* New upstream release (http://www.openssh.org/txt/release-5.9).

  - Introduce sandboxing of the pre-auth privsep child using an optional
    sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
    mandatory restrictions on the syscalls the privsep child can perform.
  - Add new SHA256-based HMAC transport integrity modes from
    http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt.
  - The pre-authentication sshd(8) privilege separation slave process now
    logs via a socket shared with the master process, avoiding the need to
    maintain /dev/log inside the chroot (closes: #75043, #429243,
    #599240).
  - ssh(1) now warns when a server refuses X11 forwarding (closes:
    #504757).
  - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
    separated by whitespace (closes: #76312).  The authorized_keys2
    fallback is deprecated but documented (closes: #560156).
  - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4
    ToS/DSCP (closes: #498297).
  - ssh-add(1) now accepts keys piped from standard input.  E.g. "ssh-add
    - < /path/to/key" (closes: #229124).
  - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691).
  - Say "required" rather than "recommended" in unprotected-private-key
    warning (LP: #663455).

2 files changed, 8 insertions, 26 deletions

diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 6afdcc4b4..3a4dfea37 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary:        OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:           openssh
-Version:        5.8p1
+Version:        5.9p1
 URL:            http://www.openssh.com/
 Release:        1
 Source0:        openssh-%{version}.tar.gz
@@ -28,11 +28,12 @@ Provides:	ssh
 # (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
 # building prerequisites -- stuff for
 #   OpenSSL (openssl-devel),
-#   TCP Wrappers (nkitb),
+#   TCP Wrappers (tcpd-devel),
 #   and Gnome (glibdev, gtkdev, and gnlibsd)
 #
 BuildPrereq:    openssl
-BuildPrereq:    nkitb
+BuildPrereq:    tcpd-devel
+BuildPrereq:    zlib-devel
 #BuildPrereq:   glibdev
 #BuildPrereq:   gtkdev
 #BuildPrereq:   gnlibsd
@@ -177,15 +178,8 @@ rm -rf $RPM_BUILD_ROOT
 /usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || :
 
 %post
-if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
-        echo "Generating SSH RSA host key..."
-        /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N '' >&2
-fi
-if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
-        echo "Generating SSH DSA host key..."
-        /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' >&2
-fi
-%{fillup_and_insserv -n -s -y ssh sshd START_SSHD}
+/usr/bin/ssh-keygen -A
+%{fillup_and_insserv -n -y ssh sshd}
 %run_permissions
 
 %verifyscript
diff --git a/contrib/suse/rc.sshd b/contrib/suse/rc.sshd
index 4d4880d7e..4a3bc41db 100644
--- a/contrib/suse/rc.sshd
+++ b/contrib/suse/rc.sshd
@@ -43,20 +43,8 @@ rc_reset
 
 case "$1" in
     start)
-        if ! test -f /etc/ssh/ssh_host_key ; then
-            echo Generating /etc/ssh/ssh_host_key.
-            ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ''
-        fi
-        if ! test -f /etc/ssh/ssh_host_dsa_key ; then
-            echo Generating /etc/ssh/ssh_host_dsa_key.
-            
-            ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
-        fi
-        if ! test -f /etc/ssh/ssh_host_rsa_key ; then
-            echo Generating /etc/ssh/ssh_host_rsa_key.
-            
-            ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
-        fi
+        # Generate any missing host keys
+        ssh-keygen -A
         echo -n "Starting SSH daemon"
         ## Start daemon with startproc(8). If this fails
         ## the echo return value is set appropriate.