New upstream release (7.7p1)

31 files changed, 246 insertions, 541 deletions

diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
deleted file mode 100644
index ba7642d83..000000000
--- a/debian/patches/auth-log-verbosity.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From 50e9edb57b6808cbbf63fe3433febb103baac1e8 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@debian.org>
-Date: Sun, 9 Feb 2014 16:10:02 +0000
-Subject: Quieten logs when multiple from= restrictions are used
-
-Bug-Debian: http://bugs.debian.org/630606
-Forwarded: no
-Last-Update: 2017-10-04
-
-Patch-Name: auth-log-verbosity.patch
----
- auth-options.c | 35 ++++++++++++++++++++++++++---------
- auth-options.h |  1 +
- auth2-pubkey.c |  3 +++
- 3 files changed, 30 insertions(+), 9 deletions(-)
-
-diff --git a/auth-options.c b/auth-options.c
-index bed00eef..ccdd0b20 100644
---- a/auth-options.c
-+++ b/auth-options.c
-@@ -59,10 +59,21 @@ int forced_tun_device = -1;
- /* "principals=" option. */
- char *authorized_principals = NULL;
- 
-+/* Throttle log messages. */
-+int logged_from_hostip = 0;
-+int logged_cert_hostip = 0;
-+
- extern ServerOptions options;
- 
- /* XXX refactor to be stateless */
- 
-+void
-+auth_start_parse_options(void)
-+{
-+       logged_from_hostip = 0;
-+       logged_cert_hostip = 0;
-+}
-+
- void
- auth_clear_options(void)
- {
-@@ -322,10 +333,13 @@ auth_parse_options(struct passwd *pw, char *opts, const char *file,
-                                /* FALLTHROUGH */
-                        case 0:
-                                free(patterns);
--                               logit("Authentication tried for %.100s with "
--                                   "correct key but not from a permitted "
--                                   "host (host=%.200s, ip=%.200s).",
--                                   pw->pw_name, remote_host, remote_ip);
-+                               if (!logged_from_hostip) {
-+                                       logit("Authentication tried for %.100s with "
-+                                           "correct key but not from a permitted "
-+                                           "host (host=%.200s, ip=%.200s).",
-+                                           pw->pw_name, remote_host, remote_ip);
-+                                       logged_from_hostip = 1;
-+                               }
-                                auth_debug_add("Your host '%.200s' is not "
-                                    "permitted to use this key for login.",
-                                    remote_host);
-@@ -549,11 +563,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
-                                        break;
-                                case 0:
-                                        /* no match */
--                                       logit("Authentication tried for %.100s "
--                                           "with valid certificate but not "
--                                           "from a permitted host "
--                                           "(ip=%.200s).", pw->pw_name,
--                                           remote_ip);
-+                                       if (!logged_cert_hostip) {
-+                                               logit("Authentication tried for %.100s "
-+                                                   "with valid certificate but not "
-+                                                   "from a permitted host "
-+                                                   "(ip=%.200s).", pw->pw_name,
-+                                                   remote_ip);
-+                                               logged_cert_hostip = 1;
-+                                       }
-                                        auth_debug_add("Your address '%.200s' "
-                                            "is not permitted to use this "
-                                            "certificate for login.",
-diff --git a/auth-options.h b/auth-options.h
-index 547f0163..4de0f14d 100644
---- a/auth-options.h
-+++ b/auth-options.h
-@@ -33,6 +33,7 @@ extern int forced_tun_device;
- extern int key_is_cert_authority;
- extern char *authorized_principals;
- 
-+void   auth_start_parse_options(void);
- int    auth_parse_options(struct passwd *, char *, const char *, u_long);
- void   auth_clear_options(void);
- int    auth_cert_options(struct sshkey *, struct passwd *, const char **);
-diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index 169839b0..43f880b6 100644
---- a/auth2-pubkey.c
-+++ b/auth2-pubkey.c
-@@ -269,6 +269,7 @@ process_principals(FILE *f, const char *file, struct passwd *pw,
-        u_long linenum = 0;
-        u_int i, found_principal = 0;
- 
-+       auth_start_parse_options();
-        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
-                /* Always consume entire input */
-                if (found_principal)
-@@ -471,6 +472,7 @@ check_authkeys_file(FILE *f, char *file, struct sshkey *key, struct passwd *pw)
-        u_long linenum = 0;
-        struct sshkey *found = NULL;
- 
-+       auth_start_parse_options();
-        while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
-                char *cp, *key_options = NULL, *fp = NULL;
-                const char *reason = NULL;
-@@ -624,6 +626,7 @@ user_cert_trusted_ca(struct passwd *pw, struct sshkey *key)
-        if (sshkey_cert_check_authority(key, 0, 1,
-            use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
-                goto fail_reason;
-+       auth_start_parse_options();
-        if (auth_cert_options(key, pw, &reason) != 0)
-                goto fail_reason;
- 
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 56f6de37f..ddd5cee27 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From 312eb64a9faf4e8cdb95f2ae147ecbfa6c0efd83 Mon Sep 17 00:00:00 2001
+From 35b042aaa143ac815ada8cd746ef95ab538af1a7 Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
  1 file changed, 1 insertion(+)
 
 diff --git a/Makefile.in b/Makefile.in
-index f6e9fe4c..08b989a4 100644
+index 6f3f042b..1afb4f79 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -340,6 +340,7 @@ install-files:
+@@ -352,6 +352,7 @@ install-files:
         $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
         $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
         $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 8134afba4..bc87d31b4 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From ae96c03ce51af2c529bfa2f2de57f4fa938ea552 Mon Sep 17 00:00:00 2001
+From 39e593d349cde42b6b5aac669a42eb1749ef70af Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
@@ -19,10 +19,10 @@ Patch-Name: debian-banner.patch
  4 files changed, 18 insertions(+), 1 deletion(-)
 
 diff --git a/servconf.c b/servconf.c
-index 9889fb0a..b0146405 100644
+index 3fff3d53..5be47aec 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -167,6 +167,7 @@ initialize_server_options(ServerOptions *options)
+@@ -177,6 +177,7 @@ initialize_server_options(ServerOptions *options)
         options->fingerprint_hash = -1;
         options->disable_forwarding = -1;
         options->expose_userauth_info = -1;
@@ -30,7 +30,7 @@ index 9889fb0a..b0146405 100644
  }
  
  /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
-@@ -342,6 +343,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -393,6 +394,8 @@ fill_default_server_options(ServerOptions *options)
                 options->disable_forwarding = 0;
         if (options->expose_userauth_info == -1)
                 options->expose_userauth_info = 0;
@@ -39,25 +39,25 @@ index 9889fb0a..b0146405 100644
  
         assemble_algorithms(options);
  
-@@ -429,6 +432,7 @@ typedef enum {
+@@ -480,6 +483,7 @@ typedef enum {
         sStreamLocalBindMask, sStreamLocalBindUnlink,
         sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
-        sExposeAuthInfo,
+        sExposeAuthInfo, sRDomain,
 +       sDebianBanner,
         sDeprecated, sIgnore, sUnsupported
  } ServerOpCodes;
  
-@@ -582,6 +586,7 @@ static struct {
-        { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+@@ -634,6 +638,7 @@ static struct {
         { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
         { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
+        { "rdomain", sRDomain, SSHCFG_ALL },
 +       { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
         { NULL, sBadOption, 0 }
  };
  
-@@ -1907,6 +1912,10 @@ process_server_config_line(ServerOptions *options, char *line,
-                intptr = &options->expose_userauth_info;
-                goto parse_flag;
+@@ -2056,6 +2061,10 @@ process_server_config_line(ServerOptions *options, char *line,
+                        *charptr = xstrdup(arg);
+                break;
  
 +       case sDebianBanner:
 +               intptr = &options->debian_banner;
@@ -67,10 +67,10 @@ index 9889fb0a..b0146405 100644
         case sIgnore:
         case sUnsupported:
 diff --git a/servconf.h b/servconf.h
-index 641e93c8..410c4275 100644
+index 5dfc9bc0..b0fa7045 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -200,6 +200,8 @@ typedef struct {
+@@ -211,6 +211,8 @@ typedef struct {
  
         int     fingerprint_hash;
         int     expose_userauth_info;
@@ -80,10 +80,10 @@ index 641e93c8..410c4275 100644
  
  /* Information about the incoming connection as used by Match */
 diff --git a/sshd.c b/sshd.c
-index eccf81bb..a5a1193d 100644
+index 9a7f5495..1d645a17 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -378,7 +378,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
+@@ -384,7 +384,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
         char remote_version[256];       /* Must be at least as big as buf. */
  
         xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
@@ -94,10 +94,10 @@ index eccf81bb..a5a1193d 100644
             options.version_addendum);
  
 diff --git a/sshd_config.5 b/sshd_config.5
-index 7db25552..41e8c939 100644
+index 1a1c6dd0..45044a70 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -530,6 +530,11 @@ or
+@@ -531,6 +531,11 @@ or
  .Cm no .
  The default is
  .Cm yes .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index a3f595752..e90cbe8d9 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 4847e512c0b94c615b838904a5f139a761bee284 Mon Sep 17 00:00:00 2001
+From 279cd9cd9a66daac701328cb0c53863e2bb5ab02 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -39,10 +39,10 @@ Patch-Name: debian-config.patch
  6 files changed, 77 insertions(+), 9 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index be3d5873..41f36aa8 100644
+index 50349e23..efcf2d62 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1940,7 +1940,7 @@ fill_default_options(Options * options)
+@@ -1916,7 +1916,7 @@ fill_default_options(Options * options)
         if (options->forward_x11 == -1)
                 options->forward_x11 = 0;
         if (options->forward_x11_trusted == -1)
@@ -52,10 +52,10 @@ index be3d5873..41f36aa8 100644
                 options->forward_x11_timeout = 1200;
         /*
 diff --git a/ssh.1 b/ssh.1
-index 711fe608..f1b01c56 100644
+index f8fc26d2..8a03db95 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -764,6 +764,16 @@ directive in
+@@ -768,6 +768,16 @@ directive in
  .Xr ssh_config 5
  for more information.
  .Pp
@@ -72,7 +72,7 @@ index 711fe608..f1b01c56 100644
  .It Fl x
  Disables X11 forwarding.
  .Pp
-@@ -772,6 +782,17 @@ Enables trusted X11 forwarding.
+@@ -776,6 +786,17 @@ Enables trusted X11 forwarding.
  Trusted X11 forwardings are not subjected to the X11 SECURITY extension
  controls.
  .Pp
@@ -114,7 +114,7 @@ index bcb9f153..1b676fb2 100644
 +    HashKnownHosts yes
 +    GSSAPIAuthentication yes
 diff --git a/ssh_config.5 b/ssh_config.5
-index 1edfe761..2da7029a 100644
+index ca052884..ed6e5d02 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
@@ -140,7 +140,7 @@ index 1edfe761..2da7029a 100644
  The file contains keyword-argument pairs, one per line.
  Lines starting with
  .Ql #
-@@ -683,11 +699,12 @@ elapsed.
+@@ -690,11 +706,12 @@ elapsed.
  .It Cm ForwardX11Trusted
  If this option is set to
  .Cm yes ,
@@ -155,10 +155,10 @@ index 1edfe761..2da7029a 100644
  from stealing or tampering with data belonging to trusted X11
  clients.
 diff --git a/sshd_config b/sshd_config
-index c01dd656..f68edf36 100644
+index 86263d71..de9cc9fe 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -58,8 +58,9 @@ AuthorizedKeysFile    .ssh/authorized_keys
+@@ -57,8 +57,9 @@ AuthorizedKeysFile    .ssh/authorized_keys
  #PasswordAuthentication yes
  #PermitEmptyPasswords no
  
