summaryrefslogtreecommitdiff
path: root/debian/patches/gssapi.patch
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2017-04-02 01:26:17 +0100
committerColin Watson <cjwatson@debian.org>2017-04-02 01:54:08 +0100
commit20adc7e0fc13ff9c7d270db250aac1fa140e3851 (patch)
tree5d9f06b0ff195db88093037d9102f0cdcf3884c6 /debian/patches/gssapi.patch
parentaf27669f905133925224acc753067dea710881dd (diff)
parentec338656a3d6b21bb87f3b6367b232d297f601e5 (diff)
New upstream release (7.5p1)
Diffstat (limited to 'debian/patches/gssapi.patch')
-rw-r--r--debian/patches/gssapi.patch118
1 files changed, 59 insertions, 59 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 7196d16b6..c74926dc6 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 48fbb156bdc676fb6ba6817770e4e971fbf85b1f Mon Sep 17 00:00:00 2001 1From d51c7ac3328464dec21514fb398ab5c140a0664f Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -43,9 +43,9 @@ Patch-Name: gssapi.patch
43 monitor.h | 3 + 43 monitor.h | 3 +
44 monitor_wrap.c | 47 +++++++- 44 monitor_wrap.c | 47 +++++++-
45 monitor_wrap.h | 4 +- 45 monitor_wrap.h | 4 +-
46 readconf.c | 42 +++++++ 46 readconf.c | 43 +++++++
47 readconf.h | 5 + 47 readconf.h | 5 +
48 servconf.c | 28 ++++- 48 servconf.c | 26 +++++
49 servconf.h | 2 + 49 servconf.h | 2 +
50 ssh-gss.h | 41 ++++++- 50 ssh-gss.h | 41 ++++++-
51 ssh_config | 2 + 51 ssh_config | 2 +
@@ -56,7 +56,7 @@ Patch-Name: gssapi.patch
56 sshd_config.5 | 10 ++ 56 sshd_config.5 | 10 ++
57 sshkey.c | 3 +- 57 sshkey.c | 3 +-
58 sshkey.h | 1 + 58 sshkey.h | 1 +
59 35 files changed, 2062 insertions(+), 148 deletions(-) 59 35 files changed, 2062 insertions(+), 147 deletions(-)
60 create mode 100644 ChangeLog.gssapi 60 create mode 100644 ChangeLog.gssapi
61 create mode 100644 kexgssc.c 61 create mode 100644 kexgssc.c
62 create mode 100644 kexgsss.c 62 create mode 100644 kexgsss.c
@@ -181,7 +181,7 @@ index 00000000..f117a336
181+ (from jbasney AT ncsa.uiuc.edu) 181+ (from jbasney AT ncsa.uiuc.edu)
182+ <gssapi-with-mic support is Bugzilla #1008> 182+ <gssapi-with-mic support is Bugzilla #1008>
183diff --git a/Makefile.in b/Makefile.in 183diff --git a/Makefile.in b/Makefile.in
184index e10f3742..00a320e1 100644 184index 5870e9e6..6b774c1a 100644
185--- a/Makefile.in 185--- a/Makefile.in
186+++ b/Makefile.in 186+++ b/Makefile.in
187@@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ 187@@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -454,7 +454,7 @@ index 1ca83577..3b5036df 100644
454 "gssapi-with-mic", 454 "gssapi-with-mic",
455 userauth_gssapi, 455 userauth_gssapi,
456diff --git a/auth2.c b/auth2.c 456diff --git a/auth2.c b/auth2.c
457index 9108b861..ce0d3760 100644 457index 97dd2ef0..946e9235 100644
458--- a/auth2.c 458--- a/auth2.c
459+++ b/auth2.c 459+++ b/auth2.c
460@@ -70,6 +70,7 @@ extern Authmethod method_passwd; 460@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
@@ -592,7 +592,7 @@ index 26d62855..0cadc9f1 100644
592 int get_peer_port(int); 592 int get_peer_port(int);
593 char *get_local_ipaddr(int); 593 char *get_local_ipaddr(int);
594diff --git a/clientloop.c b/clientloop.c 594diff --git a/clientloop.c b/clientloop.c
595index 4289a408..99c68b69 100644 595index 06481623..38b0330e 100644
596--- a/clientloop.c 596--- a/clientloop.c
597+++ b/clientloop.c 597+++ b/clientloop.c
598@@ -113,6 +113,10 @@ 598@@ -113,6 +113,10 @@
@@ -627,10 +627,10 @@ index 4289a408..99c68b69 100644
