* New upstream release (http://www.openssh.com/txt/release-5.6):

  - Added a ControlPersist option to ssh_config(5) that automatically
    starts a background ssh(1) multiplex master when connecting.  This
    connection can stay alive indefinitely, or can be set to automatically
    close after a user-specified duration of inactivity (closes: #335697,
    #350898, #454787, #500573, #550262).
  - Support AuthorizedKeysFile, AuthorizedPrincipalsFile,
    HostbasedUsesNameFromPacketOnly, and PermitTunnel in sshd_config(5)
    Match blocks (closes: #549858).
  - sftp(1): fix ls in working directories that contain globbing
    characters in their pathnames (LP: #530714).

1 files changed, 30 insertions, 30 deletions

diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index af56dc031..ecb6e0c64 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -132,7 +132,7 @@ Index: b/auth.c
  #include "auth.h"
  #include "auth-options.h"
  #include "canohost.h"
-@@ -593,10 +594,34 @@
+@@ -615,10 +616,34 @@
  
  /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
  int
@@ -172,10 +172,10 @@ Index: b/auth.h
 ===================================================================
 --- a/auth.h
 +++ b/auth.h
-@@ -173,7 +173,7 @@
- char   *authorized_keys_file2(struct passwd *);
+@@ -175,7 +175,7 @@
  
  FILE   *auth_openkeyfile(const char *, struct passwd *, int);
+ FILE   *auth_openprincipals(const char *, struct passwd *, int);
 -int     auth_key_is_revoked(Key *);
 +int     auth_key_is_revoked(Key *, int);
  
@@ -185,9 +185,9 @@ Index: b/auth2-hostbased.c
 ===================================================================
 --- a/auth2-hostbased.c
 +++ b/auth2-hostbased.c
-@@ -145,7 +145,7 @@
-        HostStatus host_status;
+@@ -146,7 +146,7 @@
         int len;
+        char *fp;
  
 -       if (auth_key_is_revoked(key))
 +       if (auth_key_is_revoked(key, 0))
@@ -198,7 +198,7 @@ Index: b/auth2-pubkey.c
 ===================================================================
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -328,9 +328,10 @@
+@@ -439,9 +439,10 @@
         int success;
         char *file;
  
@@ -223,7 +223,7 @@ Index: b/authfile.c
  
  /* Version identification string for SSH v1 identity files. */
  static const char authfile_id_string[] =
-@@ -754,3 +755,140 @@
+@@ -814,3 +815,140 @@
         return ret;
  }
  
@@ -368,7 +368,7 @@ Index: b/authfile.h
 ===================================================================
 --- a/authfile.h
 +++ b/authfile.h
-@@ -24,4 +24,6 @@
+@@ -26,4 +26,6 @@
  int     key_perm_ok(int, const char *);
  int     key_in_file(Key *, const char *, int);
  
@@ -412,7 +412,7 @@ Index: b/readconf.c
         oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
         oClearAllForwardings, oNoHostAuthenticationForLocalhost,
         oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
-@@ -152,6 +153,7 @@
+@@ -154,6 +155,7 @@
         { "passwordauthentication", oPasswordAuthentication },
         { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
         { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -420,7 +420,7 @@ Index: b/readconf.c
         { "rsaauthentication", oRSAAuthentication },
         { "pubkeyauthentication", oPubkeyAuthentication },
         { "dsaauthentication", oPubkeyAuthentication },             /* alias */
-@@ -461,6 +463,10 @@
+@@ -479,6 +481,10 @@
                 intptr = &options->challenge_response_authentication;
                 goto parse_flag;
  
