summaryrefslogtreecommitdiff
path: root/debian/patches
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-02-09 16:10:19 +0000
committerColin Watson <cjwatson@debian.org>2014-02-09 16:25:52 +0000
commitd26565af8589d88f824b26f31da493f1056efcf4 (patch)
treeff5e3b9c0fbb553f4f4c6e8836070659f266108e /debian/patches
parent16fb149cbb42efe0cb13f3edbafcb1a21ecfe574 (diff)
parentbb5616c94d6d6b97890e90dd01a7ad07c663dc0b (diff)
Initialize git-dpm
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/auth-log-verbosity.patch47
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch18
-rw-r--r--debian/patches/consolekit.patch186
-rw-r--r--debian/patches/debian-banner.patch52
-rw-r--r--debian/patches/debian-config.patch77
-rw-r--r--debian/patches/dnssec-sshfp.patch36
-rw-r--r--debian/patches/doc-hash-tab-completion.patch18
-rw-r--r--debian/patches/doc-upstart.patch18
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch18
-rw-r--r--debian/patches/gssapi.patch393
-rw-r--r--debian/patches/helpful-wait-terminate.patch18
-rw-r--r--debian/patches/keepalive-extensions.patch61
-rw-r--r--debian/patches/lintian-symlink-pickiness.patch23
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch20
-rw-r--r--debian/patches/no-openssl-version-check.patch21
-rw-r--r--debian/patches/openbsd-docs.patch67
-rw-r--r--debian/patches/package-versioning.patch39
-rw-r--r--debian/patches/quieter-signals.patch33
-rw-r--r--debian/patches/scp-quoting.patch27
-rw-r--r--debian/patches/selinux-role.patch171
-rw-r--r--debian/patches/series21
-rw-r--r--debian/patches/shell-path.patch25
-rw-r--r--debian/patches/sigstop.patch18
-rw-r--r--debian/patches/ssh-agent-setgid.patch18
-rw-r--r--debian/patches/ssh-argv0.patch26
-rw-r--r--debian/patches/ssh-vulnkey.patch248
-rw-r--r--debian/patches/ssh1-keepalive.patch27
-rw-r--r--debian/patches/syslog-level-silent.patch38
-rw-r--r--debian/patches/user-group-modes.patch206
29 files changed, 1159 insertions, 811 deletions
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index a6a842ecd..5d98b81a2 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,14 +1,25 @@
1Description: Quieten logs when multiple from= restrictions are used 1From ec5991d73abdc0b3c43ea9f8a0e99da045e7beb1 Mon Sep 17 00:00:00 2001
2Author: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:02 +0000
4Subject: Quieten logs when multiple from= restrictions are used
5
3Bug-Debian: http://bugs.debian.org/630606 6Bug-Debian: http://bugs.debian.org/630606
4Forwarded: no 7Forwarded: no
5Last-Update: 2013-09-14 8Last-Update: 2013-09-14
6 9
7Index: b/auth-options.c 10Patch-Name: auth-log-verbosity.patch
8=================================================================== 11---
12 auth-options.c | 35 ++++++++++++++++++++++++++---------
13 auth-options.h | 1 +
14 auth-rsa.c | 2 ++
15 auth2-pubkey.c | 3 +++
16 4 files changed, 32 insertions(+), 9 deletions(-)
17
18diff --git a/auth-options.c b/auth-options.c
19index 12e2e1d..15c00d0 100644
9--- a/auth-options.c 20--- a/auth-options.c
10+++ b/auth-options.c 21+++ b/auth-options.c
11@@ -58,9 +58,20 @@ 22@@ -58,9 +58,20 @@ int forced_tun_device = -1;
12 /* "principals=" option. */ 23 /* "principals=" option. */
13 char *authorized_principals = NULL; 24 char *authorized_principals = NULL;
14 25
@@ -29,7 +40,7 @@ Index: b/auth-options.c
29 auth_clear_options(void) 40 auth_clear_options(void)
30 { 41 {
31 no_agent_forwarding_flag = 0; 42 no_agent_forwarding_flag = 0;
32@@ -288,10 +299,13 @@ 43@@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
33 /* FALLTHROUGH */ 44 /* FALLTHROUGH */