627 client_process_net_input(readset); 627 client_process_net_input(readset);
628 628
629diff --git a/config.h.in b/config.h.in 629diff --git a/config.h.in b/config.h.in
630index 75e02ab4..afe540e9 100644 630index b65420e4..fd8a73f1 100644
631--- a/config.h.in 631--- a/config.h.in
632+++ b/config.h.in 632+++ b/config.h.in
633@@ -1667,6 +1667,9 @@ 633@@ -1670,6 +1670,9 @@
634 /* Use btmp to log bad logins */ 634 /* Use btmp to log bad logins */
635 #undef USE_BTMP 635 #undef USE_BTMP
636 636
@@ -640,7 +640,7 @@ index 75e02ab4..afe540e9 100644
640 /* Use libedit for sftp */ 640 /* Use libedit for sftp */
641 #undef USE_LIBEDIT 641 #undef USE_LIBEDIT
642 642
643@@ -1682,6 +1685,9 @@ 643@@ -1685,6 +1688,9 @@
644 /* Use PIPES instead of a socketpair() */ 644 /* Use PIPES instead of a socketpair() */
645 #undef USE_PIPES 645 #undef USE_PIPES
646 646
@@ -651,7 +651,7 @@ index 75e02ab4..afe540e9 100644
651 #undef USE_SOLARIS_PRIVS 651 #undef USE_SOLARIS_PRIVS
652 652
653diff --git a/configure.ac b/configure.ac 653diff --git a/configure.ac b/configure.ac
654index eb9f45dc..5fdc696c 100644 654index c2878e3d..ead34acf 100644
655--- a/configure.ac 655--- a/configure.ac
656+++ b/configure.ac 656+++ b/configure.ac
657@@ -623,6 +623,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 657@@ -623,6 +623,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -1433,7 +1433,7 @@ index 53993d67..2e27cbf9 100644
1433 1433
1434 #endif 1434 #endif
1435diff --git a/kex.c b/kex.c 1435diff --git a/kex.c b/kex.c
1436index 6a94bc53..d8708684 100644 1436index cf4ac0dc..556a32e9 100644
1437--- a/kex.c 1437--- a/kex.c
1438+++ b/kex.c 1438+++ b/kex.c
1439@@ -54,6 +54,10 @@ 1439@@ -54,6 +54,10 @@
@@ -1473,7 +1473,7 @@ index 6a94bc53..d8708684 100644
1473 return NULL; 1473 return NULL;
1474 } 1474 }
1475 1475
1476@@ -597,6 +613,9 @@ kex_free(struct kex *kex) 1476@@ -605,6 +621,9 @@ kex_free(struct kex *kex)
1477 sshbuf_free(kex->peer); 1477 sshbuf_free(kex->peer);
1478 sshbuf_free(kex->my); 1478 sshbuf_free(kex->my);
1479 free(kex->session_id); 1479 free(kex->session_id);
@@ -2168,7 +2168,7 @@ index 00000000..38ca082b
2168+} 2168+}
2169+#endif /* GSSAPI */ 2169+#endif /* GSSAPI */
2170diff --git a/monitor.c b/monitor.c 2170diff --git a/monitor.c b/monitor.c
2171index 43f48470..76d9e346 100644 2171index 96d22b7e..506645c7 100644
2172--- a/monitor.c 2172--- a/monitor.c
2173+++ b/monitor.c 2173+++ b/monitor.c
2174@@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); 2174@@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
@@ -2199,7 +2199,7 @@ index 43f48470..76d9e346 100644
2199 #ifdef WITH_OPENSSL 2199 #ifdef WITH_OPENSSL
2200 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2200 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2201 #endif 2201 #endif
2202@@ -301,6 +310,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) 2202@@ -302,6 +311,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
2203 /* Permit requests for moduli and signatures */ 2203 /* Permit requests for moduli and signatures */
2204 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2204 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2205 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2205 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2210,7 +2210,7 @@ index 43f48470..76d9e346 100644
2210 2210
2211 /* The first few requests do not require asynchronous access */ 2211 /* The first few requests do not require asynchronous access */