@@ -170,7 +170,7 @@ index c01dd656..f68edf36 100644
  
  # Kerberos options
  #KerberosAuthentication no
-@@ -82,16 +83,16 @@ AuthorizedKeysFile  .ssh/authorized_keys
+@@ -81,16 +82,16 @@ AuthorizedKeysFile  .ssh/authorized_keys
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.
@@ -190,7 +190,7 @@ index c01dd656..f68edf36 100644
  #PrintLastLog yes
  #TCPKeepAlive yes
  #UseLogin no
-@@ -109,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys
+@@ -108,8 +109,11 @@ AuthorizedKeysFile .ssh/authorized_keys
  # no default banner path
  #Banner none
  
@@ -204,10 +204,10 @@ index c01dd656..f68edf36 100644
  # Example of overriding settings on a per-user basis
  #Match User anoncvs
 diff --git a/sshd_config.5 b/sshd_config.5
-index 79676a95..16be4f62 100644
+index 44b91846..4c7ee425 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -55,6 +55,28 @@ Arguments may optionally be enclosed in double quotes
+@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes
  .Pq \&"
  in order to represent arguments containing spaces.
  .Pp
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index a8d98855a..0ba825f4e 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From f500e89e2310f6308a998357d72d767e3b01553c Mon Sep 17 00:00:00 2001
+From 8c11a03efd47de883b52838735d6890ca8d4d9f8 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
@@ -18,10 +18,10 @@ Patch-Name: dnssec-sshfp.patch
  3 files changed, 21 insertions(+), 6 deletions(-)
 
 diff --git a/dns.c b/dns.c
-index 6e1abb53..8e0ca691 100644
+index ff1a2c41..82ec9719 100644
 --- a/dns.c
 +++ b/dns.c
-@@ -206,6 +206,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
+@@ -211,6 +211,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
  {
         u_int counter;
         int result;
@@ -29,7 +29,7 @@ index 6e1abb53..8e0ca691 100644
         struct rrsetinfo *fingerprints = NULL;
  
         u_int8_t hostkey_algorithm;
-@@ -229,8 +230,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
+@@ -234,8 +235,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
                 return -1;
         }
  
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index c4342181d..5c0b0d8f8 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From a07f7c1fe9d8dc3bfe4cb8bbe6bb5a27b638d024 Mon Sep 17 00:00:00 2001
+From 4fc40c98c57ecd166f87008261357810a21178e6 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
  1 file changed, 3 insertions(+)
 
 diff --git a/ssh_config.5 b/ssh_config.5
-index 7810a418..1edfe761 100644
+index 84dcd52c..ca052884 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -777,6 +777,9 @@ Note that existing names and addresses in known hosts files
+@@ -784,6 +784,9 @@ Note that existing names and addresses in known hosts files
  will not be converted automatically,
  but may be manually hashed using
  .Xr ssh-keygen 1 .
diff --git a/debian/patches/fix-regress-putty-transfer.patch b/debian/patches/fix-regress-putty-transfer.patch
deleted file mode 100644
index cfec3a9d2..000000000
--- a/debian/patches/fix-regress-putty-transfer.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From bd081a1ae125c7c6b2cfec89746d1298a306ad78 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@debian.org>
-Date: Tue, 16 Jan 2018 17:38:36 +0000
-Subject: Fix putty-transfer regression test
-
-The test key file is still called putty.rsa2, not putty.rsa.
-
-Forwarded: no
-Last-Update: 2018-01-16
-
-Patch-Name: fix-regress-putty-transfer.patch
----
- regress/putty-transfer.sh | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh
-index 32c79f9e..57e46540 100644
---- a/regress/putty-transfer.sh
-+++ b/regress/putty-transfer.sh
-@@ -15,7 +15,7 @@ for c in 0 1 ; do
-            ${OBJ}/.putty/sessions/compression_$c
-        echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
-        env HOME=$PWD ${PLINK} -load compression_$c -batch \
--           -i putty.rsa cat ${DATA} > ${COPY}
-+           -i putty.rsa2 cat ${DATA} > ${COPY}
-        if [ $? -ne 0 ]; then
-                fail "ssh cat $DATA failed"
-        fi
-@@ -26,7 +26,7 @@ for c in 0 1 ; do
-                rm -f ${COPY}
-                dd if=$DATA obs=${s} 2> /dev/null | \
-                        env HOME=$PWD ${PLINK} -load compression_$c \
--                           -batch -i putty.rsa \
-+                           -batch -i putty.rsa2 \
-                            "cat > ${COPY}"
-                if [ $? -ne 0 ]; then
-                        fail "ssh cat $DATA failed"
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index e46c0f8b2..a679a4ed8 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 18950b79898be885c6b77d463367639647e54e28 Mon Sep 17 00:00:00 2001
+From 8e54091347c2c94ab3872e1b9448b40038a63bfb Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 0726a5020..a67ebced0 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 4e70490950e5c5134df48848affaf73685bf0284 Mon Sep 17 00:00:00 2001
+From cb427e23bf78d65407c78d868c4ef525dbfaa68f Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -181,10 +181,10 @@ index 00000000..f117a336
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <gssapi-with-mic support is Bugzilla #1008>
 diff --git a/Makefile.in b/Makefile.in
-index c52ce191..f6e9fe4c 100644
+index 04e1c8e5..6f3f042b 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
         kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
         kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
         kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
@@ -192,7 +192,7 @@ index c52ce191..f6e9fe4c 100644
         platform-pledge.o platform-tracing.o platform-misc.o
  
  SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
-@@ -105,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
+@@ -113,7 +114,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
         auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
         auth2-none.o auth2-passwd.o auth2-pubkey.o \
         monitor.o monitor_wrap.o auth-krb5.o \
@@ -253,10 +253,10 @@ index a5a81ed2..38e7fee2 100644
         return (krb5_cc_resolve(ctx, ccname, ccache));
  }
 diff --git a/auth.c b/auth.c
-index a4490617..6aec3605 100644
+index 63366768..76d586e3 100644
 --- a/auth.c
 +++ b/auth.c
-@@ -395,7 +395,8 @@ auth_root_allowed(const char *method)
+@@ -396,7 +396,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
         case PERMIT_NO_PASSWD:
                 if (strcmp(method, "publickey") == 0 ||
                     strcmp(method, "hostbased") == 0 ||
@@ -266,7 +266,7 @@ index a4490617..6aec3605 100644
                         return 1;
                 break;
         case PERMIT_FORCED_ONLY:
-@@ -727,99 +728,6 @@ fakepw(void)
+@@ -728,99 +729,6 @@ fakepw(void)
         return (&fake);
  }
  
@@ -455,7 +455,7 @@ index 589283b7..fd411d3a 100644
         "gssapi-with-mic",
         userauth_gssapi,
 diff --git a/auth2.c b/auth2.c
-index 862e0996..54070e3a 100644
+index e0034229..c34f58c4 100644
 --- a/auth2.c
 +++ b/auth2.c
 @@ -72,6 +72,7 @@ extern Authmethod method_passwd;
@@ -593,7 +593,7 @@ index 26d62855..0cadc9f1 100644
  int             get_peer_port(int);
  char           *get_local_ipaddr(int);
 diff --git a/clientloop.c b/clientloop.c
-index 791d336e..0010b833 100644
+index 7bcf22e3..ef803e98 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -112,6 +112,10 @@
@@ -607,7 +607,7 @@ index 791d336e..0010b833 100644
  /* import options */
  extern Options options;
  
-@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
+@@ -1335,9 +1339,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
                         break;
  
                 /* Do channel operations unless rekeying in progress. */
@@ -628,10 +628,10 @@ index 791d336e..0010b833 100644
                 client_process_net_input(readset);
  
 diff --git a/config.h.in b/config.h.in
-index 63fc548b..0b244fd5 100644
+index 57208740..4c9545c7 100644
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1696,6 +1696,9 @@
+@@ -1746,6 +1746,9 @@
  /* Use btmp to log bad logins */
  #undef USE_BTMP
  
@@ -641,7 +641,7 @@ index 63fc548b..0b244fd5 100644
  /* Use libedit for sftp */
  #undef USE_LIBEDIT
  
-@@ -1711,6 +1714,9 @@
+@@ -1761,6 +1764,9 @@
  /* Use PIPES instead of a socketpair() */
  #undef USE_PIPES
  
@@ -652,10 +652,10 @@ index 63fc548b..0b244fd5 100644
  #undef USE_SOLARIS_PRIVS
  
 diff --git a/configure.ac b/configure.ac
-index 889f5063..84bfad8c 100644
+index 663062be..1cd5eab6 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -621,6 +621,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+@@ -664,6 +664,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
             [Use tunnel device compatibility to OpenBSD])
         AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
             [Prepend the address family to IP tunnel traffic])
@@ -1435,7 +1435,7 @@ index 6cae720e..967c6cfb 100644
  
