlen(authctxt->role) > 0))
 +		xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
 +	else
 +#endif
 +		micuser = authctxt->user;
 +	ssh_gssapi_buildmic(&b, micuser, authctxt->service,
 	    "gssapi-with-mic");
 	gssbuf.value = buffer_ptr(&b);
@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
 		logit("GSSAPI MIC check failed");
 	buffer_free(&b);
 +	if (micuser != authctxt->user)
 +		xfree(micuser);
 	xfree(mic.value);
 	authctxt->postponed = 0;
 diff -up openssh-5.9p0/auth2-hostbased.c.role openssh-5.9p0/auth2-hostbased.c
 --- openssh-5.9p0/auth2-hostbased.c.role	2011-08-31 11:42:47.863023264 +0200
 +++ openssh-5.9p0/auth2-hostbased.c	2011-08-31 11:42:55.421024814 +0200
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
 	buffer_put_string(&b, session_id2, session_id2_len);
 	/* reconstruct packet */
 	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
 -	buffer_put_cstring(&b, authctxt->user);
 +#ifdef WITH_SELINUX
 +	if (authctxt->role) {
 +		buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
 +		buffer_append(&b, authctxt->user, strlen(authctxt->user));
 +		buffer_put_char(&b, '/');
 +		buffer_append(&b, authctxt->role, strlen(authctxt->role));
 +	} else 
 +#endif
 +		buffer_put_cstring(&b, authctxt->user);
 	buffer_put_cstring(&b, service);
 	buffer_put_cstring(&b, "hostbased");
 	buffer_put_string(&b, pkalg, alen);
 diff -up openssh-5.9p0/auth2-pubkey.c.role openssh-5.9p0/auth2-pubkey.c
 --- openssh-5.9p0/auth2-pubkey.c.role	2011-08-31 11:42:47.978087418 +0200
 +++ openssh-5.9p0/auth2-pubkey.c	2011-08-31 11:42:55.551025263 +0200
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
 		}
 		/* reconstruct packet */
 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
 -		buffer_put_cstring(&b, authctxt->user);
 +#ifdef WITH_SELINUX
 +		if (authctxt->role) {
 +			buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
 +			buffer_append(&b, authctxt->user, strlen(authctxt->user));
 +			buffer_put_char(&b, '/');
 +			buffer_append(&b, authctxt->role, strlen(authctxt->role));
 +		} else 
 +#endif
 +			buffer_put_cstring(&b, authctxt->user);
 		buffer_put_cstring(&b,
 		    datafellows & SSH_BUG_PKSERVICE ?
 		    "ssh-userauth" :
 diff -up openssh-5.9p0/auth2.c.role openssh-5.9p0/auth2.c
 --- openssh-5.9p0/auth2.c.role	2011-08-31 11:42:45.409026065 +0200
 +++ openssh-5.9p0/auth2.c	2011-08-31 11:42:55.676024869 +0200
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
- 	char *user, *service, *method, *style = NULL;
+ 	char *user, *service, *method, *active_methods, *style = NULL;
 +#ifdef WITH_SELINUX
 +	char *role = NULL;
 +#endif
@ -190,9 +115,84 @@ diff -up openssh-5.9p0/auth2.c.role openssh-5.9p0/auth2.c
 		userauth_banner();
 	} else if (strcmp(user, authctxt->user) != 0 ||
 	    strcmp(service, authctxt->service) != 0) {
-diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
+diff -up openssh-5.9p1/auth2-gss.c.role openssh-5.9p1/auth2-gss.c
--- openssh-5.9p0/monitor.c.role	2011-08-31 11:42:53.301024819 +0200
+--- openssh-5.9p1/auth2-gss.c.role	2012-02-06 17:21:26.017853239 +0100
-+++ openssh-5.9p0/monitor.c	2011-08-31 11:42:55.796025812 +0200
+++ openssh-5.9p1/auth2-gss.c	2012-02-06 17:21:59.479096211 +0100
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
 	int authenticated = 0;
 +	char *micuser;
 	Buffer b;
 	gss_buffer_desc mic, gssbuf;
 	u_int len;
@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
 	mic.value = packet_get_string(&len);
 	mic.length = len;
 -	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
 +#ifdef WITH_SELINUX
 +	if (authctxt->role && (strlen(authctxt->role) > 0))
 +		xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
 +	else
 +#endif
 +		micuser = authctxt->user;
