New upstream release (7.2).

author: Colin Watson <cjwatson@debian.org> 2016-02-29 12:15:15 +0000
committer: Colin Watson <cjwatson@debian.org> 2016-03-08 11:51:22 +0000
commit: 46961f5704f8e86cea3e99253faad55aef4d8f35 (patch)
tree: 0dd97fa4fb649a62b4639fe2674380872b1f3e98 /debian/patches
parent: c753fe267efb1b027424fa8706cf0385fc3d14c1 (diff)
parent: 85e40e87a75fb80a0bf893ac05a417d6c353537d (diff)
29 files changed, 259 insertions, 296 deletions
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 3635e50ad..549570c5c 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
-From a791d607756f04e41153c2297e5f9a608daa7335 Mon Sep 17 00:00:00 2001
+From d104554289d524d6f8c97cc93a8ff5aabbfcdd6c Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:02 +0000
 Subject: Quieten logs when multiple from= restrictions are used
@@ -16,7 +16,7 @@ Patch-Name: auth-log-verbosity.patch
 4 files changed, 32 insertions(+), 9 deletions(-)
 diff --git a/auth-options.c b/auth-options.c
-index e387697..f1e3ddf 100644
+index edbaf80..bda39df 100644
 --- a/auth-options.c
 +++ b/auth-options.c
 @@ -58,9 +58,20 @@ int forced_tun_device = -1;
@@ -40,7 +40,7 @@ index e387697..f1e3ddf 100644
 auth_clear_options(void)
 {
        no_agent_forwarding_flag = 0;
-@@ -293,10 +304,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
+@@ -314,10 +325,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                                /* FALLTHROUGH */
                        case 0:
                                free(patterns);
@@ -58,7 +58,7 @@ index e387697..f1e3ddf 100644
                                auth_debug_add("Your host '%.200s' is not "
                                    "permitted to use this key for login.",
                                    remote_host);
-@@ -519,11 +533,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
+@@ -540,11 +554,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
                                        break;
                                case 0:
                                        /* no match */
@@ -104,10 +104,10 @@ index cbd971b..4cf2163 100644
         * Go though the accepted keys, looking for the current key.  If
         * found, perform a challenge-response dialog to verify that the
 diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index 5aa319c..1eee161 100644
+index 41b34ae..aace7ca 100644
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -561,6 +561,7 @@ process_principals(FILE *f, char *file, struct passwd *pw,
+@@ -566,6 +566,7 @@ process_principals(FILE *f, char *file, struct passwd *pw,
        u_long linenum = 0;
        u_int i;
 
@@ -115,7 +115,7 @@ index 5aa319c..1eee161 100644
        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                /* Skip leading whitespace. */
                for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-@@ -726,6 +727,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
+@@ -731,6 +732,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
        found_key = 0;
 
        found = NULL;
@@ -123,7 +123,7 @@ index 5aa319c..1eee161 100644
        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                char *cp, *key_options = NULL;
                if (found != NULL)
-@@ -872,6 +874,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
+@@ -878,6 +880,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
        if (key_cert_check_authority(key, 0, 1,
            use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
                goto fail_reason;
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 2b1bd05f7..5a0dcd806 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From 9769daa27369920a909debed3ee297c32f0c3ef7 Mon Sep 17 00:00:00 2001
+From 88659ca2f10e2401f887b9dd58f6361d7bfa08e4 Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,7 +13,7 @@ Patch-Name: authorized-keys-man-symlink.patch
 1 file changed, 1 insertion(+)
 diff --git a/Makefile.in b/Makefile.in
-index 3d2a328..915c740 100644
+index 0954c63..85cde7f 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -324,6 +324,7 @@ install-files:
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index eceac3ccf..7f8cdb172 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From 1cbbbb90ae1a4f88f8090e1fdecee007b8d360f8 Mon Sep 17 00:00:00 2001
+From 3c79e49a4fbd8e4c84f6af6f1173563bda8b273b Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
@@ -19,7 +19,7 @@ Patch-Name: debian-banner.patch
 4 files changed, 18 insertions(+), 1 deletion(-)
 diff --git a/servconf.c b/servconf.c
-index ed3a88d..a778f44 100644
+index fad7c92..8ca9695 100644
 --- a/servconf.c
 +++ b/servconf.c
 @@ -171,6 +171,7 @@ initialize_server_options(ServerOptions *options)
@@ -30,16 +30,16 @@ index ed3a88d..a778f44 100644
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
-@@ -347,6 +348,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -359,6 +360,8 @@ fill_default_server_options(ServerOptions *options)
                options->fwd_opts.streamlocal_bind_unlink = 0;
        if (options->fingerprint_hash == -1)
                options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
 +       if (options->debian_banner == -1)
 +               options->debian_banner = 1;
 
-        if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 ||
+        assemble_algorithms(options);
-            kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
+ 
-@@ -430,6 +433,7 @@ typedef enum {
+@@ -437,6 +440,7 @@ typedef enum {
        sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
        sStreamLocalBindMask, sStreamLocalBindUnlink,
        sAllowStreamLocalForwarding, sFingerprintHash,
@@ -47,7 +47,7 @@ index ed3a88d..a778f44 100644
        sDeprecated, sUnsupported
 } ServerOpCodes;
 
-@@ -577,6 +581,7 @@ static struct {
+@@ -588,6 +592,7 @@ static struct {
        { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
        { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
        { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
@@ -55,7 +55,7 @@ index ed3a88d..a778f44 100644
        { NULL, sBadOption, 0 }
 };
 
-@@ -1867,6 +1872,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1874,6 +1879,10 @@ process_server_config_line(ServerOptions *options, char *line,
                        options->fingerprint_hash = value;
                break;
 
@@ -80,10 +80,10 @@ index 778ba17..161fa37 100644
 
 /* Information about the incoming connection as used by Match */
 diff --git a/sshd.c b/sshd.c
-index 189d34a..8d17521 100644
+index c762190..57ae4ad 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -443,7 +443,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
+@@ -442,7 +442,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
        }
 
        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -94,10 +94,10 @@ index 189d34a..8d17521 100644
            options.version_addendum, newline);
 
 diff --git a/sshd_config.5 b/sshd_config.5
-index c8ee35d..b149bd3 100644
+index bc79a66..b565640 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -533,6 +533,11 @@ or
+@@ -534,6 +534,11 @@ or
 .Dq no .
 The default is
 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 0a5e2cd39..24f1a77ec 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 003a875a474100d250b6643270ef3874da6591d8 Mon Sep 17 00:00:00 2001
+From 85e40e87a75fb80a0bf893ac05a417d6c353537d Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -32,10 +32,10 @@ Patch-Name: debian-config.patch
 6 files changed, 72 insertions(+), 4 deletions(-)
 diff --git a/readconf.c b/readconf.c
-index b9442fd..ee46ad6 100644
+index cc1a633..dc22360 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1749,7 +1749,7 @@ fill_default_options(Options * options)
+@@ -1797,7 +1797,7 @@ fill_default_options(Options * options)
        if (options->forward_x11 == -1)
                options->forward_x11 = 0;
        if (options->forward_x11_trusted == -1)
@@ -45,10 +45,10 @@ index b9442fd..ee46ad6 100644
                options->forward_x11_timeout = 1200;
        if (options->exit_on_forward_failure == -1)
 diff --git a/ssh.1 b/ssh.1
-index 05b7f10..649d6c3 100644
+index 74d9655..7fb9d30 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -755,6 +755,16 @@ directive in
+@@ -760,6 +760,16 @@ directive in
 .Xr ssh_config 5
 for more information.
 .Pp
@@ -65,7 +65,7 @@ index 05b7f10..649d6c3 100644
 .It Fl x
 Disables X11 forwarding.
 .Pp
-@@ -763,6 +773,17 @@ Enables trusted X11 forwarding.
+@@ -768,6 +778,17 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .Pp
@@ -84,7 +84,7 @@ index 05b7f10..649d6c3 100644
 Send log information using the
 .Xr syslog 3
 diff --git a/ssh_config b/ssh_config
-index 228e5ab..c9386aa 100644
+index 4e879cd..5190b06 100644
 --- a/ssh_config
 +++ b/ssh_config
 @@ -17,9 +17,10 @@
@@ -99,7 +99,7 @@ index 228e5ab..c9386aa 100644
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
-@@ -48,3 +49,7 @@
+@@ -50,3 +51,7 @@
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
@@ -108,7 +108,7 @@ index 228e5ab..c9386aa 100644
 +    GSSAPIAuthentication yes
 +    GSSAPIDelegateCredentials no
 diff --git a/ssh_config.5 b/ssh_config.5
-index d4928b8..81b9b74 100644
+index 0f52d14..51765c9 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
@@ -134,7 +134,7 @@ index d4928b8..81b9b74 100644
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
-@@ -721,7 +737,8 @@ token used for the session will be set to expire after 20 minutes.
+@@ -799,7 +815,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
@@ -145,10 +145,10 @@ index d4928b8..81b9b74 100644
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
 diff --git a/sshd_config b/sshd_config
-index 64786c9..d8338db 100644
+index f103298..d103ac5 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -125,7 +125,7 @@ UsePrivilegeSeparation sandbox              # Default for new installations.
+@@ -125,7 +125,7 @@ AuthorizedKeysFile  .ssh/authorized_keys
 #Banner none
 
