* New upstream release (http://www.openssh.com/txt/release-6.1).

- Enable pre-auth sandboxing by default for new installs. - Allow "PermitOpen none" to refuse all port-forwarding requests (closes: #543683).
author: Colin Watson <cjwatson@debian.org> 2012-09-07 00:20:47 +0100
committer: Colin Watson <cjwatson@debian.org> 2012-09-07 00:20:47 +0100
commit: eab78da6a54225de06271d9c8da650f04a55ed88 (patch)
tree: aa258ca77515939f6d89317ff67fbcb0bca08b24 /debian/patches/gssapi.patch
parent: a26f5de49df59322fde07f7be91b3e3969c9c238 (diff)
parent: c6a2c0334e45419875687d250aed9bea78480f2e (diff)
1 files changed, 30 insertions, 30 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index d78835bd6..786500feb 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -13,7 +13,7 @@ Description: GSSAPI key exchange support
 security history.
 Author: Simon Wilkinson <simon@sxw.org.uk>
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2010-02-27
+Last-Updated: 2012-09-07
 Index: b/ChangeLog.gssapi
 ===================================================================
@@ -176,8 +176,8 @@ Index: b/auth-krb5.c
 #ifndef HEIMDAL
 krb5_error_code
 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
-       int tmpfd, ret;
+-       int tmpfd, ret, oerrno;
-+       int ret;
+       int ret, oerrno;
        char ccname[40];
        mode_t old_umask;
 +#ifdef USE_CCAPI
@@ -196,9 +196,9 @@ Index: b/auth-krb5.c
 +#ifndef USE_CCAPI
        old_umask = umask(0177);
        tmpfd = mkstemp(ccname + strlen("FILE:"));
-        umask(old_umask);
+        oerrno = errno;
-@@ -249,6 +261,7 @@
+@@ -251,6 +263,7 @@
-                return errno;
+                return oerrno;
        }
        close(tmpfd);
 +#endif
@@ -327,7 +327,7 @@ Index: b/clientloop.c
 /* import options */
 extern Options options;
 
-@@ -1540,6 +1544,15 @@
+@@ -1544,6 +1548,15 @@
                /* Do channel operations unless rekeying in progress. */
                if (!rekeying) {
                        channel_after_select(readset, writeset);
@@ -347,7 +347,7 @@ Index: b/config.h.in
 ===================================================================
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1465,6 +1465,9 @@
+@@ -1471,6 +1471,9 @@
 /* Use btmp to log bad logins */
 #undef USE_BTMP
 
@@ -357,7 +357,7 @@ Index: b/config.h.in
 /* Use libedit for sftp */
 #undef USE_LIBEDIT
 
-@@ -1480,6 +1483,9 @@
+@@ -1486,6 +1489,9 @@
 /* Use PIPES instead of a socketpair() */
 #undef USE_PIPES
 
@@ -1973,7 +1973,7 @@ Index: b/key.c
 ===================================================================
 --- a/key.c
 +++ b/key.c
-@@ -971,6 +971,8 @@
+@@ -976,6 +976,8 @@
                }
                break;
 #endif /* OPENSSL_HAS_ECC */
@@ -1982,7 +1982,7 @@ Index: b/key.c
        }
        return "ssh-unknown";
 }
-@@ -1276,6 +1278,8 @@
+@@ -1281,6 +1283,8 @@
            strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
                return KEY_ECDSA_CERT;
 #endif
@@ -2059,7 +2059,7 @@ Index: b/monitor.c
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1803,6 +1820,13 @@
+@@ -1800,6 +1817,13 @@
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2073,7 +2073,7 @@ Index: b/monitor.c
        kex->server = 1;
        kex->hostkey_type = buffer_get_int(m);
        kex->kex_type = buffer_get_int(m);
-@@ -2009,6 +2033,9 @@
+@@ -2006,6 +2030,9 @@
        OM_uint32 major;
        u_int len;
 
@@ -2083,7 +2083,7 @@ Index: b/monitor.c
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
 