2212 while (!authenticated) { 2212 while (!authenticated) {
2213@@ -400,6 +413,10 @@ monitor_child_postauth(struct monitor *pmonitor) 2213@@ -402,6 +415,10 @@ monitor_child_postauth(struct monitor *pmonitor)
2214 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2214 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2215 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2215 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2216 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2216 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2221,7 +2221,7 @@ index 43f48470..76d9e346 100644
2221 2221
2222 if (!no_pty_flag) { 2222 if (!no_pty_flag) {
2223 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 2223 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
2224@@ -1601,6 +1618,13 @@ monitor_apply_keystate(struct monitor *pmonitor) 2224@@ -1606,6 +1623,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
2225 # endif 2225 # endif
2226 #endif /* WITH_OPENSSL */ 2226 #endif /* WITH_OPENSSL */
2227 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2227 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2235,7 +2235,7 @@ index 43f48470..76d9e346 100644
2235 kex->load_host_public_key=&get_hostkey_public_by_type; 2235 kex->load_host_public_key=&get_hostkey_public_by_type;
2236 kex->load_host_private_key=&get_hostkey_private_by_type; 2236 kex->load_host_private_key=&get_hostkey_private_by_type;
2237 kex->host_key_index=&get_hostkey_index; 2237 kex->host_key_index=&get_hostkey_index;
2238@@ -1680,8 +1704,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) 2238@@ -1685,8 +1709,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2239 OM_uint32 major; 2239 OM_uint32 major;
2240 u_int len; 2240 u_int len;
2241 2241
@@ -2246,7 +2246,7 @@ index 43f48470..76d9e346 100644
2246 2246
2247 goid.elements = buffer_get_string(m, &len); 2247 goid.elements = buffer_get_string(m, &len);
2248 goid.length = len; 2248 goid.length = len;
2249@@ -1710,8 +1734,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2249@@ -1715,8 +1739,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2250 OM_uint32 flags = 0; /* GSI needs this */ 2250 OM_uint32 flags = 0; /* GSI needs this */
2251 u_int len; 2251 u_int len;
2252 2252
@@ -2257,7 +2257,7 @@ index 43f48470..76d9e346 100644
2257 2257
2258 in.value = buffer_get_string(m, &len); 2258 in.value = buffer_get_string(m, &len);
2259 in.length = len; 2259 in.length = len;
2260@@ -1730,6 +1754,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2260@@ -1735,6 +1759,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2261 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2261 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2262 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2262 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2263 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2263 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2265,7 +2265,7 @@ index 43f48470..76d9e346 100644
2265 } 2265 }
2266 return (0); 2266 return (0);
2267 } 2267 }
2268@@ -1741,8 +1766,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m) 2268@@ -1746,8 +1771,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2269 OM_uint32 ret; 2269 OM_uint32 ret;
2270 u_int len; 2270 u_int len;
2271 2271
@@ -2276,7 +2276,7 @@ index 43f48470..76d9e346 100644
