merge patched into master

32 files changed, 277 insertions, 137 deletions

diff --git a/debian/.git-dpm b/debian/.git-dpm
index cd9486a07..e8c4eb71a 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-9cbb60f5e4932634db04c330c88abc49cc5567bd
-9cbb60f5e4932634db04c330c88abc49cc5567bd
+db4cdf7b763414af951c7f4031b10679c54d7988
+db4cdf7b763414af951c7f4031b10679c54d7988
 796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7
 796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7
 openssh_6.6p1.orig.tar.gz
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 8d26d7b6f..96632057b 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -9,10 +9,10 @@ Last-Update: 2013-09-14
 
 Patch-Name: auth-log-verbosity.patch
 ---
- auth-options.c | 35 ++++++++++++++++++++++++++---------
- auth-options.h |  1 +
- auth-rsa.c     |  2 ++
- auth2-pubkey.c |  3 +++
+ auth-options.c |   35 ++++++++++++++++++++++++++---------
+ auth-options.h |    1 +
+ auth-rsa.c     |    2 ++
+ auth2-pubkey.c |    3 +++
  4 files changed, 32 insertions(+), 9 deletions(-)
 
 diff --git a/auth-options.c b/auth-options.c
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 74bfb46e6..fbe7b40c0 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -9,7 +9,7 @@ Last-Update: 2013-09-14
 
 Patch-Name: authorized-keys-man-symlink.patch
 ---
- Makefile.in | 1 +
+ Makefile.in |    1 +
  1 file changed, 1 insertion(+)
 
 diff --git a/Makefile.in b/Makefile.in
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
index e3ff4d7e4..938bd6baa 100644
--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -8,17 +8,17 @@ Last-Updated: 2014-03-20
 
 Patch-Name: consolekit.patch
 ---
- Makefile.in    |   3 +-
- configure      | 132 +++++++++++++++++++++++++++++++
- configure.ac   |  25 ++++++
- consolekit.c   | 240 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- consolekit.h   |  24 ++++++
- monitor.c      |  42 ++++++++++
- monitor.h      |   2 +
- monitor_wrap.c |  30 ++++++++
- monitor_wrap.h |   4 +
- session.c      |  13 ++++
- session.h      |   6 ++
+ Makefile.in    |    3 +-
+ configure      |  132 +++++++++++++++++++++++++++++++
+ configure.ac   |   25 ++++++
+ consolekit.c   |  240 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ consolekit.h   |   24 ++++++
+ monitor.c      |   42 ++++++++++
+ monitor.h      |    2 +
+ monitor_wrap.c |   30 +++++++
+ monitor_wrap.h |    4 +
+ session.c      |   13 +++
+ session.h      |    6 ++
  11 files changed, 520 insertions(+), 1 deletion(-)
  create mode 100644 consolekit.c
  create mode 100644 consolekit.h
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 49219cf93..14e6a5d54 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -12,10 +12,10 @@ Last-Update: 2013-09-14
 
 Patch-Name: debian-banner.patch
 ---
- servconf.c    | 9 +++++++++
- servconf.h    | 2 ++
- sshd.c        | 3 ++-
- sshd_config.5 | 5 +++++
+ servconf.c    |    9 +++++++++
+ servconf.h    |    2 ++
+ sshd.c        |    3 ++-
+ sshd_config.5 |    5 +++++
  4 files changed, 18 insertions(+), 1 deletion(-)
 
 diff --git a/servconf.c b/servconf.c
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 9bb0c6520..ac15d90e0 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -26,11 +26,11 @@ Last-Update: 2014-02-12
 
 Patch-Name: debian-config.patch
 ---
- readconf.c    |  2 +-
- ssh_config    |  7 ++++++-
- ssh_config.5  | 19 ++++++++++++++++++-
- sshd_config   |  1 +
- sshd_config.5 | 25 +++++++++++++++++++++++++
+ readconf.c    |    2 +-
+ ssh_config    |    7 ++++++-
+ ssh_config.5  |   19 ++++++++++++++++++-
+ sshd_config   |    1 +
+ sshd_config.5 |   25 +++++++++++++++++++++++++
  5 files changed, 51 insertions(+), 3 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index bc89c50fc..b3889ba0e 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -12,9 +12,9 @@ Last-Update: 2010-04-06
 
