87 changed files with 6513 additions and 10034 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
-SOURCES/DJM-GPG-KEY.gpg
-SOURCES/openssh-8.0p1.tar.gz
-SOURCES/pam_ssh_agent_auth-0.10.3.tar.bz2
+SOURCES/gpgkey-736060BA.gpg
+SOURCES/openssh-8.7p1.tar.gz
+SOURCES/pam_ssh_agent_auth-0.10.4.tar.gz
--- a/.openssh.metadata
+++ b/.openssh.metadata
@ -1,3 +1,3 @@
-bed7240bb17840b451b8f8457791c33456814d93 SOURCES/DJM-GPG-KEY.gpg
-756dbb99193f9541c9206a667eaa27b0fa184a4f SOURCES/openssh-8.0p1.tar.gz
-a4482a050fdad1d012427e45799564136708cf6b SOURCES/pam_ssh_agent_auth-0.10.3.tar.bz2
+dbb35b4e9ae3f72b930a82c6fd5e83e9dcd7b193 SOURCES/gpgkey-736060BA.gpg
+8719032c1e47732c8fdb14adfb24b5e9e71de802 SOURCES/openssh-8.7p1.tar.gz
+66dd8274346fd006ff40f525c082cfb701085b5f SOURCES/pam_ssh_agent_auth-0.10.4.tar.gz
--- a/SOURCES/openssh-4.3p2-askpass-grab-info.patch
+++ b/SOURCES/openssh-4.3p2-askpass-grab-info.patch
@ -1,19 +1,18 @@
-diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info	2016-12-23 13:31:22.645213115 +0100
-+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c	2016-12-23 13:31:40.997216691 +0100
-@@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi
+diff -up openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-8.6p1/contrib/gnome-ssh-askpass2.c
+--- openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info	2021-04-19 13:57:11.720113536 +0200
+++ openssh-8.6p1/contrib/gnome-ssh-askpass2.c	2021-04-19 13:59:29.842163204 +0200
+@@ -70,8 +70,12 @@ report_failed_grab (GtkWidget *parent_wi
+ 
 	err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
- 				     GTK_MESSAGE_ERROR,
- 				     GTK_BUTTONS_CLOSE,
-				     "Could not grab %s. "
-				     "A malicious client may be eavesdropping "
-				     "on your session.", what);
-+				     "SSH password dialog could not grab the %s input.\n"
-+				     "This might be caused by application such as screensaver, "
-+				     "however it could also mean that someone may be eavesdropping "
-+				     "on your session.\n"
-+				     "Either close the application which grabs the %s or "
-+				     "log out and log in again to prevent this from happening.", what, what);
+ 	    GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE,
+-	    "Could not grab %s. A malicious client may be eavesdropping "
+-	    "on your session.", what);
+	    "SSH password dialog could not grab the %s input.\n"
+	    "This might be caused by application such as screensaver, "
+	    "however it could also mean that someone may be eavesdropping "
+	    "on your session.\n"
+	    "Either close the application which grabs the %s or "
+	    "log out and log in again to prevent this from happening.", what, what);
 	gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
 
 	gtk_dialog_run(GTK_DIALOG(err));
--- a/SOURCES/openssh-5.1p1-askpass-progress.patch
+++ b/SOURCES/openssh-5.1p1-askpass-progress.patch
@ -2,15 +2,15 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
 --- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c	2016-12-23 13:31:16.545211926 +0100
@@ -53,6 +53,7 @@
- #include <string.h>
 #include <unistd.h>
+ 
 #include <X11/Xlib.h>
 +#include <glib.h>
 #include <gtk/gtk.h>
 #include <gdk/gdkx.h>
- 
-@@ -81,13 +82,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
- 	gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+ #include <gdk/gdkkeysyms.h>
+@@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia
+ 	return 1;
 }
 
 +static void
@ -25,57 +25,59 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
 +}
 +
 static int
- passphrase_dialog(char *message)
+ passphrase_dialog(char *message, int prompt_type)
 {
 	const char *failed;
 	char *passphrase, *local;
 	int result, grab_tries, grab_server, grab_pointer;
+ 	int buttons, default_response;
 -	GtkWidget *parent_window, *dialog, *entry;
 +	GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
 	GdkGrabStatus status;
+ 	GdkColor fg, bg;
+ 	int fg_set = 0, bg_set = 0;
+@@ -104,14 +116,19 @@ passphrase_dialog(char *message)
+ 		gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
 
- 	grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
-@@ -104,14 +116,32 @@ passphrase_dialog(char *message)
- 					"%s",
- 					message);
- 
-+	hbox = gtk_hbox_new(FALSE, 0);
-+	gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
-+	    FALSE, 0);
-+	gtk_widget_show(hbox);
+ 	if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) {
+		hbox = gtk_hbox_new(FALSE, 0);
+		gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
+		    FALSE, 0);
+		gtk_widget_show(hbox);
 +
- 	entry = gtk_entry_new();
- 	gtk_box_pack_start(
-	    GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), entry,
-	    FALSE, FALSE, 0);
-+	    GTK_BOX(hbox), entry,
-+	    TRUE, FALSE, 0);
-+	gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
- 	gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
- 	gtk_widget_grab_focus(entry);
- 	gtk_widget_show(entry);
- 
-+	hbox = gtk_hbox_new(FALSE, 0);
-+	gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
-+	    FALSE, 8);
-+	gtk_widget_show(hbox);
+		entry = gtk_entry_new();
+		if (fg_set)
+			gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
+		if (bg_set)
+			gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
+		gtk_box_pack_start(
+-		    GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
+-		    entry, FALSE, FALSE, 0);
+		    GTK_BOX(hbox), entry, TRUE, FALSE, 0);
+		gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
+ 		gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+ 		gtk_widget_grab_focus(entry);
+ 		if (prompt_type == PROMPT_ENTRY) {
+@@ -130,6 +145,22 @@ passphrase_dialog(char *message)
+ 			g_signal_connect(G_OBJECT(entry), "key_press_event",
+ 			    G_CALLBACK(check_none), dialog);
+ 		}
 +
-+	progress = gtk_progress_bar_new();
-+	
-+	gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally");
-+	gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
-+	    TRUE, 5);
-+	gtk_widget_show(progress);
+		hbox = gtk_hbox_new(FALSE, 0);
+		gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox),
+		    hbox, FALSE, FALSE, 8);
+		gtk_widget_show(hbox);
 +
- 	gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
- 	gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
- 	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
-@@ -120,6 +150,8 @@ passphrase_dialog(char *message)
- 	gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
- 	g_signal_connect(G_OBJECT(entry), "activate",
- 			 G_CALLBACK(ok_dialog), dialog);
-+	g_signal_connect(G_OBJECT(entry), "changed",
-+			 G_CALLBACK(move_progress), progress);
- 
- 	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
+		progress = gtk_progress_bar_new();
+
+		gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress),
+		    "Passphrase length hidden intentionally");
+		gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
+		    TRUE, 5);
+		gtk_widget_show(progress);
+		g_signal_connect(G_OBJECT(entry), "changed",
+				 G_CALLBACK(move_progress), progress);
+
+ 	}
 
+ 	/* Grab focus */
--- a/SOURCES/openssh-6.6.1p1-log-in-chroot.patch
+++ b/SOURCES/openssh-6.6.1p1-log-in-chroot.patch
@ -1,19 +1,19 @@
-diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
--- openssh-7.4p1/log.c.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.4p1/log.c	2016-12-23 15:14:33.330168088 +0100
-@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
- void
- log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
+diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c
+--- openssh-8.6p1/log.c.log-in-chroot	2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/log.c	2021-05-06 11:32:25.179006811 +0200
+@@ -194,6 +194,11 @@ void
+ log_init(const char *av0, LogLevel level, SyslogFacility facility,
+     int on_stderr)
 {
 +	log_init_handler(av0, level, facility, on_stderr, 1);
 +}
 +
 +void
-+log_init_handler(char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
+log_init_handler(const char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
 	struct syslog_data sdata = SYSLOG_DATA_INIT;
 #endif
-@@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl
+@@ -206,8 +211,10 @@ log_init(const char *av0, LogLevel level
 		exit(1);
 	}
 