-@@ -2036,6 +2063,9 @@
+@@ -2033,6 +2060,9 @@
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
 
@@ -2093,7 +2093,7 @@ Index: b/monitor.c
        in.value = buffer_get_string(m, &len);
        in.length = len;
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2053,6 +2083,7 @@
+@@ -2050,6 +2080,7 @@
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2101,7 +2101,7 @@ Index: b/monitor.c
        }
        return (0);
 }
-@@ -2064,6 +2095,9 @@
+@@ -2061,6 +2092,9 @@
        OM_uint32 ret;
        u_int len;
 
@@ -2111,7 +2111,7 @@ Index: b/monitor.c
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
        mic.value = buffer_get_string(m, &len);
-@@ -2090,7 +2124,11 @@
+@@ -2087,7 +2121,11 @@
 {
        int authenticated;
 
@@ -2124,7 +2124,7 @@ Index: b/monitor.c
 
        buffer_clear(m);
        buffer_put_int(m, authenticated);
-@@ -2103,6 +2141,74 @@
+@@ -2100,6 +2138,74 @@
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
@@ -2406,7 +2406,7 @@ Index: b/servconf.c
 ===================================================================
 --- a/servconf.c
 +++ b/servconf.c
-@@ -97,7 +97,10 @@
+@@ -100,7 +100,10 @@
        options->kerberos_ticket_cleanup = -1;
        options->kerberos_get_afs_token = -1;
        options->gss_authentication=-1;
@@ -2417,7 +2417,7 @@ Index: b/servconf.c
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
-@@ -225,8 +228,14 @@
+@@ -229,8 +232,14 @@
                options->kerberos_get_afs_token = 0;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2432,7 +2432,7 @@ Index: b/servconf.c
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
-@@ -318,7 +327,9 @@
+@@ -323,7 +332,9 @@
        sBanner, sUseDNS, sHostbasedAuthentication,
        sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
        sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2443,7 +2443,7 @@ Index: b/servconf.c
        sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
        sUsePrivilegeSeparation, sAllowAgentForwarding,
        sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -382,10 +393,20 @@
+@@ -387,10 +398,20 @@
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2464,7 +2464,7 @@ Index: b/servconf.c
        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -962,10 +983,22 @@
+@@ -1031,10 +1052,22 @@
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2487,7 +2487,7 @@ Index: b/servconf.c
        case sPasswordAuthentication:
                intptr = &options->password_authentication;
                goto parse_flag;
-@@ -1720,7 +1753,10 @@
+@@ -1868,7 +1901,10 @@
 #endif
 #ifdef GSSAPI
        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2893,7 +2893,7 @@ Index: b/sshd.c
 #ifdef LIBWRAP
 #include <tcpd.h>
 #include <syslog.h>
-@@ -1616,10 +1620,13 @@
+@@ -1607,10 +1611,13 @@
                logit("Disabling protocol version 1. Could not load host key");
                options.protocol &= ~SSH_PROTO_1;
        }
@@ -2907,7 +2907,7 @@ Index: b/sshd.c
        if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
                logit("sshd: no hostkeys available -- exiting.");
                exit(1);
-@@ -1948,6 +1955,60 @@
+@@ -1938,6 +1945,60 @@
        /* Log the connection. */
        verbose("Connection from %.500s port %d", remote_ip, remote_port);
 
@@ -2968,7 +2968,7 @@ Index: b/sshd.c
        /*
         * We don't want to listen forever unless the other side
         * successfully authenticates itself.  So we set up an alarm which is
-@@ -2329,6 +2390,48 @@
+@@ -2319,6 +2380,48 @@
 