2276 2276
2277 gssbuf.value = buffer_get_string(m, &len); 2277 gssbuf.value = buffer_get_string(m, &len);
2278 gssbuf.length = len; 2278 gssbuf.length = len;
2279@@ -1770,10 +1795,11 @@ mm_answer_gss_userok(int sock, Buffer *m) 2279@@ -1775,10 +1800,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2280 { 2280 {
2281 int authenticated; 2281 int authenticated;
2282 2282
@@ -2291,7 +2291,7 @@ index 43f48470..76d9e346 100644
2291 2291
2292 buffer_clear(m); 2292 buffer_clear(m);
2293 buffer_put_int(m, authenticated); 2293 buffer_put_int(m, authenticated);
2294@@ -1786,5 +1812,76 @@ mm_answer_gss_userok(int sock, Buffer *m) 2294@@ -1791,5 +1817,76 @@ mm_answer_gss_userok(int sock, Buffer *m)
2295 /* Monitor loop will terminate if authenticated */ 2295 /* Monitor loop will terminate if authenticated */
2296 return (authenticated); 2296 return (authenticated);
2297 } 2297 }
@@ -2463,7 +2463,7 @@ index db5902f5..8f9dd896 100644
2463 2463
2464 #ifdef USE_PAM 2464 #ifdef USE_PAM
2465diff --git a/readconf.c b/readconf.c 2465diff --git a/readconf.c b/readconf.c
2466index fa3fab8f..7902ef26 100644 2466index 9d59493f..00d9cc30 100644
2467--- a/readconf.c 2467--- a/readconf.c
2468+++ b/readconf.c 2468+++ b/readconf.c
2469@@ -160,6 +160,8 @@ typedef enum { 2469@@ -160,6 +160,8 @@ typedef enum {
@@ -2475,8 +2475,8 @@ index fa3fab8f..7902ef26 100644
2475 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2475 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2476 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2476 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2477 oHashKnownHosts, 2477 oHashKnownHosts,
2478@@ -205,10 +207,19 @@ static struct { 2478@@ -196,10 +198,20 @@ static struct {
2479 { "afstokenpassing", oUnsupported }, 2479 /* Sometimes-unsupported options */
2480 #if defined(GSSAPI) 2480 #if defined(GSSAPI)
2481 { "gssapiauthentication", oGssAuthentication }, 2481 { "gssapiauthentication", oGssAuthentication },
2482+ { "gssapikeyexchange", oGssKeyEx }, 2482+ { "gssapikeyexchange", oGssKeyEx },
@@ -2485,17 +2485,18 @@ index fa3fab8f..7902ef26 100644
2485+ { "gssapiclientidentity", oGssClientIdentity }, 2485+ { "gssapiclientidentity", oGssClientIdentity },
2486+ { "gssapiserveridentity", oGssServerIdentity }, 2486+ { "gssapiserveridentity", oGssServerIdentity },
2487+ { "gssapirenewalforcesrekey", oGssRenewalRekey }, 2487+ { "gssapirenewalforcesrekey", oGssRenewalRekey },
2488 #else 2488 # else
2489 { "gssapiauthentication", oUnsupported }, 2489 { "gssapiauthentication", oUnsupported },
2490+ { "gssapikeyexchange", oUnsupported }, 2490+ { "gssapikeyexchange", oUnsupported },
2491 { "gssapidelegatecredentials", oUnsupported }, 2491 { "gssapidelegatecredentials", oUnsupported },
2492+ { "gssapitrustdns", oUnsupported }, 2492+ { "gssapitrustdns", oUnsupported },
2493+ { "gssapiclientidentity", oUnsupported }, 2493+ { "gssapiclientidentity", oUnsupported },
2494+ { "gssapiserveridentity", oUnsupported },
2494+ { "gssapirenewalforcesrekey", oUnsupported }, 2495+ { "gssapirenewalforcesrekey", oUnsupported },
2495 #endif 2496 #endif
2496 { "fallbacktorsh", oDeprecated }, 2497 #ifdef ENABLE_PKCS11
2497 { "usersh", oDeprecated }, 2498 { "smartcarddevice", oPKCS11Provider },
2498@@ -961,10 +972,30 @@ parse_time: 2499@@ -973,10 +985,30 @@ parse_time:
2499 intptr = &options->gss_authentication; 2500 intptr = &options->gss_authentication;