 # override default of no subsystems
@@ -158,7 +158,7 @@ index 64786c9..d8338db 100644
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 diff --git a/sshd_config.5 b/sshd_config.5
-index 0828592..0be7250 100644
+index 4d255e5..2387b51 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 725d26e81..8b33364e4 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From 54d62ce82775d6a6f556cef7b1ff61412d2d0581 Mon Sep 17 00:00:00 2001
+From 094cc9bf1c7f873542a6c8dc25d0f8e61aa23318 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 646716fe5..2b203f5dc 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From 6f8b6ab94f4c4351e49598f08abc6da16fe29740 Mon Sep 17 00:00:00 2001
+From 3aede5a89ef203b53ef86435fe4af709a39379c2 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
 1 file changed, 3 insertions(+)
 diff --git a/ssh_config.5 b/ssh_config.5
-index 1e9c058..d4928b8 100644
+index ab8f271..0f52d14 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -809,6 +809,9 @@ Note that existing names and addresses in known hosts files
+@@ -883,6 +883,9 @@ Note that existing names and addresses in known hosts files
 will not be converted automatically,
 but may be manually hashed using
 .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index b7a072414..3266c4707 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
-From 17063f049ca0f00cb455eed0852405bc9abe6213 Mon Sep 17 00:00:00 2001
+From 2c7520d8d6245868704cf01dd572cce744663173 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:12 +0000
 Subject: Refer to ssh's Upstart job as well as its init script
@@ -12,7 +12,7 @@ Patch-Name: doc-upstart.patch
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/sshd.8 b/sshd.8
-index 42ba596..17b917c 100644
+index 58eefe9..4e75567 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -67,7 +67,10 @@ over an insecure network.
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index c3b601c76..ba2c684fd 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From a1913369b4abfcebec320706e561591c1ed8640c Mon Sep 17 00:00:00 2001
+From 5e5d8faea814efa9368ccec343580b6dcd440d5e Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 8bc83cace..aa9f25848 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 6a0a4b2f79889c9b0d5e2478a6ee5f51be38dcc9 Mon Sep 17 00:00:00 2001
+From 374db1757fc18bd6647539b80977e6907a2cecd4 Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -22,12 +22,12 @@ Last-Updated: 2016-01-04
 Patch-Name: gssapi.patch
 ---
 ChangeLog.gssapi | 113 +++++++++++++++++++
- Makefile.in      |   5 +-
+ Makefile.in      |   3 +-
 auth-krb5.c      |  17 ++-
 auth.c           |   3 +-
 auth2-gss.c      |  48 +++++++-
 auth2.c          |   2 +
- clientloop.c     |  13 +++
+ clientloop.c     |  15 ++-
 config.h.in      |   6 +
 configure.ac     |  24 ++++
 gss-genr.c       | 275 ++++++++++++++++++++++++++++++++++++++++++++-
@@ -47,14 +47,14 @@ Patch-Name: gssapi.patch
 servconf.h       |   2 +
 ssh-gss.h        |  41 ++++++-
 ssh_config       |   2 +
- ssh_config.5     |  36 +++++-
+ ssh_config.5     |  32 ++++++
 sshconnect2.c    | 120 +++++++++++++++++++-
 sshd.c           | 110 ++++++++++++++++++
 sshd_config      |   2 +
- sshd_config.5    |  11 ++
+ sshd_config.5    |  10 ++
 sshkey.c         |   3 +-
 sshkey.h         |   1 +
- 33 files changed, 1955 insertions(+), 47 deletions(-)
+ 33 files changed, 1951 insertions(+), 46 deletions(-)
 create mode 100644 ChangeLog.gssapi
 create mode 100644 kexgssc.c
 create mode 100644 kexgsss.c
@@ -179,19 +179,17 @@ index 0000000..f117a33
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <gssapi-with-mic support is Bugzilla #1008>
 diff --git a/Makefile.in b/Makefile.in
-index 40cc7aa..3d2a328 100644
+index d401787..0954c63 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -91,7 +91,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+@@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
-        sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
        kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
        kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
-       kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o
+        kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
-+       kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
+       kexgssc.o \
-+       kexgssc.o
+        platform-pledge.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
-        sshconnect.o sshconnect1.o sshconnect2.o mux.o \
 @@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
        auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
        auth2-none.o auth2-passwd.o auth2-pubkey.o \
@@ -200,9 +198,9 @@ index 40cc7aa..3d2a328 100644
 +       auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
        loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
        sftp-server.o sftp-common.o \
-        roaming_common.o roaming_serv.o \
+        sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
 diff --git a/auth-krb5.c b/auth-krb5.c
-index 0089b18..ec47869 100644
+index d1c5a2f..f019fb1 100644
 --- a/auth-krb5.c
 +++ b/auth-krb5.c
 @@ -183,8 +183,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
@@ -374,10 +372,10 @@ index 7177962..3f49bdc 100644
 #endif
        &method_passwd,
 diff --git a/clientloop.c b/clientloop.c
-index 87ceb3d..fba1b54 100644
+index 9820455..1567e4a 100644
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -115,6 +115,10 @@
+@@ -114,6 +114,10 @@
 #include "ssherr.h"
 #include "hostfile.h"
 
@@ -388,11 +386,14 @@ index 87ceb3d..fba1b54 100644
 /* import options */
 extern Options options;
 
-@@ -1610,6 +1614,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
+@@ -1662,9 +1666,18 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
+                        break;
+ 
                /* Do channel operations unless rekeying in progress. */
-                if (!rekeying) {
+-               if (!ssh_packet_is_rekeying(active_state))
+               if (!ssh_packet_is_rekeying(active_state)) {
                        channel_after_select(readset, writeset);
-+
+ 
 +#ifdef GSSAPI
 +                       if (options.gss_renewal_rekey &&
 +                           ssh_gssapi_credentials_updated(NULL)) {
@@ -400,15 +401,16 @@ index 87ceb3d..fba1b54 100644
 +                               need_rekeying = 1;
 +                       }
 +#endif
+               }
 +
-                        if (need_rekeying || packet_need_rekeying()) {
+                /* Buffer input from the connection.  */
-                                debug("need rekeying");
+                client_process_net_input(readset);
-                                active_state->kex->done = 0;
+ 
 diff --git a/config.h.in b/config.h.in
-index 7500df5..97accd8 100644
+index 89bf1b0..621c139 100644
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1623,6 +1623,9 @@
+@@ -1641,6 +1641,9 @@
 /* Use btmp to log bad logins */
 #undef USE_BTMP
 
@@ -418,21 +420,21 @@ index 7500df5..97accd8 100644
 /* Use libedit for sftp */
 #undef USE_LIBEDIT
 
-@@ -1638,6 +1641,9 @@
+@@ -1656,6 +1659,9 @@
 /* Use PIPES instead of a socketpair() */
 #undef USE_PIPES
 
 +/* platform has the Security Authorization Session API */
 +#undef USE_SECURITY_SESSION_API
 +
- /* Define if you have Solaris process contracts */
+ /* Define if you have Solaris privileges */
- #undef USE_SOLARIS_PROCESS_CONTRACTS
+ #undef USE_SOLARIS_PRIVS
 
 diff --git a/configure.ac b/configure.ac
-index 9b05c30..7a25603 100644
+index 7258cc0..5f1ff74 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+@@ -632,6 +632,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
            [Use tunnel device compatibility to OpenBSD])
        AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
            [Prepend the address family to IP tunnel traffic])
@@ -1212,10 +1214,10 @@ index 53993d6..2f6baf7 100644
 