 Patch-Name: dnssec-sshfp.patch
 ---
- dns.c                           | 14 +++++++++++++-
- openbsd-compat/getrrsetbyname.c | 10 +++++-----
- openbsd-compat/getrrsetbyname.h |  3 +++
+ dns.c                           |   14 +++++++++++++-
+ openbsd-compat/getrrsetbyname.c |   10 +++++-----
+ openbsd-compat/getrrsetbyname.h |    3 +++
  3 files changed, 21 insertions(+), 6 deletions(-)
 
 diff --git a/dns.c b/dns.c
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 16c40b05f..73ca79c6b 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -9,7 +9,7 @@ Last-Update: 2013-09-14
 
 Patch-Name: doc-hash-tab-completion.patch
 ---
- ssh_config.5 | 3 +++
+ ssh_config.5 |    3 +++
  1 file changed, 3 insertions(+)
 
 diff --git a/ssh_config.5 b/ssh_config.5
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index da8fc7ed4..873869869 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -8,7 +8,7 @@ Last-Update: 2013-09-14
 
 Patch-Name: doc-upstart.patch
 ---
- sshd.8 | 5 ++++-
+ sshd.8 |    5 ++++-
  1 file changed, 4 insertions(+), 1 deletion(-)
 
 diff --git a/sshd.8 b/sshd.8
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index dab518f65..7503cc172 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -8,7 +8,7 @@ Last-Update: 2010-02-28
 
 Patch-Name: gnome-ssh-askpass2-icon.patch
 ---
- contrib/gnome-ssh-askpass2.c | 2 ++
+ contrib/gnome-ssh-askpass2.c |    2 ++
  1 file changed, 2 insertions(+)
 
 diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index d8439bf03..cf0ad8cad 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -21,39 +21,39 @@ Last-Updated: 2014-03-19
 
 Patch-Name: gssapi.patch
 ---
- ChangeLog.gssapi | 113 +++++++++++++++++++
- Makefile.in      |   3 +-
- auth-krb5.c      |  17 ++-
- auth2-gss.c      |  48 +++++++-
- auth2.c          |   2 +
- clientloop.c     |  13 +++
- config.h.in      |   6 +
- configure        |  57 ++++++++++
- configure.ac     |  24 ++++
- gss-genr.c       | 275 ++++++++++++++++++++++++++++++++++++++++++++-
- gss-serv-krb5.c  |  85 ++++++++++++--
- gss-serv.c       | 221 +++++++++++++++++++++++++++++++-----
- kex.c            |  16 +++
- kex.h            |  14 +++
- kexgssc.c        | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
- kexgsss.c        | 289 ++++++++++++++++++++++++++++++++++++++++++++++++
- key.c            |   3 +-
- key.h            |   1 +
- monitor.c        | 108 +++++++++++++++++-
- monitor.h        |   3 +
- monitor_wrap.c   |  47 +++++++-
- monitor_wrap.h   |   4 +-
- readconf.c       |  42 +++++++
- readconf.h       |   5 +
- servconf.c       |  38 ++++++-
- servconf.h       |   3 +
- ssh-gss.h        |  41 ++++++-
- ssh_config       |   2 +
- ssh_config.5     |  34 +++++-
- sshconnect2.c    | 124 ++++++++++++++++++++-
- sshd.c           | 110 ++++++++++++++++++
- sshd_config      |   2 +
- sshd_config.5    |  28 +++++
+ ChangeLog.gssapi |  113 +++++++++++++++++++
+ Makefile.in      |    3 +-
+ auth-krb5.c      |   17 ++-
+ auth2-gss.c      |   48 +++++++-
+ auth2.c          |    2 +
+ clientloop.c     |   13 +++
+ config.h.in      |    6 +
+ configure        |   57 ++++++++++
+ configure.ac     |   24 ++++
+ gss-genr.c       |  275 +++++++++++++++++++++++++++++++++++++++++++-
+ gss-serv-krb5.c  |   85 ++++++++++++--
+ gss-serv.c       |  221 +++++++++++++++++++++++++++++++-----
+ kex.c            |   16 +++
+ kex.h            |   14 +++
+ kexgssc.c        |  332 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ kexgsss.c        |  289 +++++++++++++++++++++++++++++++++++++++++++++++
+ key.c            |    3 +-
+ key.h            |    1 +
+ monitor.c        |  108 +++++++++++++++++-
+ monitor.h        |    3 +
+ monitor_wrap.c   |   47 +++++++-
+ monitor_wrap.h   |    4 +-
+ readconf.c       |   42 +++++++
+ readconf.h       |    5 +
+ servconf.c       |   38 ++++++-
+ servconf.h       |    3 +
+ ssh-gss.h        |   41 ++++++-
+ ssh_config       |    2 +
+ ssh_config.5     |   34 +++++-
+ sshconnect2.c    |  124 +++++++++++++++++++-
+ sshd.c           |  110 ++++++++++++++++++
+ sshd_config      |    2 +
+ sshd_config.5    |   28 +++++
  33 files changed, 2051 insertions(+), 59 deletions(-)
  create mode 100644 ChangeLog.gssapi
  create mode 100644 kexgssc.c
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index e79f4990f..bcfc13c99 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -8,7 +8,7 @@ Last-Update: 2010-02-27
 
