From 6a5e296ba702ee5316b3961a313051bc8beaa4cd Mon Sep 17 00:00:00 2001
From: Tomáš Mráz
Date: Jan 15 2009 10:52:07 +0000
Subject: - remove obsolete --with-rsh (#478298) - add pam_sepermit to allow blocking confined users in permissive mode (#471746) - move system-auth after pam_selinux in the session stack
---
diff --git a/openssh.spec b/openssh.spec
index 6d30b3e..d13db06 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -63,7 +63,7 @@
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 5.1p1
-Release: 4%{?dist}%{?rescue_rel}
+Release: 5%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -264,7 +264,6 @@ fi
 --libexecdir=%{_libexecdir}/openssh \
 --datadir=%{_datadir}/openssh \
 --with-tcp-wrappers \
- --with-rsh=%{_bindir}/rsh \
 --with-default-path=/usr/local/bin:/bin:/usr/bin \
 --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
 --with-privsep-path=%{_var}/empty/sshd \
@@ -479,6 +478,12 @@ fi
 %endif
 %changelog
+* Thu Jan 15 2009 Tomas Mraz - 5.1p1-5
+- remove obsolete --with-rsh (#478298)
+- add pam_sepermit to allow blocking confined users in permissive mode
+ (#471746)
+- move system-auth after pam_selinux in the session stack
+
 * Thu Dec 11 2008 Tomas Mraz - 5.1p1-4
 - set FD_CLOEXEC on channel sockets (#475866)
 - adjust summary
diff --git a/sshd.pam b/sshd.pam
index 54c526c..dcfa756 100644
--- a/sshd.pam
+++ b/sshd.pam
@@ -1,12 +1,13 @@
 #%PAM-1.0
+auth required pam_sepermit.so
 auth include system-auth
 account required pam_nologin.so
 account include system-auth
 password include system-auth
 # pam_selinux.so close should be the first session rule
 session required pam_selinux.so close
-session include system-auth
 session required pam_loginuid.so
 # pam_selinux.so open should only be followed by sessions to be executed in the user context
 session required pam_selinux.so open env_params
 session optional pam_keyinit.so force revoke
+session include system-auth
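Review bot: The added `auth required pam_sepermit.so` is only evaluated when sshd runs the PAM auth stack, and sshd does not do that for public-key or GSSAPI logins, which pass through the account and session stacks only. A confined user holding an authorized key would therefore presumably not be blocked in permissive mode, which is the case the changelog entry (#471746) sets out to cover. pam_sepermit also implements the account type, so `account required pam_sepermit.so` placed ahead of `account required pam_nologin.so` would apply the check to every authentication method. A one-line comment above the moved `session include system-auth`, saying it is meant to run after `pam_selinux.so open`, would also keep a later edit from moving it back.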