  /* Privileged */
 diff --git a/kex.c b/kex.c
-index d5d5a9da..bb1bd661 100644
+index 15ea28b0..6cc2935f 100644
 --- a/kex.c
 +++ b/kex.c
 @@ -54,6 +54,10 @@
@@ -1475,7 +1475,7 @@ index d5d5a9da..bb1bd661 100644
         return NULL;
  }
  
-@@ -601,6 +617,9 @@ kex_free(struct kex *kex)
+@@ -599,6 +615,9 @@ kex_free(struct kex *kex)
         sshbuf_free(kex->peer);
         sshbuf_free(kex->my);
         free(kex->session_id);
@@ -2170,10 +2170,10 @@ index 00000000..38ca082b
 +}
 +#endif /* GSSAPI */
 diff --git a/monitor.c b/monitor.c
-index f517da48..cabfeb8a 100644
+index c68e1b0d..868fb0d2 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
+@@ -158,6 +158,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
  int mm_answer_gss_accept_ctx(int, Buffer *);
  int mm_answer_gss_userok(int, Buffer *);
  int mm_answer_gss_checkmic(int, Buffer *);
@@ -2182,7 +2182,7 @@ index f517da48..cabfeb8a 100644
  #endif
  
  #ifdef SSH_AUDIT_EVENTS
-@@ -230,11 +232,18 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -232,11 +234,18 @@ struct mon_table mon_dispatch_proto20[] = {
      {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
      {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
      {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
@@ -2201,7 +2201,7 @@ index f517da48..cabfeb8a 100644
  #ifdef WITH_OPENSSL
      {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
  #endif
-@@ -302,6 +311,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+@@ -306,6 +315,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
         /* Permit requests for moduli and signatures */
         monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
         monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2212,7 +2212,7 @@ index f517da48..cabfeb8a 100644
  
         /* The first few requests do not require asynchronous access */
         while (!authenticated) {
-@@ -408,6 +421,10 @@ monitor_child_postauth(struct monitor *pmonitor)
+@@ -415,6 +428,10 @@ monitor_child_postauth(struct monitor *pmonitor)
         monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
         monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
         monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2221,9 +2221,9 @@ index f517da48..cabfeb8a 100644
 +       monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
 +#endif         
  
-        if (!no_pty_flag) {
+        if (auth_opts->permit_pty_flag) {
                 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
-@@ -1626,6 +1643,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
+@@ -1652,6 +1669,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
  # endif
  #endif /* WITH_OPENSSL */
                 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2237,7 +2237,7 @@ index f517da48..cabfeb8a 100644
                 kex->load_host_public_key=&get_hostkey_public_by_type;
                 kex->load_host_private_key=&get_hostkey_private_by_type;
                 kex->host_key_index=&get_hostkey_index;
-@@ -1714,8 +1738,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
+@@ -1740,8 +1764,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
         OM_uint32 major;
         u_int len;
  
@@ -2248,7 +2248,7 @@ index f517da48..cabfeb8a 100644
  
         goid.elements = buffer_get_string(m, &len);
         goid.length = len;
-@@ -1744,8 +1768,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -1770,8 +1794,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
         OM_uint32 flags = 0; /* GSI needs this */
         u_int len;
  
@@ -2259,7 +2259,7 @@ index f517da48..cabfeb8a 100644
  
         in.value = buffer_get_string(m, &len);
         in.length = len;
-@@ -1764,6 +1788,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -1790,6 +1814,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2267,7 +2267,7 @@ index f517da48..cabfeb8a 100644
         }
         return (0);
  }
-@@ -1775,8 +1800,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
+@@ -1801,8 +1826,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
         OM_uint32 ret;
         u_int len;
  
@@ -2278,7 +2278,7 @@ index f517da48..cabfeb8a 100644
  
         gssbuf.value = buffer_get_string(m, &len);
         gssbuf.length = len;
-@@ -1805,10 +1830,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -1831,10 +1856,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
         int authenticated;
         const char *displayname;
  
@@ -2293,7 +2293,7 @@ index f517da48..cabfeb8a 100644
  
         buffer_clear(m);
         buffer_put_int(m, authenticated);
-@@ -1824,5 +1850,76 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -1850,5 +1876,76 @@ mm_answer_gss_userok(int sock, Buffer *m)
         /* Monitor loop will terminate if authenticated */
         return (authenticated);
  }
@@ -2385,10 +2385,10 @@ index d68f6745..ec41404c 100644
  
  struct monitor {
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 69212aaf..0e171a6a 100644
+index 9666bda4..e749efc1 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -937,7 +937,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+@@ -943,7 +943,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
  }
  
  int
@@ -2397,7 +2397,7 @@ index 69212aaf..0e171a6a 100644
  {
         Buffer m;
         int authenticated = 0;
-@@ -954,5 +954,50 @@ mm_ssh_gssapi_userok(char *user)
+@@ -960,5 +960,50 @@ mm_ssh_gssapi_userok(char *user)
         debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
         return (authenticated);
  }
@@ -2449,10 +2449,10 @@ index 69212aaf..0e171a6a 100644
  #endif /* GSSAPI */
  
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 9e032d20..7b2e8945 100644
+index 76233270..0970d1f8 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
-@@ -57,8 +57,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
+@@ -60,8 +60,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
  OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
  OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
     gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -2465,7 +2465,7 @@ index 9e032d20..7b2e8945 100644
  
  #ifdef USE_PAM
 diff --git a/readconf.c b/readconf.c
-index f63894f9..99e03ee1 100644
+index 88051db5..c8e79299 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -160,6 +160,8 @@ typedef enum {
@@ -2498,7 +2498,7 @@ index f63894f9..99e03ee1 100644
  #endif
  #ifdef ENABLE_PKCS11
         { "smartcarddevice", oPKCS11Provider },
-@@ -976,10 +988,30 @@ parse_time:
+@@ -950,10 +962,30 @@ parse_time:
                 intptr = &options->gss_authentication;
                 goto parse_flag;
  
@@ -2529,7 +2529,7 @@ index f63894f9..99e03ee1 100644
         case oBatchMode:
                 intptr = &options->batch_mode;
                 goto parse_flag;
-@@ -1790,7 +1822,12 @@ initialize_options(Options * options)
+@@ -1765,7 +1797,12 @@ initialize_options(Options * options)
         options->pubkey_authentication = -1;
         options->challenge_response_authentication = -1;
         options->gss_authentication = -1;
@@ -2542,7 +2542,7 @@ index f63894f9..99e03ee1 100644
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->kbd_interactive_devices = NULL;
-@@ -1930,8 +1967,14 @@ fill_default_options(Options * options)
+@@ -1906,8 +1943,14 @@ fill_default_options(Options * options)
                 options->challenge_response_authentication = 1;
         if (options->gss_authentication == -1)
                 options->gss_authentication = 0;
@@ -2558,7 +2558,7 @@ index f63894f9..99e03ee1 100644
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
 diff --git a/readconf.h b/readconf.h
-index 22fe5c18..d61161a8 100644
+index f4d9e2b2..f469daaf 100644
 --- a/readconf.h
 +++ b/readconf.h
 @@ -42,7 +42,12 @@ typedef struct {
@@ -2575,10 +2575,10 @@ index 22fe5c18..d61161a8 100644
                                                  * authentication. */
         int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 diff --git a/servconf.c b/servconf.c
-index 2c321a4a..8ba74517 100644
+index 0f0d0906..cbbea05b 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -113,8 +113,10 @@ initialize_server_options(ServerOptions *options)
+@@ -123,8 +123,10 @@ initialize_server_options(ServerOptions *options)
         options->kerberos_ticket_cleanup = -1;
         options->kerberos_get_afs_token = -1;
         options->gss_authentication=-1;
@@ -2589,7 +2589,7 @@ index 2c321a4a..8ba74517 100644
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->challenge_response_authentication = -1;
-@@ -268,10 +270,14 @@ fill_default_server_options(ServerOptions *options)
+@@ -315,10 +317,14 @@ fill_default_server_options(ServerOptions *options)
                 options->kerberos_get_afs_token = 0;
         if (options->gss_authentication == -1)
                 options->gss_authentication = 0;
@@ -2604,7 +2604,7 @@ index 2c321a4a..8ba74517 100644
         if (options->password_authentication == -1)
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
-@@ -410,6 +416,7 @@ typedef enum {
+@@ -461,6 +467,7 @@ typedef enum {
         sHostKeyAlgorithms,
         sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
         sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -2612,7 +2612,7 @@ index 2c321a4a..8ba74517 100644
         sAcceptEnv, sPermitTunnel,
         sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
         sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -484,12 +491,20 @@ static struct {
+@@ -535,12 +542,20 @@ static struct {
  #ifdef GSSAPI
         { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
         { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2633,7 +2633,7 @@ index 2c321a4a..8ba74517 100644
         { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
         { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1253,6 +1268,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1407,6 +1422,10 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->gss_authentication;
                 goto parse_flag;
  
@@ -2644,7 +2644,7 @@ index 2c321a4a..8ba74517 100644
         case sGssCleanupCreds:
                 intptr = &options->gss_cleanup_creds;
                 goto parse_flag;
-@@ -1261,6 +1280,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1415,6 +1434,10 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->gss_strict_acceptor;
                 goto parse_flag;
  