 #endif
 diff --git a/kex.c b/kex.c
-index b777b7d..390bb69 100644
+index d371f47..913e923 100644
 --- a/kex.c
 +++ b/kex.c
-@@ -55,6 +55,10 @@
+@@ -54,6 +54,10 @@
 #include "sshbuf.h"
 #include "digest.h"
 
@@ -1226,7 +1228,7 @@ index b777b7d..390bb69 100644
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 # if defined(HAVE_EVP_SHA256)
 # define evp_ssh_sha256 EVP_sha256
-@@ -97,6 +101,14 @@ static const struct kexalg kexalgs[] = {
+@@ -109,6 +113,14 @@ static const struct kexalg kexalgs[] = {
 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
        { NULL, -1, -1, -1},
 };
@@ -1241,7 +1243,7 @@ index b777b7d..390bb69 100644
 
 char *
 kex_alg_list(char sep)
-@@ -129,6 +141,10 @@ kex_alg_by_name(const char *name)
+@@ -141,6 +153,10 @@ kex_alg_by_name(const char *name)
                if (strcmp(k->name, name) == 0)
                        return k;
        }
@@ -1253,10 +1255,10 @@ index b777b7d..390bb69 100644
 }
 
 diff --git a/kex.h b/kex.h
-index d71b532..ee46815 100644
+index 1c58966..123ef83 100644
 --- a/kex.h
 +++ b/kex.h
-@@ -93,6 +93,9 @@ enum kex_exchange {
+@@ -92,6 +92,9 @@ enum kex_exchange {
        KEX_DH_GEX_SHA256,
        KEX_ECDH_SHA2,
        KEX_C25519_SHA256,
@@ -1266,7 +1268,7 @@ index d71b532..ee46815 100644
        KEX_MAX
 };
 
-@@ -139,6 +142,12 @@ struct kex {
+@@ -140,6 +143,12 @@ struct kex {
        u_int   flags;
        int     hash_alg;
        int     ec_nid;
@@ -1279,7 +1281,7 @@ index d71b532..ee46815 100644
        char    *client_version_string;
        char    *server_version_string;
        char    *failed_choice;
-@@ -187,6 +196,11 @@ int         kexecdh_server(struct ssh *);
+@@ -190,6 +199,11 @@ int         kexecdh_server(struct ssh *);
 int     kexc25519_client(struct ssh *);
 int     kexc25519_server(struct ssh *);
 
@@ -1935,10 +1937,10 @@ index 0000000..0847469
 +}
 +#endif /* GSSAPI */
 diff --git a/monitor.c b/monitor.c
-index a914209..2658aaa 100644
+index ac7dd30..6c82023 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
+@@ -156,6 +156,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
 int mm_answer_gss_checkmic(int, Buffer *);
@@ -1947,7 +1949,7 @@ index a914209..2658aaa 100644
 #endif
 
 #ifdef SSH_AUDIT_EVENTS
-@@ -234,11 +236,18 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -233,11 +235,18 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
     {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
     {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -1966,7 +1968,7 @@ index a914209..2658aaa 100644
 #ifdef WITH_OPENSSL
     {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
 #endif
-@@ -353,6 +362,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+@@ -352,6 +361,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                /* Permit requests for moduli and signatures */
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -1977,7 +1979,7 @@ index a914209..2658aaa 100644
        } else {
                mon_dispatch = mon_dispatch_proto15;
 
-@@ -461,6 +474,10 @@ monitor_child_postauth(struct monitor *pmonitor)
+@@ -460,6 +473,10 @@ monitor_child_postauth(struct monitor *pmonitor)
                monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1988,7 +1990,7 @@ index a914209..2658aaa 100644
        } else {
                mon_dispatch = mon_dispatch_postauth15;
                monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1864,6 +1881,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
+@@ -1861,6 +1878,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
 # endif
 #endif /* WITH_OPENSSL */
                kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2002,7 +2004,7 @@ index a914209..2658aaa 100644
                kex->load_host_public_key=&get_hostkey_public_by_type;
                kex->load_host_private_key=&get_hostkey_private_by_type;
                kex->host_key_index=&get_hostkey_index;
-@@ -1963,6 +1987,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
+@@ -1960,6 +1984,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
        OM_uint32 major;
        u_int len;
 
@@ -2012,7 +2014,7 @@ index a914209..2658aaa 100644
        goid.elements = buffer_get_string(m, &len);
        goid.length = len;
 
-@@ -1990,6 +2017,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -1987,6 +2014,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
        OM_uint32 flags = 0; /* GSI needs this */
        u_int len;
 
@@ -2022,7 +2024,7 @@ index a914209..2658aaa 100644
        in.value = buffer_get_string(m, &len);
        in.length = len;
        major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2007,6 +2037,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -2004,6 +2034,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2030,7 +2032,7 @@ index a914209..2658aaa 100644
        }
        return (0);
 }
-@@ -2018,6 +2049,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
+@@ -2015,6 +2046,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
        OM_uint32 ret;
        u_int len;
 
@@ -2040,7 +2042,7 @@ index a914209..2658aaa 100644
        gssbuf.value = buffer_get_string(m, &len);
        gssbuf.length = len;
        mic.value = buffer_get_string(m, &len);
-@@ -2044,7 +2078,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2041,7 +2075,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
 {
        int authenticated;
 
@@ -2053,7 +2055,7 @@ index a914209..2658aaa 100644
 
        buffer_clear(m);
        buffer_put_int(m, authenticated);
-@@ -2057,5 +2095,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2054,5 +2092,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
@@ -2142,7 +2144,7 @@ index 93b8b66..bc50ade 100644
 
 struct mm_master;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index eac421b..81ceddb 100644
+index c5db6df..74fbd2e 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
 @@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
@@ -2206,7 +2208,7 @@ index eac421b..81ceddb 100644
 #endif /* GSSAPI */
 
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index de4a08f..9758290 100644
+index eb820ae..403f8d0 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
 @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
@@ -2222,10 +2224,10 @@ index de4a08f..9758290 100644
 
 #ifdef USE_PAM
 diff --git a/readconf.c b/readconf.c
-index cd01482..56e0f44 100644
+index 69d4553..d2a3d4b 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -147,6 +147,8 @@ typedef enum {
+@@ -148,6 +148,8 @@ typedef enum {
        oClearAllForwardings, oNoHostAuthenticationForLocalhost,
        oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
        oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2234,7 +2236,7 @@ index cd01482..56e0f44 100644
        oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
        oSendEnv, oControlPath, oControlMaster, oControlPersist,
        oHashKnownHosts,
-@@ -192,10 +194,19 @@ static struct {
+@@ -193,10 +195,19 @@ static struct {
        { "afstokenpassing", oUnsupported },
 #if defined(GSSAPI)
        { "gssapiauthentication", oGssAuthentication },
@@ -2254,7 +2256,7 @@ index cd01482..56e0f44 100644
 #endif
        { "fallbacktorsh", oDeprecated },
        { "usersh", oDeprecated },
-@@ -894,10 +905,30 @@ parse_time:
+@@ -926,10 +937,30 @@ parse_time:
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2285,7 +2287,7 @@ index cd01482..56e0f44 100644
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
-@@ -1601,7 +1632,12 @@ initialize_options(Options * options)
+@@ -1648,7 +1679,12 @@ initialize_options(Options * options)
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
@@ -2298,7 +2300,7 @@ index cd01482..56e0f44 100644
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
-@@ -1729,8 +1765,14 @@ fill_default_options(Options * options)
+@@ -1777,8 +1813,14 @@ fill_default_options(Options * options)
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2314,7 +2316,7 @@ index cd01482..56e0f44 100644
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
 diff --git a/readconf.h b/readconf.h
-index bb2d552..e7e80c3 100644
+index c84d068..37a0555 100644
 --- a/readconf.h
 +++ b/readconf.h
 @@ -45,7 +45,12 @@ typedef struct {
@@ -2331,7 +2333,7 @@ index bb2d552..e7e80c3 100644
                                                 * authentication. */
        int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 diff --git a/servconf.c b/servconf.c
-index 6c7a91e..cfe7029 100644
+index b19d30e..b8af6dd 100644
 --- a/servconf.c
 +++ b/servconf.c
 @@ -117,8 +117,10 @@ initialize_server_options(ServerOptions *options)
@@ -2345,7 +2347,7 @@ index 6c7a91e..cfe7029 100644
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
-@@ -275,10 +277,14 @@ fill_default_server_options(ServerOptions *options)
+@@ -287,10 +289,14 @@ fill_default_server_options(ServerOptions *options)
                options->kerberos_get_afs_token = 0;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -2361,7 +2363,7 @@ index 6c7a91e..cfe7029 100644
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
-@@ -412,6 +418,7 @@ typedef enum {
+@@ -419,6 +425,7 @@ typedef enum {
        sHostKeyAlgorithms,
        sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
        sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -2369,7 +2371,7 @@ index 6c7a91e..cfe7029 100644
        sAcceptEnv, sPermitTunnel,
        sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
        sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -485,12 +492,20 @@ static struct {
+@@ -492,12 +499,20 @@ static struct {
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2390,7 +2392,7 @@ index 6c7a91e..cfe7029 100644
        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1231,6 +1246,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1242,6 +1257,10 @@ process_server_config_line(ServerOptions *options, char *line,
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -2401,7 +2403,7 @@ index 6c7a91e..cfe7029 100644
        case sGssCleanupCreds:
                intptr = &options->gss_cleanup_creds;
                goto parse_flag;
-@@ -1239,6 +1258,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1250,6 +1269,10 @@ process_server_config_line(ServerOptions *options, char *line,
                intptr = &options->gss_strict_acceptor;
                goto parse_flag;
 