 Patch-Name: helpful-wait-terminate.patch
 ---
- serverloop.c | 2 +-
+ serverloop.c |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/serverloop.c b/serverloop.c
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 680701f3d..00066c220 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -20,9 +20,9 @@ Last-Update: 2013-09-14
 
 Patch-Name: keepalive-extensions.patch
 ---
- readconf.c    | 14 ++++++++++++--
- ssh_config.5  | 21 +++++++++++++++++++--
- sshd_config.5 |  3 +++
+ readconf.c    |   14 ++++++++++++--
+ ssh_config.5  |   21 +++++++++++++++++++--
+ sshd_config.5 |    3 +++
  3 files changed, 34 insertions(+), 4 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 09e09ecf8..2cd0c0bb5 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -11,7 +11,7 @@ Last-Update: 2013-09-14
 
 Patch-Name: lintian-symlink-pickiness.patch
 ---
- Makefile.in | 4 ++--
+ Makefile.in |    4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/Makefile.in b/Makefile.in
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index e00b6c345..261a28f38 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -9,7 +9,7 @@ Last-Update: 2013-09-14
 
 Patch-Name: mention-ssh-keygen-on-keychange.patch
 ---
- sshconnect.c | 7 ++++++-
+ sshconnect.c |    7 ++++++-
  1 file changed, 6 insertions(+), 1 deletion(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
diff --git a/debian/patches/no-openssl-version-check.patch b/debian/patches/no-openssl-version-check.patch
index 56fa46aac..67b24c80c 100644
--- a/debian/patches/no-openssl-version-check.patch
+++ b/debian/patches/no-openssl-version-check.patch
@@ -13,7 +13,7 @@ Last-Update: 2013-12-23
 
 Patch-Name: no-openssl-version-check.patch
 ---
- entropy.c | 12 ------------
+ entropy.c |   12 ------------
  1 file changed, 12 deletions(-)
 
 diff --git a/entropy.c b/entropy.c
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 9a34a4182..88c0241ec 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -14,11 +14,11 @@ Last-Update: 2013-09-14
 
 Patch-Name: openbsd-docs.patch
 ---
- moduli.5      |  4 ++--
- ssh-keygen.1  | 12 ++++--------
- ssh.1         |  4 ++++
- sshd.8        |  5 ++---
- sshd_config.5 |  3 +--
+ moduli.5      |    4 ++--
+ ssh-keygen.1  |   12 ++++--------
+ ssh.1         |    4 ++++
+ sshd.8        |    5 ++---
+ sshd_config.5 |    3 +--
  5 files changed, 13 insertions(+), 15 deletions(-)
 
 diff --git a/moduli.5 b/moduli.5
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index c9c20d1c0..49a3b17a6 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -13,9 +13,9 @@ Last-Update: 2013-09-14
 
 Patch-Name: package-versioning.patch
 ---
- sshconnect.c | 4 ++--
- sshd.c       | 2 +-
- version.h    | 7 ++++++-
+ sshconnect.c |    4 ++--
+ sshd.c       |    2 +-
+ version.h    |    7 ++++++-
  3 files changed, 9 insertions(+), 4 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 075b59823..ca713dfc3 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -18,7 +18,7 @@ Last-Update: 2013-09-14
 