@@ -2655,7 +2655,7 @@ index 2c321a4a..8ba74517 100644
         case sPasswordAuthentication:
                 intptr = &options->password_authentication;
                 goto parse_flag;
-@@ -2301,7 +2324,10 @@ dump_config(ServerOptions *o)
+@@ -2453,7 +2476,10 @@ dump_config(ServerOptions *o)
  #endif
  #ifdef GSSAPI
         dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2667,10 +2667,10 @@ index 2c321a4a..8ba74517 100644
         dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
         dump_cfg_fmtint(sKbdInteractiveAuthentication,
 diff --git a/servconf.h b/servconf.h
-index 1dca702e..641e93c8 100644
+index 37a0fb1a..5dfc9bc0 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -119,8 +119,10 @@ typedef struct {
+@@ -130,8 +130,10 @@ typedef struct {
         int     kerberos_get_afs_token;         /* If true, try to get AFS token if
                                                  * authenticated with Kerberos. */
         int     gss_authentication;     /* If true, permit GSSAPI authentication */
@@ -2799,10 +2799,10 @@ index c12f5ef5..bcb9f153 100644
  #   CheckHostIP yes
  #   AddressFamily any
 diff --git a/ssh_config.5 b/ssh_config.5
-index eab8dd01..9a06a757 100644
+index 71705cab..66826aa7 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -720,10 +720,42 @@ The default is
+@@ -727,10 +727,42 @@ The default is
  Specifies whether user authentication based on GSSAPI is allowed.
  The default is
  .Cm no .
@@ -2846,7 +2846,7 @@ index eab8dd01..9a06a757 100644
  Indicates that
  .Xr ssh 1
 diff --git a/sshconnect2.c b/sshconnect2.c
-index be9397e4..c22477f5 100644
+index 1f4a74cf..83562c68 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
 @@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -2959,7 +2959,7 @@ index be9397e4..c22477f5 100644
         {"gssapi-with-mic",
                 userauth_gssapi,
                 NULL,
-@@ -654,25 +720,40 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -643,25 +709,40 @@ userauth_gssapi(Authctxt *authctxt)
         static u_int mech = 0;
         OM_uint32 min;
         int ok = 0;
@@ -3002,7 +3002,7 @@ index be9397e4..c22477f5 100644
         if (!ok)
                 return 0;
  
-@@ -763,8 +844,8 @@ input_gssapi_response(int type, u_int32_t plen, struct ssh *ssh)
+@@ -752,8 +833,8 @@ input_gssapi_response(int type, u_int32_t plen, struct ssh *ssh)
  {
         Authctxt *authctxt = ssh->authctxt;
         Gssctxt *gssctxt;
@@ -3013,7 +3013,7 @@ index be9397e4..c22477f5 100644
  
         if (authctxt == NULL)
                 fatal("input_gssapi_response: no authentication context");
-@@ -877,6 +958,48 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
+@@ -866,6 +947,48 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
         free(lang);
         return 0;
  }
@@ -3063,10 +3063,10 @@ index be9397e4..c22477f5 100644
  
  int
 diff --git a/sshd.c b/sshd.c
-index 51a1aaf6..45e50fac 100644
+index fd95b681..e88185ef 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -122,6 +122,10 @@
+@@ -123,6 +123,10 @@
  #include "version.h"
  #include "ssherr.h"
  
@@ -3077,7 +3077,7 @@ index 51a1aaf6..45e50fac 100644
  /* Re-exec fds */
  #define REEXEC_DEVCRYPTO_RESERVED_FD   (STDERR_FILENO + 1)
  #define REEXEC_STARTUP_PIPE_FD         (STDERR_FILENO + 2)
-@@ -529,7 +533,7 @@ privsep_preauth_child(void)
+@@ -531,7 +535,7 @@ privsep_preauth_child(void)
  
  #ifdef GSSAPI
         /* Cache supported mechanism OIDs for later use */
@@ -3086,7 +3086,7 @@ index 51a1aaf6..45e50fac 100644
                 ssh_gssapi_prepare_supported_oids();
  #endif
  
-@@ -1708,10 +1712,13 @@ main(int ac, char **av)
+@@ -1753,10 +1757,13 @@ main(int ac, char **av)
                     key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
                 free(fp);
         }
@@ -3100,8 +3100,8 @@ index 51a1aaf6..45e50fac 100644
  
         /*
          * Load certificates. They are stored in an array at identical
-@@ -1987,6 +1994,60 @@ main(int ac, char **av)
-            remote_ip, remote_port, laddr,  ssh_local_port(ssh));
+@@ -2047,6 +2054,60 @@ main(int ac, char **av)
+            rdomain == NULL ? "" : "\"");
         free(laddr);
  
 +#ifdef USE_SECURITY_SESSION_API
@@ -3161,7 +3161,7 @@ index 51a1aaf6..45e50fac 100644
         /*
          * We don't want to listen forever unless the other side
          * successfully authenticates itself.  So we set up an alarm which is
-@@ -2170,6 +2231,48 @@ do_ssh2_kex(void)
+@@ -2234,6 +2295,48 @@ do_ssh2_kex(void)
         myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
             list_hostkey_types());
  
@@ -3210,7 +3210,7 @@ index 51a1aaf6..45e50fac 100644
         /* start key exchange */
         if ((r = kex_setup(active_state, myproposal)) != 0)
                 fatal("kex_setup: %s", ssh_err(r));
-@@ -2187,6 +2290,13 @@ do_ssh2_kex(void)
+@@ -2251,6 +2354,13 @@ do_ssh2_kex(void)
  # endif
  #endif
         kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -3225,10 +3225,10 @@ index 51a1aaf6..45e50fac 100644
         kex->client_version_string=client_version_string;
         kex->server_version_string=server_version_string;
 diff --git a/sshd_config b/sshd_config
-index 4eb2e02e..c01dd656 100644
+index 3109d5d7..86263d71 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -70,6 +70,8 @@ AuthorizedKeysFile    .ssh/authorized_keys
+@@ -69,6 +69,8 @@ AuthorizedKeysFile    .ssh/authorized_keys
  # GSSAPI options
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes
@@ -3238,10 +3238,10 @@ index 4eb2e02e..c01dd656 100644
  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
 diff --git a/sshd_config.5 b/sshd_config.5
-index 251b7467..0dbcb8da 100644
+index e3c7c393..c4a3f3cb 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -635,6 +635,11 @@ The default is
+@@ -636,6 +636,11 @@ The default is
  Specifies whether user authentication based on GSSAPI is allowed.
  The default is
  .Cm no .
@@ -3253,7 +3253,7 @@ index 251b7467..0dbcb8da 100644
  .It Cm GSSAPICleanupCredentials
  Specifies whether to automatically destroy the user's credentials cache
  on logout.
-@@ -654,6 +659,11 @@ machine's default store.
+@@ -655,6 +660,11 @@ machine's default store.
  This facility is provided to assist with operation on multi homed machines.
  The default is
  .Cm yes .
@@ -3266,10 +3266,10 @@ index 251b7467..0dbcb8da 100644
  Specifies the key types that will be accepted for hostbased authentication
  as a comma-separated pattern list.
 diff --git a/sshkey.c b/sshkey.c
-index e91c54f5..c2cf0e03 100644
+index 7712fba2..08887286 100644
 --- a/sshkey.c
 +++ b/sshkey.c
-@@ -112,6 +112,7 @@ static const struct keytype keytypes[] = {
+@@ -122,6 +122,7 @@ static const struct keytype keytypes[] = {
  #  endif /* OPENSSL_HAS_NISTP521 */
  # endif /* OPENSSL_HAS_ECC */
  #endif /* WITH_OPENSSL */
@@ -3277,7 +3277,7 @@ index e91c54f5..c2cf0e03 100644
         { NULL, NULL, -1, -1, 0, 0 }
  };
  
-@@ -200,7 +201,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
+@@ -210,7 +211,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
         const struct keytype *kt;
  
         for (kt = keytypes; kt->type != -1; kt++) {
@@ -3287,13 +3287,13 @@ index e91c54f5..c2cf0e03 100644
                 if (!include_sigonly && kt->sigonly)
                         continue;
 diff --git a/sshkey.h b/sshkey.h
-index 9093eac5..b5d020cb 100644
+index 155cd45a..4e89049f 100644
 --- a/sshkey.h
 +++ b/sshkey.h
-@@ -61,6 +61,7 @@ enum sshkey_types {
-        KEY_DSA_CERT,
-        KEY_ECDSA_CERT,
+@@ -63,6 +63,7 @@ enum sshkey_types {
         KEY_ED25519_CERT,
+        KEY_XMSS,
+        KEY_XMSS_CERT,
 +       KEY_NULL,
         KEY_UNSPEC
  };
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index d3eca5924..68fa28e5c 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From c147d4dbab74e0dbf738beb9d9f4220534ae9da6 Mon Sep 17 00:00:00 2001
+From a7045c36e6e072c8f9250fbe11cf2f9db9f51a08 Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
  3 files changed, 34 insertions(+), 4 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index d2b28a41..45caa095 100644
+index 1f1be778..7f2b5c17 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -174,6 +174,7 @@ typedef enum {
@@ -37,7 +37,7 @@ index d2b28a41..45caa095 100644
         oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
  } OpCodes;
  
-@@ -318,6 +319,8 @@ static struct {
+@@ -319,6 +320,8 @@ static struct {
         { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
         { "ignoreunknown", oIgnoreUnknown },
         { "proxyjump", oProxyJump },
@@ -46,7 +46,7 @@ index d2b28a41..45caa095 100644
  
         { NULL, oBadOption }
  };
-@@ -1406,6 +1409,8 @@ parse_keytypes:
+@@ -1378,6 +1381,8 @@ parse_keytypes:
                 goto parse_flag;
  
         case oServerAliveInterval:
@@ -55,7 +55,7 @@ index d2b28a41..45caa095 100644
                 intptr = &options->server_alive_interval;
                 goto parse_time;
  