@@ -2412,7 +2414,7 @@ index 6c7a91e..cfe7029 100644
        case sPasswordAuthentication:
                intptr = &options->password_authentication;
                goto parse_flag;
-@@ -2246,7 +2269,10 @@ dump_config(ServerOptions *o)
+@@ -2265,7 +2288,10 @@ dump_config(ServerOptions *o)
 #endif
 #ifdef GSSAPI
        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2542,7 +2544,7 @@ index a99d7f0..914701b 100644
 
 #endif /* _SSH_GSS_H */
 diff --git a/ssh_config b/ssh_config
-index 03a228f..228e5ab 100644
+index 90fb63f..4e879cd 100644
 --- a/ssh_config
 +++ b/ssh_config
 @@ -26,6 +26,8 @@
@@ -2555,19 +2557,18 @@ index 03a228f..228e5ab 100644
 #   CheckHostIP yes
 #   AddressFamily any
 diff --git a/ssh_config.5 b/ssh_config.5
-index a47f3ca..cac8cda 100644
+index caf13a6..9060d5b 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -749,11 +749,45 @@ Specifies whether user authentication based on GSSAPI is allowed.
+@@ -826,10 +826,42 @@ The default is
+ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
- Note that this option applies to protocol version 2 only.
 +.It Cm GSSAPIKeyExchange
 +Specifies whether key exchange based on GSSAPI may be used. When using
 +GSSAPI key exchange the server need not have a host key.
 +The default is
 +.Dq no .
-+Note that this option applies to protocol version 2 only.
 +.It Cm GSSAPIClientIdentity
 +If set, specifies the GSSAPI client identity that ssh should use when 
 +connecting to the server. The default is unset, which means that the default 
@@ -2581,8 +2582,6 @@ index a47f3ca..cac8cda 100644
 Forward (delegate) credentials to the server.
 The default is
 .Dq no .
-Note that this option applies to protocol version 2 only.
-+Note that this option applies to protocol version 2 connections using GSSAPI.
 +.It Cm GSSAPIRenewalForcesRekey
 +If set to 
 +.Dq yes
@@ -2601,15 +2600,14 @@ index a47f3ca..cac8cda 100644
 +command line will be passed untouched to the GSSAPI library.
 +The default is
 +.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
 .It Cm HashKnownHosts
 Indicates that
 .Xr ssh 1
 diff --git a/sshconnect2.c b/sshconnect2.c
-index 7751031..32e9b0d 100644
+index f79c96b..b452eae 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -160,6 +160,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -161,6 +161,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
        struct kex *kex;
        int r;
 
@@ -2621,7 +2619,7 @@ index 7751031..32e9b0d 100644
        xxx_host = host;
        xxx_hostaddr = hostaddr;
 
-@@ -193,6 +198,33 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -195,6 +200,33 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
                    order_hostkeyalgs(host, hostaddr, port));
        }
 
@@ -2655,7 +2653,7 @@ index 7751031..32e9b0d 100644
        if (options.rekey_limit || options.rekey_interval)
                packet_set_rekey_limits((u_int32_t)options.rekey_limit,
                    (time_t)options.rekey_interval);
-@@ -211,10 +243,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -213,10 +245,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 # endif
 #endif
        kex->kex[KEX_C25519_SHA256] = kexc25519_client;
@@ -2685,8 +2683,8 @@ index 7751031..32e9b0d 100644
 +
        dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
 
-        if (options.use_roaming && !kex->roaming) {
+        /* remove ext-info from the KEX proposals for rekeying */
-@@ -306,6 +358,7 @@ int input_gssapi_token(int type, u_int32_t, void *);
+@@ -311,6 +363,7 @@ int input_gssapi_token(int type, u_int32_t, void *);
 int    input_gssapi_hash(int type, u_int32_t, void *);
 int    input_gssapi_error(int, u_int32_t, void *);
 int    input_gssapi_errtok(int, u_int32_t, void *);
@@ -2694,7 +2692,7 @@ index 7751031..32e9b0d 100644
 #endif
 
 void   userauth(Authctxt *, char *);
-@@ -321,6 +374,11 @@ static char *authmethods_get(void);
+@@ -326,6 +379,11 @@ static char *authmethods_get(void);
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
@@ -2706,7 +2704,7 @@ index 7751031..32e9b0d 100644
        {"gssapi-with-mic",
                userauth_gssapi,
                NULL,
-@@ -627,19 +685,31 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -656,19 +714,31 @@ userauth_gssapi(Authctxt *authctxt)
        static u_int mech = 0;
        OM_uint32 min;
        int ok = 0;
@@ -2740,7 +2738,7 @@ index 7751031..32e9b0d 100644
                        ok = 1; /* Mechanism works */
                } else {
                        mech++;
-@@ -736,8 +806,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
+@@ -765,8 +835,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 {
        Authctxt *authctxt = ctxt;
        Gssctxt *gssctxt;
@@ -2751,7 +2749,7 @@ index 7751031..32e9b0d 100644
 
        if (authctxt == NULL)
                fatal("input_gssapi_response: no authentication context");
-@@ -850,6 +920,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
+@@ -879,6 +949,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
        free(lang);
        return 0;
 }
@@ -2801,10 +2799,10 @@ index 7751031..32e9b0d 100644
 
 int
 diff --git a/sshd.c b/sshd.c
-index 43d4650..d659a68 100644
+index 430569c..5cd9129 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -126,6 +126,10 @@
+@@ -125,6 +125,10 @@
 #include "version.h"
 #include "ssherr.h"
 
@@ -2890,7 +2888,7 @@ index 43d4650..d659a68 100644
        /*
         * We don't want to listen forever unless the other side
         * successfully authenticates itself.  So we set up an alarm which is
-@@ -2569,6 +2630,48 @@ do_ssh2_kex(void)
+@@ -2571,6 +2632,48 @@ do_ssh2_kex(void)
        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
            list_hostkey_types());
 