2500 goto parse_flag; 2501 goto parse_flag;
2501 2502
@@ -2526,7 +2527,7 @@ index fa3fab8f..7902ef26 100644
2526 case oBatchMode: 2527 case oBatchMode:
2527 intptr = &options->batch_mode; 2528 intptr = &options->batch_mode;
2528 goto parse_flag; 2529 goto parse_flag;
2529@@ -1776,7 +1807,12 @@ initialize_options(Options * options) 2530@@ -1798,7 +1830,12 @@ initialize_options(Options * options)
2530 options->pubkey_authentication = -1; 2531 options->pubkey_authentication = -1;
2531 options->challenge_response_authentication = -1; 2532 options->challenge_response_authentication = -1;
2532 options->gss_authentication = -1; 2533 options->gss_authentication = -1;
@@ -2539,7 +2540,7 @@ index fa3fab8f..7902ef26 100644
2539 options->password_authentication = -1; 2540 options->password_authentication = -1;
2540 options->kbd_interactive_authentication = -1; 2541 options->kbd_interactive_authentication = -1;
2541 options->kbd_interactive_devices = NULL; 2542 options->kbd_interactive_devices = NULL;
2542@@ -1920,8 +1956,14 @@ fill_default_options(Options * options) 2543@@ -1942,8 +1979,14 @@ fill_default_options(Options * options)
2543 options->challenge_response_authentication = 1; 2544 options->challenge_response_authentication = 1;
2544 if (options->gss_authentication == -1) 2545 if (options->gss_authentication == -1)
2545 options->gss_authentication = 0; 2546 options->gss_authentication = 0;
@@ -2572,7 +2573,7 @@ index cef55f71..fd3d7c75 100644
2572 * authentication. */ 2573 * authentication. */
2573 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2574 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2574diff --git a/servconf.c b/servconf.c 2575diff --git a/servconf.c b/servconf.c
2575index 795ddbab..14c81fa9 100644 2576index 56b83165..d796b7c8 100644
2576--- a/servconf.c 2577--- a/servconf.c
2577+++ b/servconf.c 2578+++ b/servconf.c
2578@@ -113,8 +113,10 @@ initialize_server_options(ServerOptions *options) 2579@@ -113,8 +113,10 @@ initialize_server_options(ServerOptions *options)
@@ -2595,8 +2596,7 @@ index 795ddbab..14c81fa9 100644
2595 if (options->gss_cleanup_creds == -1) 2596 if (options->gss_cleanup_creds == -1)
2596 options->gss_cleanup_creds = 1; 2597 options->gss_cleanup_creds = 1;
2597 if (options->gss_strict_acceptor == -1) 2598 if (options->gss_strict_acceptor == -1)
2598- options->gss_strict_acceptor = 0; 2599 options->gss_strict_acceptor = 1;
2599+ options->gss_strict_acceptor = 1;
2600+ if (options->gss_store_rekey == -1) 2600+ if (options->gss_store_rekey == -1)
2601+ options->gss_store_rekey = 0; 2601+ options->gss_store_rekey = 0;
2602 if (options->password_authentication == -1) 2602 if (options->password_authentication == -1)
@@ -2631,7 +2631,7 @@ index 795ddbab..14c81fa9 100644
2631 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2631 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2632 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2632 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2633 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2633 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2634@@ -1207,6 +1222,10 @@ process_server_config_line(ServerOptions *options, char *line, 2634@@ -1217,6 +1232,10 @@ process_server_config_line(ServerOptions *options, char *line,
2635 intptr = &options->gss_authentication; 2635 intptr = &options->gss_authentication;
2636 goto parse_flag; 2636 goto parse_flag;
2637 2637