@ -26,21 +26,21 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
 
 	log_on_stderr = on_stderr;
 	if (on_stderr)
-diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
--- openssh-7.4p1/log.h.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.4p1/log.h	2016-12-23 15:14:33.330168088 +0100
-@@ -49,6 +49,7 @@ typedef enum {
- typedef void (log_handler_fn)(LogLevel, const char *, void *);
- 
- void     log_init(char *, LogLevel, SyslogFacility, int);
-+void     log_init_handler(char *, LogLevel, SyslogFacility, int, int);
+diff -up openssh-8.6p1/log.h.log-in-chroot openssh-8.6p1/log.h
+--- openssh-8.6p1/log.h.log-in-chroot	2021-05-06 11:32:25.179006811 +0200
+++ openssh-8.6p1/log.h	2021-05-06 11:34:22.349925757 +0200
+@@ -52,6 +52,7 @@ typedef enum {
+ typedef void (log_handler_fn)(LogLevel, int, const char *, void *);
+ 
+ void     log_init(const char *, LogLevel, SyslogFacility, int);
+void     log_init_handler(const char *, LogLevel, SyslogFacility, int, int);
 LogLevel log_level_get(void);
 int      log_change_level(LogLevel);
 int      log_is_on_stderr(void);
-diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.log-in-chroot	2016-12-23 15:14:33.311168085 +0100
-+++ openssh-7.4p1/monitor.c	2016-12-23 15:16:42.154193100 +0100
-@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx
+diff -up openssh-8.6p1/monitor.c.log-in-chroot openssh-8.6p1/monitor.c
+--- openssh-8.6p1/monitor.c.log-in-chroot	2021-05-06 11:32:25.153006607 +0200
+++ openssh-8.6p1/monitor.c	2021-05-06 11:33:37.671575348 +0200
+@@ -297,6 +297,8 @@ monitor_child_preauth(struct ssh *ssh, s
 		close(pmonitor->m_log_sendfd);
 	pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
 
@ -49,25 +49,25 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
 	authctxt = (Authctxt *)ssh->authctxt;
 	memset(authctxt, 0, sizeof(*authctxt));
 	ssh->authctxt = authctxt;
-@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
+@@ -408,6 +410,8 @@ monitor_child_postauth(struct ssh *ssh,
 	close(pmonitor->m_recvfd);
 	pmonitor->m_recvfd = -1;
 
 +	pmonitor->m_state = "postauth";
 +
 	monitor_set_child_handler(pmonitor->m_pid);
- 	signal(SIGHUP, &monitor_child_handler);
- 	signal(SIGTERM, &monitor_child_handler);
-@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
+ 	ssh_signal(SIGHUP, &monitor_child_handler);
+ 	ssh_signal(SIGTERM, &monitor_child_handler);
+@@ -480,7 +484,7 @@ monitor_read_log(struct monitor *pmonito
+ 	/* Log it */
 	if (log_level_name(level) == NULL)
- 		fatal("%s: invalid log level %u (corrupted message?)",
- 		    __func__, level);
-	do_log2(level, "%s [preauth]", msg);
-+	do_log2(level, "%s [%s]", msg, pmonitor->m_state);
+ 		fatal_f("invalid log level %u (corrupted message?)", level);
+-	sshlogdirect(level, forced, "%s [preauth]", msg);
+	sshlogdirect(level, forced, "%s [%s]", msg, pmonitor->m_state);
 
 	sshbuf_free(logmsg);
 	free(msg);
-@@ -1719,13 +1723,28 @@ monitor_init(void)
+@@ -1868,13 +1872,28 @@ monitor_init(void)
 	mon = xcalloc(1, sizeof(*mon));
 	monitor_openfds(mon, 1);
 
@ -89,7 +89,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
 +		xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
 +
 +		if (stat(dev_log_path, &dev_log_stat) != 0) {
-+			debug("%s: /dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", __func__, chroot_dir);
+			debug_f("/dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", chroot_dir);
 +			do_logfds = 1;
 +		}
 +		free(dev_log_path);
@ -98,10 +98,10 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
 }
 
 #ifdef GSSAPI
-diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
--- openssh-7.4p1/monitor.h.log-in-chroot	2016-12-23 15:14:33.330168088 +0100
-+++ openssh-7.4p1/monitor.h	2016-12-23 15:16:28.372190424 +0100
-@@ -83,10 +83,11 @@ struct monitor {
+diff -up openssh-8.6p1/monitor.h.log-in-chroot openssh-8.6p1/monitor.h
+--- openssh-8.6p1/monitor.h.log-in-chroot	2021-05-06 11:32:25.153006607 +0200
+++ openssh-8.6p1/monitor.h	2021-05-06 11:32:25.180006819 +0200
+@@ -80,10 +80,11 @@ struct monitor {
 	int			 m_log_sendfd;
 	struct kex		**m_pkex;
 	pid_t			 m_pid;
@ -114,9 +114,9 @@ diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
 
 struct Authctxt;
 void monitor_child_preauth(struct ssh *, struct monitor *);
-diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
--- openssh-7.4p1/session.c.log-in-chroot	2016-12-23 15:14:33.319168086 +0100
-+++ openssh-7.4p1/session.c	2016-12-23 15:18:18.742211853 +0100
+diff -up openssh-8.6p1/session.c.log-in-chroot openssh-8.6p1/session.c
+--- openssh-8.6p1/session.c.log-in-chroot	2021-05-06 11:32:25.166006709 +0200
+++ openssh-8.6p1/session.c	2021-05-06 11:32:25.181006827 +0200
@@ -160,6 +160,7 @@ login_cap_t *lc;
 
 static int is_child = 0;
@ -125,7 +125,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
 
 /* File containing userauth info, if ExposeAuthInfo set */
 static char *auth_info_file = NULL;
-@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
+@@ -661,6 +662,7 @@ do_exec(struct ssh *ssh, Session *s, con
 	int ret;
 	const char *forced = NULL, *tty = NULL;
 	char session_type[1024];
@ -133,7 +133,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
 
 	if (options.adm_forced_command) {
 		original_command = command;
-@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command)
+@@ -720,6 +722,10 @@ do_exec(struct ssh *ssh, Session *s, con
 			tty += 5;
 	}
 
@ -144,10 +144,10 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
 	verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
 	    session_type,
 	    tty == NULL ? "" : " on ",
-@@ -1486,14 +1492,6 @@ child_close_fds(void)
- 	 * descriptors left by system functions.  They will be closed later.
- 	 */
- 	endpwent();
+@@ -1524,14 +1530,6 @@ child_close_fds(struct ssh *ssh)
+ 
+ 	/* Stop directing logs to a high-numbered fd before we close it */
+ 	log_redirect_stderr_to(NULL);
 -
 -	/*
 -	 * Close any extra open file descriptors so that we don't have them
@ -159,7 +159,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
 }
 
 /*
-@@ -1629,8 +1627,6 @@ do_child(Session *s, const char *command
+@@ -1665,8 +1663,6 @@ do_child(struct ssh *ssh, Session *s, co
 			exit(1);
 	}
 
@ -168,7 +168,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
 	do_rc_files(ssh, s, shell);
 
 	/* restore SIGPIPE for child */
-@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command
+@@ -1691,9 +1687,17 @@ do_child(struct ssh *ssh, Session *s, co
 		argv[i] = NULL;
 		optind = optreset = 1;
 		__progname = argv[0];
@ -187,9 +187,9 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
 	fflush(NULL);
 