-@@ -2042,8 +2047,13 @@ fill_default_options(Options * options)
+@@ -2019,8 +2024,13 @@ fill_default_options(Options * options)
                 options->rekey_interval = 0;
         if (options->verify_host_key_dns == -1)
                 options->verify_host_key_dns = 0;
@@ -72,7 +72,7 @@ index d2b28a41..45caa095 100644
                 options->server_alive_count_max = 3;
         if (options->control_master == -1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index 9a06a757..d6f43c2d 100644
+index 66826aa7..32c3632c 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -247,8 +247,12 @@ Valid arguments are
@@ -89,7 +89,7 @@ index 9a06a757..d6f43c2d 100644
  The argument must be
  .Cm yes
  or
-@@ -1455,7 +1459,14 @@ from the server,
+@@ -1463,7 +1467,14 @@ from the server,
  will send a message through the encrypted
  channel to request a response from the server.
  The default
@@ -105,7 +105,7 @@ index 9a06a757..d6f43c2d 100644
  .It Cm StreamLocalBindMask
  Sets the octal file creation mode mask
  .Pq umask
-@@ -1529,6 +1540,12 @@ Specifies whether the system should send TCP keepalive messages to the
+@@ -1537,6 +1548,12 @@ Specifies whether the system should send TCP keepalive messages to the
  other side.
  If they are sent, death of the connection or crash of one
  of the machines will be properly noticed.
@@ -119,10 +119,10 @@ index 9a06a757..d6f43c2d 100644
  connections will die if the route is down temporarily, and some people
  find it annoying.
 diff --git a/sshd_config.5 b/sshd_config.5
-index 0dbcb8da..7db25552 100644
+index c4a3f3cb..1a1c6dd0 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1454,6 +1454,9 @@ This avoids infinitely hanging sessions.
+@@ -1495,6 +1495,9 @@ This avoids infinitely hanging sessions.
  .Pp
  To disable TCP keepalive messages, the value should be set to
  .Cm no .
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 3edb37705..542b42ae9 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From 19be4218cdb262f7b584b0104ee430de0e24eeb8 Mon Sep 17 00:00:00 2001
+From 76ab788bcf265360e1b88f8ced6085198c320fdd Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -14,10 +14,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
  1 file changed, 8 insertions(+), 1 deletion(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 5eed5880..7ce2716c 100644
+index 8ab01c0e..58f9eac8 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -1022,9 +1022,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -1141,9 +1141,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                         error("%s. This could either mean that", key_msg);
                         error("DNS SPOOFING is happening or the IP address for the host");
                         error("and its host key have changed at the same time.");
@@ -32,7 +32,7 @@ index 5eed5880..7ce2716c 100644
                 }
                 /* The host key has changed. */
                 warn_changed_key(host_key);
-@@ -1033,6 +1037,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -1152,6 +1156,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                 error("Offending %s key in %s:%lu",
                     sshkey_type(host_found->key),
                     host_found->file, host_found->line);
diff --git a/debian/patches/no-dsa-host-key-by-default.patch b/debian/patches/no-dsa-host-key-by-default.patch
deleted file mode 100644
index c24ff4e3f..000000000
--- a/debian/patches/no-dsa-host-key-by-default.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 922f3a7599d03234b6bb2ffb22a33624e7cf1953 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@debian.org>
-Date: Mon, 16 Jan 2017 13:53:04 +0000
-Subject: Remove ssh_host_dsa_key from HostKey default
-
-The client no longer accepts DSA host keys, and servers using the
-default HostKey setting should have better host keys available.
-
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2662
-Bug-Debian: https://bugs.debian.org/850614
-Last-Update: 2017-01-16
-
-Patch-Name: no-dsa-host-key-by-default.patch
----
- servconf.c    | 2 --
- sshd.8        | 7 +++----
- sshd_config   | 1 -
- sshd_config.5 | 7 +++----
- 4 files changed, 6 insertions(+), 11 deletions(-)
-
-diff --git a/servconf.c b/servconf.c
-index b0146405..5e996cf8 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -205,8 +205,6 @@ fill_default_server_options(ServerOptions *options)
-                /* fill default hostkeys for protocols */
-                options->host_key_files[options->num_host_key_files++] =
-                    _PATH_HOST_RSA_KEY_FILE;
--               options->host_key_files[options->num_host_key_files++] =
--                   _PATH_HOST_DSA_KEY_FILE;
- #ifdef OPENSSL_HAS_ECC
-                options->host_key_files[options->num_host_key_files++] =
-                    _PATH_HOST_ECDSA_KEY_FILE;
-diff --git a/sshd.8 b/sshd.8
-index 02c5e1df..8c230657 100644
---- a/sshd.8
-+++ b/sshd.8
-@@ -164,11 +164,10 @@ This option must be given if
- is not run as root (as the normal
- host key files are normally not readable by anyone but root).
- The default is
--.Pa /etc/ssh/ssh_host_dsa_key ,
--.Pa /etc/ssh/ssh_host_ecdsa_key ,
--.Pa /etc/ssh/ssh_host_ed25519_key
-+.Pa /etc/ssh/ssh_host_rsa_key ,
-+.Pa /etc/ssh/ssh_host_ecdsa_key
- and
--.Pa /etc/ssh/ssh_host_rsa_key .
-+.Pa /etc/ssh/ssh_host_ed25519_key .
- It is possible to have multiple host key files for
- the different host key algorithms.
- .It Fl i
-diff --git a/sshd_config b/sshd_config
-index f68edf36..92822959 100644
---- a/sshd_config
-+++ b/sshd_config
-@@ -16,7 +16,6 @@
- #ListenAddress ::
- 
- #HostKey /etc/ssh/ssh_host_rsa_key
--#HostKey /etc/ssh/ssh_host_dsa_key
- #HostKey /etc/ssh/ssh_host_ecdsa_key
- #HostKey /etc/ssh/ssh_host_ed25519_key
- 
-diff --git a/sshd_config.5 b/sshd_config.5
-index 16be4f62..ef520680 100644
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -749,11 +749,10 @@ is not to load any certificates.
- Specifies a file containing a private host key
- used by SSH.
- The defaults are
--.Pa /etc/ssh/ssh_host_dsa_key ,
--.Pa /etc/ssh/ssh_host_ecdsa_key ,
--.Pa /etc/ssh/ssh_host_ed25519_key
-+.Pa /etc/ssh/ssh_host_rsa_key ,
-+.Pa /etc/ssh/ssh_host_ecdsa_key
- and
--.Pa /etc/ssh/ssh_host_rsa_key .
-+.Pa /etc/ssh/ssh_host_ed25519_key .
- .Pp
- Note that
- .Xr sshd 8
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index cbfaebfe0..b65e9a51b 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From b614a7f9148af821919165be47c6c29f59dc6b44 Mon Sep 17 00:00:00 2001
+From 3854c30a0cb51e5ad753cd638fdee6690234dfa2 Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <kurt@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 9297decd6..bb6b52666 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From 7e53354725eeb002e6126a73fd5f294ed9f9b03e Mon Sep 17 00:00:00 2001
+From aac4f0438e6fb33bbcda11e50483aa38f657d5f1 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,7 +44,7 @@ index ef0de085..149846c8 100644
  .Sh SEE ALSO
  .Xr ssh-keygen 1 ,
 diff --git a/ssh-keygen.1 b/ssh-keygen.1
-index 5f1ec09b..dfbc65dd 100644
+index 3525d7d1..39767e62 100644
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
 @@ -176,9 +176,7 @@ key in
@@ -69,7 +69,7 @@ index 5f1ec09b..dfbc65dd 100644
  .It Fl a Ar rounds
  When saving a new-format private key (i.e. an ed25519 key or when the
  .Fl o
-@@ -676,7 +672,7 @@ option.
+@@ -685,7 +681,7 @@ option.
  Valid generator values are 2, 3, and 5.
  .Pp
  Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index 5f1ec09b..dfbc65dd 100644
  It is important that this file contains moduli of a range of bit lengths and
  that both ends of a connection share common moduli.
  .Sh CERTIFICATES
-@@ -863,7 +859,7 @@ on all machines
+@@ -872,7 +868,7 @@ on all machines
  where the user wishes to log in using public key authentication.
  There is no need to keep the contents of this file secret.
  .Pp
@@ -88,10 +88,10 @@ index 5f1ec09b..dfbc65dd 100644
  The file format is described in
  .Xr moduli 5 .
 diff --git a/ssh.1 b/ssh.1
-index 3cc94688..2a2aab30 100644
+index 0ef7c170..54e21d88 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -842,6 +842,10 @@ implements public key authentication protocol automatically,
+@@ -846,6 +846,10 @@ implements public key authentication protocol automatically,
  using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
  The HISTORY section of
  .Xr ssl 8
@@ -103,7 +103,7 @@ index 3cc94688..2a2aab30 100644
  .Pp
  The file
 diff --git a/sshd.8 b/sshd.8
-index 2ed523a2..02c5e1df 100644
+index c8299d5e..378aeb9f 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -65,7 +65,7 @@ over an insecure network.
@@ -115,7 +115,7 @@ index 2ed523a2..02c5e1df 100644
  It forks a new
  daemon for each incoming connection.
  The forked daemons handle
-@@ -850,7 +850,7 @@ This file is for host-based authentication (see
+@@ -856,7 +856,7 @@ This file is for host-based authentication (see
  .Xr ssh 1 ) .
  It should only be writable by root.
  .Pp
@@ -124,7 +124,7 @@ index 2ed523a2..02c5e1df 100644
  Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
  key exchange method.
  The file format is described in
-@@ -950,7 +950,6 @@ The content of this file is not sensitive; it can be world-readable.
+@@ -954,7 +954,6 @@ The content of this file is not sensitive; it can be world-readable.
  .Xr ssh-keyscan 1 ,
  .Xr chroot 2 ,
  .Xr hosts_access 5 ,
@@ -133,10 +133,10 @@ index 2ed523a2..02c5e1df 100644
  .Xr sshd_config 5 ,
  .Xr inetd 8 ,
 diff --git a/sshd_config.5 b/sshd_config.5
-index 41e8c939..79676a95 100644
+index 45044a70..44b91846 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -382,8 +382,7 @@ then no banner is displayed.
+@@ -383,8 +383,7 @@ then no banner is displayed.
  By default, no banner is displayed.
  .It Cm ChallengeResponseAuthentication
  Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 0d851e68c..db144f505 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From 326b09bce8058629980cc92f289fd7912269eb98 Mon Sep 17 00:00:00 2001
+From 52359fc0d6ee73ee6e24332b2777dc8abdaed652 Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
@@ -19,10 +19,10 @@ Patch-Name: package-versioning.patch
  3 files changed, 8 insertions(+), 3 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 7ce2716c..3280b310 100644
+index 58f9eac8..15d8b807 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -517,7 +517,7 @@ send_client_banner(int connection_out, int minor1)
+@@ -638,7 +638,7 @@ send_client_banner(int connection_out, int minor1)
  {
         /* Send our own protocol version identification. */
         xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -32,10 +32,10 @@ index 7ce2716c..3280b310 100644
             strlen(client_version_string)) != strlen(client_version_string))
                 fatal("write: %.100s", strerror(errno));
 diff --git a/sshd.c b/sshd.c
-index af1ec337..eccf81bb 100644
+index 6d911c19..9a7f5495 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -378,7 +378,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
+@@ -384,7 +384,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
         char remote_version[256];       /* Must be at least as big as buf. */
  
         xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
@@ -45,11 +45,11 @@ index af1ec337..eccf81bb 100644
             options.version_addendum);
  
 diff --git a/version.h b/version.h
-index e093f623..b7c5ad2a 100644
+index ea52b26f..a3fa6e0b 100644
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_7.6"
+ #define SSH_VERSION    "OpenSSH_7.7"
  