 +	ssh_gssapi_buildmic(&b, micuser, authctxt->service,
 	    "gssapi-with-mic");
 	gssbuf.value = buffer_ptr(&b);
@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
 		logit("GSSAPI MIC check failed");
 	buffer_free(&b);
 +	if (micuser != authctxt->user)
 +		xfree(micuser);
 	xfree(mic.value);
 	authctxt->postponed = 0;
 diff -up openssh-5.9p1/auth2-hostbased.c.role openssh-5.9p1/auth2-hostbased.c
 --- openssh-5.9p1/auth2-hostbased.c.role	2012-02-06 17:21:26.038970656 +0100
 +++ openssh-5.9p1/auth2-hostbased.c	2012-02-06 17:21:59.479096211 +0100
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
 	buffer_put_string(&b, session_id2, session_id2_len);
 	/* reconstruct packet */
 	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
 -	buffer_put_cstring(&b, authctxt->user);
 +#ifdef WITH_SELINUX
 +	if (authctxt->role) {
 +		buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
 +		buffer_append(&b, authctxt->user, strlen(authctxt->user));
 +		buffer_put_char(&b, '/');
 +		buffer_append(&b, authctxt->role, strlen(authctxt->role));
 +	} else 
 +#endif
 +		buffer_put_cstring(&b, authctxt->user);
 	buffer_put_cstring(&b, service);
 	buffer_put_cstring(&b, "hostbased");
 	buffer_put_string(&b, pkalg, alen);
 diff -up openssh-5.9p1/auth2-pubkey.c.role openssh-5.9p1/auth2-pubkey.c
 --- openssh-5.9p1/auth2-pubkey.c.role	2012-02-06 17:21:26.039787441 +0100
 +++ openssh-5.9p1/auth2-pubkey.c	2012-02-06 17:21:59.480096032 +0100
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
 		}
 		/* reconstruct packet */
 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
 -		buffer_put_cstring(&b, authctxt->user);
 +#ifdef WITH_SELINUX
 +		if (authctxt->role) {
 +			buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
 +			buffer_append(&b, authctxt->user, strlen(authctxt->user));
 +			buffer_put_char(&b, '/');
 +			buffer_append(&b, authctxt->role, strlen(authctxt->role));
 +		} else 
 +#endif
 +			buffer_put_cstring(&b, authctxt->user);
 		buffer_put_cstring(&b,
 		    datafellows & SSH_BUG_PKSERVICE ?
 		    "ssh-userauth" :
 diff -up openssh-5.9p1/monitor.c.role openssh-5.9p1/monitor.c
 --- openssh-5.9p1/monitor.c.role	2012-02-06 17:21:26.071220592 +0100
 +++ openssh-5.9p1/monitor.c	2012-02-06 17:21:59.481783500 +0100
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
@ -203,7 +203,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -231,6 +234,9 @@ struct mon_table mon_dispatch_proto20[]
+@@ -232,6 +235,9 @@ struct mon_table mon_dispatch_proto20[] 
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -213,7 +213,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
-@@ -819,6 +825,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
+@@ -833,6 +839,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -223,7 +223,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 #ifdef USE_PAM
-@@ -862,6 +871,25 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -876,6 +885,25 @@ mm_answer_authserv(int sock, Buffer *m)
 	return (0);
 }
@ -249,7 +249,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
 int
 mm_answer_authpassword(int sock, Buffer *m)
 {
-@@ -1227,7 +1255,7 @@ static int
+@@ -1252,7 +1280,7 @@ static int
 monitor_valid_userblob(u_char *data, u_int datalen)
 {
 	Buffer b;
@ -258,7 +258,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
 	u_int len;
 	int fail = 0;
-@@ -1253,6 +1281,8 @@ monitor_valid_userblob(u_char *data, u_i
+@@ -1278,6 +1306,8 @@ monitor_valid_userblob(u_char *data, u_i
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
 	p = buffer_get_string(&b, NULL);
@ -267,7 +267,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
 	if (strcmp(authctxt->user, p) != 0) {