 	/* Get the last component of the shell name. */
-diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
--- openssh-7.4p1/sftp.h.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.4p1/sftp.h	2016-12-23 15:14:33.331168088 +0100
+diff -up openssh-8.6p1/sftp.h.log-in-chroot openssh-8.6p1/sftp.h
+--- openssh-8.6p1/sftp.h.log-in-chroot	2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/sftp.h	2021-05-06 11:32:25.181006827 +0200
@@ -97,5 +97,5 @@
 
 struct passwd;
@ -197,10 +197,10 @@ diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
 -int	sftp_server_main(int, char **, struct passwd *);
 +int	sftp_server_main(int, char **, struct passwd *, int);
 void	sftp_server_cleanup_exit(int) __attribute__((noreturn));
-diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
--- openssh-7.4p1/sftp-server.c.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.4p1/sftp-server.c	2016-12-23 15:14:33.331168088 +0100
-@@ -1497,7 +1497,7 @@ sftp_server_usage(void)
+diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c
+--- openssh-8.6p1/sftp-server.c.log-in-chroot	2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/sftp-server.c	2021-05-06 11:32:25.181006827 +0200
+@@ -1644,7 +1644,7 @@ sftp_server_usage(void)
 }
 
 int
@ -209,16 +209,16 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
 {
 	fd_set *rset, *wset;
 	int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
-@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
+@@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv,
+ 	extern char *__progname;
 
- 	ssh_malloc_init();	/* must be called before any mallocs */
 	__progname = ssh_get_progname(argv[0]);
 -	log_init(__progname, log_level, log_facility, log_stderr);
 +	log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
 
 	pw = pwcopy(user_pw);
 
-@@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv,
+@@ -1730,7 +1730,7 @@ sftp_server_main(int argc, char **argv,
 		}
 	}
 
@ -227,20 +227,20 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
 
 	/*
 	 * On platforms where we can, avoid making /proc/self/{mem,maps}
-diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c
--- openssh-7.4p1/sftp-server-main.c.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.4p1/sftp-server-main.c	2016-12-23 15:14:33.331168088 +0100
-@@ -49,5 +49,5 @@ main(int argc, char **argv)
+diff -up openssh-8.6p1/sftp-server-main.c.log-in-chroot openssh-8.6p1/sftp-server-main.c
+--- openssh-8.6p1/sftp-server-main.c.log-in-chroot	2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/sftp-server-main.c	2021-05-06 11:32:25.181006827 +0200
+@@ -50,5 +50,5 @@ main(int argc, char **argv)
 		return 1;
 	}
 
 -	return (sftp_server_main(argc, argv, user_pw));
 +	return (sftp_server_main(argc, argv, user_pw, 0));
 }
-diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.log-in-chroot	2016-12-23 15:14:33.328168088 +0100
-+++ openssh-7.4p1/sshd.c	2016-12-23 15:14:33.332168088 +0100
-@@ -650,7 +650,7 @@ privsep_postauth(Authctxt *authctxt)
+diff -up openssh-8.6p1/sshd.c.log-in-chroot openssh-8.6p1/sshd.c
+--- openssh-8.6p1/sshd.c.log-in-chroot	2021-05-06 11:32:25.177006795 +0200
+++ openssh-8.6p1/sshd.c	2021-05-06 11:32:25.182006834 +0200
+@@ -559,7 +559,7 @@ privsep_postauth(struct ssh *ssh, Authct
 	}
 
 	/* New socket pair */
@ -249,7 +249,7 @@ diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
 
 	pmonitor->m_pid = fork();
 	if (pmonitor->m_pid == -1)
-@@ -668,6 +668,11 @@ privsep_postauth(Authctxt *authctxt)
+@@ -578,6 +578,11 @@ privsep_postauth(struct ssh *ssh, Authct
 