        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
 
@@ -3017,7 +3017,7 @@ Index: b/sshd.c
        /* start key exchange */
        kex = kex_setup(myproposal);
        kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-@@ -2336,6 +2439,13 @@
+@@ -2326,6 +2429,13 @@
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
        kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -3035,7 +3035,7 @@ Index: b/sshd_config
 ===================================================================
 --- a/sshd_config
 +++ b/sshd_config
-@@ -75,6 +75,8 @@
+@@ -77,6 +77,8 @@
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
@@ -3048,7 +3048,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -424,12 +424,40 @@
+@@ -426,12 +426,40 @@
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
author	Colin Watson <cjwatson@debian.org>	2012-09-07 00:20:47 +0100
committer	Colin Watson <cjwatson@debian.org>	2012-09-07 00:20:47 +0100
commit	eab78da6a54225de06271d9c8da650f04a55ed88 (patch)
tree	aa258ca77515939f6d89317ff67fbcb0bca08b24 /debian/patches/gssapi.patch
parent	a26f5de49df59322fde07f7be91b3e3969c9c238 (diff)
parent	c6a2c0334e45419875687d250aed9bea78480f2e (diff)

diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index d78835bd6..786500feb 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch
@@ -13,7 +13,7 @@ Description: GSSAPI key exchange support
13	security history.	13	security history.
14	Author: Simon Wilkinson <simon@sxw.org.uk>	14	Author: Simon Wilkinson <simon@sxw.org.uk>
15	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242	15	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
16	Last-Updated: 2010-02-27	16	Last-Updated: 2012-09-07
17		17
18	Index: b/ChangeLog.gssapi	18	Index: b/ChangeLog.gssapi
19	===================================================================	19	===================================================================
@@ -176,8 +176,8 @@ Index: b/auth-krb5.c
176	#ifndef HEIMDAL	176	#ifndef HEIMDAL
177	krb5_error_code	177	krb5_error_code
178	ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {	178	ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
179	- int tmpfd, ret;	179	- int tmpfd, ret, oerrno;
180	+ int ret;	180	+ int ret, oerrno;
181	char ccname[40];	181	char ccname[40];
182	mode_t old_umask;	182	mode_t old_umask;
183	+#ifdef USE_CCAPI	183	+#ifdef USE_CCAPI
@@ -196,9 +196,9 @@ Index: b/auth-krb5.c
196	+#ifndef USE_CCAPI	196	+#ifndef USE_CCAPI
197	old_umask = umask(0177);	197	old_umask = umask(0177);
198	tmpfd = mkstemp(ccname + strlen("FILE:"));	198	tmpfd = mkstemp(ccname + strlen("FILE:"));
199	umask(old_umask);	199	oerrno = errno;
200	@@ -249,6 +261,7 @@	200	@@ -251,6 +263,7 @@
201	return errno;	201	return oerrno;
202	}	202	}
203	close(tmpfd);	203	close(tmpfd);
204	+#endif	204	+#endif
@@ -327,7 +327,7 @@ Index: b/clientloop.c
327	/* import options */	327	/* import options */
328	extern Options options;	328	extern Options options;
329		329
330	@@ -1540,6 +1544,15 @@	330	@@ -1544,6 +1548,15 @@
331	/* Do channel operations unless rekeying in progress. */	331	/* Do channel operations unless rekeying in progress. */
332	if (!rekeying) {	332	if (!rekeying) {
333	channel_after_select(readset, writeset);	333	channel_after_select(readset, writeset);
@@ -347,7 +347,7 @@ Index: b/config.h.in
347	===================================================================	347	===================================================================
348	--- a/config.h.in	348	--- a/config.h.in
349	+++ b/config.h.in	349	+++ b/config.h.in
350	@@ -1465,6 +1465,9 @@	350	@@ -1471,6 +1471,9 @@
351	/* Use btmp to log bad logins */	351	/* Use btmp to log bad logins */
352	#undef USE_BTMP	352	#undef USE_BTMP
353		353
@@ -357,7 +357,7 @@ Index: b/config.h.in
