Merge 6.7p1.

  * New upstream release (http://www.openssh.com/txt/release-6.7):
    - sshd(8): The default set of ciphers and MACs has been altered to
      remove unsafe algorithms.  In particular, CBC ciphers and arcfour* are
      disabled by default.  The full set of algorithms remains available if
      configured explicitly via the Ciphers and MACs sshd_config options.
    - ssh(1), sshd(8): Add support for Unix domain socket forwarding.  A
      remote TCP port may be forwarded to a local Unix domain socket and
      vice versa or both ends may be a Unix domain socket (closes: #236718).
    - ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519
      key types.
    - sftp(1): Allow resumption of interrupted uploads.
    - ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is
      the same as the one sent during initial key exchange.
    - sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses
      when GatewayPorts=no; allows client to choose address family.
    - sshd(8): Add a sshd_config PermitUserRC option to control whether
      ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
      option.
    - ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that
      expands to a unique identifer based on a hash of the tuple of (local
      host, remote user, hostname, port).  Helps avoid exceeding miserly
      pathname limits for Unix domain sockets in multiplexing control paths.
    - sshd(8): Make the "Too many authentication failures" message include
      the user, source address, port and protocol in a format similar to the
      authentication success / failure messages.
    - Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
      available. It considers time spent suspended, thereby ensuring
      timeouts (e.g. for expiring agent keys) fire correctly (closes:
      #734553).
    - Use prctl() to prevent sftp-server from accessing
      /proc/self/{mem,maps}.
  * Restore TCP wrappers support, removed upstream in 6.7.  It is true that
    dropping this reduces preauth attack surface in sshd.  On the other
    hand, this support seems to be quite widely used, and abruptly dropping
    it (from the perspective of users who don't read openssh-unix-dev) could
    easily cause more serious problems in practice.  It's not entirely clear
    what the right long-term answer for Debian is, but it at least probably
    doesn't involve dropping this feature shortly before a freeze.
  * Replace patch to disable OpenSSL version check with an updated version
    of Kurt Roeckx's patch from #732940 to just avoid checking the status
    field.

1 files changed, 34 insertions, 33 deletions

diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
index e3ff4d7e4..e50c77f62 100644
--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,33 +1,33 @@
-From 7a26d16efb4ee303c8d66ee82caf9d0686f4a074 Mon Sep 17 00:00:00 2001
+From f51fe0c55e54c12db952624e980d18f39c41e581 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:57 +0000
 Subject: Add support for registering ConsoleKit sessions on login
 
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450
-Last-Updated: 2014-03-20
+Last-Updated: 2014-10-07
 
 Patch-Name: consolekit.patch
 ---
  Makefile.in    |   3 +-
  configure      | 132 +++++++++++++++++++++++++++++++
  configure.ac   |  25 ++++++
- consolekit.c   | 240 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ consolekit.c   | 241 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  consolekit.h   |  24 ++++++
  monitor.c      |  42 ++++++++++
  monitor.h      |   2 +
- monitor_wrap.c |  30 ++++++++
+ monitor_wrap.c |  30 +++++++
  monitor_wrap.h |   4 +
  session.c      |  13 ++++
  session.h      |   6 ++
- 11 files changed, 520 insertions(+), 1 deletion(-)
+ 11 files changed, 521 insertions(+), 1 deletion(-)
  create mode 100644 consolekit.c
  create mode 100644 consolekit.h
 
 diff --git a/Makefile.in b/Makefile.in
-index ee1d2c3..3d96c05 100644
+index 086d8dd..c4cb8ea 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -97,7 +97,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+@@ -107,7 +107,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
         sftp-server.o sftp-common.o \
         roaming_common.o roaming_serv.o \
         sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
@@ -38,10 +38,10 @@ index ee1d2c3..3d96c05 100644
  MANPAGES       = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
  MANPAGES_IN    = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
 diff --git a/configure b/configure
-index b6b5b6d..e2f12cd 100755
+index ea5f200..7be478a 100755
 --- a/configure
 +++ b/configure
-@@ -740,6 +740,7 @@ with_privsep_user
+@@ -739,6 +739,7 @@ with_privsep_user
  with_sandbox
  with_selinux
  with_kerberos5
@@ -49,7 +49,7 @@ index b6b5b6d..e2f12cd 100755
  with_privsep_path
  with_xauth
  enable_strip
-@@ -1432,6 +1433,7 @@ Optional Packages:
+@@ -1430,6 +1431,7 @@ Optional Packages:
    --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)
    --with-selinux          Enable SELinux support
    --with-kerberos5=PATH   Enable Kerberos 5 support
@@ -57,7 +57,7 @@ index b6b5b6d..e2f12cd 100755
    --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
    --with-xauth=PATH       Specify path to xauth program
    --with-maildir=/path/to/mail    Specify your system mail directory
-@@ -17217,6 +17219,135 @@ fi
+@@ -17211,6 +17213,135 @@ fi
  
  
  
@@ -193,7 +193,7 @@ index b6b5b6d..e2f12cd 100755
  # Looking for programs, paths and files
  
  PRIVSEP_PATH=/var/empty
-@@ -19746,6 +19877,7 @@ echo "              MD5 password support: $MD5_MSG"
+@@ -19739,6 +19870,7 @@ echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
  echo "           Solaris project support: $SP_MSG"
@@ -202,10 +202,10 @@ index b6b5b6d..e2f12cd 100755
  echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
  echo "                  BSD Auth support: $BSD_AUTH_MSG"
 diff --git a/configure.ac b/configure.ac
-index d235fb0..8669271 100644
+index 7f160f1..f5c65c5 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4072,6 +4072,30 @@ AC_ARG_WITH([kerberos5],
+@@ -4113,6 +4113,30 @@ AC_ARG_WITH([kerberos5],
  AC_SUBST([GSSLIBS])
  AC_SUBST([K5LIBS])
  