@@ -2939,7 +2937,7 @@ index 43d4650..d659a68 100644
        /* start key exchange */
        if ((r = kex_setup(active_state, myproposal)) != 0)
                fatal("kex_setup: %s", ssh_err(r));
-@@ -2583,6 +2686,13 @@ do_ssh2_kex(void)
+@@ -2585,6 +2688,13 @@ do_ssh2_kex(void)
 # endif
 #endif
        kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2954,7 +2952,7 @@ index 43d4650..d659a68 100644
        kex->client_version_string=client_version_string;
        kex->server_version_string=server_version_string;
 diff --git a/sshd_config b/sshd_config
-index 4d77f05..64786c9 100644
+index a848d73..f103298 100644
 --- a/sshd_config
 +++ b/sshd_config
 @@ -84,6 +84,8 @@ AuthorizedKeysFile    .ssh/authorized_keys
@@ -2967,23 +2965,22 @@ index 4d77f05..64786c9 100644
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 diff --git a/sshd_config.5 b/sshd_config.5
-index b18d340..5491c89 100644
+index a37a3ac..c6d6858 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -621,6 +621,12 @@ Specifies whether user authentication based on GSSAPI is allowed.
+@@ -623,6 +623,11 @@ The default is
+ Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Dq no .
- Note that this option applies to protocol version 2 only.
 +.It Cm GSSAPIKeyExchange
 +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
 +doesn't rely on ssh keys to verify host identity.
 +The default is
 +.Dq no .
-+Note that this option applies to protocol version 2 only.
 .It Cm GSSAPICleanupCredentials
 Specifies whether to automatically destroy the user's credentials cache
 on logout.
-@@ -642,6 +648,11 @@ machine's default store.
+@@ -643,6 +648,11 @@ machine's default store.
 This facility is provided to assist with operation on multi homed machines.
 The default is
 .Dq yes .
@@ -2996,28 +2993,28 @@ index b18d340..5491c89 100644
 Specifies the key types that will be accepted for hostbased authentication
 as a comma-separated pattern list.
 diff --git a/sshkey.c b/sshkey.c
-index 32dd8f2..5368e7c 100644
+index 87b093e..e595b11 100644
 --- a/sshkey.c
 +++ b/sshkey.c
-@@ -112,6 +112,7 @@ static const struct keytype keytypes[] = {
+@@ -115,6 +115,7 @@ static const struct keytype keytypes[] = {
 #  endif /* OPENSSL_HAS_NISTP521 */
 # endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
-+       { "null", "null", KEY_NULL, 0, 0 },
+       { "null", "null", KEY_NULL, 0, 0, 0 },
-        { NULL, NULL, -1, -1, 0 }
+        { NULL, NULL, -1, -1, 0, 0 }
 };
 
-@@ -200,7 +201,7 @@ key_alg_list(int certs_only, int plain_only)
+@@ -203,7 +204,7 @@ key_alg_list(int certs_only, int plain_only)
        const struct keytype *kt;
 
        for (kt = keytypes; kt->type != -1; kt++) {
-               if (kt->name == NULL)
+-               if (kt->name == NULL || kt->sigonly)
-+               if (kt->name == NULL || kt->type == KEY_NULL)
+               if (kt->name == NULL || kt->sigonly || kt->type == KEY_NULL)
                        continue;
                if ((certs_only && !kt->cert) || (plain_only && kt->cert))
                        continue;
 diff --git a/sshkey.h b/sshkey.h
-index c8d3cdd..5cf4e5d 100644
+index a20a14f..2259cbb 100644
 --- a/sshkey.h
 +++ b/sshkey.h
 @@ -62,6 +62,7 @@ enum sshkey_types {
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index a19fe6c6d..935235b27 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
-From 0a3d1df1344642161b1ee001a3885a1ee8ebc03b Mon Sep 17 00:00:00 2001
+From 5c2c0e042d57cee75528686f47b4c47db434ad8b Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:09:56 +0000
 Subject: Mention ~& when waiting for forwarded connections to terminate
@@ -12,10 +12,10 @@ Patch-Name: helpful-wait-terminate.patch
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/serverloop.c b/serverloop.c
-index 306ac36..68f0251 100644
+index 80d1db5..830f885 100644
 --- a/serverloop.c
 +++ b/serverloop.c
-@@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
+@@ -683,7 +683,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
                        if (!channel_still_open())
                                break;
                        if (!waiting_termination) {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 9b5d38271..de0f73c59 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From ea47a6eba9fce31a1b4cd909b7ba19541c9d9c9b Mon Sep 17 00:00:00 2001
+From a9c7a3f8b035fe820fd32283460b1a28e696d2fe Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
@@ -26,10 +26,10 @@ Patch-Name: keepalive-extensions.patch
 3 files changed, 34 insertions(+), 4 deletions(-)
 diff --git a/readconf.c b/readconf.c
-index 831072f..83582e3 100644
+index 559e4c7..fde6b41 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -160,6 +160,7 @@ typedef enum {
+@@ -161,6 +161,7 @@ typedef enum {
        oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
        oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
        oPubkeyAcceptedKeyTypes,
@@ -37,7 +37,7 @@ index 831072f..83582e3 100644
        oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
-@@ -290,6 +291,8 @@ static struct {
+@@ -293,6 +294,8 @@ static struct {
        { "hostbasedkeytypes", oHostbasedKeyTypes },
        { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
        { "ignoreunknown", oIgnoreUnknown },
@@ -46,7 +46,7 @@ index 831072f..83582e3 100644
 
        { NULL, oBadOption }
 };
-@@ -1304,6 +1307,8 @@ parse_keytypes:
+@@ -1350,6 +1353,8 @@ parse_keytypes:
                goto parse_flag;
 
        case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 831072f..83582e3 100644
                intptr = &options->server_alive_interval;
                goto parse_time;
 