357	/* Use libedit for sftp */	357	/* Use libedit for sftp */
358	#undef USE_LIBEDIT	358	#undef USE_LIBEDIT
359		359
360	@@ -1480,6 +1483,9 @@	360	@@ -1486,6 +1489,9 @@
361	/* Use PIPES instead of a socketpair() */	361	/* Use PIPES instead of a socketpair() */
362	#undef USE_PIPES	362	#undef USE_PIPES
363		363
@@ -1973,7 +1973,7 @@ Index: b/key.c
1973	===================================================================	1973	===================================================================
1974	--- a/key.c	1974	--- a/key.c
1975	+++ b/key.c	1975	+++ b/key.c
1976	@@ -971,6 +971,8 @@	1976	@@ -976,6 +976,8 @@
1977	}	1977	}
1978	break;	1978	break;
1979	#endif /* OPENSSL_HAS_ECC */	1979	#endif /* OPENSSL_HAS_ECC */
@@ -1982,7 +1982,7 @@ Index: b/key.c
1982	}	1982	}
1983	return "ssh-unknown";	1983	return "ssh-unknown";
1984	}	1984	}
1985	@@ -1276,6 +1278,8 @@	1985	@@ -1281,6 +1283,8 @@
1986	strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {	1986	strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
1987	return KEY_ECDSA_CERT;	1987	return KEY_ECDSA_CERT;
1988	#endif	1988	#endif
@@ -2059,7 +2059,7 @@ Index: b/monitor.c
2059	} else {	2059	} else {
2060	mon_dispatch = mon_dispatch_postauth15;	2060	mon_dispatch = mon_dispatch_postauth15;
2061	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);	2061	monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2062	@@ -1803,6 +1820,13 @@	2062	@@ -1800,6 +1817,13 @@
2063	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	2063	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2064	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;	2064	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2065	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;	2065	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2073,7 +2073,7 @@ Index: b/monitor.c
2073	kex->server = 1;	2073	kex->server = 1;
2074	kex->hostkey_type = buffer_get_int(m);	2074	kex->hostkey_type = buffer_get_int(m);
2075	kex->kex_type = buffer_get_int(m);	2075	kex->kex_type = buffer_get_int(m);
2076	@@ -2009,6 +2033,9 @@	2076	@@ -2006,6 +2030,9 @@
2077	OM_uint32 major;	2077	OM_uint32 major;
2078	u_int len;	2078	u_int len;
2079		2079
@@ -2083,7 +2083,7 @@ Index: b/monitor.c
2083	goid.elements = buffer_get_string(m, &len);	2083	goid.elements = buffer_get_string(m, &len);
2084	goid.length = len;	2084	goid.length = len;
2085		2085
2086	@@ -2036,6 +2063,9 @@	2086	@@ -2033,6 +2060,9 @@
2087	OM_uint32 flags = 0; /* GSI needs this */	2087	OM_uint32 flags = 0; /* GSI needs this */
2088	u_int len;	2088	u_int len;
2089		2089
@@ -2093,7 +2093,7 @@ Index: b/monitor.c
2093	in.value = buffer_get_string(m, &len);	2093	in.value = buffer_get_string(m, &len);
2094	in.length = len;	2094	in.length = len;
2095	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);	2095	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2096	@@ -2053,6 +2083,7 @@	2096	@@ -2050,6 +2080,7 @@
2097	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);	2097	monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2098	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);	2098	monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2099	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);	2099	monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2101,7 +2101,7 @@ Index: b/monitor.c
2101	}	2101	}
2102	return (0);	2102	return (0);
2103	}	2103	}
2104	@@ -2064,6 +2095,9 @@	2104	@@ -2061,6 +2092,9 @@
2105	OM_uint32 ret;	2105	OM_uint32 ret;
2106	u_int len;	2106	u_int len;
2107		2107
@@ -2111,7 +2111,7 @@ Index: b/monitor.c
2111	gssbuf.value = buffer_get_string(m, &len);	2111	gssbuf.value = buffer_get_string(m, &len);
2112	gssbuf.length = len;	2112	gssbuf.length = len;
2113	mic.value = buffer_get_string(m, &len);	2113	mic.value = buffer_get_string(m, &len);