@@ -2642,7 +2642,7 @@ index 795ddbab..14c81fa9 100644
2642 case sGssCleanupCreds: 2642 case sGssCleanupCreds:
2643 intptr = &options->gss_cleanup_creds; 2643 intptr = &options->gss_cleanup_creds;
2644 goto parse_flag; 2644 goto parse_flag;
2645@@ -1215,6 +1234,10 @@ process_server_config_line(ServerOptions *options, char *line, 2645@@ -1225,6 +1244,10 @@ process_server_config_line(ServerOptions *options, char *line,
2646 intptr = &options->gss_strict_acceptor; 2646 intptr = &options->gss_strict_acceptor;
2647 goto parse_flag; 2647 goto parse_flag;
2648 2648
@@ -2653,7 +2653,7 @@ index 795ddbab..14c81fa9 100644
2653 case sPasswordAuthentication: 2653 case sPasswordAuthentication:
2654 intptr = &options->password_authentication; 2654 intptr = &options->password_authentication;
2655 goto parse_flag; 2655 goto parse_flag;
2656@@ -2248,7 +2271,10 @@ dump_config(ServerOptions *o) 2656@@ -2250,7 +2273,10 @@ dump_config(ServerOptions *o)
2657 #endif 2657 #endif
2658 #ifdef GSSAPI 2658 #ifdef GSSAPI
2659 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2659 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2796,10 +2796,10 @@ index 90fb63f0..4e879cd2 100644
2796 # CheckHostIP yes 2796 # CheckHostIP yes
2797 # AddressFamily any 2797 # AddressFamily any
2798diff --git a/ssh_config.5 b/ssh_config.5 2798diff --git a/ssh_config.5 b/ssh_config.5
2799index 591365f3..a7703fc7 100644 2799index 532745b2..ec60273e 100644
2800--- a/ssh_config.5 2800--- a/ssh_config.5
2801+++ b/ssh_config.5 2801+++ b/ssh_config.5
2802@@ -748,10 +748,42 @@ The default is 2802@@ -752,10 +752,42 @@ The default is
2803 Specifies whether user authentication based on GSSAPI is allowed. 2803 Specifies whether user authentication based on GSSAPI is allowed.
2804 The default is 2804 The default is
2805 .Cm no . 2805 .Cm no .
@@ -2843,7 +2843,7 @@ index 591365f3..a7703fc7 100644
2843 Indicates that 2843 Indicates that
2844 .Xr ssh 1 2844 .Xr ssh 1
2845diff --git a/sshconnect2.c b/sshconnect2.c 2845diff --git a/sshconnect2.c b/sshconnect2.c
2846index 103a2b36..c35a0bd5 100644 2846index f8a54bee..5743c2c4 100644
2847--- a/sshconnect2.c 2847--- a/sshconnect2.c
2848+++ b/sshconnect2.c 2848+++ b/sshconnect2.c
2849@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2849@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -2892,8 +2892,8 @@ index 103a2b36..c35a0bd5 100644
2892+#endif 2892+#endif
2893+ 2893+
2894 if (options.rekey_limit || options.rekey_interval) 2894 if (options.rekey_limit || options.rekey_interval)
2895 packet_set_rekey_limits((u_int32_t)options.rekey_limit, 2895 packet_set_rekey_limits(options.rekey_limit,
2896 (time_t)options.rekey_interval); 2896 options.rekey_interval);
2897@@ -213,15 +247,41 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2897@@ -213,15 +247,41 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2898 # endif 2898 # endif
2899 #endif 2899 #endif
@@ -3060,7 +3060,7 @@ index 103a2b36..c35a0bd5 100644
3060 3060
3061 int 3061 int
3062diff --git a/sshd.c b/sshd.c 3062diff --git a/sshd.c b/sshd.c
3063index 1dc4d182..0970f297 100644 3063index 010a2c38..20a7a5f3 100644
3064--- a/sshd.c 3064--- a/sshd.c
3065+++ b/sshd.c 3065+++ b/sshd.c
3066@@ -123,6 +123,10 @@ 3066@@ -123,6 +123,10 @@
@@ -3083,7 +3083,7 @@ index 1dc4d182..0970f297 100644
3083 ssh_gssapi_prepare_supported_oids(); 3083 ssh_gssapi_prepare_supported_oids();
3084 #endif 3084 #endif
3085 3085