-@@ -1856,8 +1861,13 @@ fill_default_options(Options * options)
+@@ -1906,8 +1911,13 @@ fill_default_options(Options * options)
                options->rekey_interval = 0;
        if (options->verify_host_key_dns == -1)
                options->verify_host_key_dns = 0;
@@ -72,10 +72,10 @@ index 831072f..83582e3 100644
                options->server_alive_count_max = 3;
        if (options->control_master == -1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index cac8cda..78e918a 100644
+index 9060d5b..bbf638b 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -233,8 +233,12 @@ Valid arguments are
+@@ -268,8 +268,12 @@ The default is
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
@@ -89,7 +89,7 @@ index cac8cda..78e918a 100644
 The argument must be
 .Dq yes
 or
-@@ -1476,8 +1480,15 @@ from the server,
+@@ -1551,7 +1555,14 @@ from the server,
 will send a message through the encrypted
 channel to request a response from the server.
 The default
@@ -98,7 +98,6 @@ index cac8cda..78e918a 100644
 +or 300 if the
 +.Cm BatchMode
 +option is set.
- This option applies to protocol version 2 only.
 +.Cm ProtocolKeepAlives
 +and
 +.Cm SetupTimeOut
@@ -106,7 +105,7 @@ index cac8cda..78e918a 100644
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask
-@@ -1543,6 +1554,12 @@ Specifies whether the system should send TCP keepalive messages to the
+@@ -1617,6 +1628,12 @@ Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
@@ -120,10 +119,10 @@ index cac8cda..78e918a 100644
 connections will die if the route is down temporarily, and some people
 find it annoying.
 diff --git a/sshd_config.5 b/sshd_config.5
-index 5491c89..c8ee35d 100644
+index c6d6858..bc79a66 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1510,6 +1510,9 @@ This avoids infinitely hanging sessions.
+@@ -1518,6 +1518,9 @@ This avoids infinitely hanging sessions.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
deleted file mode 100644
index a2a440fae..000000000
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From c685ea67334abf73c014aa6ab9f833e9d28fdab8 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@debian.org>
-Date: Sun, 9 Feb 2014 16:10:08 +0000
-Subject: Fix picky lintian errors about slogin symlinks
-Apparently this breaks some SVR4 packaging systems, so upstream can't win
-either way and opted to keep the status quo.  We need this patch anyway.
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728
-Last-Update: 2013-09-14
-Patch-Name: lintian-symlink-pickiness.patch
---
- Makefile.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/Makefile.in b/Makefile.in
-index 915c740..e161d0e 100644
--- a/Makefile.in
-+++ b/Makefile.in
-@@ -330,9 +330,9 @@ install-files:
-        $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-        $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-        -rm -f $(DESTDIR)$(bindir)/slogin
-       ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-+       ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-       ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-+       ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
- 
- install-sysconf:
-        if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index a9c4cb7fc..7e6ad3996 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From 89f2729da6734f2d5e3a31d2a75e817750f6cd95 Mon Sep 17 00:00:00 2001
+From cbec84cf05e5dbd6d8a739a7d01e1d242a006d20 Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -13,10 +13,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
 1 file changed, 7 insertions(+), 1 deletion(-)
 diff --git a/sshconnect.c b/sshconnect.c
-index cd467fd..bbde8af 100644
+index 8b8e760..fd67727 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -1078,9 +1078,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -1081,9 +1081,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                        error("%s. This could either mean that", key_msg);
                        error("DNS SPOOFING is happening or the IP address for the host");
                        error("and its host key have changed at the same time.");
@@ -31,7 +31,7 @@ index cd467fd..bbde8af 100644
                }
                /* The host key has changed. */
                warn_changed_key(host_key);
-@@ -1088,6 +1092,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -1091,6 +1095,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                    user_hostfiles[0]);
                error("Offending %s key in %s:%lu", key_type(host_found->key),
                    host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index 194100f56..42463eed7 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From dcc3ce03144d1560d878db8290c9f19dc0511f6f Mon Sep 17 00:00:00 2001
+From c2f77b15d182a5399d4548a57a471d6be7b25a87 Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <kurt@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 9b1c38bfc..abeaad7a5 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From eb8141e6ac12c0714e0951598fe44634327bfde7 Mon Sep 17 00:00:00 2001
+From 5a19d59c0b76162929545ad1bc92e7de69ce9a7b Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,10 +44,10 @@ index ef0de08..149846c 100644
 .Sh SEE ALSO
 .Xr ssh-keygen 1 ,
 diff --git a/ssh-keygen.1 b/ssh-keygen.1
-index ed17a08..c560179 100644
+index 37a4fc2..24bed5f 100644
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -174,9 +174,7 @@ key in
+@@ -178,9 +178,7 @@ key in
 .Pa ~/.ssh/id_ed25519
 or
 .Pa ~/.ssh/id_rsa .
@@ -58,7 +58,7 @@ index ed17a08..c560179 100644
 .Pp
 Normally this program generates the key and asks for a file in which
 to store the private key.
-@@ -223,9 +221,7 @@ For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
+@@ -227,9 +225,7 @@ For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
 for which host keys
 do not exist, generate the host keys with the default key file path,
 an empty passphrase, default bits for the key type, and default comment.
@@ -69,7 +69,7 @@ index ed17a08..c560179 100644
 .It Fl a Ar rounds
 When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
 2 key when the
-@@ -638,7 +634,7 @@ option.
+@@ -642,7 +638,7 @@ option.
 Valid generator values are 2, 3, and 5.
 .Pp
 Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index ed17a08..c560179 100644
 It is important that this file contains moduli of a range of bit lengths and
 that both ends of a connection share common moduli.
 .Sh CERTIFICATES
-@@ -837,7 +833,7 @@ on all machines
+@@ -841,7 +837,7 @@ on all machines
 where the user wishes to log in using public key authentication.
 There is no need to keep the contents of this file secret.
 .Pp
@@ -88,11 +88,11 @@ index ed17a08..c560179 100644
 The file format is described in
 .Xr moduli 5 .
 diff --git a/ssh.1 b/ssh.1
-index ff80022..4fba77f 100644
+index feb0e89..41e0aab 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -853,6 +853,10 @@ Protocol 1 is restricted to using only RSA keys,
+@@ -852,6 +852,10 @@ implements public key authentication protocol automatically,
- but protocol 2 may use any.
+ using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
 The HISTORY section of
 .Xr ssl 8
 +(on non-OpenBSD systems, see
@@ -103,7 +103,7 @@ index ff80022..4fba77f 100644
 .Pp
 The file
 diff --git a/sshd.8 b/sshd.8
-index 2105979..42ba596 100644
+index 589841f..58eefe9 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -67,7 +67,7 @@ over an insecure network.
@@ -115,16 +115,16 @@ index 2105979..42ba596 100644
 It forks a new
 daemon for each incoming connection.
 The forked daemons handle
-@@ -861,7 +861,7 @@ This file is for host-based authentication (see
+@@ -891,7 +891,7 @@ This file is for host-based authentication (see
 .Xr ssh 1 ) .
 It should only be writable by root.
 .Pp
 -.It Pa /etc/moduli
 +.It Pa /etc/ssh/moduli
- Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
+ Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
+ key exchange method.
 The file format is described in
- .Xr moduli 5 .
+@@ -993,7 +993,6 @@ The content of this file is not sensitive; it can be world-readable.
-@@ -960,7 +960,6 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
 .Xr hosts_access 5 ,
@@ -133,10 +133,10 @@ index 2105979..42ba596 100644
 .Xr sshd_config 5 ,
 .Xr inetd 8 ,
 diff --git a/sshd_config.5 b/sshd_config.5
-index b149bd3..0828592 100644
+index b565640..4d255e5 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -374,8 +374,7 @@ This option is only available for protocol version 2.
+@@ -375,8 +375,7 @@ then no banner is displayed.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index fb7724f58..b41c066e3 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From 3e38e90de2e2ead094624f4f140568574c40cae6 Mon Sep 17 00:00:00 2001
+From f7587633dc374db82455fe7a3fa921de5c4a897b Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
@@ -19,10 +19,10 @@ Patch-Name: package-versioning.patch
 3 files changed, 9 insertions(+), 4 deletions(-)
 diff --git a/sshconnect.c b/sshconnect.c
-index bbde8af..0ec1e54 100644
+index fd67727..07dfc9d 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -524,10 +524,10 @@ send_client_banner(int connection_out, int minor1)
+@@ -527,10 +527,10 @@ send_client_banner(int connection_out, int minor1)
        /* Send our own protocol version identification. */
        if (compat20) {
                xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -33,13 +33,13 @@ index bbde8af..0ec1e54 100644
 -                   PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
 +                   PROTOCOL_MAJOR_1, minor1, SSH_RELEASE);
        }
-        if (roaming_atomicio(vwrite, connection_out, client_version_string,
+        if (atomicio(vwrite, connection_out, client_version_string,
            strlen(client_version_string)) != strlen(client_version_string))
 diff --git a/sshd.c b/sshd.c
-index 1b49b26..189d34a 100644
+index bb093cc..c762190 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -443,7 +443,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
+@@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
        }
 
        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -49,13 +49,13 @@ index 1b49b26..189d34a 100644
            options.version_addendum, newline);
 
 diff --git a/version.h b/version.h
-index 41e1ea9..2969570 100644
+index 4189982..236dd87 100644
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_7.1"
+ #define SSH_VERSION    "OpenSSH_7.2"
 
- #define SSH_PORTABLE   "p2"
+ #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
 +#define SSH_RELEASE_MINIMUM    SSH_VERSION SSH_PORTABLE
 +#ifdef SSH_EXTRAVERSION
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 0dc3f1c32..51d5c09d0 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
-From 72aec10a082f61d9a601b03ec57e0053e03397dd Mon Sep 17 00:00:00 2001
+From 754544297b321ab1ce1923e6aa9987bb82dd4fc5 Mon Sep 17 00:00:00 2001
 From: Peter Samuelson <peter@p12n.org>
 Date: Sun, 9 Feb 2014 16:09:55 +0000
 Subject: Reduce severity of "Killed by signal %d"
@@ -22,10 +22,10 @@ Patch-Name: quieter-signals.patch
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/clientloop.c b/clientloop.c
-index fba1b54..5653cc4 100644
+index 1567e4a..3b6cacb 100644
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -1716,8 +1716,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
+@@ -1753,8 +1753,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
                exit_status = 0;
        }
 
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 13090ff06..47ccdda3c 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From f1fe58341ea22a6f07e5e1de79aa0385c0ee0c6a Mon Sep 17 00:00:00 2001
+From 9496f70a8203592158275489519996476b2356af Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 7 Oct 2014 13:22:41 +0100
 Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
 3 files changed, 89 insertions(+)
 diff --git a/configure.ac b/configure.ac
-index 7a25603..128889a 100644
+index 5f1ff74..5d720f7 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
+@@ -1481,6 +1481,62 @@ AC_ARG_WITH([skey],
        ]
 )
 
@@ -94,7 +94,7 @@ index 7a25603..128889a 100644
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
-@@ -4953,6 +5009,7 @@ echo "                 KerberosV support: $KRB5_MSG"
+@@ -5003,6 +5059,7 @@ echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
@@ -103,10 +103,10 @@ index 7a25603..128889a 100644
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 diff --git a/sshd.8 b/sshd.8
-index 213b5fc..2105979 100644
+index 6c521f2..589841f 100644
 --- a/sshd.8
 +++ b/sshd.8
-@@ -850,6 +850,12 @@ the user's home directory becomes accessible.
+@@ -880,6 +880,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
@@ -119,7 +119,7 @@ index 213b5fc..2105979 100644
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
-@@ -953,6 +959,7 @@ The content of this file is not sensitive; it can be world-readable.
+@@ -986,6 +992,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
@@ -128,10 +128,10 @@ index 213b5fc..2105979 100644
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
 diff --git a/sshd.c b/sshd.c
-index d659a68..9275e0b 100644
+index 5cd9129..d1dd711 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -130,6 +130,13 @@
+@@ -129,6 +129,13 @@
 #include <Security/AuthSession.h>
 #endif
 