  #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/permitopen-argument-handling.patch b/debian/patches/permitopen-argument-handling.patch
deleted file mode 100644
index 6369c395c..000000000
--- a/debian/patches/permitopen-argument-handling.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From e293f21da513a7db59fe1997c9e90e2e9cdbceda Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Wed, 4 Oct 2017 18:49:30 +0000
-Subject: Fix PermitOpen argument handling
-
-fix (another) problem in PermitOpen introduced during the
-channels.c refactor: the third and subsequent arguments to PermitOpen were
-being silently ignored; ok markus@
-
-Upstream-ID: 067c89f1f53cbc381628012ba776d6861e6782fd
-
-Origin: https://anongit.mindrot.org/openssh.git/commit/?id=7c9613fac3371cf65fb07739212cdd1ebf6575da
-Last-Update: 2017-10-07
-
-Patch-Name: permitopen-argument-handling.patch
----
- servconf.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/servconf.c b/servconf.c
-index 5e996cf8..9daa182c 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -1,5 +1,5 @@
- 
--/* $OpenBSD: servconf.c,v 1.312 2017/10/02 19:33:20 djm Exp $ */
-+/* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */
- /*
-  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-  *                    All rights reserved
-@@ -1690,9 +1690,9 @@ process_server_config_line(ServerOptions *options, char *line,
-                if (!arg || *arg == '\0')
-                        fatal("%s line %d: missing PermitOpen specification",
-                            filename, linenum);
--               i = options->num_permitted_opens;       /* modified later */
-+               value = options->num_permitted_opens;   /* modified later */
-                if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
--                       if (*activep && i == 0) {
-+                       if (*activep && value == 0) {
-                                options->num_permitted_opens = 1;
-                                options->permitted_opens = xcalloc(1,
-                                    sizeof(*options->permitted_opens));
-@@ -1710,7 +1710,7 @@ process_server_config_line(ServerOptions *options, char *line,
-                        if (arg == NULL || ((port = permitopen_port(arg)) < 0))
-                                fatal("%s line %d: bad port number in "
-                                    "PermitOpen", filename, linenum);
--                       if (*activep && i == 0) {
-+                       if (*activep && value == 0) {
-                                options->permitted_opens = xrecallocarray(
-                                    options->permitted_opens,
-                                    options->num_permitted_opens,
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index 098f9d681..0082aaa15 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
-From 6c2e9847f608cc9c36236eecc58241cd3358dd5b Mon Sep 17 00:00:00 2001
+From efe3fd6e6d460836cd705c5746700fadb6751c0d Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 5 Mar 2017 02:02:11 +0000
 Subject: Restore reading authorized_keys2 by default
@@ -18,7 +18,7 @@ Patch-Name: restore-authorized_keys2.patch
  1 file changed, 2 insertions(+), 3 deletions(-)
 
 diff --git a/sshd_config b/sshd_config
-index 92822959..a32dc1d4 100644
+index de9cc9fe..31e14a4f 100644
 --- a/sshd_config
 +++ b/sshd_config
 @@ -36,9 +36,8 @@
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 5832897d2..4132937da 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From cdd9076a145a95c21538eedb3f728a897480c5de Mon Sep 17 00:00:00 2001
+From 398af3d66bfe8dc7d436570026571e522a0a13a0 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 7 Oct 2014 13:22:41 +0100
 Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
  3 files changed, 89 insertions(+)
 
 diff --git a/configure.ac b/configure.ac
-index 84bfad8c..3b30736b 100644
+index 1cd5eab6..3e23e60d 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1503,6 +1503,62 @@ AC_ARG_WITH([skey],
+@@ -1566,6 +1566,62 @@ AC_ARG_WITH([skey],
         ]
  )
  
@@ -94,19 +94,19 @@ index 84bfad8c..3b30736b 100644
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -5133,6 +5189,7 @@ echo "                 KerberosV support: $KRB5_MSG"
+@@ -5240,6 +5296,7 @@ echo "                   OSF SIA support: $SIA_MSG"
+ echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
- echo "                 Smartcard support: $SCARD_MSG"
  echo "                     S/KEY support: $SKEY_MSG"
 +echo "              TCP Wrappers support: $TCPW_MSG"
  echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "                   libldns support: $LDNS_MSG"
 diff --git a/sshd.8 b/sshd.8
-index a4201146..2ed523a2 100644
+index 968ba66b..c8299d5e 100644
 --- a/sshd.8
 +++ b/sshd.8
-@@ -839,6 +839,12 @@ the user's home directory becomes accessible.
+@@ -845,6 +845,12 @@ the user's home directory becomes accessible.
  This file should be writable only by the user, and need not be
  readable by anyone else.
  .Pp
@@ -119,7 +119,7 @@ index a4201146..2ed523a2 100644
  .It Pa /etc/hosts.equiv
  This file is for host-based authentication (see
  .Xr ssh 1 ) .
-@@ -943,6 +949,7 @@ The content of this file is not sensitive; it can be world-readable.
+@@ -947,6 +953,7 @@ The content of this file is not sensitive; it can be world-readable.
  .Xr ssh-keygen 1 ,
  .Xr ssh-keyscan 1 ,
  .Xr chroot 2 ,
@@ -128,10 +128,10 @@ index a4201146..2ed523a2 100644
  .Xr moduli 5 ,
  .Xr sshd_config 5 ,
 diff --git a/sshd.c b/sshd.c
-index 45e50fac..a66e9ca6 100644
+index e88185ef..4ed0364f 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -126,6 +126,13 @@
+@@ -127,6 +127,13 @@
  #include <Security/AuthSession.h>
  #endif
  
@@ -145,7 +145,7 @@ index 45e50fac..a66e9ca6 100644
  /* Re-exec fds */
  #define REEXEC_DEVCRYPTO_RESERVED_FD   (STDERR_FILENO + 1)
  #define REEXEC_STARTUP_PIPE_FD         (STDERR_FILENO + 2)
-@@ -1987,6 +1994,24 @@ main(int ac, char **av)
+@@ -2042,6 +2049,24 @@ main(int ac, char **av)
  #ifdef SSH_AUDIT_EVENTS
         audit_connection_from(remote_ip, remote_port);
  #endif
@@ -168,5 +168,5 @@ index 45e50fac..a66e9ca6 100644
 +       }
 +#endif /* LIBWRAP */
  
-        /* Log the connection. */
-        laddr = get_local_ipaddr(sock_in);
+        rdomain = ssh_packet_rdomain_in(ssh);
+ 
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 43153ec04..d969d5e8e 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From ef7aa8189491e0b43f14f7f15fb5e66903f7e185 Mon Sep 17 00:00:00 2001
+From e800454207f4d7a0c402f129029b8282209cdf74 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
@@ -17,10 +17,10 @@ Patch-Name: scp-quoting.patch
  1 file changed, 10 insertions(+), 2 deletions(-)
 
 diff --git a/scp.c b/scp.c
-index a533eb09..12e3199d 100644
+index 31e6709f..2bbf6938 100644
 --- a/scp.c
 +++ b/scp.c
-@@ -194,8 +194,16 @@ do_local_cmd(arglist *a)
+@@ -198,8 +198,16 @@ do_local_cmd(arglist *a)
  
         if (verbose_mode) {
                 fprintf(stderr, "Executing:");
diff --git a/debian/patches/seccomp-getuid-geteuid.patch b/debian/patches/seccomp-getuid-geteuid.patch
index 41455aa83..eca78b26a 100644
--- a/debian/patches/seccomp-getuid-geteuid.patch
+++ b/debian/patches/seccomp-getuid-geteuid.patch
@@ -1,4 +1,4 @@
-From 8165600205696cca8a080a5cb6746070512174e9 Mon Sep 17 00:00:00 2001
+From 979c7c92111e0682d02888be50a3322c7de6520a Mon Sep 17 00:00:00 2001
 From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
 Date: Tue, 9 May 2017 13:31:05 -0300
 Subject: Allow getuid and geteuid calls
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch
index 5fb94137d..4a800709f 100644
--- a/debian/patches/seccomp-s390-flock-ipc.patch
+++ b/debian/patches/seccomp-s390-flock-ipc.patch
@@ -1,4 +1,4 @@
-From a5a99443e190a90eb511215aa7c1fa940f79b901 Mon Sep 17 00:00:00 2001
+From a8dba2230bc3de444c48e48d1bfd57aca1db82b1 Mon Sep 17 00:00:00 2001
 From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
 Date: Tue, 9 May 2017 10:53:04 -0300
 Subject: Allow flock and ipc syscall for s390 architecture
diff --git a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
index 595b3d6ec..8ccf61508 100644
--- a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
+++ b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
@@ -1,4 +1,4 @@
-From 801a62eedaaf47b20dbf4b426dc3e084bf0c8d49 Mon Sep 17 00:00:00 2001
+From 76aa43d2298f322f0371b74462418d0461537131 Mon Sep 17 00:00:00 2001
 From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
 Date: Tue, 9 May 2017 13:33:30 -0300
 Subject: Enable specific ioctl call for EP11 crypto card (s390)
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 1402b9025..5662207cd 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From 4b276122c04aed0726803a92c8ca955e614a4d3a Mon Sep 17 00:00:00 2001
+From 7da968d97beba5fb80a5488516563ea1376db907 Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -31,10 +31,10 @@ Patch-Name: selinux-role.patch
  15 files changed, 97 insertions(+), 30 deletions(-)
 
 diff --git a/auth.h b/auth.h
-index 29835ae9..27a1a88e 100644
+index 23ce67ca..15ba7073 100644
 --- a/auth.h
 +++ b/auth.h
-@@ -63,6 +63,7 @@ struct Authctxt {
+@@ -65,6 +65,7 @@ struct Authctxt {
         char            *service;
         struct passwd   *pw;            /* set if 'valid' */
         char            *style;
@@ -43,10 +43,10 @@ index 29835ae9..27a1a88e 100644
         /* Method lists for multiple authentication */
         char            **auth_methods; /* modified from server config */
 diff --git a/auth2.c b/auth2.c
-index 54070e3a..1f9ec632 100644
+index c34f58c4..be5e9f15 100644
 --- a/auth2.c
 +++ b/auth2.c
-@@ -221,7 +221,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+@@ -218,7 +218,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
  {
         Authctxt *authctxt = ssh->authctxt;
         Authmethod *m = NULL;
@@ -55,7 +55,7 @@ index 54070e3a..1f9ec632 100644
         int authenticated = 0;
  
         if (authctxt == NULL)
-@@ -233,8 +233,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+@@ -230,8 +230,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
         debug("userauth-request for user %s service %s method %s", user, service, method);
         debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
  