@@ -431,7 +431,7 @@ Index: b/readconf.c
         case oGssAuthentication:
                 intptr = &options->gss_authentication;
                 goto parse_flag;
-@@ -1050,6 +1056,7 @@
+@@ -1093,6 +1099,7 @@
         options->kbd_interactive_devices = NULL;
         options->rhosts_rsa_authentication = -1;
         options->hostbased_authentication = -1;
@@ -439,7 +439,7 @@ Index: b/readconf.c
         options->batch_mode = -1;
         options->check_host_ip = -1;
         options->strict_host_key_checking = -1;
-@@ -1152,6 +1159,8 @@
+@@ -1201,6 +1208,8 @@
                 options->rhosts_rsa_authentication = 0;
         if (options->hostbased_authentication == -1)
                 options->hostbased_authentication = 0;
@@ -452,7 +452,7 @@ Index: b/readconf.h
 ===================================================================
 --- a/readconf.h
 +++ b/readconf.h
-@@ -54,6 +54,7 @@
+@@ -56,6 +56,7 @@
         int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
         char    *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
         int     zero_knowledge_password_authentication; /* Try jpake */
@@ -472,7 +472,7 @@ Index: b/servconf.c
         options->permit_empty_passwd = -1;
         options->permit_user_env = -1;
         options->use_login = -1;
-@@ -231,6 +232,8 @@
+@@ -232,6 +233,8 @@
                 options->kbd_interactive_authentication = 0;
         if (options->challenge_response_authentication == -1)
                 options->challenge_response_authentication = 1;
@@ -481,7 +481,7 @@ Index: b/servconf.c
         if (options->permit_empty_passwd == -1)
                 options->permit_empty_passwd = 0;
         if (options->permit_user_env == -1)
-@@ -306,7 +309,7 @@
+@@ -307,7 +310,7 @@
         sListenAddress, sAddressFamily,
         sPrintMotd, sPrintLastLog, sIgnoreRhosts,
         sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -490,7 +490,7 @@ Index: b/servconf.c
         sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
         sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
         sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
-@@ -415,6 +418,7 @@
+@@ -416,6 +419,7 @@
         { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
         { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
         { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -498,7 +498,7 @@ Index: b/servconf.c
         { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
         { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
         { "uselogin", sUseLogin, SSHCFG_GLOBAL },
-@@ -1009,6 +1013,10 @@
+@@ -1011,6 +1015,10 @@
                 intptr = &options->tcp_keep_alive;
                 goto parse_flag;
  
@@ -509,7 +509,7 @@ Index: b/servconf.c
         case sEmptyPasswd:
                 intptr = &options->permit_empty_passwd;
                 goto parse_flag;
-@@ -1697,6 +1705,7 @@
+@@ -1708,6 +1716,7 @@
         dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
         dump_cfg_fmtint(sStrictModes, o->strict_modes);
         dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -584,7 +584,7 @@ Index: b/ssh-keygen.1
 ===================================================================
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -628,6 +628,7 @@
+@@ -669,6 +669,7 @@
  .Xr ssh 1 ,
  .Xr ssh-add 1 ,
  .Xr ssh-agent 1 ,
@@ -1236,7 +1236,7 @@ Index: b/ssh.1
 ===================================================================
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1426,6 +1426,7 @@
+@@ -1392,6 +1392,7 @@
  .Xr ssh-agent 1 ,
  .Xr ssh-keygen 1 ,
  .Xr ssh-keyscan 1 ,
@@ -1248,7 +1248,7 @@ Index: b/ssh.c
 ===================================================================
 --- a/ssh.c
 +++ b/ssh.c
-@@ -1301,7 +1301,7 @@
+@@ -1422,7 +1422,7 @@
  static void
  load_public_identity_files(void)
  {
@@ -1257,7 +1257,7 @@ Index: b/ssh.c
         char *pwdir = NULL, *pwname = NULL;
         int i = 0;
         Key *public;
-@@ -1358,6 +1358,22 @@
+@@ -1479,6 +1479,22 @@
                 public = key_load_public(filename, NULL);
                 debug("identity file %s type %d", filename,
                     public ? public->type : -1);
@@ -1284,7 +1284,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1051,6 +1051,23 @@
+@@ -1082,6 +1082,23 @@
  .Dq any .
  The default is
  .Dq any:any .
@@ -1312,7 +1312,7 @@ Index: b/sshconnect2.c
 ===================================================================
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -1418,6 +1418,8 @@
+@@ -1421,6 +1421,8 @@
  
         /* list of keys stored in the filesystem */
         for (i = 0; i < options.num_identity_files; i++) {
@@ -1321,9 +1321,9 @@ Index: b/sshconnect2.c
                 key = options.identity_keys[i];
                 if (key && key->type == KEY_RSA1)
                         continue;
-@@ -1510,7 +1512,7 @@
-                if (id->key && id->key->type != KEY_RSA1) {
-                        debug("Offering public key: %s", id->filename);
+@@ -1514,7 +1516,7 @@
+                        debug("Offering %s public key: %s", key_type(id->key),
+                            id->filename);
                         sent = send_pubkey_test(authctxt, id);
 -               } else if (id->key == NULL) {
 +               } else if (id->key == NULL && id->filename) {
@@ -1334,7 +1334,7 @@ Index: b/sshd.8
 ===================================================================
 --- a/sshd.8
 +++ b/sshd.8
-@@ -928,6 +928,7 @@
+@@ -938,6 +938,7 @@
  .Xr ssh-agent 1 ,
  .Xr ssh-keygen 1 ,
  .Xr ssh-keyscan 1 ,
@@ -1346,7 +1346,7 @@ Index: b/sshd.c
 ===================================================================
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1564,6 +1564,11 @@
+@@ -1573,6 +1573,11 @@
                         sensitive_data.host_keys[i] = NULL;
                         continue;
                 }
@@ -1362,7 +1362,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -694,6 +694,20 @@
+@@ -743,6 +743,20 @@
  Specifies whether password authentication is allowed.
  The default is
  .Dq yes .