 Patch-Name: quieter-signals.patch
 ---
- clientloop.c | 6 ++++--
+ clientloop.c |    6 ++++--
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/clientloop.c b/clientloop.c
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index ff037a43a..7749c8ea3 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -13,7 +13,7 @@ Last-Update: 2010-02-27
 
 Patch-Name: scp-quoting.patch
 ---
- scp.c | 12 ++++++++++--
+ scp.c |   12 ++++++++++--
  1 file changed, 10 insertions(+), 2 deletions(-)
 
 diff --git a/scp.c b/scp.c
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index e0ca12fb0..48f901c02 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -13,22 +13,22 @@ Last-Update: 2013-09-14
 
 Patch-Name: selinux-role.patch
 ---
- auth.h                      |  1 +
- auth1.c                     |  8 +++++++-
- auth2.c                     | 10 ++++++++--
- monitor.c                   | 32 +++++++++++++++++++++++++++++---
- monitor.h                   |  2 ++
- monitor_wrap.c              | 22 ++++++++++++++++++++--
- monitor_wrap.h              |  3 ++-
- openbsd-compat/port-linux.c | 27 ++++++++++++++++++++-------
- openbsd-compat/port-linux.h |  4 ++--
- platform.c                  |  4 ++--
- platform.h                  |  2 +-
- session.c                   | 10 +++++-----
- session.h                   |  2 +-
- sshd.c                      |  2 +-
- sshpty.c                    |  4 ++--
- sshpty.h                    |  2 +-
+ auth.h                      |    1 +
+ auth1.c                     |    8 +++++++-
+ auth2.c                     |   10 ++++++++--
+ monitor.c                   |   32 +++++++++++++++++++++++++++++---
+ monitor.h                   |    2 ++
+ monitor_wrap.c              |   22 ++++++++++++++++++++--
+ monitor_wrap.h              |    3 ++-
+ openbsd-compat/port-linux.c |   27 ++++++++++++++++++++-------
+ openbsd-compat/port-linux.h |    4 ++--
+ platform.c                  |    4 ++--
+ platform.h                  |    2 +-
+ session.c                   |   10 +++++-----
+ session.h                   |    2 +-
+ sshd.c                      |    2 +-
+ sshpty.c                    |    4 ++--
+ sshpty.h                    |    2 +-
  16 files changed, 104 insertions(+), 31 deletions(-)
 
 diff --git a/auth.h b/auth.h
diff --git a/debian/patches/series b/debian/patches/series
index 5d21e57d1..7bd72e6ed 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,3 +26,4 @@ no-openssl-version-check.patch
 gnome-ssh-askpass2-icon.patch
 sigstop.patch
 debian-config.patch
+sshfp_with_server_cert
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 48c16d2a2..c67d55002 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -12,7 +12,7 @@ Last-Update: 2013-09-14
 
 Patch-Name: shell-path.patch
 ---
- sshconnect.c | 4 ++--
+ sshconnect.c |    4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index ac9eb4794..91c9d5434 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -8,7 +8,7 @@ Last-Update: 2013-09-14
 
 Patch-Name: sigstop.patch
 ---
- sshd.c | 4 ++++
+ sshd.c |    4 ++++
  1 file changed, 4 insertions(+)
 
 diff --git a/sshd.c b/sshd.c
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index af23075b3..5df77f45d 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -9,7 +9,7 @@ Last-Update: 2013-06-08
 
 Patch-Name: ssh-agent-setgid.patch
 ---
- ssh-agent.1 | 15 +++++++++++++++
+ ssh-agent.1 |   15 +++++++++++++++
  1 file changed, 15 insertions(+)
 
 diff --git a/ssh-agent.1 b/ssh-agent.1
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index d456facea..2a54cd8e2 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -14,7 +14,7 @@ Last-Update: 2013-09-14
 
 Patch-Name: ssh-argv0.patch
 ---
- ssh.1 | 1 +
+ ssh.1 |    1 +
  1 file changed, 1 insertion(+)
 
 diff --git a/ssh.1 b/ssh.1
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index fa738b084..30f5056f2 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -12,8 +12,8 @@ Last-Update: 2014-02-09
 
 Patch-Name: ssh-vulnkey-compat.patch
 ---
- readconf.c | 1 +
- servconf.c | 1 +
+ readconf.c |    1 +
+ servconf.c |    1 +
  2 files changed, 2 insertions(+)
 
 diff --git a/readconf.c b/readconf.c
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index ded7c122a..60537323a 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -8,8 +8,8 @@ Last-Update: 2013-09-14
 