2114	@@ -2090,7 +2124,11 @@	2114	@@ -2087,7 +2121,11 @@
2115	{	2115	{
2116	int authenticated;	2116	int authenticated;
2117		2117
@@ -2124,7 +2124,7 @@ Index: b/monitor.c
2124		2124
2125	buffer_clear(m);	2125	buffer_clear(m);
2126	buffer_put_int(m, authenticated);	2126	buffer_put_int(m, authenticated);
2127	@@ -2103,6 +2141,74 @@	2127	@@ -2100,6 +2138,74 @@
2128	/* Monitor loop will terminate if authenticated */	2128	/* Monitor loop will terminate if authenticated */
2129	return (authenticated);	2129	return (authenticated);
2130	}	2130	}
@@ -2406,7 +2406,7 @@ Index: b/servconf.c
2406	===================================================================	2406	===================================================================
2407	--- a/servconf.c	2407	--- a/servconf.c
2408	+++ b/servconf.c	2408	+++ b/servconf.c
2409	@@ -97,7 +97,10 @@	2409	@@ -100,7 +100,10 @@
2410	options->kerberos_ticket_cleanup = -1;	2410	options->kerberos_ticket_cleanup = -1;
2411	options->kerberos_get_afs_token = -1;	2411	options->kerberos_get_afs_token = -1;
2412	options->gss_authentication=-1;	2412	options->gss_authentication=-1;
@@ -2417,7 +2417,7 @@ Index: b/servconf.c
2417	options->password_authentication = -1;	2417	options->password_authentication = -1;
2418	options->kbd_interactive_authentication = -1;	2418	options->kbd_interactive_authentication = -1;
2419	options->challenge_response_authentication = -1;	2419	options->challenge_response_authentication = -1;
2420	@@ -225,8 +228,14 @@	2420	@@ -229,8 +232,14 @@
2421	options->kerberos_get_afs_token = 0;	2421	options->kerberos_get_afs_token = 0;
2422	if (options->gss_authentication == -1)	2422	if (options->gss_authentication == -1)
2423	options->gss_authentication = 0;	2423	options->gss_authentication = 0;
@@ -2432,7 +2432,7 @@ Index: b/servconf.c
2432	if (options->password_authentication == -1)	2432	if (options->password_authentication == -1)
2433	options->password_authentication = 1;	2433	options->password_authentication = 1;
2434	if (options->kbd_interactive_authentication == -1)	2434	if (options->kbd_interactive_authentication == -1)
2435	@@ -318,7 +327,9 @@	2435	@@ -323,7 +332,9 @@
2436	sBanner, sUseDNS, sHostbasedAuthentication,	2436	sBanner, sUseDNS, sHostbasedAuthentication,
2437	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,	2437	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2438	sClientAliveCountMax, sAuthorizedKeysFile,	2438	sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2443,7 +2443,7 @@ Index: b/servconf.c
2443	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,	2443	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2444	sUsePrivilegeSeparation, sAllowAgentForwarding,	2444	sUsePrivilegeSeparation, sAllowAgentForwarding,
2445	sZeroKnowledgePasswordAuthentication, sHostCertificate,	2445	sZeroKnowledgePasswordAuthentication, sHostCertificate,
2446	@@ -382,10 +393,20 @@	2446	@@ -387,10 +398,20 @@
2447	#ifdef GSSAPI	2447	#ifdef GSSAPI
2448	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },	2448	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2449	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },	2449	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2464,7 +2464,7 @@ Index: b/servconf.c
2464	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },	2464	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2465	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },	2465	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2466	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },	2466	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2467	@@ -962,10 +983,22 @@	2467	@@ -1031,10 +1052,22 @@
2468	intptr = &options->gss_authentication;	2468	intptr = &options->gss_authentication;
2469	goto parse_flag;	2469	goto parse_flag;
2470		2470