 		logit("wrong user name passed to monitor: expected %s != %.100s",
 		    authctxt->user, p);
-@@ -1284,7 +1314,7 @@ monitor_valid_hostbasedblob(u_char *data
+@@ -1309,7 +1339,7 @@ monitor_valid_hostbasedblob(u_char *data
     char *chost)
 {
 	Buffer b;
@ -276,7 +276,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
 	u_int len;
 	int fail = 0;
-@@ -1301,6 +1331,8 @@ monitor_valid_hostbasedblob(u_char *data
+@@ -1326,6 +1356,8 @@ monitor_valid_hostbasedblob(u_char *data
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
 	p = buffer_get_string(&b, NULL);
@ -285,9 +285,9 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
 	if (strcmp(authctxt->user, p) != 0) {
 		logit("wrong user name passed to monitor: expected %s != %.100s",
 		    authctxt->user, p);
-diff -up openssh-5.9p0/monitor.h.role openssh-5.9p0/monitor.h
+diff -up openssh-5.9p1/monitor.h.role openssh-5.9p1/monitor.h
--- openssh-5.9p0/monitor.h.role	2011-08-31 11:42:53.409025333 +0200
+--- openssh-5.9p1/monitor.h.role	2012-02-06 17:21:26.071852220 +0100
-+++ openssh-5.9p0/monitor.h	2011-08-31 11:42:55.889024801 +0200
+++ openssh-5.9p1/monitor.h	2012-02-06 17:21:59.482846081 +0100
@@ -31,6 +31,9 @@
 enum monitor_reqtype {
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
@ -298,9 +298,9 @@ diff -up openssh-5.9p0/monitor.h.role openssh-5.9p0/monitor.h
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
-diff -up openssh-5.9p0/monitor_wrap.c.role openssh-5.9p0/monitor_wrap.c
+diff -up openssh-5.9p1/monitor_wrap.c.role openssh-5.9p1/monitor_wrap.c
--- openssh-5.9p0/monitor_wrap.c.role	2011-08-31 11:42:53.548024503 +0200
+--- openssh-5.9p1/monitor_wrap.c.role	2012-02-06 17:21:26.071852220 +0100
-+++ openssh-5.9p0/monitor_wrap.c	2011-08-31 11:42:56.029024553 +0200
+++ openssh-5.9p1/monitor_wrap.c	2012-02-06 17:21:59.483845610 +0100
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *
 	buffer_free(&m);
 }
@ -327,9 +327,9 @@ diff -up openssh-5.9p0/monitor_wrap.c.role openssh-5.9p0/monitor_wrap.c
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
-diff -up openssh-5.9p0/monitor_wrap.h.role openssh-5.9p0/monitor_wrap.h
+diff -up openssh-5.9p1/monitor_wrap.h.role openssh-5.9p1/monitor_wrap.h
--- openssh-5.9p0/monitor_wrap.h.role	2011-08-31 11:42:53.660025271 +0200
+--- openssh-5.9p1/monitor_wrap.h.role	2012-02-06 17:21:26.073192915 +0100
-+++ openssh-5.9p0/monitor_wrap.h	2011-08-31 11:42:56.131025748 +0200
+++ openssh-5.9p1/monitor_wrap.h	2012-02-06 17:21:59.483845610 +0100
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@ -340,9 +340,9 @@ diff -up openssh-5.9p0/monitor_wrap.h.role openssh-5.9p0/monitor_wrap.h
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
-diff -up openssh-5.9p0/openbsd-compat/Makefile.in.role openssh-5.9p0/openbsd-compat/Makefile.in
+diff -up openssh-5.9p1/openbsd-compat/Makefile.in.role openssh-5.9p1/openbsd-compat/Makefile.in
--- openssh-5.9p0/openbsd-compat/Makefile.in.role	2010-10-07 13:19:24.000000000 +0200
+--- openssh-5.9p1/openbsd-compat/Makefile.in.role	2010-10-07 13:19:24.000000000 +0200
-+++ openssh-5.9p0/openbsd-compat/Makefile.in	2011-08-31 11:48:02.404091479 +0200
+++ openssh-5.9p1/openbsd-compat/Makefile.in	2012-02-06 17:21:59.484846191 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
@ -352,9 +352,9 @@ diff -up openssh-5.9p0/openbsd-compat/Makefile.in.role openssh-5.9p0/openbsd-com
 .c.o:
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-diff -up openssh-5.9p0/openbsd-compat/port-linux.c.role openssh-5.9p0/openbsd-compat/port-linux.c
+diff -up openssh-5.9p1/openbsd-compat/port-linux.c.role openssh-5.9p1/openbsd-compat/port-linux.c
--- openssh-5.9p0/openbsd-compat/port-linux.c.role	2011-08-29 08:09:57.000000000 +0200