 Patch-Name: ssh1-keepalive.patch
 ---
- clientloop.c | 25 +++++++++++++++----------
- ssh_config.5 |  5 ++++-
+ clientloop.c |   25 +++++++++++++++----------
+ ssh_config.5 |    5 ++++-
  2 files changed, 19 insertions(+), 11 deletions(-)
 
 diff --git a/clientloop.c b/clientloop.c
diff --git a/debian/patches/sshfp_with_server_cert b/debian/patches/sshfp_with_server_cert
new file mode 100644
index 000000000..7e6a489e6
--- /dev/null
+++ b/debian/patches/sshfp_with_server_cert
@@ -0,0 +1,112 @@
+From db4cdf7b763414af951c7f4031b10679c54d7988 Mon Sep 17 00:00:00 2001
+From: Matthew Vernon <mcv21@cam.ac.uk>
+Date: Tue, 25 Mar 2014 11:02:33 +0000
+Subject: Attempt SSHFP lookup even if server presents a certificate
+
+If an ssh server presents a certificate to the client, then the client
+does not check the DNS for SSHFP records. This means that a malicious
+server can essentially disable DNS-host-key-checking, which means the
+client will fall back to asking the user (who will just say "yes" to
+the fingerprint, sadly).
+
+This patch means that the ssh client will, if necessary, extract the
+server key from the proffered certificate, and attempt to verify it
+against the DNS. The patch was written by Mark Wooding
+<mdw@distorted.org.uk>. I modified it to add one debug2 call, reviewed
+it, and tested it.
+
+Signed-off-by: Matthew Vernon <matthew@debian.org>
+Bug-Debian: http://bugs.debian.org/742513
+Patch-Name: sshfp_with_server_cert
+---
+ sshconnect.c |   67 ++++++++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 47 insertions(+), 20 deletions(-)
+
+diff --git a/sshconnect.c b/sshconnect.c
+index 87c3770..b8510d2 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -1218,36 +1218,63 @@ fail:
+        return -1;
+ }
+ 
++static int
++check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
++{
++       int rc = -1;
++       int flags = 0;
++       Key *raw_key = NULL;
++
++       if (!options.verify_host_key_dns)
++               goto done;
++
++       /* XXX certs are not yet supported for DNS; try looking the raw key
++        * up in the DNS anyway.
++        */
++       if (key_is_cert(host_key)) {
++         debug2("Extracting key from cert for SSHFP lookup");
++               raw_key = key_from_private(host_key);
++               if (key_drop_cert(raw_key))
++                       fatal("Couldn't drop certificate");
++               host_key = raw_key;
++       }
++
++       if (verify_host_key_dns(host, hostaddr, host_key, &flags))
++               goto done;
++
++       if (flags & DNS_VERIFY_FOUND) {
++
++               if (options.verify_host_key_dns == 1 &&
++                   flags & DNS_VERIFY_MATCH &&
++                   flags & DNS_VERIFY_SECURE) {
++                       rc = 0;
++               } else if (flags & DNS_VERIFY_MATCH) {
++                       matching_host_key_dns = 1;
++               } else {
++                       warn_changed_key(host_key);
++                       error("Update the SSHFP RR in DNS with the new "
++                             "host key to get rid of this message.");
++               }
++       }
++
++done:
++       if (raw_key)
++               key_free(raw_key);
++       return rc;
++}
++
+ /* returns 0 if key verifies or -1 if key does NOT verify */
+ int
+ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+ {
+-       int flags = 0;
+        char *fp;
+ 
+        fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+        debug("Server host key: %s %s", key_type(host_key), fp);
+        free(fp);
+ 
+-       /* XXX certs are not yet supported for DNS */
+-       if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+-           verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+-               if (flags & DNS_VERIFY_FOUND) {
+-
+-                       if (options.verify_host_key_dns == 1 &&
+-                           flags & DNS_VERIFY_MATCH &&
+-                           flags & DNS_VERIFY_SECURE)
+-                               return 0;
+-
+-                       if (flags & DNS_VERIFY_MATCH) {
+-                               matching_host_key_dns = 1;
+-                       } else {
+-                               warn_changed_key(host_key);
+-                               error("Update the SSHFP RR in DNS with the new "
+-                                   "host key to get rid of this message.");
+-                       }
+-               }
+-       }
++       if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
++               return 0;
+ 
+        return check_host_key(host, hostaddr, options.port, host_key, RDRW,
+            options.user_hostfiles, options.num_user_hostfiles,
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 7cbd3a7e3..01f7307de 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -16,8 +16,8 @@ Last-Update: 2013-09-14
 