 	close(pmonitor->m_sendfd);
 	pmonitor->m_sendfd = -1;
--- a/SOURCES/openssh-6.6.1p1-scp-non-existing-directory.patch
+++ b/SOURCES/openssh-6.6.1p1-scp-non-existing-directory.patch
@ -10,5 +10,5 @@
 +		}
 		omode = mode;
 		mode |= S_IWUSR;
- 		if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
+ 		if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) == -1) {
 -- 
--- a/SOURCES/openssh-6.6.1p1-selinux-contexts.patch
+++ b/SOURCES/openssh-6.6.1p1-selinux-contexts.patch
@ -34,19 +34,19 @@ index 8f32464..18a2ca4 100644
 +
 +	contexts_path = selinux_openssh_contexts_path();
 +	if (contexts_path == NULL) {
-+		debug3("%s: Failed to get the path to SELinux context", __func__);
+		debug3_f("Failed to get the path to SELinux context");
 +		return;
 +	}
 +
 +	if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
-+		debug("%s: Failed to open SELinux context file", __func__);
+		debug_f("Failed to open SELinux context file");
 +		return;
 +	}
 +
 +	if (fstat(fileno(contexts_file), &sb) != 0 ||
 +	    sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
-+		logit("%s: SELinux context file needs to be owned by root"
-+		    " and not writable by anyone else", __func__);
+		logit_f("SELinux context file needs to be owned by root"
+		    " and not writable by anyone else");
 +		fclose(contexts_file);
 +		return;
 +	}
@ -70,7 +70,7 @@ index 8f32464..18a2ca4 100644
 +		if (arg && strcmp(arg, "privsep_preauth") == 0) {
 +			arg = strdelim(&cp);
 +			if (!arg || *arg == '\0') {
-+				debug("%s: privsep_preauth is empty", __func__);
+				debug_f("privsep_preauth is empty");
 +				fclose(contexts_file);
 +				return;
 +			}
@ -80,8 +80,8 @@ index 8f32464..18a2ca4 100644
 +	fclose(contexts_file);
 +
 +	if (preauth_context == NULL) {
-+		debug("%s: Unable to find 'privsep_preauth' option in"
-+		    " SELinux context file", __func__);
+		debug_f("Unable to find 'privsep_preauth' option in"
+		    " SELinux context file");
 +		return;
 +	}
 +
@ -101,10 +101,11 @@ index 22ea8ef..1fc963d 100644
 	if ((cx = index(cx + 1, ':')))
 		strlcat(newctx, cx, newlen);
 -	debug3("%s: setting context from '%s' to '%s'", __func__,
-+	debug("%s: setting context from '%s' to '%s'", __func__,
+	debug_f("setting context from '%s' to '%s'",
 	    oldctx, newctx);
 	if (setcon(newctx) < 0)
- 		switchlog("%s: setcon %s from %s failed with %s", __func__,
+ 		do_log2(log_level, "%s: setcon %s from %s failed with %s",
+		    __func__, newctx, oldctx, strerror(errno));
 diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
 index cb51f99..8b7cda2 100644
 --- a/openbsd-compat/port-linux.h
--- a/SOURCES/openssh-6.6p1-GSSAPIEnablek5users.patch
+++ b/SOURCES/openssh-6.6p1-GSSAPIEnablek5users.patch
@ -28,7 +28,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
 +	options->enable_k5users = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
- 	options->challenge_response_authentication = -1;
+	options->permit_empty_passwd = -1;
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
 #endif
 	if (options->use_kuserok == -1)
@ -39,8 +39,8 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
@@ -418,7 +421,7 @@ typedef enum {
- 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
- 	sHostKeyAlgorithms,
+ 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
+ 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 -	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
 +	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
@ -72,9 +72,9 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
 +		intptr = &options->enable_k5users;
 +		goto parse_flag;
 +
- 	case sPermitListen:
- 	case sPermitOpen:
- 		if (opcode == sPermitListen) {
+	case sMatch:
+		if (cmdline)
+			fatal("Match directive not supported as a command-line "
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
@ -122,7 +122,7 @@ diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
 --- openssh-7.4p1/sshd_config.GSSAPIEnablek5users	2016-12-23 15:18:40.616216100 +0100
 +++ openssh-7.4p1/sshd_config	2016-12-23 15:18:40.631216103 +0100
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
- GSSAPICleanupCredentials no
+ #GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
 +#GSSAPIEnablek5users no
--- a/SOURCES/openssh-6.6p1-ctr-cavstest.patch
+++ b/SOURCES/openssh-6.6p1-ctr-cavstest.patch
@ -1,257 +0,0 @@
-diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.ctr-cavs	2015-03-18 11:22:05.493289018 +0100
-+++ openssh-6.8p1/Makefile.in	2015-03-18 11:22:44.504196316 +0100
-@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
- SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
- SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
- SSH_KEYCAT=$(libexecdir)/ssh-keycat
-+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
- SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
- PRIVSEP_PATH=@PRIVSEP_PATH@
- SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
- MKDIR_P=@MKDIR_P@
- INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
- 
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
- 
- XMSS_OBJS=\
- 	ssh-xmss.o \
-@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
- ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
- 	$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
- 
-+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
-+	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-+
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
- 
-@@ -326,6 +330,7 @@ install-files:
- 		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
- 	fi
- 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
-+	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
- 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
- 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
- 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs	2015-03-18 11:22:05.521288952 +0100
-+++ openssh-6.8p1/ctr-cavstest.c	2015-03-18 11:22:05.521288952 +0100
-@@ -0,0 +1,215 @@
-+/*
-+ *
-+ * invocation (all of the following are equal):
-+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
-+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
-+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
-+ */
-+
-+#include "includes.h"
-+
-+#include <sys/types.h>
-+#include <sys/param.h>
-+#include <stdarg.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "xmalloc.h"
-+#include "log.h"
-+#include "ssherr.h"
-+#include "cipher.h"
-+
-+/* compatibility with old or broken OpenSSL versions */
-+#include "openbsd-compat/openssl-compat.h"
-+
-+void usage(void) {
-+        fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
-+                        "                    --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
-+                        "                    [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
-+                        "Hexadecimal output is printed to stdout.\n"
-+                        "Hexadecimal input data can be alternatively read from stdin.\n");
-+        exit(1);
-+}
-+
-+void *fromhex(char *hex, size_t *len)
-+{
-+        unsigned char *bin;
-+        char *p;
-+        size_t n = 0;
-+        int shift = 4;
-+        unsigned char out = 0;
-+        unsigned char *optr;
-+
-+        bin = xmalloc(strlen(hex)/2);
-+        optr = bin;
-+
-+        for (p = hex; *p != '\0'; ++p) {
-+                unsigned char c;
-+
-+                c = *p;
-+                if (isspace(c))
-+                        continue;
-+
-+                if (c >= '0' && c <= '9') {
-+                        c = c - '0';
-+                } else if (c >= 'A' && c <= 'F') {
-+                        c = c - 'A' + 10;
-+                } else if (c >= 'a' && c <= 'f') {
-+                        c = c - 'a' + 10;
-+                } else {
-+                        /* truncate on nonhex cipher */
-+                        break;
-+                }
-+
-+                out |= c << shift;
-+                shift = (shift + 4) % 8;
-+
-+                if (shift) {
-+                        *(optr++) = out;
-+                        out = 0;
-+                        ++n;
-+                }
-+        }
-+
-+        *len = n;
-+        return bin;
-+}
-+
-+#define READ_CHUNK 4096
-+#define MAX_READ_SIZE 1024*1024*100
-+char *read_stdin(void)
-+{
-+        char *buf;
-+        size_t n, total = 0;
-+
-+        buf = xmalloc(READ_CHUNK);
-+
-+        do {
-+                n = fread(buf + total, 1, READ_CHUNK, stdin);
-+                if (n < READ_CHUNK) /* terminate on short read */
-+                        break;
-+
-+                total += n;
-+                buf = xreallocarray(buf, total + READ_CHUNK, 1);
-+        } while(total < MAX_READ_SIZE);
-+        return buf;
-+}
-+
-+int main (int argc, char *argv[])
-+{
-+
-+        const struct sshcipher *c;
-+        struct sshcipher_ctx *cc;
-+        char *algo = "aes128-ctr";
-+        char *hexkey = NULL;
-+        char *hexiv = "00000000000000000000000000000000";
-+        char *hexdata = NULL;
-+        char *p;
-+        int i, r;
-+        int encrypt = 1;
-+        void *key;
-+        size_t keylen;
-+        void *iv;
-+        size_t ivlen;
-+        void *data;
-+        size_t datalen;
-+        void *outdata;
-+
-+        for (i = 1; i < argc; ++i) {
-+                if (strcmp(argv[i], "--algo") == 0) {
-+                        algo = argv[++i];
-+                } else if (strcmp(argv[i], "--key") == 0) {
-+                        hexkey = argv[++i];
-+                } else if (strcmp(argv[i], "--mode") == 0) {
-+                        ++i;
-+                        if (argv[i] == NULL) {
-+                                usage();
-+                        }
-+                        if (strncmp(argv[i], "enc", 3) == 0) {
-+                                encrypt = 1;
-+                        } else if (strncmp(argv[i], "dec", 3) == 0) {
-+                                encrypt = 0;
-+                        } else {
-+                                usage();
-+                        }
-+                } else if (strcmp(argv[i], "--iv") == 0) {
-+                        hexiv = argv[++i];
-+                } else if (strcmp(argv[i], "--data") == 0) {
-+                        hexdata = argv[++i];
-+                }
-+        }
-+
-+        if (hexkey == NULL || algo == NULL) {
-+                usage();
-+        }
-+
-+	OpenSSL_add_all_algorithms();
-+
-+	c = cipher_by_name(algo);
-+	if (c == NULL) {
-+		fprintf(stderr, "Error: unknown algorithm\n");
-+		return 2;
-+	}
-+
-+        if (hexdata == NULL) {
-+                hexdata = read_stdin();
-+        } else {
-+                hexdata = xstrdup(hexdata);
-+        }
-+
-+        key = fromhex(hexkey, &keylen);
-+
-+	if (keylen != 16 && keylen != 24 && keylen == 32) {
-+		fprintf(stderr, "Error: unsupported key length\n");
-+		return 2;
-+	}
-+
-+        iv = fromhex(hexiv, &ivlen);
-+
-+        if (ivlen != 16) {
-+		fprintf(stderr, "Error: unsupported iv length\n");
-+		return 2;
-+        }
-+
-+        data = fromhex(hexdata, &datalen);
-+
-+	if (data == NULL || datalen == 0) {
-+		fprintf(stderr, "Error: no data to encrypt/decrypt\n");
-+		return 2;
-+	}
-+
-+	if ((r = cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt)) != 0) {
-+		fprintf(stderr, "Error: cipher_init failed: %s\n", ssh_err(r));
-+		return 2;
-+	}
-+
-+	free(key);
-+	free(iv);
-+
-+	outdata = malloc(datalen);
-+	if(outdata == NULL) {
-+		fprintf(stderr, "Error: memory allocation failure\n");
-+		return 2;
-+	}
-+
-+	if ((r = cipher_crypt(cc, 0, outdata, data, datalen, 0, 0)) != 0) {
-+		fprintf(stderr, "Error: cipher_crypt failed: %s\n", ssh_err(r));
-+		return 2;
-+	}
-+
-+	free(data);
-+
-+	cipher_free(cc);
-+
-+        for (p = outdata; datalen > 0; ++p, --datalen) {
-+		printf("%02X", (unsigned char)*p);
-+	}
-+
-+        free(outdata);
-+
-+        printf("\n");
-+        return 0;
-+}
-+
--- a/SOURCES/openssh-6.6p1-keycat.patch
+++ b/SOURCES/openssh-6.6p1-keycat.patch
@ -1,10 +1,10 @@
-diff -up openssh/auth.c.keycat openssh/misc.c
--- openssh/auth.c.keycat	2015-06-24 10:57:50.158849606 +0200
-+++ openssh/auth.c	2015-06-24 11:04:23.989868638 +0200
-@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw
+diff -up openssh/misc.c.keycat openssh/misc.c
+--- openssh/misc.c.keycat	2015-06-24 10:57:50.158849606 +0200
+++ openssh/misc.c	2015-06-24 11:04:23.989868638 +0200
+@@ -966,6 +966,13 @@ subprocess(const char *tag, struct passw
+ 			error("%s: dup2: %s", tag, strerror(errno));
 			_exit(1);
 		}
- 
 +#ifdef WITH_SELINUX
 +		if (sshd_selinux_setup_env_variables() < 0) {
 +			error ("failed to copy environment:  %s",
@ -12,10 +12,9 @@ diff -up openssh/auth.c.keycat openssh/misc.c
 +			_exit(127);
 +		}
 +#endif
-+
- 		execve(av[0], av, child_env);
- 		error("%s exec \"%s\": %s", tag, command, strerror(errno));
- 		_exit(127);
+ 		if (env != NULL)
+ 			execve(av[0], av, env);
+ 		else
 diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
 --- openssh/HOWTO.ssh-keycat.keycat	2015-06-24 10:57:50.157849608 +0200
 +++ openssh/HOWTO.ssh-keycat	2015-06-24 10:57:50.157849608 +0200
@ -36,44 +35,44 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
 --- openssh/Makefile.in.keycat	2015-06-24 10:57:50.152849621 +0200
 +++ openssh/Makefile.in	2015-06-24 10:57:50.157849608 +0200
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
+ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
- SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
- SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
 +SSH_KEYCAT=$(libexecdir)/ssh-keycat
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
 PRIVSEP_PATH=@PRIVSEP_PATH@
- SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
+ K5LIBS=@K5LIBS@
 GSSLIBS=@GSSLIBS@
- SSHLIBS=@SSHLIBS@
 SSHDLIBS=@SSHDLIBS@
 +KEYCATLIBS=@KEYCATLIBS@
 LIBEDIT=@LIBEDIT@
+ LIBFIDO2=@LIBFIDO2@
 AR=@AR@
- AWK=@AWK@
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
- MKDIR_P=@MKDIR_P@
- INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
 