+--- openssh-5.9p1/openbsd-compat/port-linux.c.role	2011-08-29 08:09:57.000000000 +0200
-+++ openssh-5.9p0/openbsd-compat/port-linux.c	2011-08-31 11:42:56.492087969 +0200
+++ openssh-5.9p1/openbsd-compat/port-linux.c	2012-02-06 17:21:59.484846191 +0100
@@ -31,7 +31,11 @@
 #include "log.h"
@ -532,9 +532,9 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.role openssh-5.9p0/openbsd-co
 #endif /* WITH_SELINUX */
 #ifdef LINUX_OOM_ADJUST
-diff -up openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role openssh-5.9p0/openbsd-compat/port-linux_part_2.c
+diff -up openssh-5.9p1/openbsd-compat/port-linux_part_2.c.role openssh-5.9p1/openbsd-compat/port-linux_part_2.c
--- openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role	2011-08-31 11:42:56.583047619 +0200
+--- openssh-5.9p1/openbsd-compat/port-linux_part_2.c.role	2012-02-06 17:21:59.485846294 +0100
-+++ openssh-5.9p0/openbsd-compat/port-linux_part_2.c	2011-08-31 11:42:56.586178005 +0200
+++ openssh-5.9p1/openbsd-compat/port-linux_part_2.c	2012-02-06 17:21:59.485846294 +0100
@@ -0,0 +1,75 @@
 +/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
 +
--- a/openssh-5.9p1-vendor.patch
+++ b/openssh-5.9p1-vendor.patch
@ -1,7 +1,7 @@
-diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
+diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
--- openssh-5.9p0/configure.ac.vendor	2011-09-03 20:24:29.899501572 +0200
+--- openssh-5.9p1/configure.ac.vendor	2012-02-06 17:35:37.439855272 +0100
-+++ openssh-5.9p0/configure.ac	2011-09-03 20:24:39.153501595 +0200
+++ openssh-5.9p1/configure.ac	2012-02-06 17:35:37.510219862 +0100
-@@ -4131,6 +4131,12 @@ AC_ARG_WITH([lastlog],
+@@ -4135,6 +4135,12 @@ AC_ARG_WITH([lastlog],
 		fi
 	]
 )
@ -14,7 +14,7 @@ diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
 dnl lastlog, [uw]tmpx? detection
 dnl  NOTE: set the paths in the platform section to avoid the
-@@ -4357,6 +4363,7 @@ echo "           Translate v4 in v6 hack
+@@ -4361,6 +4367,7 @@ echo "           Translate v4 in v6 hack
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
 echo "             Privsep sandbox style: $SANDBOX_STYLE"
@ -22,10 +22,10 @@ diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
 echo ""
-diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
+diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
--- openssh-5.9p0/servconf.c.vendor	2011-09-03 20:24:29.080500853 +0200
+--- openssh-5.9p1/servconf.c.vendor	2012-02-06 17:35:37.432972267 +0100
-+++ openssh-5.9p0/servconf.c	2011-09-03 20:27:15.727564566 +0200
+++ openssh-5.9p1/servconf.c	2012-02-06 17:37:58.806272833 +0100
-@@ -130,6 +130,7 @@ initialize_server_options(ServerOptions
+@@ -125,6 +125,7 @@ initialize_server_options(ServerOptions 
 	options->max_authtries = -1;
 	options->max_sessions = -1;
 	options->banner = NULL;
@ -33,7 +33,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
 	options->use_dns = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
-@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption
+@@ -283,6 +284,8 @@ fill_default_server_options(ServerOption
 		options->ip_qos_interactive = IPTOS_LOWDELAY;
 	if (options->ip_qos_bulk == -1)
 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
@ -42,16 +42,16 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
-@@ -338,7 +341,7 @@ typedef enum {
+@@ -321,7 +324,7 @@ typedef enum {
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
 	sMaxStartups, sMaxAuthTries, sMaxSessions,
 -	sBanner, sUseDNS, sHostbasedAuthentication,
 +	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
- 	sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication,
+ 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