@@ -69,7 +69,7 @@ index 54070e3a..1f9ec632 100644
  
         if (authctxt->attempt++ == 0) {
                 /* setup auth context */
-@@ -261,8 +266,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+@@ -258,8 +263,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
                     use_privsep ? " [net]" : "");
                 authctxt->service = xstrdup(service);
                 authctxt->style = style ? xstrdup(style) : NULL;
@@ -81,10 +81,10 @@ index 54070e3a..1f9ec632 100644
                 if (auth2_setup_methods_lists(authctxt) != 0)
                         packet_disconnect("no authentication methods enabled");
 diff --git a/monitor.c b/monitor.c
-index cabfeb8a..510e3496 100644
+index 868fb0d2..ed37458f 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
+@@ -128,6 +128,7 @@ int mm_answer_sign(int, Buffer *);
  int mm_answer_pwnamallow(int, Buffer *);
  int mm_answer_auth2_read_banner(int, Buffer *);
  int mm_answer_authserv(int, Buffer *);
@@ -92,7 +92,7 @@ index cabfeb8a..510e3496 100644
  int mm_answer_authpassword(int, Buffer *);
  int mm_answer_bsdauthquery(int, Buffer *);
  int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -206,6 +207,7 @@ struct mon_table mon_dispatch_proto20[] = {
      {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
      {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
      {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -100,7 +100,7 @@ index cabfeb8a..510e3496 100644
      {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
      {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
  #ifdef USE_PAM
-@@ -799,6 +801,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
+@@ -806,6 +808,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
  
         /* Allow service/style information on the auth context */
         monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -108,7 +108,7 @@ index cabfeb8a..510e3496 100644
         monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
  
  #ifdef USE_PAM
-@@ -829,14 +832,37 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -836,14 +839,37 @@ mm_answer_authserv(int sock, Buffer *m)
  
         authctxt->service = buffer_get_string(m, NULL);
         authctxt->style = buffer_get_string(m, NULL);
@@ -148,7 +148,7 @@ index cabfeb8a..510e3496 100644
         return (0);
  }
  
-@@ -1471,7 +1497,7 @@ mm_answer_pty(int sock, Buffer *m)
+@@ -1497,7 +1523,7 @@ mm_answer_pty(int sock, Buffer *m)
         res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
         if (res == 0)
                 goto error;
@@ -171,10 +171,10 @@ index ec41404c..4c7955d7 100644
  
  struct monitor {
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 0e171a6a..d806bb2e 100644
+index e749efc1..7b2d06c6 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -336,10 +336,10 @@ mm_auth2_read_banner(void)
+@@ -331,10 +331,10 @@ mm_auth2_read_banner(void)
         return (banner);
  }
  
@@ -187,7 +187,7 @@ index 0e171a6a..d806bb2e 100644
  {
         Buffer m;
  
-@@ -348,12 +348,30 @@ mm_inform_authserv(char *service, char *style)
+@@ -343,12 +343,30 @@ mm_inform_authserv(char *service, char *style)
         buffer_init(&m);
         buffer_put_cstring(&m, service);
         buffer_put_cstring(&m, style ? style : "");
@@ -217,12 +217,12 @@ index 0e171a6a..d806bb2e 100644
 +
  /* Do the password authentication */
  int
- mm_auth_password(Authctxt *authctxt, char *password)
+ mm_auth_password(struct ssh *ssh, char *password)
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 7b2e8945..a9ccb243 100644
+index 0970d1f8..492de5c8 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
-@@ -41,7 +41,8 @@ int mm_is_monitor(void);
+@@ -43,7 +43,8 @@ int mm_is_monitor(void);
  DH *mm_choose_dh(int, int, int);
  int mm_key_sign(struct sshkey *, u_char **, u_int *, const u_char *, u_int,
      const char *);
@@ -231,9 +231,9 @@ index 7b2e8945..a9ccb243 100644
 +void mm_inform_authrole(char *);
  struct passwd *mm_getpwnamallow(const char *);
  char *mm_auth2_read_banner(void);
- int mm_auth_password(struct Authctxt *, char *);
+ int mm_auth_password(struct ssh *, char *);
 diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
-index e4c5d1b7..e26faf08 100644
+index 8c5325cc..8a3e5c68 100644
 --- a/openbsd-compat/port-linux.c
 +++ b/openbsd-compat/port-linux.c
 @@ -27,6 +27,12 @@
@@ -249,7 +249,7 @@ index e4c5d1b7..e26faf08 100644
  #include "log.h"
  #include "xmalloc.h"
  #include "port-linux.h"
-@@ -56,7 +62,7 @@ ssh_selinux_enabled(void)
+@@ -55,7 +61,7 @@ ssh_selinux_enabled(void)
  
  /* Return the default security context for the given username */
  static security_context_t
@@ -258,7 +258,7 @@ index e4c5d1b7..e26faf08 100644
  {
         security_context_t sc = NULL;
         char *sename = NULL, *lvl = NULL;
-@@ -71,9 +77,16 @@ ssh_selinux_getctxbyname(char *pwname)
+@@ -70,9 +76,16 @@ ssh_selinux_getctxbyname(char *pwname)
  #endif
  
  #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@@ -277,7 +277,7 @@ index e4c5d1b7..e26faf08 100644
  #endif
  
         if (r != 0) {
-@@ -103,7 +116,7 @@ ssh_selinux_getctxbyname(char *pwname)
+@@ -102,7 +115,7 @@ ssh_selinux_getctxbyname(char *pwname)
  
  /* Set the execution context to the default for the specified user */
  void
@@ -286,7 +286,7 @@ index e4c5d1b7..e26faf08 100644
  {
         security_context_t user_ctx = NULL;
  
-@@ -112,7 +125,7 @@ ssh_selinux_setup_exec_context(char *pwname)
+@@ -111,7 +124,7 @@ ssh_selinux_setup_exec_context(char *pwname)
  
         debug3("%s: setting execution context", __func__);
  
@@ -295,7 +295,7 @@ index e4c5d1b7..e26faf08 100644
         if (setexeccon(user_ctx) != 0) {
                 switch (security_getenforce()) {
                 case -1:
-@@ -134,7 +147,7 @@ ssh_selinux_setup_exec_context(char *pwname)
+@@ -133,7 +146,7 @@ ssh_selinux_setup_exec_context(char *pwname)
  
  /* Set the TTY context for the specified user */
  void
@@ -364,10 +364,10 @@ index ea4f9c58..60d72ffe 100644
  char *platform_krb5_get_principal_name(const char *);
  int platform_sys_dir_uid(uid_t);
 diff --git a/session.c b/session.c
-index 4bccb62d..d40afe4f 100644
+index 58826db1..ff301c98 100644
 --- a/session.c
 +++ b/session.c
-@@ -1312,7 +1312,7 @@ safely_chroot(const char *path, uid_t uid)
+@@ -1322,7 +1322,7 @@ safely_chroot(const char *path, uid_t uid)
  
  /* Set login name, uid, gid, and groups. */
  void
@@ -376,7 +376,7 @@ index 4bccb62d..d40afe4f 100644
  {
         char *chroot_path, *tmp;
  
-@@ -1340,7 +1340,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1350,7 +1350,7 @@ do_setusercontext(struct passwd *pw)
                 endgrent();
  #endif
  
@@ -385,7 +385,7 @@ index 4bccb62d..d40afe4f 100644
  
                 if (!in_chroot && options.chroot_directory != NULL &&
                     strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1477,7 +1477,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
+@@ -1487,7 +1487,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
  
         /* Force a password change */
         if (s->authctxt->force_pwchange) {
@@ -394,7 +394,7 @@ index 4bccb62d..d40afe4f 100644
                 child_close_fds(ssh);
                 do_pwchange(s);
                 exit(1);
-@@ -1499,7 +1499,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
+@@ -1505,7 +1505,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
         /* When PAM is enabled we rely on it to do the nologin check */
         if (!options.use_pam)
                 do_nologin(pw);
@@ -403,7 +403,7 @@ index 4bccb62d..d40afe4f 100644
         /*
          * PAM session modules in do_setusercontext may have
          * generated messages, so if this in an interactive
-@@ -1891,7 +1891,7 @@ session_pty_req(struct ssh *ssh, Session *s)
+@@ -1897,7 +1897,7 @@ session_pty_req(struct ssh *ssh, Session *s)
         tty_parse_modes(s->ttyfd, &n_bytes);
  
         if (!use_privsep)
@@ -426,10 +426,10 @@ index 54dd1f0c..8535ebce 100644
  const char     *session_get_remote_name_or_ip(struct ssh *, u_int, int);
  
 diff --git a/sshd.c b/sshd.c
-index a66e9ca6..af1ec337 100644
+index 4ed0364f..6d911c19 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -677,7 +677,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -679,7 +679,7 @@ privsep_postauth(Authctxt *authctxt)
         reseed_prngs();
  
         /* Drop privileges */
@@ -439,10 +439,10 @@ index a66e9ca6..af1ec337 100644
   skip:
         /* It is safe now to apply the key state */
 diff --git a/sshpty.c b/sshpty.c
-index fe2fb5aa..feb22b06 100644
+index 4da84d05..676ade50 100644
 --- a/sshpty.c
 +++ b/sshpty.c
-@@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
+@@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
  }
  
  void
@@ -451,7 +451,7 @@ index fe2fb5aa..feb22b06 100644
  {
         struct group *grp;
         gid_t gid;
-@@ -209,7 +209,7 @@ pty_setowner(struct passwd *pw, const char *tty)
+@@ -184,7 +184,7 @@ pty_setowner(struct passwd *pw, const char *tty)
                     strerror(errno));
  