@@ -236,7 +236,7 @@ index d235fb0..8669271 100644
  # Looking for programs, paths and files
  
  PRIVSEP_PATH=/var/empty
-@@ -4873,6 +4897,7 @@ echo "              MD5 password support: $MD5_MSG"
+@@ -4914,6 +4938,7 @@ echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
  echo "           Solaris project support: $SP_MSG"
@@ -246,10 +246,10 @@ index d235fb0..8669271 100644
  echo "                  BSD Auth support: $BSD_AUTH_MSG"
 diff --git a/consolekit.c b/consolekit.c
 new file mode 100644
-index 0000000..f1039e6
+index 0000000..0266f06
 --- /dev/null
 +++ b/consolekit.c
-@@ -0,0 +1,240 @@
+@@ -0,0 +1,241 @@
 +/*
 + * Copyright (c) 2008 Colin Watson.  All rights reserved.
 + *
@@ -305,6 +305,7 @@ index 0000000..f1039e6
 +#include "hostfile.h"
 +#include "auth.h"
 +#include "log.h"
++#include "misc.h"
 +#include "servconf.h"
 +#include "canohost.h"
 +#include "session.h"
@@ -521,10 +522,10 @@ index 0000000..8ce3716
 +
 +#endif /* USE_CONSOLEKIT */
 diff --git a/monitor.c b/monitor.c
-index 11eac63..7c105e6 100644
+index 94b194d..cc15ce4 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -97,6 +97,9 @@
+@@ -100,6 +100,9 @@
  #include "ssh2.h"
  #include "roaming.h"
  #include "authfd.h"
@@ -534,7 +535,7 @@ index 11eac63..7c105e6 100644
  
  #ifdef GSSAPI
  static Gssctxt *gsscontext = NULL;
-@@ -187,6 +190,10 @@ int mm_answer_audit_command(int, Buffer *);
+@@ -190,6 +193,10 @@ int mm_answer_audit_command(int, Buffer *);
  
  static int monitor_read_log(struct monitor *);
  
@@ -543,9 +544,9 @@ index 11eac63..7c105e6 100644
 +#endif
 +
  static Authctxt *authctxt;
- static BIGNUM *ssh1_challenge = NULL;  /* used for ssh1 rsa auth */
  
-@@ -272,6 +279,9 @@ struct mon_table mon_dispatch_postauth20[] = {
+ #ifdef WITH_SSH1
+@@ -282,6 +289,9 @@ struct mon_table mon_dispatch_postauth20[] = {
      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
      {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
  #endif
@@ -555,17 +556,17 @@ index 11eac63..7c105e6 100644
      {0, 0, NULL}
  };
  
-@@ -314,6 +324,9 @@ struct mon_table mon_dispatch_postauth15[] = {
+@@ -327,6 +337,9 @@ struct mon_table mon_dispatch_postauth15[] = {
      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
      {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
  #endif
 +#ifdef USE_CONSOLEKIT
 +    {MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register},
 +#endif
+ #endif /* WITH_SSH1 */
      {0, 0, NULL}
  };
- 
-@@ -492,6 +505,9 @@ monitor_child_postauth(struct monitor *pmonitor)
+@@ -509,6 +522,9 @@ monitor_child_postauth(struct monitor *pmonitor)
                 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
         }
@@ -575,7 +576,7 @@ index 11eac63..7c105e6 100644
  
         for (;;)
                 monitor_read(pmonitor, mon_dispatch, NULL);
-@@ -2269,3 +2285,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
+@@ -2296,3 +2312,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
  
  #endif /* GSSAPI */
  
@@ -619,10 +620,10 @@ index 4d5e8fa..10ba59e 100644
  
  struct mm_master;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index f75dc9d..a8fb07b 100644
+index 6dc890a..4c57d4d 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -1353,3 +1353,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
+@@ -1363,3 +1363,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
  
  #endif /* GSSAPI */
  
@@ -670,10 +671,10 @@ index 9c2ee49..00e93fe 100644
 +
  #endif /* _MM_WRAP_H_ */
 diff --git a/session.c b/session.c
-index 6848df4..9d43fc3 100644
+index 6f389ac..6250c20 100644
 --- a/session.c
 +++ b/session.c
-@@ -92,6 +92,7 @@
+@@ -93,6 +93,7 @@
  #include "kex.h"
  #include "monitor_wrap.h"
  #include "sftp.h"
@@ -681,7 +682,7 @@ index 6848df4..9d43fc3 100644
  
  #if defined(KRB5) && defined(USE_AFS)
  #include <kafs.h>
-@@ -1160,6 +1161,9 @@ do_setup_env(Session *s, const char *shell)
+@@ -1143,6 +1144,9 @@ do_setup_env(Session *s, const char *shell)
  #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
         char *path = NULL;
  #endif
@@ -691,7 +692,7 @@ index 6848df4..9d43fc3 100644
  
         /* Initialize the environment. */
         envsize = 100;
-@@ -1304,6 +1308,11 @@ do_setup_env(Session *s, const char *shell)
+@@ -1287,6 +1291,11 @@ do_setup_env(Session *s, const char *shell)
                 child_set_env(&env, &envsize, "KRB5CCNAME",
                     s->authctxt->krb5_ccname);
  #endif
@@ -703,7 +704,7 @@ index 6848df4..9d43fc3 100644
  #ifdef USE_PAM
         /*
          * Pull in any environment variables that may have
-@@ -2353,6 +2362,10 @@ session_pty_cleanup2(Session *s)
+@@ -2350,6 +2359,10 @@ session_pty_cleanup2(Session *s)
  
         debug("session_pty_cleanup: session %d release %s", s->self, s->tty);