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index e8049d902..cd2685e3a 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From efd79b5b880f473ef06d4659cf279b07a65de208 Mon Sep 17 00:00:00 2001
+From c2c79a52f66eee7b85b5241d08a70b2593a9bc9e Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch
 1 file changed, 10 insertions(+), 2 deletions(-)
 diff --git a/scp.c b/scp.c
-index 593fe89..e39294e 100644
+index 0bdd7cb..51bc2b7 100644
 --- a/scp.c
 +++ b/scp.c
 @@ -190,8 +190,16 @@ do_local_cmd(arglist *a)
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 5fec9eae0..c632f0349 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From 701eb985309b1c9fce617949298659843fce723d Mon Sep 17 00:00:00 2001
+From a00cba810338ce920de432e7797a45794bf280ba Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -32,7 +32,7 @@ Patch-Name: selinux-role.patch
 16 files changed, 104 insertions(+), 31 deletions(-)
 diff --git a/auth.h b/auth.h
-index 8b27575..3c2222f 100644
+index 2160154..3b3a085 100644
 --- a/auth.h
 +++ b/auth.h
 @@ -62,6 +62,7 @@ struct Authctxt {
@@ -113,10 +113,10 @@ index 3f49bdc..6eb3cc7 100644
                if (auth2_setup_methods_lists(authctxt) != 0)
                        packet_disconnect("no authentication methods enabled");
 diff --git a/monitor.c b/monitor.c
-index 2658aaa..c063ad1 100644
+index 6c82023..5be3fbf 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
+@@ -126,6 +126,7 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
@@ -124,7 +124,7 @@ index 2658aaa..c063ad1 100644
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -208,6 +209,7 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -207,6 +208,7 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -132,7 +132,7 @@ index 2658aaa..c063ad1 100644
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
-@@ -879,6 +881,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
+@@ -875,6 +877,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
        else {
                /* Allow service/style information on the auth context */
                monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -140,7 +140,7 @@ index 2658aaa..c063ad1 100644
                monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
        }
 #ifdef USE_PAM
-@@ -909,14 +912,37 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -905,14 +908,37 @@ mm_answer_authserv(int sock, Buffer *m)
 
        authctxt->service = buffer_get_string(m, NULL);
        authctxt->style = buffer_get_string(m, NULL);
@@ -180,7 +180,7 @@ index 2658aaa..c063ad1 100644
        return (0);
 }
 
-@@ -1544,7 +1570,7 @@ mm_answer_pty(int sock, Buffer *m)
+@@ -1541,7 +1567,7 @@ mm_answer_pty(int sock, Buffer *m)
        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
        if (res == 0)
                goto error;
@@ -203,7 +203,7 @@ index bc50ade..2d82b8b 100644
 
 struct mm_master;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 81ceddb..6799911 100644
+index 74fbd2e..eaf0a12 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
 @@ -327,10 +327,10 @@ mm_auth2_read_banner(void)
@@ -251,13 +251,13 @@ index 81ceddb..6799911 100644
 int
 mm_auth_password(Authctxt *authctxt, char *password)
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 9758290..57e740f 100644
+index 403f8d0..d9de551 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
 @@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *);
 int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
- int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int);
+ int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *);
 -void mm_inform_authserv(char *, char *);
 +void mm_inform_authserv(char *, char *, char *);
 +void mm_inform_authrole(char *);
@@ -383,7 +383,7 @@ index ee313da..f35ec39 100644
 }
 
 diff --git a/platform.h b/platform.h
-index 1c7a45d..436ae7c 100644
+index e687c99..823901b 100644
 --- a/platform.h
 +++ b/platform.h
 @@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid);
@@ -396,10 +396,10 @@ index 1c7a45d..436ae7c 100644
 char *platform_krb5_get_principal_name(const char *);
 int platform_sys_dir_uid(uid_t);
 diff --git a/session.c b/session.c
-index 5a64715..afac4a5 100644
+index 7a02500..99ec6f3 100644
 --- a/session.c
 +++ b/session.c
-@@ -1487,7 +1487,7 @@ safely_chroot(const char *path, uid_t uid)
+@@ -1489,7 +1489,7 @@ safely_chroot(const char *path, uid_t uid)
 
 /* Set login name, uid, gid, and groups. */
 void
@@ -407,17 +407,17 @@ index 5a64715..afac4a5 100644
 +do_setusercontext(struct passwd *pw, const char *role)
 {
        char *chroot_path, *tmp;
- #ifdef USE_LIBIAF
+ 
-@@ -1518,7 +1518,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1517,7 +1517,7 @@ do_setusercontext(struct passwd *pw)
                endgrent();
 #endif
 
 -               platform_setusercontext_post_groups(pw);
 +               platform_setusercontext_post_groups(pw, role);
 
-                if (options.chroot_directory != NULL &&
+                if (!in_chroot && options.chroot_directory != NULL &&
                    strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1677,7 +1677,7 @@ do_child(Session *s, const char *command)
+@@ -1674,7 +1674,7 @@ do_child(Session *s, const char *command)
 
        /* Force a password change */
        if (s->authctxt->force_pwchange) {
@@ -426,7 +426,7 @@ index 5a64715..afac4a5 100644
                child_close_fds();
                do_pwchange(s);
                exit(1);
-@@ -1704,7 +1704,7 @@ do_child(Session *s, const char *command)
+@@ -1701,7 +1701,7 @@ do_child(Session *s, const char *command)
                /* When PAM is enabled we rely on it to do the nologin check */
                if (!options.use_pam)
                        do_nologin(pw);
@@ -435,7 +435,7 @@ index 5a64715..afac4a5 100644
                /*
                 * PAM session modules in do_setusercontext may have
                 * generated messages, so if this in an interactive
-@@ -2115,7 +2115,7 @@ session_pty_req(Session *s)
+@@ -2112,7 +2112,7 @@ session_pty_req(Session *s)
        tty_parse_modes(s->ttyfd, &n_bytes);
 
        if (!use_privsep)
@@ -458,10 +458,10 @@ index 6a2f35e..ef6593c 100644
                       const char *value);
 
 diff --git a/sshd.c b/sshd.c
-index 9275e0b..1b49b26 100644
+index d1dd711..bb093cc 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -786,7 +786,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -781,7 +781,7 @@ privsep_postauth(Authctxt *authctxt)
        explicit_bzero(rnd, sizeof(rnd));
 