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+ .SUFFIXES: .lo
+ 
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
 
 XMSS_OBJS=\
 	ssh-xmss.o \
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
- ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
- 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LDAPLIBS)
+ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+ 	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
 
 +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
 +	$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
 +
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+ 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 
@@ -321,6 +325,7 @@ install-files:
- 		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
- 		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
- 	fi
+ 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
 +	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@ -466,16 +465,16 @@ index 3bbccfd..6481f1f 100644
 				esac
 			fi
@@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux],
+ 	fi ]
 )
- AC_SUBST([SSHLIBS])
 AC_SUBST([SSHDLIBS])
 +AC_SUBST([KEYCATLIBS])
 
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
@@ -5031,6 +5034,9 @@ fi
- if test ! -z "${SSHLIBS}"; then
- echo "          +for ssh: ${SSHLIBS}"
+ if test ! -z "${SSHDLIBS}"; then
+ echo "         +for sshd: ${SSHDLIBS}"
 fi
 +if test ! -z "${KEYCATLIBS}"; then
 +echo "   +for ssh-keycat: ${KEYCATLIBS}"
--- a/SOURCES/openssh-6.6p1-keyperm.patch
+++ b/SOURCES/openssh-6.6p1-keyperm.patch
@ -1,8 +1,7 @@
-diff --git a/authfile.c b/authfile.c
-index e93d867..4fc5b3d 100644
--- a/authfile.c
-+++ b/authfile.c
-@@ -32,6 +32,7 @@
+diff -up openssh-8.2p1/authfile.c.keyperm openssh-8.2p1/authfile.c
+--- openssh-8.2p1/authfile.c.keyperm	2020-02-14 01:40:54.000000000 +0100
+++ openssh-8.2p1/authfile.c	2020-02-17 11:55:12.841729758 +0100
+@@ -31,6 +31,7 @@
 
 #include <errno.h>
 #include <fcntl.h>
@ -10,17 +9,23 @@ index e93d867..4fc5b3d 100644
 #include <stdio.h>
 #include <stdarg.h>
 #include <stdlib.h>
-@@ -207,6 +208,13 @@ sshkey_perm_ok(int fd, const char *filename)
+@@ -101,7 +102,19 @@ sshkey_perm_ok(int fd, const char *filen
 #ifdef HAVE_CYGWIN
 	if (check_ntsec(filename))
 #endif
-+	if (st.st_mode & 040) {
-+		struct group *gr;
-+
-+		if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid))
-+			st.st_mode &= ~040;
-+	}
 +
 	if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
+		if (st.st_mode & 040) {
+			struct group *gr;
+
+			if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid)) {
+				/* The only additional bit is read
+				 * for ssh_keys group, which is fine */
+				if ((st.st_mode & 077) == 040 ) {
+					return 0;
+				}
+			}
+		}
 		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
 		error("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @");
+ 		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
--- a/SOURCES/openssh-6.6p1-kuserok.patch
+++ b/SOURCES/openssh-6.6p1-kuserok.patch
@ -182,7 +182,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
 +	options->use_kuserok = -1;
 	options->password_authentication = -1;
 	options->kbd_interactive_authentication = -1;
- 	options->challenge_response_authentication = -1;
+	options->permit_empty_passwd = -1;
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
 	if (options->gss_kex_algorithms == NULL)
 		options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
@ -193,9 +193,9 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
@@ -399,7 +402,7 @@ typedef enum {
- 	sPermitRootLogin, sLogFacility, sLogLevel,
- 	sRhostsRSAAuthentication, sRSAAuthentication,
- 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
+	sPort, sHostKeyFile, sLoginGraceTime,
+	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
+	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
 -	sKerberosGetAFSToken, sKerberosUniqueCCache,
 +	sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
 	sChallengeResponseAuthentication,
@ -217,16 +217,16 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
- 		*activep = value;
- 		break;
- 
+		}
+		break;
+
 +	case sKerberosUseKuserok:
 +		intptr = &options->use_kuserok;
 +		goto parse_flag;
 +
- 	case sPermitListen:
- 	case sPermitOpen:
- 		if (opcode == sPermitListen) {
+	case sMatch:
+		if (cmdline)
+			fatal("Match directive not supported as a command-line "
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(client_alive_interval);
 	M_CP_INTOPT(ip_qos_interactive);
@ -286,4 +286,4 @@ diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
 +#KerberosUseKuserok yes
 
 # GSSAPI options
- GSSAPIAuthentication yes
+ #GSSAPIAuthentication no
--- a/SOURCES/openssh-6.6p1-privsep-selinux.patch
+++ b/SOURCES/openssh-6.6p1-privsep-selinux.patch
@ -13,7 +13,7 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
 --- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux	2016-12-23 18:58:52.973122201 +0100
 +++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c	2016-12-23 18:58:52.974122201 +0100
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
- 	debug3("%s: done", __func__);
+ 	debug3_f("done");
 }
 