- 	sSecondPubkeyAuthentication, sSecondGssAuthentication,
+ 	sClientAliveCountMax, sAuthorizedKeysFile,
- 	sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication,
+ 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-@@ -470,6 +473,7 @@ static struct {
+@@ -436,6 +439,7 @@ static struct {
 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
 	{ "banner", sBanner, SSHCFG_ALL },
@ -59,7 +59,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
-@@ -1152,6 +1156,10 @@ process_server_config_line(ServerOptions
+@@ -1092,6 +1096,10 @@ process_server_config_line(ServerOptions
 		multistate_ptr = multistate_privsep;
 		goto parse_multistate;
@ -70,7 +70,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
 	case sAllowUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
 			if (options->num_allow_users >= MAX_ALLOW_USERS)
-@@ -1849,6 +1857,7 @@ dump_config(ServerOptions *o)
+@@ -1807,6 +1815,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUseLogin, o->use_login);
 	dump_cfg_fmtint(sCompression, o->compression);
 	dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
@ -78,10 +78,10 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
-diff -up openssh-5.9p0/servconf.h.vendor openssh-5.9p0/servconf.h
+diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h
--- openssh-5.9p0/servconf.h.vendor	2011-09-03 20:24:29.179632045 +0200
+--- openssh-5.9p1/servconf.h.vendor	2012-02-06 17:35:37.434095467 +0100
-+++ openssh-5.9p0/servconf.h	2011-09-03 20:24:39.426502323 +0200
+++ openssh-5.9p1/servconf.h	2012-02-06 17:35:37.512225786 +0100
-@@ -148,6 +148,7 @@ typedef struct {
+@@ -140,6 +140,7 @@ typedef struct {
 	int	max_authtries;
 	int	max_sessions;
 	char   *banner;			/* SSH-2 banner message */
@ -89,31 +89,20 @@ diff -up openssh-5.9p0/servconf.h.vendor openssh-5.9p0/servconf.h
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
-diff -up openssh-5.9p0/sshd.c.vendor openssh-5.9p0/sshd.c
+diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config
--- openssh-5.9p0/sshd.c.vendor	2011-09-03 20:24:35.987501565 +0200
+--- openssh-5.9p1/sshd_config.vendor	2012-02-06 17:35:37.499226201 +0100
-+++ openssh-5.9p0/sshd.c	2011-09-03 20:24:39.542501643 +0200
+++ openssh-5.9p1/sshd_config	2012-02-06 17:35:37.515220444 +0100
-@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
+@@ -112,6 +112,7 @@ X11Forwarding yes
- 		minor = PROTOCOL_MINOR_1;
+ #Compression delayed
- 	}
+ #ClientAliveInterval 0
- 	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
+ #ClientAliveCountMax 3
-	    SSH_VERSION, newline);
+#ShowPatchLevel no
-+	   (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
+ #UseDNS yes
- 	server_version_string = xstrdup(buf);
+ #PidFile /var/run/sshd.pid
- 
+ #MaxStartups 10
- 	/* Send our protocol version identification. */
+diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0
-@@ -1627,7 +1627,8 @@ main(int ac, char **av)
+--- openssh-5.9p1/sshd_config.0.vendor	2012-02-06 17:35:37.500225787 +0100
- 		exit(1);
+++ openssh-5.9p1/sshd_config.0	2012-02-06 17:35:37.513225808 +0100
 	}
 -	debug("sshd version %.100s", SSH_RELEASE);
 +	debug("sshd version %.100s",
 +	      (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
 	/* Store privilege separation user for later use if required. */
 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
 diff -up openssh-5.9p0/sshd_config.0.vendor openssh-5.9p0/sshd_config.0
 --- openssh-5.9p0/sshd_config.0.vendor	2011-09-03 20:24:37.524438185 +0200
 +++ openssh-5.9p0/sshd_config.0	2011-09-03 20:24:39.677508255 +0200
@@ -556,6 +556,11 @@ DESCRIPTION
              Defines the number of bits in the ephemeral protocol version 1
              server key.  The minimum value is 512, and the default is 1024.
