authorArkadiusz Miśkiewicz2021-03-01 12:22:11 (GMT)
committerArkadiusz Miśkiewicz2021-03-01 12:22:11 (GMT)
commit7ae7664a768d1e154c0287494bb89cde3e48cf15 (patch)
treecebade8e31a8136a29c296286c81171ef6be2468
parent68aac8482f0fe7ece509f628daad9d04f40d1d13 (diff)
- rediff patches
-rw-r--r--openssh-bug-2905.patch11
-rw-r--r--openssh-chroot.patch62
-rw-r--r--openssh-config.patch103
-rw-r--r--openssh-ldap-fixes.patch33
-rw-r--r--openssh-ldap.patch1219
-rw-r--r--openssh-sigpipe.patch50
6 files changed, 742 insertions, 736 deletions
diff --git a/openssh-bug-2905.patch b/openssh-bug-2905.patch
index 94f34df..31150e9 100644
--- a/openssh-bug-2905.patch
+++ b/openssh-bug-2905.patch
@@ -1,8 +1,9 @@
---- openssh-portable/sandbox-seccomp-filter.c.org 2018-09-14 10:56:00.557388954 +0200
-+++ openssh-portable/sandbox-seccomp-filter.c 2018-09-14 11:13:00.051826982 +0200
-@@ -166,6 +166,9 @@ static const struct sock_filter preauth_
- #ifdef __NR_exit_group
- SC_ALLOW(__NR_exit_group),
+diff -urNp -x '*.orig' openssh-8.4p1.org/sandbox-seccomp-filter.c openssh-8.4p1/sandbox-seccomp-filter.c
+--- openssh-8.4p1.org/sandbox-seccomp-filter.c 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/sandbox-seccomp-filter.c 2021-03-01 11:30:52.381809172 +0100
+@@ -204,6 +204,9 @@ static const struct sock_filter preauth_
+ #ifdef __NR_futex
+ SC_ALLOW(__NR_futex),
#endif
+#ifdef __NR_futex
+ SC_ALLOW(__NR_futex),
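Review bot: The rediffed hunk now inserts `#ifdef __NR_futex` / `SC_ALLOW(__NR_futex),` directly below an identical allow rule that appears as context on the new side, so the patch only duplicates a rule the 8.4p1 preauth filter already carries. A duplicate SC_ALLOW does not change the policy, but it adds a dead BPF instruction pair and hides the fact that the distro patch no longer does anything. Unless a different syscall was intended, the patch should be dropped from the series rather than rediffed. The `preauth_` filter array continues outside the hunk.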
diff --git a/openssh-chroot.patch b/openssh-chroot.patch
index 64ea0ca..30e3339 100644
--- a/openssh-chroot.patch
+++ b/openssh-chroot.patch
@@ -1,6 +1,7 @@
---- openssh-4.4p1/servconf.c.orig 2006-08-18 16:23:15.000000000 +0200
-+++ openssh-4.4p1/servconf.c 2006-10-05 10:11:17.065971000 +0200
-@@ -56,7 +56,9 @@
+diff -urNp -x '*.orig' openssh-8.4p1.org/servconf.c openssh-8.4p1/servconf.c
+--- openssh-8.4p1.org/servconf.c 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/servconf.c 2021-03-01 11:30:33.634174889 +0100
+@@ -92,7 +92,9 @@ initialize_server_options(ServerOptions
/* Portable-specific options */
options->use_pam = -1;
@@ -11,7 +12,7 @@
/* Standard Options */
options->num_ports = 0;
options->ports_from_cmdline = 0;
-@@ -131,6 +133,9 @@
+@@ -301,6 +303,9 @@ fill_default_server_options(ServerOption
if (options->use_pam == -1)
options->use_pam = 0;
@@ -19,17 +20,17 @@
+ options->use_chroot = 0;
+
/* Standard Options */
- if (options->protocol == SSH_PROTO_UNKNOWN)
- options->protocol = SSH_PROTO_1|SSH_PROTO_2;
-@@ -270,6 +275,7 @@
+ if (options->num_host_key_files == 0) {
+ /* fill default hostkeys for protocols */
+@@ -502,6 +507,7 @@ typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
sUsePAM,
+ sUseChroot,
/* Standard Options */
- sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
+ sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel,
-@@ -312,6 +318,11 @@
+@@ -556,6 +562,11 @@ static struct {
#else
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
#endif
@@ -41,7 +42,7 @@
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
/* Standard Options */
{ "port", sPort, SSHCFG_GLOBAL },
-@@ -662,6 +673,10 @@
+@@ -1319,6 +1330,10 @@ process_server_config_line_depth(ServerO
intptr = &options->use_pam;
goto parse_flag;
@@ -52,19 +53,21 @@
/* Standard Options */
case sBadOption:
return -1;
---- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200
-+++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200
-@@ -109,6 +109,7 @@
- int max_startups_rate;
- int max_startups;
+diff -urNp -x '*.orig' openssh-8.4p1.org/servconf.h openssh-8.4p1/servconf.h
+--- openssh-8.4p1.org/servconf.h 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/servconf.h 2021-03-01 11:30:33.637508395 +0100
+@@ -178,6 +178,7 @@ typedef struct {
+ int max_authtries;
+ int max_sessions;
char *banner; /* SSH-2 banner message */
+ int use_chroot; /* Enable chrooted enviroment support */
int use_dns;
int client_alive_interval; /*
* poke the client this often to
---- openssh-7.2p1/session.c.orig 2016-03-05 10:24:44.227756638 +0100
-+++ openssh-7.2p1/session.c 2016-03-05 10:24:50.237756386 +0100
-@@ -1381,6 +1381,10 @@ void
+diff -urNp -x '*.orig' openssh-8.4p1.org/session.c openssh-8.4p1/session.c
+--- openssh-8.4p1.org/session.c 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/session.c 2021-03-01 11:30:33.637508395 +0100
+@@ -1367,6 +1367,10 @@ void
do_setusercontext(struct passwd *pw)
{
char uidstr[32], *chroot_path, *tmp;
@@ -75,7 +78,7 @@
platform_setusercontext(pw);
-@@ -1532,6 +1536,29 @@ do_setusercontext(struct passwd *pw)
+@@ -1409,6 +1413,29 @@ do_setusercontext(struct passwd *pw)
free(options.chroot_directory);
options.chroot_directory = NULL;
in_chroot = 1;
@@ -105,9 +108,10 @@
}
#ifdef HAVE_LOGIN_CAP
---- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200
-+++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200
-@@ -91,6 +91,10 @@
+diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config openssh-8.4p1/sshd_config
+--- openssh-8.4p1.org/sshd_config 2021-03-01 11:30:33.370827964 +0100
++++ openssh-8.4p1/sshd_config 2021-03-01 11:30:33.637508395 +0100
+@@ -85,6 +85,10 @@ GSSAPIAuthentication yes
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
@@ -118,9 +122,10 @@
#AllowAgentForwarding yes
# Security advisory:
# http://securitytracker.com/alerts/2004/Sep/1011143.html
---- openssh-4.4p1/sshd_config.0.orig 2006-09-26 13:03:48.000000000 +0200
-+++ openssh-4.4p1/sshd_config.0 2006-10-05 10:11:41.615971000 +0200
-@@ -921,6 +921,16 @@ DESCRIPTION
+diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config.0 openssh-8.4p1/sshd_config.0
+--- openssh-8.4p1.org/sshd_config.0 2020-09-27 09:42:11.000000000 +0200
++++ openssh-8.4p1/sshd_config.0 2021-03-01 11:30:33.637508395 +0100
+@@ -1011,6 +1011,16 @@ DESCRIPTION
TrustedUserCAKeys. For more details on certificates, see the
CERTIFICATES section in ssh-keygen(1).
@@ -137,9 +142,10 @@
UseDNS Specifies whether sshd(8) should look up the remote host name,
and to check that the resolved host name for the remote IP
address maps back to the very same IP address.
---- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100
-+++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100
-@@ -552,6 +552,16 @@
+diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config.5 openssh-8.4p1/sshd_config.5
+--- openssh-8.4p1.org/sshd_config.5 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/sshd_config.5 2021-03-01 11:30:33.637508395 +0100
+@@ -1640,6 +1640,16 @@ Gives the facility code that is used whe
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
diff --git a/openssh-config.patch b/openssh-config.patch
index 799ce2c..b6bf853 100644
--- a/openssh-config.patch
+++ b/openssh-config.patch
@@ -1,6 +1,43 @@
---- openssh-4.6p1/sshd_config~ 2007-10-13 01:37:17.000000000 +0200
-+++ openssh-4.6p1/sshd_config 2007-10-13 01:47:12.000000000 +0200
-@@ -41,7 +41,7 @@
+diff -urNp -x '*.orig' openssh-8.4p1.org/ssh_config openssh-8.4p1/ssh_config
+--- openssh-8.4p1.org/ssh_config 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/ssh_config 2021-03-01 11:30:15.249892693 +0100
+@@ -20,10 +20,13 @@
+ # Host *
+ # ForwardAgent no
+ # ForwardX11 no
++# ForwardX11Trusted no
+ # PasswordAuthentication yes
+ # HostbasedAuthentication no
+ # GSSAPIAuthentication no
+ # GSSAPIDelegateCredentials no
++# GSSAPIKeyExchange no
++# GSSAPITrustDNS no
+ # BatchMode no
+ # CheckHostIP yes
+ # AddressFamily any
+@@ -44,3 +47,18 @@
+ # ProxyCommand ssh -q -W %h:%p gateway.example.com
+ # RekeyLimit 1G 1h
+ # UserKnownHostsFile ~/.ssh/known_hosts.d/%k
++
++Host *
++ GSSAPIAuthentication yes
++# If this option is set to yes then remote X11 clients will have full access
++# to the original X11 server. As some X11 clients don't support the untrusted
++# mode correctly, you might consider changing this to 'yes' or using '-Y'.
++# ForwardX11Trusted no
++ ServerAliveInterval 60
++ ServerAliveCountMax 10
++ TCPKeepAlive no
++ # Allow DSA keys
++# PubkeyAcceptedKeyTypes +ssh-dss
++# HostkeyAlgorithms +ssh-dss
++# Send locale-related environment variables, also pass some GIT vars
++ SendEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
+diff -urNp -x '*.orig' openssh-8.4p1.org/sshd_config openssh-8.4p1/sshd_config
+--- openssh-8.4p1.org/sshd_config 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/sshd_config 2021-03-01 11:30:15.249892693 +0100
+@@ -29,7 +29,7 @@
# Authentication:
#LoginGraceTime 2m
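Review bot: The relocated ssh_config section no longer ends with `HashKnownHosts yes`; the old version that the last hunk of this file deletes (`-+ HashKnownHosts yes`) had it, while the new `Host *` block stops at the `SendEnv` line, so the rediff drops a client hardening default rather than just moving it. If that was intentional it deserves a mention in the commit message; otherwise `    HashKnownHosts yes` should be restored after the `SendEnv` line and the inner header changed from `@@ -44,3 +47,18 @@` to `@@ -44,3 +47,19 @@`. The previous header `@@ -42,3 +45,18 @@` appears to undercount its 16 added lines, which may be how the line was lost when the patch was regenerated.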
@@ -9,25 +46,25 @@
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
-@@ -50,6 +51,9 @@
- # To disable tunneled clear text passwords, change to no here!
+@@ -57,6 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
#PermitEmptyPasswords no
-+
+
+# Allow DSA keys
+## PubkeyAcceptedKeyTypes +ssh-dss
-
++
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
-@@ -66,6 +70,7 @@
+
+@@ -69,6 +72,7 @@ AuthorizedKeysFile .ssh/authorized_keys
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
+GSSAPIAuthentication yes
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
-@@ -89,10 +92,12 @@
+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+@@ -79,10 +83,12 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
@@ -42,9 +79,9 @@
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
-@@ -106,6 +112,9 @@
+@@ -105,9 +111,16 @@ AuthorizedKeysFile .ssh/authorized_keys
# no default banner path
- #Banner /some/path
+ #Banner none
+# Accept locale-related environment variables, also accept some GIT vars
+AcceptEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
@@ -52,10 +89,6 @@
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
-@@ -119,6 +133,10 @@
- # override default of no subsystems
- Subsystem sftp /usr/libexec/sftp-server
-
+# Uncomment this if you want to use .local domain
+#Host *.local
+# CheckHostIP no
@@ -63,39 +96,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
---- openssh-4.6p1/ssh_config~ 2006-06-13 05:01:10.000000000 +0200
-+++ openssh-4.6p1/ssh_config 2007-10-13 02:00:16.000000000 +0200
-@@ -20,10 +20,13 @@
- # Host *
- # ForwardAgent no
- # ForwardX11 no
-+# ForwardX11Trusted no
- # PasswordAuthentication yes
- # HostbasedAuthentication no
- # GSSAPIAuthentication no
- # GSSAPIDelegateCredentials no
-+# GSSAPIKeyExchange no
-+# GSSAPITrustDNS no
- # BatchMode no
- # CheckHostIP yes
- # AddressFamily any
-@@ -42,3 +45,18 @@
- # ProxyCommand ssh -q -W %h:%p gateway.example.com
- # RekeyLimit 1G 1h
- # UserKnownHostsFile ~/.ssh/known_hosts.d/%k
-+
-+Host *
-+ GSSAPIAuthentication yes
-+# If this option is set to yes then remote X11 clients will have full access
-+# to the original X11 server. As some X11 clients don't support the untrusted
-+# mode correctly, you might consider changing this to 'yes' or using '-Y'.
-+# ForwardX11Trusted no
-+ ServerAliveInterval 60
-+ ServerAliveCountMax 10
-+ TCPKeepAlive no
-+ # Allow DSA keys
-+# PubkeyAcceptedKeyTypes +ssh-dss
-+# HostkeyAlgorithms +ssh-dss
-+# Send locale-related environment variables, also pass some GIT vars
-+ SendEnv LANG LC_* LANGUAGE XMODIFIERS TZ GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL
-+ HashKnownHosts yes
diff --git a/openssh-ldap-fixes.patch b/openssh-ldap-fixes.patch
index 19feca6..0b42df4 100644
--- a/openssh-ldap-fixes.patch
+++ b/openssh-ldap-fixes.patch
@@ -1,7 +1,19 @@
-diff -ur openssh-5.9p1.org/ldap-helper.c openssh-5.9p1/ldap-helper.c
---- openssh-5.9p1.org/ldap-helper.c 2011-09-11 08:44:20.526555802 +0200
-+++ openssh-5.9p1/ldap-helper.c 2011-09-11 08:43:11.328426660 +0200
-@@ -62,6 +62,8 @@
+diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in
+--- openssh-8.4p1.org/Makefile.in 2021-03-01 11:29:52.615391132 +0100
++++ openssh-8.4p1/Makefile.in 2021-03-01 11:29:52.908739606 +0100
+@@ -234,7 +234,7 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib
+ $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
+
+ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+- $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
++ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+diff -urNp -x '*.orig' openssh-8.4p1.org/ldap-helper.c openssh-8.4p1/ldap-helper.c
+--- openssh-8.4p1.org/ldap-helper.c 2021-03-01 11:29:52.615391132 +0100
++++ openssh-8.4p1/ldap-helper.c 2021-03-01 11:29:52.908739606 +0100
+@@ -62,6 +62,8 @@ usage(void)
int
main(int ac, char **av)
{
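Review bot: The Makefile.in hunk in this patch exists only to strip the `-lfipscheck` that openssh-ldap.patch adds to the same `ssh-ldap-helper$(EXEEXT)` link line, so both patches have to be rediffed in lockstep every time that target moves, as this commit does for both. Since the whole series is being regenerated anyway, dropping `-lfipscheck` from the link line inside openssh-ldap.patch and deleting this hunk would leave one fewer coupled patch to maintain. The ldap-helper.c hunk that starts at `@@ -62,6 +62,8 @@ usage(void)` continues in the next hunk of this diff, and its two added lines are not visible here.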
@@ -10,16 +22,3 @@ diff -ur openssh-5.9p1.org/ldap-helper.c openssh-5.9p1/ldap-helper.c
int opt;
FILE *outfile = NULL;
-diff -ur openssh-5.9p1.org/Makefile.in openssh-5.9p1/Makefile.in
---- openssh-5.9p1.org/Makefile.in 2011-09-11 08:44:20.543222823 +0200
-+++ openssh-5.9p1/Makefile.in 2011-09-11 08:43:11.348427083 +0200
-@@ -165,7 +165,7 @@
- $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lssh -lopenbsd-compat $(LIBS)
-
- ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
-- $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
-+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-
diff --git a/openssh-ldap.patch b/openssh-ldap.patch
index fe93879..4585cbe 100644
--- a/openssh-ldap.patch
+++ b/openssh-ldap.patch
@@ -1,9 +1,220 @@
-diff -up openssh-6.2p1/configure.ac.ldap openssh-6.2p1/configure.ac
---- openssh-6.2p1/configure.ac.ldap 2013-03-20 02:55:15.000000000 +0100
-+++ openssh-6.2p1/configure.ac 2013-03-25 21:27:15.888248071 +0100
-@@ -1509,6 +1509,106 @@ AC_ARG_WITH([audit],
- esac ]
- )
+diff -urNp -x '*.orig' openssh-8.4p1.org/HOWTO.ldap-keys openssh-8.4p1/HOWTO.ldap-keys
+--- openssh-8.4p1.org/HOWTO.ldap-keys 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/HOWTO.ldap-keys 2021-03-01 11:29:31.277623165 +0100
+@@ -0,0 +1,108 @@
++
++HOW TO START
++
++1) configure LDAP server
++ * Use LDAP server documentation
++2) add appropriate LDAP schema
++ * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it.
++ * LDAP user entry
++ User entry:
++ - attached to the 'ldapPublicKey' objectclass
++ - attached to the 'posixAccount' objectclass
++ - with a filled 'sshPublicKey' attribute
++3) insert users into LDAP
++ * Use LDAP Tree management tool as useful
++ * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
++ * Example:
++ dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
++ objectclass: top
++ objectclass: person
++ objectclass: organizationalPerson
++ objectclass: posixAccount
++ objectclass: ldapPublicKey
++ description: Jonathan Archer
++ userPassword: Porthos
++ cn: onathan Archer
++ sn: onathan Archer
++ uid: captain
++ uidNumber: 1001
++ gidNumber: 1001
++ homeDirectory: /home/captain
++ sshPublicKey: ssh-rss AAAAB3.... =captain@universe
++ sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
++4) on the ssh side set in sshd_config
++ * Set up the backend
++ AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
++ AuthorizedKeysCommandUser <appropriate user to run LDAP>
++ * Do not forget to set
++ PubkeyAuthentication yes
++ * Swith off unnecessary auth methods
++5) confugure ldap.conf
++ * Default ldap.conf is placed in /etc/ssh
++ * The configuration style is the same as other ldap based aplications
++6) if necessary edit ssh-ldap-wrapper
++ * There is a possibility to change ldap.conf location
++ * There are some debug options
++ * Example
++ /usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
++
++HOW TO MIGRATE FROM LPK
++
++1) goto HOW TO START 4) .... the ldap schema is the same
++
++2) convert the group requests to the appropriate LDAP requests
++
++HOW TO SOLVE PROBLEMS
++
++1) use debug in sshd
++ * /usr/sbin/sshd -d -d -d -d
++2) use debug in ssh-ldap-helper
++ * ssh-ldap-helper -d -d -d -d -s <username>
++3) use tcpdump ... other ldap client etc.
++
++ADVANTAGES
++
++1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
++
++DISADVANTAGES
++
++1) LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
++ allows write to users dn, somebody could replace some user's public key by his own and impersonate some
++ of your users in all your server farm -- be VERY CAREFUL.
++2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
++ as the impersonated user.
++3) If LDAP server is down there may be no fallback on passwd auth.
++
++MISC.
++
++1) todo
++ * Possibility to reuse the ssh-ldap-helper.
++ * Tune the LDAP part to accept all possible LDAP configurations.
++
++2) differences from original lpk
++ * No LDAP code in sshd.
++ * Support for various LDAP platforms and configurations.
++ * LDAP is configured in separate ldap.conf file.
++
++3) docs/link
++ * http://pacsec.jp/core05/psj05-barisani-en.pdf
++ * http://fritz.potsdam.edu/projects/openssh-lpk/
++ * http://fritz.potsdam.edu/projects/sshgate/
++ * http://dev.inversepath.com/trac/openssh-lpk
++ * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
++
++4) contributors/ideas/greets
++ - Eric AUGE <eau@phear.org>
++ - Andrea Barisani <andrea@inversepath.com>
++ - Falk Siemonsmeier.
++ - Jacob Rief.
++ - Michael Durchgraf.
++ - frederic peters.
++ - Finlay dobbie.
++ - Stefan Fisher.
++ - Robin H. Johnson.
++ - Adrian Bridgett.
++
++5) Author
++ Jan F. Chadima <jchadima@redhat.com>
++
+diff -urNp -x '*.orig' openssh-8.4p1.org/Makefile.in openssh-8.4p1/Makefile.in
+--- openssh-8.4p1.org/Makefile.in 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/Makefile.in 2021-03-01 11:29:31.280956671 +0100
+@@ -23,6 +23,8 @@ SSH_PROGRAM=@bindir@/ssh
+ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
++SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
++SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
+ PRIVSEP_PATH=@PRIVSEP_PATH@
+@@ -63,10 +65,11 @@ LDFLAGS_NOPIE=-L. -Lopenbsd-compat/ @LDF
+ EXEEXT=@EXEEXT@
+ MANFMT=@MANFMT@
+ MKDIR_P=@MKDIR_P@
++INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
+
+ .SUFFIXES: .lo
+
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT)
+
+ XMSS_OBJS=\
+ ssh-xmss.o \
+@@ -150,8 +153,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve
+
+ SFTP_OBJS= sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
+
+-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
+-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
++MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
++MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
+ MANTYPE = @MANTYPE@
+
+ CONFIGFILES=sshd_config.out ssh_config.out moduli.out
+@@ -230,6 +233,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+ $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
+
++ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
++ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
++
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+
+@@ -395,6 +401,10 @@ install-files:
+ $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
++ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
++ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
++ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
++ fi
+ $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
+@@ -412,6 +422,10 @@ install-files:
+ $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+ $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+ $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
++ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
++ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
++ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
++ fi
+
+ install-sysconf:
+ $(MKDIR_P) $(DESTDIR)$(sysconfdir)
+@@ -435,6 +449,13 @@ install-sysconf:
+ else \
+ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
+ fi
++ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
++ if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
++ $(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
++ else \
++ echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
++ fi ; \
++ fi
+
+ host-key: ssh-keygen$(EXEEXT)
+ @if [ -z "$(DESTDIR)" ] ; then \
+@@ -473,6 +494,8 @@ uninstall:
+ -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+ -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
++ -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
++ -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
+@@ -485,6 +508,7 @@ uninstall:
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
++ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
+
+ regress-prep:
+ $(MKDIR_P) `pwd`/regress/unittests/test_helper
+diff -urNp -x '*.orig' openssh-8.4p1.org/configure.ac openssh-8.4p1/configure.ac
+--- openssh-8.4p1.org/configure.ac 2021-03-01 11:29:31.004275724 +0100
++++ openssh-8.4p1/configure.ac 2021-03-01 11:29:31.277623165 +0100
+@@ -1763,6 +1763,106 @@ AC_COMPILE_IFELSE(
+ CFLAGS="$SAVED_CFLAGS"
+ AC_SUBST([PICFLAG])
+# Check whether user wants LDAP support
+LDAP_MSG="no"
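Review bot: The `install-files` rule installs `ssh-ldap-helper` and `ssh-ldap-wrapper` with `-m 0700`, while the HOWTO in the same hunk tells administrators to run the wrapper via `AuthorizedKeysCommandUser <appropriate user to run LDAP>`; a 0700 root-owned file is not executable by such a dedicated user, so the documented setup only works if the files are owned by that user or the command runs as root. The neighbouring helpers are installed `-m 0755`, which also satisfies sshd's check that an AuthorizedKeysCommand is root-owned and not group/world-writable, so `$(INSTALL) -m 0755 ...` for both files looks like the safer default. Relatedly, `install-sysconf` installs `ldap.conf` with `-m 644`; if the shipped file is expected to carry bind credentials (the HOWTO says its format follows other LDAP clients), it should be installed 0600 or readable only by the helper's user. Both rules continue beyond the end of the hunk.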
@@ -107,122 +318,297 @@ diff -up openssh-6.2p1/configure.ac.ldap openssh-6.2p1/configure.ac
+
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS([ \
- arc4random \
-diff -up openssh-6.2p1/HOWTO.ldap-keys.ldap openssh-6.2p1/HOWTO.ldap-keys
---- openssh-6.2p1/HOWTO.ldap-keys.ldap 2013-03-25 21:27:15.889248078 +0100
-+++ openssh-6.2p1/HOWTO.ldap-keys 2013-03-25 21:27:15.889248078 +0100
-@@ -0,0 +1,108 @@
+ Blowfish_initstate \
+diff -urNp -x '*.orig' openssh-8.4p1.org/ldap-helper.c openssh-8.4p1/ldap-helper.c
+--- openssh-8.4p1.org/ldap-helper.c 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/ldap-helper.c 2021-03-01 11:29:31.280956671 +0100
+@@ -0,0 +1,155 @@
++/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
++/*
++ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
+
-+HOW TO START
++#include "ldapincludes.h"
++#include "log.h"
++#include "misc.h"
++#include "xmalloc.h"
++#include "ldapconf.h"
++#include "ldapbody.h"
++#include <string.h>
++#include <unistd.h>
+
-+1) configure LDAP server
-+ * Use LDAP server documentation
-+2) add appropriate LDAP schema
-+ * For OpenLDAP or SunONE Use attached schema, otherwise you have to create it.
-+ * LDAP user entry
-+ User entry:
-+ - attached to the 'ldapPublicKey' objectclass
-+ - attached to the 'posixAccount' objectclass
-+ - with a filled 'sshPublicKey' attribute
-+3) insert users into LDAP
-+ * Use LDAP Tree management tool as useful
-+ * Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema and the additionnal lpk.schema.
-+ * Example:
-+ dn: uid=captain,ou=commanders,dc=enterprise,dc=universe
-+ objectclass: top
-+ objectclass: person
-+ objectclass: organizationalPerson
-+ objectclass: posixAccount
-+ objectclass: ldapPublicKey
-+ description: Jonathan Archer
-+ userPassword: Porthos
-+ cn: onathan Archer
-+ sn: onathan Archer
-+ uid: captain
-+ uidNumber: 1001
-+ gidNumber: 1001
-+ homeDirectory: /home/captain
-+ sshPublicKey: ssh-rss AAAAB3.... =captain@universe
-+ sshPublicKey: command="kill -9 1" ssh-rss AAAAM5...
-+4) on the ssh side set in sshd_config
-+ * Set up the backend
-+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
-+ AuthorizedKeysCommandUser <appropriate user to run LDAP>
-+ * Do not forget to set
-+ PubkeyAuthentication yes
-+ * Swith off unnecessary auth methods
-+5) confugure ldap.conf
-+ * Default ldap.conf is placed in /etc/ssh
-+ * The configuration style is the same as other ldap based aplications
-+6) if necessary edit ssh-ldap-wrapper
-+ * There is a possibility to change ldap.conf location
-+ * There are some debug options
-+ * Example
-+ /usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt
++static int config_debug = 0;
++int config_exclusive_config_file = 0;
++static char *config_file_name = "/etc/ssh/ldap.conf";
++static char *config_single_user = NULL;
++static int config_verbose = SYSLOG_LEVEL_VERBOSE;
++int config_warning_config_file = 0;
++extern char *__progname;
+
-+HOW TO MIGRATE FROM LPK
++static void
++usage(void)
++{
++ fprintf(stderr, "usage: %s [options]\n",
++ __progname);
++ fprintf(stderr, "Options:\n");
++ fprintf(stderr, " -d Output the log messages to stderr.\n");
++ fprintf(stderr, " -e Check the config file for unknown commands.\n");
++ fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n");
++ fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n");
++ fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n");
++ fprintf(stderr, " -w Warn on unknown commands in the config file.\n");
++ exit(1);
++}
+
-+1) goto HOW TO START 4) .... the ldap schema is the same
++/*
++ * Main program for the ssh pka ldap agent.
++ */
+
-+2) convert the group requests to the appropriate LDAP requests
++int
++main(int ac, char **av)
++{
++ int opt;
++ FILE *outfile = NULL;
+
-+HOW TO SOLVE PROBLEMS
++ __progname = ssh_get_progname(av[0]);
+
-+1) use debug in sshd
-+ * /usr/sbin/sshd -d -d -d -d
-+2) use debug in ssh-ldap-helper
-+ * ssh-ldap-helper -d -d -d -d -s <username>
-+3) use tcpdump ... other ldap client etc.
++ log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
+
-+ADVANTAGES
++ /*
++ * Initialize option structure to indicate that no values have been
++ * set.
++ */
++ initialize_options();
+
-+1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only).
++ /* Parse command-line arguments. */
++ while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
++ switch (opt) {
++ case 'd':
++ config_debug = 1;
++ break;
+
-+DISADVANTAGES
++ case 'e':
++ config_exclusive_config_file = 1;
++ config_warning_config_file = 1;
++ break;
+
-+1) LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
-+ allows write to users dn, somebody could replace some user's public key by his own and impersonate some
-+ of your users in all your server farm -- be VERY CAREFUL.
-+2) With incomplete PKI the MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
-+ as the impersonated user.
-+3) If LDAP server is down there may be no fallback on passwd auth.
-+
-+MISC.
-+
-+1) todo
-+ * Possibility to reuse the ssh-ldap-helper.
-+ * Tune the LDAP part to accept all possible LDAP configurations.
++ case 'f':
++ config_file_name = optarg;
++ break;
+
-+2) differences from original lpk
-+ * No LDAP code in sshd.
-+ * Support for various LDAP platforms and configurations.
-+ * LDAP is configured in separate ldap.conf file.
++ case 's':
++ config_single_user = optarg;
++ outfile = fdopen (dup (fileno (stdout)), "w");
++ break;
+
-+3) docs/link
-+ * http://pacsec.jp/core05/psj05-barisani-en.pdf
-+ * http://fritz.potsdam.edu/projects/openssh-lpk/
-+ * http://fritz.potsdam.edu/projects/sshgate/
-+ * http://dev.inversepath.com/trac/openssh-lpk
-+ * http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/supportedSchemas.htm )
++ case 'v':
++ config_debug = 1;
++ if (config_verbose < SYSLOG_LEVEL_DEBUG3)
++ config_verbose++;
++ break;
+
-+4) contributors/ideas/greets
-+ - Eric AUGE <eau@phear.org>
-+ - Andrea Barisani <andrea@inversepath.com>
-+ - Falk Siemonsmeier.
-+ - Jacob Rief.
-+ - Michael Durchgraf.
-+ - frederic peters.
-+ - Finlay dobbie.
-+ - Stefan Fisher.
-+ - Robin H. Johnson.
-+ - Adrian Bridgett.
++ case 'w':
++ config_warning_config_file = 1;
++ break;
+
-+5) Author
-+ Jan F. Chadima <jchadima@redhat.com>
++ case '?':
++ default:
++ usage();
++ break;
++ }
++ }
++
++ /* Initialize loging */
++ log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
++
++ if (ac != optind)
++ fatal ("illegal extra parameter %s", av[1]);
++
++ /* Ensure that fds 0 and 2 are open or directed to /dev/null */
++ if (config_debug == 0)
++ sanitise_stdfd();
++
++ /* Read config file */
++ read_config_file(config_file_name);
++ fill_default_options();
++ if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
++ debug3 ("=== Configuration ===");
++ dump_config();
++ debug3 ("=== *** ===");
++ }
++
++ ldap_checkconfig();
++ ldap_do_connect();
++
++ if (config_single_user) {
++ process_user (config_single_user, outfile);
++ } else {
++ usage();
++ fatal ("Not yet implemented");
++/* TODO
++ * open unix socket a run the loop on it
++ */
++ }
++
++ ldap_do_close();
++ return 0;
++}
++
++/* Ugly hack */
++void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
++void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
++
+diff -urNp -x '*.orig' openssh-8.4p1.org/ldap-helper.h openssh-8.4p1/ldap-helper.h
+--- openssh-8.4p1.org/ldap-helper.h 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/ldap-helper.h 2021-03-01 11:29:31.280956671 +0100
+@@ -0,0 +1,32 @@
++/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
++/*
++ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#ifndef LDAP_HELPER_H
++#define LDAP_HELPER_H
++
++extern int config_exclusive_config_file;
++extern int config_warning_config_file;
++
++#endif /* LDAP_HELPER_H */
+diff -urNp -x '*.orig' openssh-8.4p1.org/ldap.conf openssh-8.4p1/ldap.conf
+--- openssh-8.4p1.org/ldap.conf 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/ldap.conf 2021-03-01 11:29:31.280956671 +0100
+@@ -0,0 +1,88 @@
++# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
++#
++# This is the example configuration file for the OpenSSH
++# LDAP backend
++#
++# see ssh-ldap.conf(5)
++#
++
++# URI with your LDAP server name. This allows to use
++# Unix Domain Sockets to connect to a local LDAP Server.
++#uri ldap://127.0.0.1/
++#uri ldaps://127.0.0.1/
++#uri ldapi://%2fvar%2frun%2fldapi_sock/
++# Note: %2f encodes the '/' used as directory separator
++
++# Another way to specify your LDAP server is to provide an
++# host name and the port of our LDAP server. Host name
++# must be resolvable without using LDAP.
++# Multiple hosts may be specified, each separated by a
++# space. How long nss_ldap takes to failover depends on
++# whether your LDAP client library supports configurable
++# network or connect timeouts (see bind_timelimit).
++#host 127.0.0.1
++
++# The port.
++# Optional: default is 389.
++#port 389
++
++# The distinguished name to bind to the server with.
++# Optional: default is to bind anonymously.
++#binddn cn=openssh_keys,dc=example,dc=org
++
++# The credentials to bind with.
++# Optional: default is no credential.
++#bindpw TopSecret
++
++# The distinguished name of the search base.
++#base dc=example,dc=org
++
++# The LDAP version to use (defaults to 3
++# if supported by client library)
++#ldap_version 3
++
++# The search scope.
++#scope sub
++#scope one
++#scope base
++
++# Search timelimit
++#timelimit 30
++
++# Bind/connect timelimit
++#bind_timelimit 30
++
++# Reconnect policy: hard (default) will retry connecting to
++# the software with exponential backoff, soft will fail
++# immediately.
++#bind_policy hard
++
++# SSL setup, may be implied by URI also.
++#ssl no
++#ssl on
++#ssl start_tls
++
++# OpenLDAP SSL options
++# Require and verify server certificate (yes/no)
++# Default is to use libldap's default behavior, which can be configured in
++# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
++# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
++#tls_checkpeer hard
++
++# CA certificates for server certificate verification
++# At least one of these are required if tls_checkpeer is "yes"
++#tls_cacertfile /etc/ssl/ca.cert
++#tls_cacertdir /etc/pki/tls/certs
++
++# Seed the PRNG if /dev/urandom is not provided
++#tls_randfile /var/run/egd-pool
+
-diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
---- openssh-6.2p1/ldapbody.c.ldap 2013-03-25 21:27:15.889248078 +0100
-+++ openssh-6.2p1/ldapbody.c 2013-03-25 21:27:15.889248078 +0100
++# SSL cipher suite
++# See man ciphers for syntax
++#tls_ciphers TLSv1
++
++# Client certificate and key
++# Use these, if your server requires client authentication.
++#tls_cert
++#tls_key
++
+diff -urNp -x '*.orig' openssh-8.4p1.org/ldapbody.c openssh-8.4p1/ldapbody.c
+--- openssh-8.4p1.org/ldapbody.c 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/ldapbody.c 2021-03-01 11:29:31.280956671 +0100
@@ -0,0 +1,494 @@
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -718,9 +1104,9 @@ diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
+ return;
+}
+
-diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
---- openssh-6.2p1/ldapbody.h.ldap 2013-03-25 21:27:15.889248078 +0100
-+++ openssh-6.2p1/ldapbody.h 2013-03-25 21:27:15.889248078 +0100
+diff -urNp -x '*.orig' openssh-8.4p1.org/ldapbody.h openssh-8.4p1/ldapbody.h
+--- openssh-8.4p1.org/ldapbody.h 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/ldapbody.h 2021-03-01 11:29:31.280956671 +0100
@@ -0,0 +1,37 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -759,9 +1145,9 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
+
+#endif /* LDAPBODY_H */
+
-diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
---- openssh-6.2p2/ldapconf.c.ldap 2013-06-07 15:10:05.601942693 +0200
-+++ openssh-6.2p2/ldapconf.c 2013-06-07 15:10:24.928857566 +0200
+diff -urNp -x '*.orig' openssh-8.4p1.org/ldapconf.c openssh-8.4p1/ldapconf.c
+--- openssh-8.4p1.org/ldapconf.c 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/ldapconf.c 2021-03-01 11:29:31.280956671 +0100
@@ -0,0 +1,691 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1454,9 +1840,9 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
+ dump_cfg_string(lAccountClass, options.logdir);
+}
+
-diff -up openssh-6.2p2/ldapconf.h.ldap openssh-6.2p2/ldapconf.h
---- openssh-6.2p2/ldapconf.h.ldap 2013-06-07 15:10:05.602942689 +0200
-+++ openssh-6.2p2/ldapconf.h 2013-06-07 15:10:24.928857566 +0200
+diff -urNp -x '*.orig' openssh-8.4p1.org/ldapconf.h openssh-8.4p1/ldapconf.h
+--- openssh-8.4p1.org/ldapconf.h 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/ldapconf.h 2021-03-01 11:29:31.280956671 +0100
@@ -0,0 +1,72 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1530,296 +1916,9 @@ diff -up openssh-6.2p2/ldapconf.h.ldap openssh-6.2p2/ldapconf.h
+void dump_config(void);
+
+#endif /* LDAPCONF_H */
-diff -up openssh-6.2p1/ldap.conf.ldap openssh-6.2p1/ldap.conf
---- openssh-6.2p1/ldap.conf.ldap 2013-03-25 21:27:15.891248091 +0100
-+++ openssh-6.2p1/ldap.conf 2013-03-25 21:27:15.891248091 +0100
-@@ -0,0 +1,88 @@
-+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
-+#
-+# This is the example configuration file for the OpenSSH
-+# LDAP backend
-+#
-+# see ssh-ldap.conf(5)
-+#
-+
-+# URI with your LDAP server name. This allows to use
-+# Unix Domain Sockets to connect to a local LDAP Server.
-+#uri ldap://127.0.0.1/
-+#uri ldaps://127.0.0.1/
-+#uri ldapi://%2fvar%2frun%2fldapi_sock/
-+# Note: %2f encodes the '/' used as directory separator
-+
-+# Another way to specify your LDAP server is to provide an
-+# host name and the port of our LDAP server. Host name
-+# must be resolvable without using LDAP.
-+# Multiple hosts may be specified, each separated by a
-+# space. How long nss_ldap takes to failover depends on
-+# whether your LDAP client library supports configurable
-+# network or connect timeouts (see bind_timelimit).
-+#host 127.0.0.1
-+
-+# The port.
-+# Optional: default is 389.
-+#port 389
-+
-+# The distinguished name to bind to the server with.
-+# Optional: default is to bind anonymously.
-+#binddn cn=openssh_keys,dc=example,dc=org
-+
-+# The credentials to bind with.
-+# Optional: default is no credential.
-+#bindpw TopSecret
-+
-+# The distinguished name of the search base.
-+#base dc=example,dc=org
-+
-+# The LDAP version to use (defaults to 3
-+# if supported by client library)
-+#ldap_version 3
-+
-+# The search scope.
-+#scope sub
-+#scope one
-+#scope base
-+
-+# Search timelimit
-+#timelimit 30
-+
-+# Bind/connect timelimit
-+#bind_timelimit 30
-+
-+# Reconnect policy: hard (default) will retry connecting to
-+# the software with exponential backoff, soft will fail
-+# immediately.
-+#bind_policy hard
-+
-+# SSL setup, may be implied by URI also.
-+#ssl no
-+#ssl on
-+#ssl start_tls
-+
-+# OpenLDAP SSL options
-+# Require and verify server certificate (yes/no)
-+# Default is to use libldap's default behavior, which can be configured in
-+# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
-+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
-+#tls_checkpeer hard
-+
-+# CA certificates for server certificate verification
-+# At least one of these are required if tls_checkpeer is "yes"
-+#tls_cacertfile /etc/ssl/ca.cert
-+#tls_cacertdir /etc/pki/tls/certs
-+
-+# Seed the PRNG if /dev/urandom is not provided
-+#tls_randfile /var/run/egd-pool
-+
-+# SSL cipher suite
-+# See man ciphers for syntax
-+#tls_ciphers TLSv1
-+
-+# Client certificate and key
-+# Use these, if your server requires client authentication.
-+#tls_cert
-+#tls_key
-+
-diff -up openssh-6.2p1/ldap-helper.c.ldap openssh-6.2p1/ldap-helper.c
---- openssh-6.2p1/ldap-helper.c.ldap 2013-03-25 21:27:15.892248097 +0100
-+++ openssh-6.2p1/ldap-helper.c 2013-03-25 21:27:15.892248097 +0100
-@@ -0,0 +1,155 @@
-+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
-+/*
-+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "ldapincludes.h"
-+#include "log.h"
-+#include "misc.h"
-+#include "xmalloc.h"
-+#include "ldapconf.h"
-+#include "ldapbody.h"
-+#include <string.h>
-+#include <unistd.h>
-+
-+static int config_debug = 0;
-+int config_exclusive_config_file = 0;
-+static char *config_file_name = "/etc/ssh/ldap.conf";
-+static char *config_single_user = NULL;
-+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
-+int config_warning_config_file = 0;
-+extern char *__progname;
-+
-+static void
-+usage(void)
-+{
-+ fprintf(stderr, "usage: %s [options]\n",
-+ __progname);
-+ fprintf(stderr, "Options:\n");
-+ fprintf(stderr, " -d Output the log messages to stderr.\n");
-+ fprintf(stderr, " -e Check the config file for unknown commands.\n");
-+ fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n");
-+ fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n");
-+ fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n");
-+ fprintf(stderr, " -w Warn on unknown commands in the config file.\n");
-+ exit(1);
-+}
-+
-+/*
-+ * Main program for the ssh pka ldap agent.
-+ */
-+
-+int
-+main(int ac, char **av)
-+{
-+ int opt;
-+ FILE *outfile = NULL;
-+
-+ __progname = ssh_get_progname(av[0]);
-+
-+ log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
-+
-+ /*
-+ * Initialize option structure to indicate that no values have been
-+ * set.
-+ */
-+ initialize_options();
-+
-+ /* Parse command-line arguments. */
-+ while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
-+ switch (opt) {
-+ case 'd':
-+ config_debug = 1;
-+ break;
-+
-+ case 'e':
-+ config_exclusive_config_file = 1;
-+ config_warning_config_file = 1;
-+ break;
-+
-+ case 'f':
-+ config_file_name = optarg;
-+ break;
-+
-+ case 's':
-+ config_single_user = optarg;
-+ outfile = fdopen (dup (fileno (stdout)), "w");
-+ break;
-+
-+ case 'v':
-+ config_debug = 1;
-+ if (config_verbose < SYSLOG_LEVEL_DEBUG3)
-+ config_verbose++;
-+ break;
-+
-+ case 'w':
-+ config_warning_config_file = 1;
-+ break;
-+
-+ case '?':
-+ default:
-+ usage();
-+ break;
-+ }
-+ }
-+
-+ /* Initialize loging */
-+ log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
-+
-+ if (ac != optind)
-+ fatal ("illegal extra parameter %s", av[1]);
-+
-+ /* Ensure that fds 0 and 2 are open or directed to /dev/null */
-+ if (config_debug == 0)
-+ sanitise_stdfd();
-+
-+ /* Read config file */
-+ read_config_file(config_file_name);
-+ fill_default_options();
-+ if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
-+ debug3 ("=== Configuration ===");
-+ dump_config();
-+ debug3 ("=== *** ===");
-+ }
-+
-+ ldap_checkconfig();
-+ ldap_do_connect();
-+
-+ if (config_single_user) {
-+ process_user (config_single_user, outfile);
-+ } else {
-+ usage();
-+ fatal ("Not yet implemented");
-+/* TODO
-+ * open unix socket a run the loop on it
-+ */
-+ }
-+
-+ ldap_do_close();
-+ return 0;
-+}
-+
-+/* Ugly hack */
-+void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
-+void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
-+
-diff -up openssh-6.2p1/ldap-helper.h.ldap openssh-6.2p1/ldap-helper.h
---- openssh-6.2p1/ldap-helper.h.ldap 2013-03-25 21:27:15.892248097 +0100
-+++ openssh-6.2p1/ldap-helper.h 2013-03-25 21:27:15.892248097 +0100
-@@ -0,0 +1,32 @@
-+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
-+/*
-+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#ifndef LDAP_HELPER_H
-+#define LDAP_HELPER_H
-+
-+extern int config_exclusive_config_file;
-+extern int config_warning_config_file;
-+
-+#endif /* LDAP_HELPER_H */
-diff -up openssh-6.2p1/ldapincludes.h.ldap openssh-6.2p1/ldapincludes.h
---- openssh-6.2p1/ldapincludes.h.ldap 2013-03-25 21:27:15.892248097 +0100
-+++ openssh-6.2p1/ldapincludes.h 2013-03-25 21:27:15.892248097 +0100
+diff -urNp -x '*.orig' openssh-8.4p1.org/ldapincludes.h openssh-8.4p1/ldapincludes.h
+--- openssh-8.4p1.org/ldapincludes.h 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/ldapincludes.h 2021-03-01 11:29:31.280956671 +0100
@@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1862,9 +1961,9 @@ diff -up openssh-6.2p1/ldapincludes.h.ldap openssh-6.2p1/ldapincludes.h
+#endif
+
+#endif /* LDAPINCLUDES_H */
-diff -up openssh-6.2p1/ldapmisc.c.ldap openssh-6.2p1/ldapmisc.c
---- openssh-6.2p1/ldapmisc.c.ldap 2013-03-25 21:27:15.893248104 +0100
-+++ openssh-6.2p1/ldapmisc.c 2013-03-25 21:27:15.893248104 +0100
+diff -urNp -x '*.orig' openssh-8.4p1.org/ldapmisc.c openssh-8.4p1/ldapmisc.c
+--- openssh-8.4p1.org/ldapmisc.c 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/ldapmisc.c 2021-03-01 11:29:31.280956671 +0100
@@ -0,0 +1,79 @@
+
+#include "ldapincludes.h"
@@ -1945,9 +2044,9 @@ diff -up openssh-6.2p1/ldapmisc.c.ldap openssh-6.2p1/ldapmisc.c
+}
+#endif
+
-diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h
---- openssh-6.2p1/ldapmisc.h.ldap 2013-03-25 21:27:15.893248104 +0100
-+++ openssh-6.2p1/ldapmisc.h 2013-03-25 21:27:15.893248104 +0100
+diff -urNp -x '*.orig' openssh-8.4p1.org/ldapmisc.h openssh-8.4p1/ldapmisc.h
+--- openssh-8.4p1.org/ldapmisc.h 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/ldapmisc.h 2021-03-01 11:29:31.280956671 +0100
@@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1984,107 +2083,9 @@ diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h
+
+#endif /* LDAPMISC_H */
+
---- openssh-7.2p1/Makefile.in.orig 2016-02-26 04:40:04.000000000 +0100
-+++ openssh-7.2p1/Makefile.in 2016-03-04 19:44:30.903306337 +0100
-@@ -25,6 +25,8 @@
- ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
- SFTP_SERVER=$(libexecdir)/sftp-server
- SSH_KEYSIGN=$(libexecdir)/ssh-keysign
-+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
-+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
- SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
- PRIVSEP_PATH=@PRIVSEP_PATH@
- SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -61,10 +63,11 @@
- EXEEXT=@EXEEXT@
- MANFMT=@MANFMT@
- MKDIR_P=@MKDIR_P@
-+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-
- .SUFFIXES: .lo
-
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT)
-
- LIBOPENSSH_OBJS=\
- ssh_api.o \
-@@ -112,8 +115,8 @@
- sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
- sandbox-solaris.o
-
--MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out
--MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5
-+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
-+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
- MANTYPE = @MANTYPE@
-
- CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -235,6 +235,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
- ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
- $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
-
-+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
-+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
-+
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-
-@@ -395,6 +395,10 @@ install-files:
- $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
-+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
-+ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
-+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
-+ fi
- $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
- $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-@@ -416,6 +416,10 @@ install-files:
- $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
- $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
- $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
-+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
-+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
-+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
-+ fi
-
- install-sysconf:
- $(MKDIR_P) $(DESTDIR)$(sysconfdir)
-@@ -352,6 +366,13 @@
- else \
- echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
- fi
-+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
-+ if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
-+ $(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
-+ else \
-+ echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
-+ fi ; \
-+ fi
-
- host-key: ssh-keygen$(EXEEXT)
- @if [ -z "$(DESTDIR)" ] ; then \
-@@ -488,6 +488,8 @@ uninstall:
- -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
- -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
- -rm -f $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
-+ -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
-+ -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -502,6 +502,7 @@ uninstall:
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
-+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
-
- regress-prep:
- $(MKDIR_P) `pwd`/regress/unittests/test_helper
-diff -up openssh-6.2p1/openssh-lpk-openldap.schema.ldap openssh-6.2p1/openssh-lpk-openldap.schema
---- openssh-6.2p1/openssh-lpk-openldap.schema.ldap 2013-03-25 21:27:15.894248110 +0100
-+++ openssh-6.2p1/openssh-lpk-openldap.schema 2013-03-25 21:27:15.894248110 +0100
+diff -urNp -x '*.orig' openssh-8.4p1.org/openssh-lpk-openldap.schema openssh-8.4p1/openssh-lpk-openldap.schema
+--- openssh-8.4p1.org/openssh-lpk-openldap.schema 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/openssh-lpk-openldap.schema 2021-03-01 11:29:31.280956671 +0100
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2107,9 +2108,9 @@ diff -up openssh-6.2p1/openssh-lpk-openldap.schema.ldap openssh-6.2p1/openssh-lp
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
-diff -up openssh-6.2p1/openssh-lpk-sun.schema.ldap openssh-6.2p1/openssh-lpk-sun.schema
---- openssh-6.2p1/openssh-lpk-sun.schema.ldap 2013-03-25 21:27:15.894248110 +0100
-+++ openssh-6.2p1/openssh-lpk-sun.schema 2013-03-25 21:27:15.894248110 +0100
+diff -urNp -x '*.orig' openssh-8.4p1.org/openssh-lpk-sun.schema openssh-8.4p1/openssh-lpk-sun.schema
+--- openssh-8.4p1.org/openssh-lpk-sun.schema 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/openssh-lpk-sun.schema 2021-03-01 11:29:31.284290176 +0100
@@ -0,0 +1,23 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2134,9 +2135,100 @@ diff -up openssh-6.2p1/openssh-lpk-sun.schema.ldap openssh-6.2p1/openssh-lpk-sun
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
-diff -up openssh-6.2p2/ssh-ldap.conf.5.ldap openssh-6.2p2/ssh-ldap.conf.5
---- openssh-6.2p2/ssh-ldap.conf.5.ldap 2013-06-07 15:10:05.604942680 +0200
-+++ openssh-6.2p2/ssh-ldap.conf.5 2013-06-07 15:10:24.928857566 +0200
+diff -urNp -x '*.orig' openssh-8.4p1.org/ssh-ldap-helper.8 openssh-8.4p1/ssh-ldap-helper.8
+--- openssh-8.4p1.org/ssh-ldap-helper.8 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/ssh-ldap-helper.8 2021-03-01 11:29:31.284290176 +0100
+@@ -0,0 +1,79 @@
++.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
++.\"
++.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
++.\"
++.\" Permission to use, copy, modify, and distribute this software for any
++.\" purpose with or without fee is hereby granted, provided that the above
++.\" copyright notice and this permission notice appear in all copies.
++.\"
++.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++.\"
++.Dd $Mdocdate: April 29 2010 $
++.Dt SSH-LDAP-HELPER 8
++.Os
++.Sh NAME
++.Nm ssh-ldap-helper
++.Nd sshd helper program for ldap support
++.Sh SYNOPSIS
++.Nm ssh-ldap-helper
++.Op Fl devw
++.Op Fl f Ar file
++.Op Fl s Ar user
++.Sh DESCRIPTION
++.Nm
++is used by
++.Xr sshd 1
++to access keys provided by an LDAP.
++.Nm
++is disabled by default and can only be enabled in the
++sshd configuration file
++.Pa /etc/ssh/sshd_config
++by setting
++.Cm AuthorizedKeysCommand
++to
++.Dq /usr/libexec/ssh-ldap-wrapper .
++.Pp
++.Nm
++is not intended to be invoked by the user, but from
++.Xr sshd 8 via
++.Xr ssh-ldap-wrapper .
++.Pp
++The options are as follows:
++.Bl -tag -width Ds
++.It Fl d
++Set the debug mode;
++.Nm
++prints all logs to stderr instead of syslog.
++.It Fl e
++Implies \-w;
++.Nm
++halts if it encounters an unknown item in the ldap.conf file.
++.It Fl f
++.Nm
++uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
++.It Fl s
++.Nm
++prints out the user's keys to stdout and exits.
++.It Fl v
++Implies \-d;
++increases verbosity.
++.It Fl w
++.Nm
++writes warnings about unknown items in the ldap.conf configuration file.
++.El
++.Sh SEE ALSO
++.Xr sshd 8 ,
++.Xr sshd_config 5 ,
++.Xr ssh-ldap.conf 5 ,
++.Sh HISTORY
++.Nm
++first appeared in
++OpenSSH 5.5 + PKA-LDAP .
++.Sh AUTHORS
++.An Jan F. Chadima Aq jchadima@redhat.com
+diff -urNp -x '*.orig' openssh-8.4p1.org/ssh-ldap-wrapper openssh-8.4p1/ssh-ldap-wrapper
+--- openssh-8.4p1.org/ssh-ldap-wrapper 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/ssh-ldap-wrapper 2021-03-01 11:29:31.284290176 +0100
+@@ -0,0 +1,4 @@
++#!/bin/sh
++
++exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
++
+diff -urNp -x '*.orig' openssh-8.4p1.org/ssh-ldap.conf.5 openssh-8.4p1/ssh-ldap.conf.5
+--- openssh-8.4p1.org/ssh-ldap.conf.5 1970-01-01 01:00:00.000000000 +0100
++++ openssh-8.4p1/ssh-ldap.conf.5 2021-03-01 11:29:31.284290176 +0100
@@ -0,0 +1,379 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
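Review bot: The wrapper's hardcoded helper path does not match the path the man page tells administrators to configure: the script execs `/usr/libexec/openssh/ssh-ldap-helper` while the DESCRIPTION says to set AuthorizedKeysCommand to `/usr/libexec/ssh-ldap-wrapper`, so one of the two directories is wrong unless packaging rewrites the script, and both should be derived from the same libexecdir. The DESCRIPTION also presents AuthorizedKeysCommand as the only required setting, but sshd 8.4 refuses to start when AuthorizedKeysCommand is set without AuthorizedKeysCommandUser, and the helper then runs as that user; the man page should add a sentence saying that AuthorizedKeysCommandUser must be set and that /etc/ssh/ldap.conf, which can carry `bindpw` (see the example config earlier in this patch), must be readable by that user and by nobody else. Finally, `.Xr sshd 1` in the DESCRIPTION should be `.Xr sshd 8` as it already is a few lines below, and the trailing comma on the last `.Xr ssh-ldap.conf 5 ,` in SEE ALSO should be dropped.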
@@ -2517,94 +2609,3 @@ diff -up openssh-6.2p2/ssh-ldap.conf.5.ldap openssh-6.2p2/ssh-ldap.conf.5
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima@redhat.com
-diff -up openssh-6.2p1/ssh-ldap-helper.8.ldap openssh-6.2p1/ssh-ldap-helper.8
---- openssh-6.2p1/ssh-ldap-helper.8.ldap 2013-03-25 21:27:15.895248117 +0100
-+++ openssh-6.2p1/ssh-ldap-helper.8 2013-03-25 21:27:15.895248117 +0100
-@@ -0,0 +1,79 @@
-+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
-+.\"
-+.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
-+.\"
-+.\" Permission to use, copy, modify, and distribute this software for any
-+.\" purpose with or without fee is hereby granted, provided that the above
-+.\" copyright notice and this permission notice appear in all copies.
-+.\"
-+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+.\"
-+.Dd $Mdocdate: April 29 2010 $
-+.Dt SSH-LDAP-HELPER 8
-+.Os
-+.Sh NAME
-+.Nm ssh-ldap-helper
-+.Nd sshd helper program for ldap support
-+.Sh SYNOPSIS
-+.Nm ssh-ldap-helper
-+.Op Fl devw
-+.Op Fl f Ar file
-+.Op Fl s Ar user
-+.Sh DESCRIPTION
-+.Nm
-+is used by
-+.Xr sshd 1
-+to access keys provided by an LDAP.
-+.Nm
-+is disabled by default and can only be enabled in the
-+sshd configuration file
-+.Pa /etc/ssh/sshd_config
-+by setting
-+.Cm AuthorizedKeysCommand
-+to
-+.Dq /usr/libexec/ssh-ldap-wrapper .
-+.Pp
-+.Nm
-+is not intended to be invoked by the user, but from
-+.Xr sshd 8 via
-+.Xr ssh-ldap-wrapper .
-+.Pp
-+The options are as follows:
-+.Bl -tag -width Ds
-+.It Fl d
-+Set the debug mode;
-+.Nm
-+prints all logs to stderr instead of syslog.
-+.It Fl e
-+Implies \-w;
-+.Nm
-+halts if it encounters an unknown item in the ldap.conf file.
-+.It Fl f
-+.Nm
-+uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
-+.It Fl s
-+.Nm
-+prints out the user's keys to stdout and exits.
-+.It Fl v
-+Implies \-d;
-+increases verbosity.
-+.It Fl w
-+.Nm
-+writes warnings about unknown items in the ldap.conf configuration file.
-+.El
-+.Sh SEE ALSO
-+.Xr sshd 8 ,
-+.Xr sshd_config 5 ,
-+.Xr ssh-ldap.conf 5 ,
-+.Sh HISTORY
-+.Nm
-+first appeared in
-+OpenSSH 5.5 + PKA-LDAP .
-+.Sh AUTHORS
-+.An Jan F. Chadima Aq jchadima@redhat.com
-diff -up openssh-6.2p1/ssh-ldap-wrapper.ldap openssh-6.2p1/ssh-ldap-wrapper
---- openssh-6.2p1/ssh-ldap-wrapper.ldap 2013-03-25 21:27:15.896248124 +0100
-+++ openssh-6.2p1/ssh-ldap-wrapper 2013-03-25 21:27:15.896248124 +0100
-@@ -0,0 +1,4 @@
-+#!/bin/sh
-+
-+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
-+
diff --git a/openssh-sigpipe.patch b/openssh-sigpipe.patch
index a190b7c..244b177 100644
--- a/openssh-sigpipe.patch
+++ b/openssh-sigpipe.patch
@@ -1,16 +1,17 @@
---- openssh-4.0p1/clientloop.c.orig 2005-03-01 11:24:33.000000000 +0100
-+++ openssh-4.0p1/clientloop.c 2005-03-10 15:10:05.000000000 +0100
-@@ -104,6 +104,9 @@
- */
- extern char *host;
+diff -urNp -x '*.orig' openssh-8.4p1.org/clientloop.c openssh-8.4p1/clientloop.c
+--- openssh-8.4p1.org/clientloop.c 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/clientloop.c 2021-03-01 11:29:10.909905265 +0100
+@@ -127,6 +127,9 @@ extern int fork_after_authentication_fla
+ /* Control socket */
+ extern int muxserver_sock; /* XXX use mux_client_cleanup() instead */
+/* if we process SIGPIPE */
+extern int enable_sigpipe;
+
/*
- * Flag to indicate that we have received a window change signal which has
- * not yet been processed. This will cause a message indicating the new
-@@ -1317,6 +1317,8 @@ client_loop(struct ssh *ssh, int have_pt
+ * Name of the host we are connecting to. This is the name given on the
+ * command line, or the Hostname specified for the user-supplied name in a
+@@ -1301,6 +1304,8 @@ client_loop(struct ssh *ssh, int have_pt
ssh_signal(SIGQUIT, signal_handler);
if (ssh_signal(SIGTERM, SIG_IGN) != SIG_IGN)
ssh_signal(SIGTERM, signal_handler);
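Review bot: The comment on the new extern in clientloop.c, `/* if we process SIGPIPE */` (L1689–L1690), does not say what the flag means or where it is set; it is defined as `int enable_sigpipe = 0;` in ssh.c (visible as context further down) and apparently set from a new getopt case, but that has to be guessed from the surrounding hunks. A declaration comment such as `/* non-zero when SIGPIPE handling is enabled; defined in ssh.c and set from the command line */` would make the cross-file coupling explicit for the next rediff. The two lines the inner hunk adds to client_loop() after the SIGTERM setup are not part of this outer hunk, so the handler installation itself cannot be reviewed here.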
@@ -19,10 +20,10 @@
ssh_signal(SIGWINCH, window_change_handler);
if (have_pty)
-diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0
---- openssh-3.9p1.org/ssh.0 2004-08-17 19:03:29.327565840 +0200
-+++ openssh-3.9p1/ssh.0 2004-08-17 19:03:41.809668272 +0200
-@@ -433,6 +433,8 @@ DESCRIPTION
+diff -urNp -x '*.orig' openssh-8.4p1.org/ssh.0 openssh-8.4p1/ssh.0
+--- openssh-8.4p1.org/ssh.0 2020-09-27 09:42:10.000000000 +0200
++++ openssh-8.4p1/ssh.0 2021-03-01 11:29:10.909905265 +0100
+@@ -446,6 +446,8 @@ DESCRIPTION
-y Send log information using the syslog(3) system module. By
default this information is sent to stderr.
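Review bot: The rediff keeps a separate hunk for `ssh.0` (new header at L1709–L1711) next to the one for `ssh.1`; ssh.0 is the pre-formatted catpage produced from ssh.1 at release time — its 09:42:10 mtime trailing the 09:25:01 sources is consistent with that — so the same option text is carried twice and will drift silently when only one copy is updated in a future rediff. If the package does not install catpages, the ssh.0 section can be dropped so ssh.1 is the single source; if it does, a one-line comment at the top of the patch file stating that the ssh.0 hunk must mirror the ssh.1 hunk would at least flag the duplication.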
@@ -31,10 +32,11 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0
ssh may additionally obtain configuration data from a per-user
configuration file and a system-wide configuration file. The file format
and configuration options are described in ssh_config(5).
---- openssh-5.6p1/ssh.1~ 2010-08-24 14:05:48.000000000 +0300
-+++ openssh-5.6p1/ssh.1 2010-08-24 14:06:57.879253682 +0300
+diff -urNp -x '*.orig' openssh-8.4p1.org/ssh.1 openssh-8.4p1/ssh.1
+--- openssh-8.4p1.org/ssh.1 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/ssh.1 2021-03-01 11:29:10.909905265 +0100
@@ -42,7 +42,7 @@
- .Nd OpenSSH SSH client (remote login program)
+ .Nd OpenSSH remote login client
.Sh SYNOPSIS
.Nm ssh
-.Op Fl 46AaCfGgKkMNnqsTtVvXxYy
@@ -42,7 +44,7 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0
.Op Fl B Ar bind_interface
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
-@@ -138,6 +138,11 @@ on the local machine as the source addre
+@@ -142,6 +142,11 @@ on the local machine as the source addre
of the connection.
Only useful on systems with more than one address.
.Pp
@@ -54,9 +56,10 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0
.It Fl C
Requests compression of all data (including stdin, stdout, stderr, and
data for forwarded X11, TCP and
---- openssh-4.0p1/ssh.c.orig 2005-03-02 02:04:33.000000000 +0100
-+++ openssh-4.0p1/ssh.c 2005-03-10 15:11:10.000000000 +0100
-@@ -135,6 +135,9 @@
+diff -urNp -x '*.orig' openssh-8.4p1.org/ssh.c openssh-8.4p1/ssh.c
+--- openssh-8.4p1.org/ssh.c 2020-09-27 09:25:01.000000000 +0200
++++ openssh-8.4p1/ssh.c 2021-03-01 11:29:10.909905265 +0100
+@@ -190,6 +190,9 @@ struct sshbuf *command;
/* Should we execute a command or invoke a subsystem? */
int subsystem_flag = 0;
@@ -64,9 +67,9 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0
+int enable_sigpipe = 0;
+
/* # of replies received for global requests */
- static int client_global_request_id = 0;
+ static int forward_confirms_pending = -1;
-@@ -204,7 +204,7 @@ static void
+@@ -203,7 +206,7 @@ static void
usage(void)
{
fprintf(stderr,
@@ -75,7 +78,7 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0
" [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]\n"
" [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]\n"
" [-i identity_file] [-J [user@]host[:port]] [-L address]\n"
-@@ -666,7 +666,7 @@ main(int ac, char **av)
+@@ -722,7 +725,7 @@ main(int ac, char **av)
again:
while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
@@ -84,7 +87,7 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0
switch (opt) {
case '1':
fatal("SSH protocol v.1 is no longer supported");
-@@ -985,6 +985,9 @@ main(int ac, char **av)
+@@ -1066,6 +1069,9 @@ main(int ac, char **av)
case 'F':
config = optarg;
break;
@@ -94,4 +97,3 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0
default:
usage();
}
-