@@ -2487,7 +2487,7 @@ Index: b/servconf.c
2487	case sPasswordAuthentication:	2487	case sPasswordAuthentication:
2488	intptr = &options->password_authentication;	2488	intptr = &options->password_authentication;
2489	goto parse_flag;	2489	goto parse_flag;
2490	@@ -1720,7 +1753,10 @@	2490	@@ -1868,7 +1901,10 @@
2491	#endif	2491	#endif
2492	#ifdef GSSAPI	2492	#ifdef GSSAPI
2493	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);	2493	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2893,7 +2893,7 @@ Index: b/sshd.c
2893	#ifdef LIBWRAP	2893	#ifdef LIBWRAP
2894	#include <tcpd.h>	2894	#include <tcpd.h>
2895	#include <syslog.h>	2895	#include <syslog.h>
2896	@@ -1616,10 +1620,13 @@	2896	@@ -1607,10 +1611,13 @@
2897	logit("Disabling protocol version 1. Could not load host key");	2897	logit("Disabling protocol version 1. Could not load host key");
2898	options.protocol &= ~SSH_PROTO_1;	2898	options.protocol &= ~SSH_PROTO_1;
2899	}	2899	}
@@ -2907,7 +2907,7 @@ Index: b/sshd.c
2907	if (!(options.protocol & (SSH_PROTO_1\|SSH_PROTO_2))) {	2907	if (!(options.protocol & (SSH_PROTO_1\|SSH_PROTO_2))) {
2908	logit("sshd: no hostkeys available -- exiting.");	2908	logit("sshd: no hostkeys available -- exiting.");
2909	exit(1);	2909	exit(1);
2910	@@ -1948,6 +1955,60 @@	2910	@@ -1938,6 +1945,60 @@
2911	/* Log the connection. */	2911	/* Log the connection. */
2912	verbose("Connection from %.500s port %d", remote_ip, remote_port);	2912	verbose("Connection from %.500s port %d", remote_ip, remote_port);
2913		2913
@@ -2968,7 +2968,7 @@ Index: b/sshd.c
2968	/*	2968	/*
2969	* We don't want to listen forever unless the other side	2969	* We don't want to listen forever unless the other side
2970	* successfully authenticates itself. So we set up an alarm which is	2970	* successfully authenticates itself. So we set up an alarm which is
2971	@@ -2329,6 +2390,48 @@	2971	@@ -2319,6 +2380,48 @@
2972		2972
2973	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();	2973	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2974		2974
@@ -3017,7 +3017,7 @@ Index: b/sshd.c
3017	/* start key exchange */	3017	/* start key exchange */
3018	kex = kex_setup(myproposal);	3018	kex = kex_setup(myproposal);
3019	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;	3019	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
3020	@@ -2336,6 +2439,13 @@	3020	@@ -2326,6 +2429,13 @@
3021	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;	3021	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
3022	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;	3022	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
3023	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;	3023	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -3035,7 +3035,7 @@ Index: b/sshd_config
3035	===================================================================	3035	===================================================================
3036	--- a/sshd_config	3036	--- a/sshd_config
3037	+++ b/sshd_config	3037	+++ b/sshd_config
3038	@@ -75,6 +75,8 @@	3038	@@ -77,6 +77,8 @@
3039	# GSSAPI options	3039	# GSSAPI options
3040	#GSSAPIAuthentication no	3040	#GSSAPIAuthentication no
3041	#GSSAPICleanupCredentials yes	3041	#GSSAPICleanupCredentials yes
@@ -3048,7 +3048,7 @@ Index: b/sshd_config.5
3048	===================================================================	3048	===================================================================
3049	--- a/sshd_config.5	3049	--- a/sshd_config.5
3050	+++ b/sshd_config.5	3050	+++ b/sshd_config.5
3051	@@ -424,12 +424,40 @@	3051	@@ -426,12 +426,40 @@
3052	The default is	3052	The default is
3053	.Dq no .	3053	.Dq no .
3054	Note that this option applies to protocol version 2 only.	3054	Note that this option applies to protocol version 2 only.