@ -126,10 +115,10 @@ diff -up openssh-5.9p0/sshd_config.0.vendor openssh-5.9p0/sshd_config.0
      StrictModes
              Specifies whether sshd(8) should check file modes and ownership
              of the user's files and home directory before accepting login.
-diff -up openssh-5.9p0/sshd_config.5.vendor openssh-5.9p0/sshd_config.5
+diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5
--- openssh-5.9p0/sshd_config.5.vendor	2011-09-03 20:24:37.640442022 +0200
+--- openssh-5.9p1/sshd_config.5.vendor	2012-02-06 17:35:37.500225787 +0100
-+++ openssh-5.9p0/sshd_config.5	2011-09-03 20:24:40.176544206 +0200
+++ openssh-5.9p1/sshd_config.5	2012-02-06 17:35:37.514220449 +0100
-@@ -952,6 +952,14 @@ This option applies to protocol version
+@@ -982,6 +982,14 @@ This option applies to protocol version 
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 1024.
@ -144,14 +133,25 @@ diff -up openssh-5.9p0/sshd_config.5.vendor openssh-5.9p0/sshd_config.5
 .It Cm StrictModes
 Specifies whether
 .Xr sshd 8
-diff -up openssh-5.9p0/sshd_config.vendor openssh-5.9p0/sshd_config
+diff -up openssh-5.9p1/sshd.c.vendor openssh-5.9p1/sshd.c
--- openssh-5.9p0/sshd_config.vendor	2011-09-03 20:24:37.770439735 +0200
+--- openssh-5.9p1/sshd.c.vendor	2012-02-06 17:35:37.485230832 +0100
-+++ openssh-5.9p0/sshd_config	2011-09-03 20:24:40.278628002 +0200
+++ openssh-5.9p1/sshd.c	2012-02-06 17:35:37.513225808 +0100
-@@ -120,6 +120,7 @@ X11Forwarding yes
+@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
- #Compression delayed
+ 		minor = PROTOCOL_MINOR_1;
- #ClientAliveInterval 0
+ 	}
- #ClientAliveCountMax 3
+ 	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
-+#ShowPatchLevel no
+-	    SSH_VERSION, newline);
- #UseDNS yes
+	   (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
- #PidFile /var/run/sshd.pid
+ 	server_version_string = xstrdup(buf);
- #MaxStartups 10
+ 
 	/* Send our protocol version identification. */
@@ -1634,7 +1634,8 @@ main(int ac, char **av)
 		exit(1);
 	}
 -	debug("sshd version %.100s", SSH_RELEASE);
 +	debug("sshd version %.100s",
 +	      (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
 	/* Store privilege separation user for later use if required. */
 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
--- a/openssh.spec
+++ b/openssh.spec
@ -116,7 +116,8 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1889
 Patch103: openssh-5.8p1-packet.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=983
-Patch104: openssh-5.9p1-2auth.patch
+#Patch104: openssh-5.9p1-2auth.patch
 Patch104: openssh-5.9p1-required-authentications.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
 Patch200: openssh-5.8p1-audit0.patch
@ -395,7 +396,7 @@ The module is most useful for su and sudo service stacks.
 %patch101 -p1 -b .fingerprint
 %patch102 -p1 -b .getaddrinfo
 %patch103 -p1 -b .packet
-%patch104 -p1 -b .2auth
+%patch104 -p1 -b .required-authentication
 %patch200 -p1 -b .audit0
 %patch201 -p1 -b .audit1