3086@@ -1705,10 +1709,13 @@ main(int ac, char **av) 3086@@ -1719,10 +1723,13 @@ main(int ac, char **av)
3087 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp); 3087 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
3088 free(fp); 3088 free(fp);
3089 } 3089 }
@@ -3097,7 +3097,7 @@ index 1dc4d182..0970f297 100644
3097 3097
3098 /* 3098 /*
3099 * Load certificates. They are stored in an array at identical 3099 * Load certificates. They are stored in an array at identical
3100@@ -1978,6 +1985,60 @@ main(int ac, char **av) 3100@@ -1992,6 +1999,60 @@ main(int ac, char **av)
3101 remote_ip, remote_port, laddr, ssh_local_port(ssh)); 3101 remote_ip, remote_port, laddr, ssh_local_port(ssh));
3102 free(laddr); 3102 free(laddr);
3103 3103
@@ -3158,7 +3158,7 @@ index 1dc4d182..0970f297 100644
3158 /* 3158 /*
3159 * We don't want to listen forever unless the other side 3159 * We don't want to listen forever unless the other side
3160 * successfully authenticates itself. So we set up an alarm which is 3160 * successfully authenticates itself. So we set up an alarm which is
3161@@ -2159,6 +2220,48 @@ do_ssh2_kex(void) 3161@@ -2173,6 +2234,48 @@ do_ssh2_kex(void)
3162 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 3162 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
3163 list_hostkey_types()); 3163 list_hostkey_types());
3164 3164
@@ -3207,7 +3207,7 @@ index 1dc4d182..0970f297 100644
3207 /* start key exchange */ 3207 /* start key exchange */
3208 if ((r = kex_setup(active_state, myproposal)) != 0) 3208 if ((r = kex_setup(active_state, myproposal)) != 0)
3209 fatal("kex_setup: %s", ssh_err(r)); 3209 fatal("kex_setup: %s", ssh_err(r));
3210@@ -2176,6 +2279,13 @@ do_ssh2_kex(void) 3210@@ -2190,6 +2293,13 @@ do_ssh2_kex(void)
3211 # endif 3211 # endif
3212 #endif 3212 #endif
3213 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 3213 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -3222,7 +3222,7 @@ index 1dc4d182..0970f297 100644
3222 kex->client_version_string=client_version_string; 3222 kex->client_version_string=client_version_string;
3223 kex->server_version_string=server_version_string; 3223 kex->server_version_string=server_version_string;
3224diff --git a/sshd_config b/sshd_config 3224diff --git a/sshd_config b/sshd_config
3225index 9f09e4a6..00e5a728 100644 3225index 4eb2e02e..c01dd656 100644
3226--- a/sshd_config 3226--- a/sshd_config
3227+++ b/sshd_config 3227+++ b/sshd_config
3228@@ -70,6 +70,8 @@ AuthorizedKeysFile .ssh/authorized_keys 3228@@ -70,6 +70,8 @@ AuthorizedKeysFile .ssh/authorized_keys
@@ -3235,10 +3235,10 @@ index 9f09e4a6..00e5a728 100644
3235 # Set this to 'yes' to enable PAM authentication, account processing, 3235 # Set this to 'yes' to enable PAM authentication, account processing,
3236 # and session processing. If this is enabled, PAM authentication will 3236 # and session processing. If this is enabled, PAM authentication will
3237diff --git a/sshd_config.5 b/sshd_config.5 3237diff --git a/sshd_config.5 b/sshd_config.5
3238index 32b29d24..dd765b39 100644 3238index ac6ccc79..3f819c76 100644
3239--- a/sshd_config.5 3239--- a/sshd_config.5
3240+++ b/sshd_config.5 3240+++ b/sshd_config.5
3241@@ -623,6 +623,11 @@ The default is 3241@@ -627,6 +627,11 @@ The default is
3242 Specifies whether user authentication based on GSSAPI is allowed. 3242 Specifies whether user authentication based on GSSAPI is allowed.