  #ifdef WITH_SELINUX
diff --git a/debian/patches/series b/debian/patches/series
index 01aa2c87c..e409902b5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,7 +8,6 @@ user-group-modes.patch
 scp-quoting.patch
 shell-path.patch
 dnssec-sshfp.patch
-auth-log-verbosity.patch
 mention-ssh-keygen-on-keychange.patch
 package-versioning.patch
 debian-banner.patch
@@ -21,10 +20,7 @@ no-openssl-version-status.patch
 gnome-ssh-askpass2-icon.patch
 systemd-readiness.patch
 debian-config.patch
-no-dsa-host-key-by-default.patch
 restore-authorized_keys2.patch
 seccomp-s390-flock-ipc.patch
 seccomp-getuid-geteuid.patch
 seccomp-s390-ioctl-ep11-crypto.patch
-permitopen-argument-handling.patch
-fix-regress-putty-transfer.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 29abf10f2..638d348f2 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From c239ba6fa4560704a237779f82445d5f125847e1 Mon Sep 17 00:00:00 2001
+From 72fead7f622b074c9b92dbdb8ae745faf2702b3d Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index dc7a704d..5eed5880 100644
+index 3805d35d..8ab01c0e 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -235,7 +235,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port,
+@@ -239,7 +239,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port,
                 /* Execute the proxy command.  Note that we gave up any
                    extra privileges above. */
                 signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index dc7a704d..5eed5880 100644
                 perror(argv[0]);
                 exit(1);
         }
-@@ -1435,7 +1435,7 @@ ssh_local_cmd(const char *args)
+@@ -1554,7 +1554,7 @@ ssh_local_cmd(const char *args)
         if (pid == 0) {
                 signal(SIGPIPE, SIG_DFL);
                 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 9ac4977b5..d9b86e20e 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From b37d4f364f9c9bfbaf372e903ebbe80ef8ae2264 Mon Sep 17 00:00:00 2001
+From 3fe0881b32198fc6121c6ded59beb1433236982a Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 3a560ad78..771410ba9 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From 7e5cf5d27a7be47203280c665ca7311269f53671 Mon Sep 17 00:00:00 2001
+From e55358f350ef1183679c845a4f9913b2866cf847 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
  1 file changed, 1 insertion(+)
 
 diff --git a/ssh.1 b/ssh.1
-index 2a2aab30..711fe608 100644
+index 54e21d88..f8fc26d2 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1556,6 +1556,7 @@ if an error occurred.
+@@ -1571,6 +1571,7 @@ if an error occurred.
  .Xr sftp 1 ,
  .Xr ssh-add 1 ,
  .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index ef1ce4e99..34ff8a497 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From 19971fb92159a621b55f0b9da76dd38a56d7247c Mon Sep 17 00:00:00 2001
+From 4fb99d4eb8936b6ffae3749717abfc2dccbaa162 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch
  2 files changed, 2 insertions(+)
 
 diff --git a/readconf.c b/readconf.c
-index 99e03ee1..d2b28a41 100644
+index c8e79299..1f1be778 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -189,6 +189,7 @@ static struct {
@@ -29,10 +29,10 @@ index 99e03ee1..d2b28a41 100644
         { "useroaming", oDeprecated },
         { "usersh", oDeprecated },
 diff --git a/servconf.c b/servconf.c
-index 8ba74517..9889fb0a 100644
+index cbbea05b..3fff3d53 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -525,6 +525,7 @@ static struct {
+@@ -576,6 +576,7 @@ static struct {
         { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
         { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
         { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 3ed6287a9..897433408 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From 215bd91f12b0ddb9754483ee6e3c3b4751256dca Mon Sep 17 00:00:00 2001
+From 027619c6b05713e3f08a51e7232389383900e5d8 Mon Sep 17 00:00:00 2001
 From: Jonathan David Amery <jdamery@ysolde.ucam.org>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index 99450dd1..1559091d 100644
         { "FATAL",      SYSLOG_LEVEL_FATAL },
         { "ERROR",      SYSLOG_LEVEL_ERROR },
 diff --git a/ssh.c b/ssh.c
-index ae37432b..9cb21171 100644
+index d3619fe2..e36debf6 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -1166,7 +1166,7 @@ main(int ac, char **av)
+@@ -1252,7 +1252,7 @@ main(int ac, char **av)
         /* Do not allocate a tty if stdin is not a tty. */
         if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
             options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 537a5cab6..8c9832cdd 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
-From ba3f6b85ede72ef42987f0069f5ed2b88ebe69fd Mon Sep 17 00:00:00 2001
+From 293675c88b02f0a5ba3896db73b2716e70d87b31 Mon Sep 17 00:00:00 2001
 From: Michael Biebl <biebl@debian.org>
 Date: Mon, 21 Dec 2015 16:08:47 +0000
 Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
  2 files changed, 33 insertions(+)
 
 diff --git a/configure.ac b/configure.ac
-index 3b30736b..483a9038 100644
+index 3e23e60d..eac143b4 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4389,6 +4389,29 @@ AC_ARG_WITH([kerberos5],
+@@ -4496,6 +4496,29 @@ AC_ARG_WITH([kerberos5],
  AC_SUBST([GSSLIBS])
  AC_SUBST([K5LIBS])
  
@@ -47,7 +47,7 @@ index 3b30736b..483a9038 100644
  # Looking for programs, paths and files
  
  PRIVSEP_PATH=/var/empty
-@@ -5196,6 +5219,7 @@ echo "                   libldns support: $LDNS_MSG"
+@@ -5303,6 +5326,7 @@ echo "                   libldns support: $LDNS_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
  echo "           Solaris project support: $SP_MSG"
  echo "         Solaris privilege support: $SPP_MSG"
@@ -56,7 +56,7 @@ index 3b30736b..483a9038 100644
  echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
  echo "                  BSD Auth support: $BSD_AUTH_MSG"
 diff --git a/sshd.c b/sshd.c
-index a5a1193d..1fde5a63 100644
+index 1d645a17..3a86e66e 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -85,6 +85,10 @@
@@ -70,7 +70,7 @@ index a5a1193d..1fde5a63 100644
  #include "xmalloc.h"
  #include "ssh.h"
  #include "ssh2.h"
-@@ -1881,6 +1885,11 @@ main(int ac, char **av)
+@@ -1933,6 +1937,11 @@ main(int ac, char **av)
                         }
                 }
  
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 338c7567d..a7201b318 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From b1033fed87fd9fa24dccab45f00cadcbc7144c47 Mon Sep 17 00:00:00 2001
+From 9e45701c5d6105444cc2f4f5d6c44b0f69969479 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
@@ -51,10 +51,10 @@ index ecf956f0..4dccd5e6 100644
                             pw->pw_name, buf);
                         auth_debug_add("Bad file modes for %.200s", buf);
 diff --git a/auth.c b/auth.c
-index 6aec3605..68a1e4a7 100644
+index 76d586e3..68b9fe79 100644
 --- a/auth.c
 +++ b/auth.c
-@@ -467,8 +467,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
+@@ -468,8 +468,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
                 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
                 if (options.strict_modes &&
                     (stat(user_hostfile, &st) == 0) &&
@@ -65,7 +65,7 @@ index 6aec3605..68a1e4a7 100644
                             "bad owner or modes for %.200s",
                             pw->pw_name, user_hostfile);
 diff --git a/misc.c b/misc.c
-index 05950a47..40aeeef3 100644
+index 874dcc8a..75c4113f 100644
 --- a/misc.c
 +++ b/misc.c
 @@ -57,8 +57,9 @@
@@ -79,7 +79,7 @@ index 05950a47..40aeeef3 100644
  #ifdef SSH_TUN_OPENBSD
  #include <net/if.h>
  #endif
-@@ -723,6 +724,55 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
+@@ -1030,6 +1031,55 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
         return -1;
  }
  
@@ -133,9 +133,9 @@ index 05950a47..40aeeef3 100644
 +}
 +
  int
- tun_open(int tun, int mode)
+ tun_open(int tun, int mode, char **ifname)
  {
-@@ -1626,8 +1676,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
+@@ -1797,8 +1847,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
                 snprintf(err, errlen, "%s is not a regular file", buf);
                 return -1;
         }
@@ -145,7 +145,7 @@ index 05950a47..40aeeef3 100644
                 snprintf(err, errlen, "bad ownership or modes for file %s",
                     buf);
                 return -1;
-@@ -1642,8 +1691,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
+@@ -1813,8 +1862,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
                 strlcpy(buf, cp, sizeof(buf));
  
                 if (stat(buf, &st) < 0 ||
@@ -156,10 +156,10 @@ index 05950a47..40aeeef3 100644
                             "bad ownership or modes for directory %s", buf);
                         return -1;
 diff --git a/misc.h b/misc.h
-index 153d1137..d8759ab1 100644
+index cdafea73..51943db9 100644
 --- a/misc.h
 +++ b/misc.h
-@@ -163,6 +163,8 @@ char        *read_passphrase(const char *, int);
+@@ -168,6 +168,8 @@ char        *read_passphrase(const char *, int);
  int     ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
  int     read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
  
@@ -169,10 +169,10 @@ index 153d1137..d8759ab1 100644
  #define MAXIMUM(a, b)  (((a) > (b)) ? (a) : (b))
  #define ROUNDUP(x, y)   ((((x)+((y)-1))/(y))*(y))
 diff --git a/readconf.c b/readconf.c
-index 45caa095..be3d5873 100644
+index 7f2b5c17..50349e23 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1766,8 +1766,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
+@@ -1741,8 +1741,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
  
                 if (fstat(fileno(f), &sb) == -1)
                         fatal("fstat %s: %s", filename, strerror(errno));
@@ -183,10 +183,10 @@ index 45caa095..be3d5873 100644
         }
  
 diff --git a/ssh.1 b/ssh.1
-index 2ab1697f..3cc94688 100644
+index b4078525..0ef7c170 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1456,6 +1456,8 @@ The file format and configuration options are described in
+@@ -1471,6 +1471,8 @@ The file format and configuration options are described in
  .Xr ssh_config 5 .
  Because of the potential for abuse, this file must have strict permissions:
  read/write for the user, and not writable by others.
@@ -196,10 +196,10 @@ index 2ab1697f..3cc94688 100644
  .It Pa ~/.ssh/environment
  Contains additional definitions for environment variables; see
 diff --git a/ssh_config.5 b/ssh_config.5
-index d6f43c2d..7810a418 100644
+index 32c3632c..84dcd52c 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1786,6 +1786,8 @@ The format of this file is described above.
+@@ -1818,6 +1818,8 @@ The format of this file is described above.
  This file is used by the SSH client.
  Because of the potential for abuse, this file must have strict permissions:
  read/write for the user, and not accessible by others.