 Patch-Name: syslog-level-silent.patch
 ---
- log.c | 1 +
- ssh.c | 2 +-
+ log.c |    1 +
+ ssh.c |    2 +-
  2 files changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/log.c b/log.c
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 3cdb9d8a1..107f15a23 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -17,14 +17,14 @@ Last-Update: 2013-09-14
 
 Patch-Name: user-group-modes.patch
 ---
- auth-rhosts.c |  6 ++----
- auth.c        |  9 +++-----
- misc.c        | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
- misc.h        |  2 ++
- platform.c    | 16 --------------
- readconf.c    |  5 +++--
- ssh.1         |  2 ++
- ssh_config.5  |  2 ++
+ auth-rhosts.c |    6 ++---
+ auth.c        |    9 +++-----
+ misc.c        |   69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ misc.h        |    2 ++
+ platform.c    |   16 -------------
+ readconf.c    |    5 +++--
+ ssh.1         |    2 ++
+ ssh_config.5  |    2 ++
  8 files changed, 82 insertions(+), 29 deletions(-)
 
 diff --git a/auth-rhosts.c b/auth-rhosts.c
diff --git a/sshconnect.c b/sshconnect.c
index 87c3770c0..b8510d201 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1218,36 +1218,63 @@ fail:
         return -1;
 }
 
+static int
+check_host_key_sshfp(char *host, struct sockaddr *hostaddr, Key *host_key)
+{
+        int rc = -1;
+        int flags = 0;
+        Key *raw_key = NULL;
+
+        if (!options.verify_host_key_dns)
+                goto done;
+
+        /* XXX certs are not yet supported for DNS; try looking the raw key
+         * up in the DNS anyway.
+         */
+        if (key_is_cert(host_key)) {
+          debug2("Extracting key from cert for SSHFP lookup");
+                raw_key = key_from_private(host_key);
+                if (key_drop_cert(raw_key))
+                        fatal("Couldn't drop certificate");
+                host_key = raw_key;
+        }
+
+        if (verify_host_key_dns(host, hostaddr, host_key, &flags))
+                goto done;
+
+        if (flags & DNS_VERIFY_FOUND) {
+
+                if (options.verify_host_key_dns == 1 &&
+                    flags & DNS_VERIFY_MATCH &&
+                    flags & DNS_VERIFY_SECURE) {
+                        rc = 0;
+                } else if (flags & DNS_VERIFY_MATCH) {
+                        matching_host_key_dns = 1;
+                } else {
+                        warn_changed_key(host_key);
+                        error("Update the SSHFP RR in DNS with the new "
+                              "host key to get rid of this message.");
+                }
+        }
+
+done:
+        if (raw_key)
+                key_free(raw_key);
+        return rc;
+}
+
 /* returns 0 if key verifies or -1 if key does NOT verify */
 int
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
-        int flags = 0;
         char *fp;
 
         fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
         debug("Server host key: %s %s", key_type(host_key), fp);
         free(fp);
 
-        /* XXX certs are not yet supported for DNS */
-        if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-            verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-                if (flags & DNS_VERIFY_FOUND) {
-
-                        if (options.verify_host_key_dns == 1 &&
-                            flags & DNS_VERIFY_MATCH &&
-                            flags & DNS_VERIFY_SECURE)
-                                return 0;
-
-                        if (flags & DNS_VERIFY_MATCH) {
-                                matching_host_key_dns = 1;
-                        } else {
-                                warn_changed_key(host_key);
-                                error("Update the SSHFP RR in DNS with the new "
-                                    "host key to get rid of this message.");
-                        }
-                }
-        }
+        if (check_host_key_sshfp(host, hostaddr, host_key) == 0)
+                return 0;
 
         return check_host_key(host, hostaddr, options.port, host_key, RDRW,
             options.user_hostfiles, options.num_user_hostfiles,