3243 The default is 3243 The default is
3244 .Cm no . 3244 .Cm no .
@@ -3250,7 +3250,7 @@ index 32b29d24..dd765b39 100644
3250 .It Cm GSSAPICleanupCredentials 3250 .It Cm GSSAPICleanupCredentials
3251 Specifies whether to automatically destroy the user's credentials cache 3251 Specifies whether to automatically destroy the user's credentials cache
3252 on logout. 3252 on logout.
3253@@ -642,6 +647,11 @@ machine's default store. 3253@@ -646,6 +651,11 @@ machine's default store.
3254 This facility is provided to assist with operation on multi homed machines. 3254 This facility is provided to assist with operation on multi homed machines.
3255 The default is 3255 The default is
3256 .Cm yes . 3256 .Cm yes .
@@ -3263,10 +3263,10 @@ index 32b29d24..dd765b39 100644
3263 Specifies the key types that will be accepted for hostbased authentication 3263 Specifies the key types that will be accepted for hostbased authentication
3264 as a comma-separated pattern list. 3264 as a comma-separated pattern list.
3265diff --git a/sshkey.c b/sshkey.c 3265diff --git a/sshkey.c b/sshkey.c
3266index c01da6c3..377d72fa 100644 3266index 53a7674b..54001989 100644
3267--- a/sshkey.c 3267--- a/sshkey.c
3268+++ b/sshkey.c 3268+++ b/sshkey.c
3269@@ -114,6 +114,7 @@ static const struct keytype keytypes[] = { 3269@@ -116,6 +116,7 @@ static const struct keytype keytypes[] = {
3270 # endif /* OPENSSL_HAS_NISTP521 */ 3270 # endif /* OPENSSL_HAS_NISTP521 */
3271 # endif /* OPENSSL_HAS_ECC */ 3271 # endif /* OPENSSL_HAS_ECC */
3272 #endif /* WITH_OPENSSL */ 3272 #endif /* WITH_OPENSSL */
@@ -3274,17 +3274,17 @@ index c01da6c3..377d72fa 100644
3274 { NULL, NULL, -1, -1, 0, 0 } 3274 { NULL, NULL, -1, -1, 0, 0 }
3275 }; 3275 };
3276 3276
3277@@ -202,7 +203,7 @@ sshkey_alg_list(int certs_only, int plain_only, char sep) 3277@@ -204,7 +205,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
3278 const struct keytype *kt; 3278 const struct keytype *kt;
3279 3279
3280 for (kt = keytypes; kt->type != -1; kt++) { 3280 for (kt = keytypes; kt->type != -1; kt++) {
3281- if (kt->name == NULL || kt->sigonly) 3281- if (kt->name == NULL)
3282+ if (kt->name == NULL || kt->sigonly || kt->type == KEY_NULL) 3282+ if (kt->name == NULL || kt->type == KEY_NULL)
3283 continue; 3283 continue;
3284 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 3284 if (!include_sigonly && kt->sigonly)
3285 continue; 3285 continue;
3286diff --git a/sshkey.h b/sshkey.h 3286diff --git a/sshkey.h b/sshkey.h
3287index f3936384..7eb2a139 100644 3287index 1b9e42f4..f91e4a08 100644
3288--- a/sshkey.h 3288--- a/sshkey.h
3289+++ b/sshkey.h 3289+++ b/sshkey.h
3290@@ -62,6 +62,7 @@ enum sshkey_types { 3290@@ -62,6 +62,7 @@ enum sshkey_types {