 +void
@ -25,15 +25,15 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
 +		return;
 +
 +	if (getexeccon((security_context_t *)&ctx) != 0) {
-+		logit("%s: getexeccon failed with %s", __func__, strerror(errno));
+		logit_f("getexeccon failed with %s", strerror(errno));
 +		return;
 +	}
 +	if (ctx != NULL) {
 +		/* unset exec context before we will lose this capabililty */
 +		if (setexeccon(NULL) != 0)
-+			fatal("%s: setexeccon failed with %s", __func__, strerror(errno));
+			fatal_f("setexeccon failed with %s", strerror(errno));
 +		if (setcon(ctx) != 0)
-+			fatal("%s: setcon failed with %s", __func__, strerror(errno));
+			fatal_f("setcon failed with %s", strerror(errno));
 +		freecon(ctx);
 +	}
 +}
--- a/SOURCES/openssh-6.7p1-coverity.patch
+++ b/SOURCES/openssh-6.7p1-coverity.patch
@ -1,29 +1,232 @@
-diff -up openssh-8.0p1/channels.c.coverity openssh-8.0p1/channels.c
--- openssh-8.0p1/channels.c.coverity	2021-06-21 10:59:17.297473319 +0200
-+++ openssh-8.0p1/channels.c	2021-06-21 11:11:32.467290400 +0200
-@@ -341,15 +341,15 @@ channel_register_fds(struct ssh *ssh, Ch
- 		 * restore their blocking state on exit to avoid interfering
- 		 * with other programs that follow.
- 		 */
-		if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
-+		if (rfd >= 0 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
- 			c->restore_block |= CHANNEL_RESTORE_RFD;
- 			set_nonblock(rfd);
- 		}
-		if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
-+		if (wfd >= 0 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
- 			c->restore_block |= CHANNEL_RESTORE_WFD;
- 			set_nonblock(wfd);
+diff -up openssh-8.5p1/addr.c.coverity openssh-8.5p1/addr.c
+--- openssh-8.5p1/addr.c.coverity	2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/addr.c	2021-03-24 12:03:33.782968159 +0100
+@@ -312,8 +312,10 @@ addr_pton(const char *p, struct xaddr *n
+ 	if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0)
+ 		return -1;
+ 
+-	if (ai == NULL || ai->ai_addr == NULL)
+	if (ai == NULL || ai->ai_addr == NULL) {
+		freeaddrinfo(ai);
+ 		return -1;
+	}
+ 
+ 	if (n != NULL && addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen,
+ 	    n) == -1) {
+@@ -336,12 +338,16 @@ addr_sa_pton(const char *h, const char *
+ 	if (h == NULL || getaddrinfo(h, s, &hints, &ai) != 0)
+ 		return -1;
+ 
+-	if (ai == NULL || ai->ai_addr == NULL)
+	if (ai == NULL || ai->ai_addr == NULL) {
+		freeaddrinfo(ai);
+ 		return -1;
+	}
+ 
+ 	if (sa != NULL) {
+-		if (slen < ai->ai_addrlen)
+		if (slen < ai->ai_addrlen) {
+			freeaddrinfo(ai);
+ 			return -1;
+		}
+ 		memcpy(sa, &ai->ai_addr, ai->ai_addrlen);
+ 	}
+ 
+diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
+--- openssh-8.5p1/auth-krb5.c.coverity	2021-03-24 12:03:33.724967756 +0100
+++ openssh-8.5p1/auth-krb5.c	2021-03-24 12:03:33.782968159 +0100
+@@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
+ 		umask(old_umask);
+ 		if (tmpfd == -1) {
+ 			logit("mkstemp(): %.100s", strerror(oerrno));
+			free(ccname);
+ 			return oerrno;
 		}
-		if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
-+		if (efd >= 0 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
- 			c->restore_block |= CHANNEL_RESTORE_EFD;
- 			set_nonblock(efd);
+ 
+@@ -433,6 +434,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
+ 			oerrno = errno;
+ 			logit("fchmod(): %.100s", strerror(oerrno));
+ 			close(tmpfd);
+			free(ccname);
+ 			return oerrno;
 		}
-diff -up openssh-8.0p1/monitor.c.coverity openssh-8.0p1/monitor.c
--- openssh-8.0p1/monitor.c.coverity	2021-06-21 10:59:17.282473202 +0200
-+++ openssh-8.0p1/monitor.c	2021-06-21 10:59:17.297473319 +0200
-@@ -401,7 +401,7 @@ monitor_child_preauth(struct ssh *ssh, s
+ 		/* make sure the KRB5CCNAME is set for non-standard location */
+diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
+--- openssh-8.5p1/auth-options.c.coverity	2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/auth-options.c	2021-03-24 12:03:33.782968159 +0100
+@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
+ 		return r;
+ 	}
+ 	/* success */
+	sshbuf_free(b);
+ 	return 0;
+ }
+ 
+diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
+--- openssh-7.4p1/channels.c.coverity	2016-12-23 16:40:26.881788686 +0100
+++ openssh-7.4p1/channels.c	2016-12-23 16:42:36.244818763 +0100
+@@ -1875,7 +1875,7 @@ channel_post_connecting(struct ssh *ssh,
+ 		debug("channel %d: connection failed: %s",
+ 		    c->self, strerror(err));
+ 		/* Try next address, if any */
+-		if ((sock = connect_next(&c->connect_ctx)) > 0) {
+		if ((sock = connect_next(&c->connect_ctx)) >= 0) {
+ 			close(c->sock);
+ 			c->sock = c->rfd = c->wfd = sock;
+ 			channel_find_maxfd(ssh->chanctxt);
+@@ -3804,7 +3804,7 @@ int
+ channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
+ {
+ 	int r, success = 0, idx = -1;
+-	char *host_to_connect, *listen_host, *listen_path;
+	char *host_to_connect = NULL, *listen_host = NULL, *listen_path = NULL;
+ 	int port_to_connect, listen_port;
+ 
+ 	/* Send the forward request to the remote side. */
+@@ -3832,7 +3832,6 @@ channel_request_remote_forwarding(struct
+ 	success = 1;
+ 	if (success) {
+ 		/* Record that connection to this host/port is permitted. */
+-		host_to_connect = listen_host = listen_path = NULL;
+ 		port_to_connect = listen_port = 0;
+ 		if (fwd->connect_path != NULL) {
+ 			host_to_connect = xstrdup(fwd->connect_path);
+@@ -3853,6 +3852,9 @@ channel_request_remote_forwarding(struct
+ 		    host_to_connect, port_to_connect,
+ 		    listen_host, listen_path, listen_port, NULL);
+ 	}
+	free(host_to_connect);
+	free(listen_host);
+	free(listen_path);
+ 	return idx;
+ }
+ 
+diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
+--- openssh-8.5p1/dns.c.coverity	2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/dns.c	2021-03-24 12:03:33.783968166 +0100
+@@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname
+		    &hostkey_digest, &hostkey_digest_len, hostkey)) {
+			error("Error calculating key fingerprint.");
+			freerrset(fingerprints);
+				free(dnskey_digest);
+			return -1;
+		}
+
+diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
+--- openssh-8.5p1/gss-genr.c.coverity	2021-03-26 11:52:46.613942552 +0100
+++ openssh-8.5p1/gss-genr.c	2021-03-26 11:54:37.881726318 +0100
+@@ -167,8 +167,9 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+ 			enclen = __b64_ntop(digest,
+ 			    ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
+ 			    ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
+-
+#pragma GCC diagnostic ignored "-Wstringop-overflow"
+ 			cp = strncpy(s, kex, strlen(kex));
+#pragma pop
+ 			for ((p = strsep(&cp, ",")); p && *p != '\0';
+ 				(p = strsep(&cp, ","))) {
+ 				if (sshbuf_len(buf) != 0 &&
+diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
+--- openssh-8.5p1/krl.c.coverity	2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/krl.c	2021-03-24 12:03:33.783968166 +0100
+@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
+ 	sshkey_free(key);
+ 	sshbuf_free(copy);
+ 	sshbuf_free(sect);
+	/* coverity[leaked_storage : FALSE] */
+ 	return r;
+ }
+ 
+@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons
+ 		return r;
+ 	erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
+ 	free(rb.blob);
+	rb.blob = NULL; /* make coverity happy */
+ 	if (erb != NULL) {
+ 		KRL_DBG(("revoked by key SHA1"));
+ 		return SSH_ERR_KEY_REVOKED;
+@@ -1271,6 +1273,7 @@ is_key_revoked(struct ssh_krl *krl, cons
+ 		return r;
+ 	erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb);
+ 	free(rb.blob);
+	rb.blob = NULL; /* make coverity happy */
+ 	if (erb != NULL) {
+ 		KRL_DBG(("revoked by key SHA256"));
+ 		return SSH_ERR_KEY_REVOKED;
+@@ -1282,6 +1285,7 @@ is_key_revoked(struct ssh_krl *krl, cons
+ 		return r;
+ 	erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
+ 	free(rb.blob);
+	rb.blob = NULL; /* make coverity happy */
+ 	if (erb != NULL) {
+ 		KRL_DBG(("revoked by explicit key"));
+ 		return SSH_ERR_KEY_REVOKED;
+diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
+--- openssh-8.5p1/loginrec.c.coverity	2021-03-24 13:18:53.793225885 +0100
+++ openssh-8.5p1/loginrec.c	2021-03-24 13:21:27.948404751 +0100
+@@ -690,9 +690,11 @@ construct_utmp(struct logininfo *li,
+ 	 */
+ 
+ 	/* Use strncpy because we don't necessarily want null termination */
+	/* coverity[buffer_size_warning : FALSE] */
+ 	strncpy(ut->ut_name, li->username,
+ 	    MIN_SIZEOF(ut->ut_name, li->username));
+ # ifdef HAVE_HOST_IN_UTMP
+	/* coverity[buffer_size_warning : FALSE] */
+ 	strncpy(ut->ut_host, li->hostname,
+ 	    MIN_SIZEOF(ut->ut_host, li->hostname));
+ # endif
+@@ -1690,6 +1692,7 @@ record_failed_login(struct ssh *ssh, con
+ 
+ 	memset(&ut, 0, sizeof(ut));
+ 	/* strncpy because we don't necessarily want nul termination */
+	/* coverity[buffer_size_warning : FALSE] */
+ 	strncpy(ut.ut_user, username, sizeof(ut.ut_user));
+ 	strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line));
+ 
+@@ -1699,6 +1702,7 @@ record_failed_login(struct ssh *ssh, con
+ 	ut.ut_pid = getpid();
+ 
+ 	/* strncpy because we don't necessarily want nul termination */
+	/* coverity[buffer_size_warning : FALSE] */
+ 	strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
+ 
+ 	if (ssh_packet_connection_is_on_socket(ssh) &&
+diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c
+--- openssh-8.5p1/misc.c.coverity	2021-03-24 12:03:33.745967902 +0100
+++ openssh-8.5p1/misc.c	2021-03-24 13:31:47.037079617 +0100
+@@ -1425,6 +1425,8 @@ sanitise_stdfd(void)
+ 	}
+ 	if (nullfd > STDERR_FILENO)
+ 		close(nullfd);
+	/* coverity[leaked_handle : FALSE]*/
+	/* coverity[leaked_handle : FALSE]*/
+ }
+ 
+ char *
+@@ -2511,6 +2513,7 @@ stdfd_devnull(int do_stdin, int do_stdou
+ 	}
+ 	if (devnull > STDERR_FILENO)
+ 		close(devnull);
+	/* coverity[leaked_handle : FALSE]*/
+ 	return ret;
+ }
+ 
+diff -up openssh-8.5p1/moduli.c.coverity openssh-8.5p1/moduli.c
+--- openssh-8.5p1/moduli.c.coverity	2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/moduli.c	2021-03-24 12:03:33.784968173 +0100
+@@ -476,6 +476,7 @@ write_checkpoint(char *cpfile, u_int32_t
+ 	else
+ 		logit("failed to write to checkpoint file '%s': %s", cpfile,
+ 		    strerror(errno));
+	/* coverity[leaked_storage : FALSE] */
+ }
+ 
+ static unsigned long
+diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
+--- openssh-7.4p1/monitor.c.coverity	2016-12-23 16:40:26.888788688 +0100
+++ openssh-7.4p1/monitor.c	2016-12-23 16:40:26.900788691 +0100
+@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
 	mm_get_keystate(ssh, pmonitor);
 