        /* Drop privileges */
diff --git a/debian/patches/series b/debian/patches/series
index e612e0554..e5821f627 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,7 +15,6 @@ mention-ssh-keygen-on-keychange.patch
 package-versioning.patch
 debian-banner.patch
 authorized-keys-man-symlink.patch
-lintian-symlink-pickiness.patch
 openbsd-docs.patch
 ssh-argv0.patch
 doc-hash-tab-completion.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index e60dfc4d3..953bae5d0 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From ccc03dd81a15fa91155bbdfa6b84a0d6e37c43e4 Mon Sep 17 00:00:00 2001
+From 434f7bc6f37b86a449d3d975fad53233f4c141f2 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/sshconnect.c b/sshconnect.c
-index 17fbe39..cd467fd 100644
+index 356ec79..8b8e760 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -231,7 +231,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
+@@ -232,7 +232,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
                /* Execute the proxy command.  Note that we gave up any
                   extra privileges above. */
                signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index 17fbe39..cd467fd 100644
                perror(argv[0]);
                exit(1);
        }
-@@ -1471,7 +1471,7 @@ ssh_local_cmd(const char *args)
+@@ -1499,7 +1499,7 @@ ssh_local_cmd(const char *args)
        if (pid == 0) {
                signal(SIGPIPE, SIG_DFL);
                debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 0cf814455..e022fa53f 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
-From 5af03fab96e1d53019d1c50282eb21ce3e581895 Mon Sep 17 00:00:00 2001
+From e66add5020e18f6dd9b942b46e02d9b20e24edcc Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:17 +0000
 Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -13,7 +13,7 @@ Patch-Name: sigstop.patch
 1 file changed, 10 insertions(+)
 diff --git a/sshd.c b/sshd.c
-index 8d17521..5ccf175 100644
+index 57ae4ad..c2d42f5 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -2048,6 +2048,16 @@ main(int ac, char **av)
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index ffab898c7..a2f23396e 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From 7566d3563c174cc339da8b72833e66614cfc1458 Mon Sep 17 00:00:00 2001
+From d7698edca3667ffacae051582028eb3971928edc Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
@@ -13,10 +13,10 @@ Patch-Name: ssh-agent-setgid.patch
 1 file changed, 15 insertions(+)
 diff --git a/ssh-agent.1 b/ssh-agent.1
-index d0aa712..2a940d9 100644
+index c4b50bb..2fe2201 100644
 --- a/ssh-agent.1
 +++ b/ssh-agent.1
-@@ -186,6 +186,21 @@ environment variable holds the agent's process ID.
+@@ -193,6 +193,21 @@ environment variable holds the agent's process ID.
 .Pp
 The agent exits automatically when the command given on the command
 line terminates.
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index d3097fe10..f830f2cf2 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From 078b7a5e7b89d20ce867e2c9839096be673b6ae0 Mon Sep 17 00:00:00 2001
+From 30dfe2ed8df15c27b53c883c1b718b13416299d5 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
 1 file changed, 1 insertion(+)
 diff --git a/ssh.1 b/ssh.1
-index 4fba77f..05b7f10 100644
+index 41e0aab..74d9655 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1574,6 +1574,7 @@ if an error occurred.
+@@ -1561,6 +1561,7 @@ if an error occurred.
 .Xr sftp 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index be725e357..f2bb35326 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From 7f0a4ecb6694298414e6d84c0aa49c35b19cad1b Mon Sep 17 00:00:00 2001
+From 68e8163d9209f731c582fe5350002c51c9551983 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch
 2 files changed, 2 insertions(+)
 diff --git a/readconf.c b/readconf.c
-index 56e0f44..831072f 100644
+index d2a3d4b..559e4c7 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -181,6 +181,7 @@ static struct {
+@@ -182,6 +182,7 @@ static struct {
        { "passwordauthentication", oPasswordAuthentication },
        { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
        { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -29,10 +29,10 @@ index 56e0f44..831072f 100644
        { "pubkeyauthentication", oPubkeyAuthentication },
        { "dsaauthentication", oPubkeyAuthentication },             /* alias */
 diff --git a/servconf.c b/servconf.c
-index cfe7029..ed3a88d 100644
+index b8af6dd..fad7c92 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -522,6 +522,7 @@ static struct {
+@@ -533,6 +533,7 @@ static struct {
        { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
        { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
        { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 255395666..5ac2fc593 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From 25ead9080a3f98eafc64a9a9c4b6650d922a19fa Mon Sep 17 00:00:00 2001
+From c87856cd1b99bc4188b145b0689af5e1d1babe24 Mon Sep 17 00:00:00 2001
 From: Jonathan David Amery <jdamery@ysolde.ucam.org>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index ad12930..e68b84a 100644
        { "FATAL",      SYSLOG_LEVEL_FATAL },
        { "ERROR",      SYSLOG_LEVEL_ERROR },
 diff --git a/ssh.c b/ssh.c
-index 67c1ebf..eb73903 100644
+index f9ff91f..314dd52 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -1106,7 +1106,7 @@ main(int ac, char **av)
+@@ -1119,7 +1119,7 @@ main(int ac, char **av)
        /* Do not allocate a tty if stdin is not a tty. */
        if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
            options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 62ca0f284..3c2c67cda 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
-From 9d88bc29443745ebf30004136ac18ced47292833 Mon Sep 17 00:00:00 2001
+From a7c8a6babe3b4c47fd00bdbefc22fc10d97b9a26 Mon Sep 17 00:00:00 2001
 From: Michael Biebl <biebl@debian.org>
 Date: Mon, 21 Dec 2015 16:08:47 +0000
 Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
 2 files changed, 33 insertions(+)
 diff --git a/configure.ac b/configure.ac
-index 128889a..eec2b72 100644
+index 5d720f7..c978c11 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4213,6 +4213,29 @@ AC_ARG_WITH([kerberos5],
+@@ -4263,6 +4263,29 @@ AC_ARG_WITH([kerberos5],
 AC_SUBST([GSSLIBS])
 AC_SUBST([K5LIBS])
 
@@ -47,16 +47,16 @@ index 128889a..eec2b72 100644
 # Looking for programs, paths and files
 
 PRIVSEP_PATH=/var/empty
-@@ -5014,6 +5037,7 @@ echo "              MD5 password support: $MD5_MSG"
+@@ -5065,6 +5088,7 @@ echo "                   libedit support: $LIBEDIT_MSG"
- echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 echo "           Solaris project support: $SP_MSG"
+ echo "         Solaris privilege support: $SPP_MSG"
 +echo "                   systemd support: $SYSTEMD_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 diff --git a/sshd.c b/sshd.c
-index 5ccf175..366ae92 100644
+index c2d42f5..8802d18 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -85,6 +85,10 @@
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index c2dbdcd7a..456944f6b 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From a1010980d6906a140307825466934a21c3d4d228 Mon Sep 17 00:00:00 2001
+From 6f05f80017871238b4e50fc4e09d57d722416743 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
@@ -86,10 +86,10 @@ index bd6a026..782b7f8 100644
                            "bad ownership or modes for directory %s", buf);
                        return -1;
 diff --git a/misc.c b/misc.c
-index ddd2b2d..1c063ea 100644
+index de7e1fa..5704fa6 100644
 --- a/misc.c
 +++ b/misc.c
-@@ -50,8 +50,9 @@
+@@ -51,8 +51,9 @@
 #include <netdb.h>
 #ifdef HAVE_PATHS_H
 # include <paths.h>
@@ -100,7 +100,7 @@ index ddd2b2d..1c063ea 100644
 #ifdef SSH_TUN_OPENBSD
 #include <net/if.h>
 #endif
-@@ -60,6 +61,7 @@
+@@ -61,6 +62,7 @@
 #include "misc.h"
 #include "log.h"
 #include "ssh.h"
@@ -108,7 +108,7 @@ index ddd2b2d..1c063ea 100644
 
 /* remove newline at end of string */
 char *
-@@ -644,6 +646,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
+@@ -647,6 +649,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
        return -1;
 }
 
@@ -216,7 +216,7 @@ index f35ec39..9a23e6e 100644
 -       return 0;
 -}
 diff --git a/readconf.c b/readconf.c
-index 83582e3..b9442fd 100644
+index fde6b41..cc1a633 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -39,6 +39,8 @@
@@ -228,7 +228,7 @@ index 83582e3..b9442fd 100644
 #ifdef HAVE_UTIL_H
 #include <util.h>
 #endif
-@@ -1579,8 +1581,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host,
+@@ -1626,8 +1628,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host,
 
                if (fstat(fileno(f), &sb) == -1)
                        fatal("fstat %s: %s", filename, strerror(errno));
@@ -239,10 +239,10 @@ index 83582e3..b9442fd 100644
        }
 
 diff --git a/ssh.1 b/ssh.1
-index 2ea0a20..ff80022 100644
+index cc53343..feb0e89 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1458,6 +1458,8 @@ The file format and configuration options are described in
+@@ -1459,6 +1459,8 @@ The file format and configuration options are described in
 .Xr ssh_config 5 .
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not writable by others.
@@ -252,10 +252,10 @@ index 2ea0a20..ff80022 100644
 .It Pa ~/.ssh/environment
 Contains additional definitions for environment variables; see
 diff --git a/ssh_config.5 b/ssh_config.5
-index 78e918a..1e9c058 100644
+index bbf638b..ab8f271 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1757,6 +1757,8 @@ The format of this file is described above.
+@@ -1830,6 +1830,8 @@ The format of this file is described above.
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not accessible by others.
author	Colin Watson <cjwatson@debian.org>	2016-02-29 12:15:15 +0000
committer	Colin Watson <cjwatson@debian.org>	2016-03-08 11:51:22 +0000
commit	46961f5704f8e86cea3e99253faad55aef4d8f35 (patch)
tree	0dd97fa4fb649a62b4639fe2674380872b1f3e98 /debian/patches
parent	c753fe267efb1b027424fa8706cf0385fc3d14c1 (diff)
parent	85e40e87a75fb80a0bf893ac05a417d6c353537d (diff)