 	/* Drain any buffered messages from the child */
@ -32,13 +235,22 @@ diff -up openssh-8.0p1/monitor.c.coverity openssh-8.0p1/monitor.c
 		;
 
 	if (pmonitor->m_recvfd >= 0)
+@@ -1678,7 +1678,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
+ 	s->ptymaster = s->ptyfd;
+ 
+ 	debug3_f("tty %s ptyfd %d", s->tty, s->ttyfd);
+-
+	/* coverity[leaked_handle : FALSE] */
+ 	return (0);
+ 
+  error:
 diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
 --- openssh-7.4p1/monitor_wrap.c.coverity	2016-12-23 16:40:26.892788689 +0100
 +++ openssh-7.4p1/monitor_wrap.c	2016-12-23 16:40:26.900788691 +0100
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
 	if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
 	    (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
- 		error("%s: cannot allocate fds for pty", __func__);
+ 		error_f("cannot allocate fds for pty");
 -		if (tmp1 > 0)
 +		if (tmp1 >= 0)
 			close(tmp1);
@ -61,30 +273,67 @@ diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/open
 	int i;
 
 	if (sa == NULL) {
-diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
--- openssh-7.4p1/scp.c.coverity	2016-12-23 16:40:26.856788681 +0100
-+++ openssh-7.4p1/scp.c	2016-12-23 16:40:26.901788691 +0100
-@@ -157,7 +157,7 @@ killchild(int signo)
+diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openbsd-compat/bsd-pselect.c
+--- openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity	2021-08-30 16:36:11.357288009 +0200
+++ openssh-8.7p1/openbsd-compat/bsd-pselect.c	2021-08-30 16:37:21.791897976 +0200
+@@ -113,13 +113,13 @@ pselect_notify_setup(void)
+ static void
+ pselect_notify_parent(void)
+ {
+-	if (notify_pipe[1] != -1)
+	if (notify_pipe[1] >= 0)
+ 		(void)write(notify_pipe[1], "", 1);
+ }
+ static void
+ pselect_notify_prepare(fd_set *readset)
+ {
+-	if (notify_pipe[0] != -1)
+	if (notify_pipe[0] >= 0)
+ 		FD_SET(notify_pipe[0], readset);
+ }
+ static void
+@@ -127,8 +127,8 @@ pselect_notify_done(fd_set *readset)
+ {
+ 	char c;
+ 
+-	if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) {
+-		while (read(notify_pipe[0], &c, 1) != -1)
+	if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) {
+		while (read(notify_pipe[0], &c, 1) >= 0)
+ 			debug2_f("reading");
+ 		FD_CLR(notify_pipe[0], readset);
+ 	}
+diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
+--- openssh-8.5p1/readconf.c.coverity	2021-03-24 12:03:33.778968131 +0100
+++ openssh-8.5p1/readconf.c	2021-03-24 12:03:33.785968180 +0100
+@@ -1847,6 +1847,7 @@ parse_pubkey_algos:
+ 			} else if (r != 0) {
+ 				error("%.200s line %d: glob failed for %s.",
+ 				    filename, linenum, arg2);
+				free(arg2);
+ 				goto out;
+ 			}
+ 			free(arg2);
+diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
+--- openssh-8.7p1/scp.c.coverity	2021-08-30 16:23:35.389741329 +0200
+++ openssh-8.7p1/scp.c	2021-08-30 16:27:04.854555296 +0200
+@@ -186,11 +186,11 @@ killchild(int signo)
 {
 	if (do_cmd_pid > 1) {
 		kill(do_cmd_pid, signo ? signo : SIGTERM);
 -		waitpid(do_cmd_pid, NULL, 0);
 +		(void) waitpid(do_cmd_pid, NULL, 0);
 	}
+ 	if (do_cmd_pid2 > 1) {
+ 		kill(do_cmd_pid2, signo ? signo : SIGTERM);
+-		waitpid(do_cmd_pid2, NULL, 0);
+		(void) waitpid(do_cmd_pid2, NULL, 0);
+ 	}
 
 	if (signo)
 diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
 --- openssh-7.4p1/servconf.c.coverity	2016-12-23 16:40:26.896788690 +0100
 +++ openssh-7.4p1/servconf.c	2016-12-23 16:40:26.901788691 +0100
-@@ -1547,7 +1547,7 @@ process_server_config_line(ServerOptions
- 			fatal("%s line %d: Missing subsystem name.",
- 			    filename, linenum);
- 		if (!*activep) {
-			arg = strdelim(&cp);
-+			/*arg =*/ (void) strdelim(&cp);
- 			break;
- 		}
- 		for (i = 0; i < options->num_subsystems; i++)
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
 		if (*activep && *charptr == NULL) {
 			*charptr = tilde_expand_filename(arg, getuid());
@ -97,38 +346,11 @@ diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
 		}
 		break;
 
-diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
--- openssh-7.4p1/serverloop.c.coverity	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.4p1/serverloop.c	2016-12-23 16:40:26.902788691 +0100
-@@ -125,13 +125,13 @@ notify_setup(void)
- static void
- notify_parent(void)
- {
-	if (notify_pipe[1] != -1)
-+	if (notify_pipe[1] >= 0)
- 		(void)write(notify_pipe[1], "", 1);
- }
- static void
- notify_prepare(fd_set *readset)
- {
-	if (notify_pipe[0] != -1)
-+	if (notify_pipe[0] >= 0)
- 		FD_SET(notify_pipe[0], readset);
- }
- static void
-@@ -139,8 +139,8 @@ notify_done(fd_set *readset)
- {
- 	char c;
- 
-	if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
-		while (read(notify_pipe[0], &c, 1) != -1)
-+	if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
-+		while (read(notify_pipe[0], &c, 1) >= 0)
- 			debug2("%s: reading", __func__);
- }
- 
-@@ -518,7 +518,7 @@ server_request_tun(void)
- 		debug("%s: invalid tun", __func__);
+diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
+--- openssh-8.7p1/serverloop.c.coverity	2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/serverloop.c	2021-08-30 16:28:22.416226981 +0200
+@@ -547,7 +547,7 @@ server_request_tun(struct ssh *ssh)
+ 		debug_f("invalid tun");
 		goto done;
 	}
 -	if (auth_opts->force_tun_device != -1) {
@ -136,21 +358,98 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
 		if (tun != SSH_TUNID_ANY &&
 		    auth_opts->force_tun_device != (int)tun)
 			goto done;
-diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
--- openssh-7.4p1/sftp.c.coverity	2016-12-19 05:59:41.000000000 +0100
-+++ openssh-7.4p1/sftp.c	2016-12-23 16:40:26.903788691 +0100
-@@ -224,7 +224,7 @@ killchild(int signo)
- {
- 	if (sshpid > 1) {
- 		kill(sshpid, SIGTERM);
-		waitpid(sshpid, NULL, 0);
-+		(void) waitpid(sshpid, NULL, 0);
+diff -up openssh-8.5p1/session.c.coverity openssh-8.5p1/session.c
+--- openssh-8.5p1/session.c.coverity	2021-03-24 12:03:33.777968124 +0100
+++ openssh-8.5p1/session.c	2021-03-24 12:03:33.786968187 +0100
+@@ -1223,12 +1223,14 @@ do_setup_env(struct ssh *ssh, Session *s
+ 	/* Environment specified by admin */
+ 	for (i = 0; i < options.num_setenv; i++) {
+ 		cp = xstrdup(options.setenv[i]);
+		/* coverity[overwrite_var : FALSE] */
+ 		if ((value = strchr(cp, '=')) == NULL) {
+ 			/* shouldn't happen; vars are checked in servconf.c */
+ 			fatal("Invalid config SetEnv: %s", options.setenv[i]);
+ 		}
+ 		*value++ = '\0';
+ 		child_set_env(&env, &envsize, cp, value);
+		free(cp);
+ 	}
+ 
+ 	/* SSH_CLIENT deprecated */
+--- a/sftp.c	2022-06-30 10:43:13.914058913 +0200
+++ b/sftp.c	2022-06-30 10:48:17.243997888 +0200
+@@ -222,7 +222,7 @@ killchild(int signo)
+ 	pid = sshpid;
+ 	if (pid > 1) {
+ 		kill(pid, SIGTERM);
+-		waitpid(pid, NULL, 0);
+		(void) waitpid(pid, NULL, 0);
 	}
 
 	_exit(1);
+@@ -768,6 +768,8 @@ process_put(struct sftp_conn *conn, cons
+ 			    fflag || global_fflag, 0) == -1)
+ 				err = -1;
+ 		}
+		free(abs_dst);
+		abs_dst = NULL;
+ 	}
+ 
+ out:
+@@ -991,6 +993,7 @@ do_globbed_ls(struct sftp_conn *conn, co
+ 		if (lflag & LS_LONG_VIEW) {
+ 			if (g.gl_statv[i] == NULL) {
+ 				error("no stat information for %s", fname);
+				free(fname);
+ 				continue;
+ 			}
+ 			lname = ls_file(fname, g.gl_statv[i], 1,
+diff --git a/sftp-client.c b/sftp-client.c
+index 9de9afa20f..ea98d9f8d0 100644
+--- a/sftp-client.c
+++ b/sftp-client.c
+@@ -2195,6 +2195,7 @@ handle_dest_replies(struct sftp_conn *to, const char *to_path, int synchronous,
+ 		(*nreqsp)--;
+ 	}
+ 	debug3_f("done: %u outstanding replies", *nreqsp);
+	sshbuf_free(msg);
+ }
+ 
+ int
+diff --git a/sftp-server.c b/sftp-server.c
+index 18d1949112..6380c4dd23 100644
+--- a/sftp-server.c
+++ b/sftp-server.c
+@@ -1553,6 +1553,7 @@ process_extended_expand(u_int32_t id)
+ 			npath = xstrdup(path + 2);
+ 			free(path);
+ 			xasprintf(&path, "%s/%s", cwd, npath);
+			free(npath);
+ 		} else {
+ 			/* ~user expansions */
+ 			if (tilde_expand(path, pw->pw_uid, &npath) != 0) {
+diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c
+--- openssh-8.5p1/sk-usbhid.c.coverity	2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/sk-usbhid.c	2021-03-24 12:03:33.786968187 +0100
+@@ -1256,6 +1256,7 @@ sk_load_resident_keys(const char *pin, s
+ 		freezero(rks[i], sizeof(*rks[i]));
+ 	}
+ 	free(rks);
+	free(device);
+ 	return ret;
+ }
+ 
 diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
 --- openssh-7.4p1/ssh-agent.c.coverity	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/ssh-agent.c	2016-12-23 16:40:26.903788691 +0100
+@@ -869,6 +869,7 @@ sanitize_pkcs11_provider(const char *pro
+ 
+ 		if (pkcs11_uri_parse(provider, uri) != 0) {
+ 			error("Failed to parse PKCS#11 URI");
+			pkcs11_uri_cleanup(uri);
+ 			return NULL;
+ 		}
+ 		/* validate also provider from URI */
@@ -1220,8 +1220,8 @@ main(int ac, char **av)
 	sanitise_stdfd();
 
@ -162,6 +461,17 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
 
 	platform_disable_tracing(0);	/* strict=no */
 
+diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c
+--- openssh-8.5p1/ssh.c.coverity	2021-03-24 12:03:33.779968138 +0100
+++ openssh-8.5p1/ssh.c	2021-03-24 12:03:33.786968187 +0100
+@@ -1746,6 +1746,7 @@ control_persist_detach(void)
+ 		close(muxserver_sock);
+ 		muxserver_sock = -1;
+ 		options.control_master = SSHCTL_MASTER_NO;
+		/* coverity[leaked_handle: FALSE]*/
+ 		muxclient(options.control_path);
+ 		/* muxclient() doesn't return on success. */
+ 		fatal("Failed to connect to new control master");
 diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
 --- openssh-7.4p1/sshd.c.coverity	2016-12-23 16:40:26.897788690 +0100
 +++ openssh-7.4p1/sshd.c	2016-12-23 16:40:26.904788692 +0100
@ -187,3 +497,58 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
 }
 
 /*
+@@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh)
+ 
+ 	if (newstr)
+ 		myproposal[PROPOSAL_KEX_ALGS] = newstr;
+-	else
+	else {