34 case 0: 45 case 0:
35 free(patterns); 46 free(patterns);
@@ -47,7 +58,7 @@ Index: b/auth-options.c
47 auth_debug_add("Your host '%.200s' is not " 58 auth_debug_add("Your host '%.200s' is not "
48 "permitted to use this key for login.", 59 "permitted to use this key for login.",
49 remote_host); 60 remote_host);
50@@ -513,11 +527,14 @@ 61@@ -513,11 +527,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
51 break; 62 break;
52 case 0: 63 case 0:
53 /* no match */ 64 /* no match */
@@ -67,11 +78,11 @@ Index: b/auth-options.c
67 auth_debug_add("Your address '%.200s' " 78 auth_debug_add("Your address '%.200s' "
68 "is not permitted to use this " 79 "is not permitted to use this "
69 "certificate for login.", 80 "certificate for login.",
70Index: b/auth-options.h 81diff --git a/auth-options.h b/auth-options.h
71=================================================================== 82index 7455c94..a3f0a02 100644
72--- a/auth-options.h 83--- a/auth-options.h
73+++ b/auth-options.h 84+++ b/auth-options.h
74@@ -33,6 +33,7 @@ 85@@ -33,6 +33,7 @@ extern int forced_tun_device;
75 extern int key_is_cert_authority; 86 extern int key_is_cert_authority;
76 extern char *authorized_principals; 87 extern char *authorized_principals;
77 88
@@ -79,11 +90,11 @@ Index: b/auth-options.h
79 int auth_parse_options(struct passwd *, char *, char *, u_long); 90 int auth_parse_options(struct passwd *, char *, char *, u_long);
80 void auth_clear_options(void); 91 void auth_clear_options(void);
81 int auth_cert_options(Key *, struct passwd *); 92 int auth_cert_options(Key *, struct passwd *);
82Index: b/auth-rsa.c 93diff --git a/auth-rsa.c b/auth-rsa.c
83=================================================================== 94index 6ed152c..9b139c9 100644
84--- a/auth-rsa.c 95--- a/auth-rsa.c
85+++ b/auth-rsa.c 96+++ b/auth-rsa.c
86@@ -174,6 +174,8 @@ 97@@ -174,6 +174,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
87 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) 98 if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
88 return 0; 99 return 0;
89 100
@@ -92,11 +103,11 @@ Index: b/auth-rsa.c
92 /* 103 /*
93 * Go though the accepted keys, looking for the current key. If 104 * Go though the accepted keys, looking for the current key. If
94 * found, perform a challenge-response dialog to verify that the 105 * found, perform a challenge-response dialog to verify that the
95Index: b/auth2-pubkey.c 106diff --git a/auth2-pubkey.c b/auth2-pubkey.c
96=================================================================== 107index 12eb8a6..7c0ceee 100644
97--- a/auth2-pubkey.c 108--- a/auth2-pubkey.c
98+++ b/auth2-pubkey.c 109+++ b/auth2-pubkey.c
99@@ -257,6 +257,7 @@ 110@@ -257,6 +257,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
100 restore_uid(); 111 restore_uid();
101 return 0; 112 return 0;
102 } 113 }
@@ -104,7 +115,7 @@ Index: b/auth2-pubkey.c
104 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 115 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
105 /* Skip leading whitespace. */ 116 /* Skip leading whitespace. */
106 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 117 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
107@@ -318,6 +319,7 @@ 118@@ -318,6 +319,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
108 found_key = 0; 119 found_key = 0;
109 120
110 found = NULL; 121 found = NULL;
@@ -112,7 +123,7 @@ Index: b/auth2-pubkey.c
112 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 123 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
113 char *cp, *key_options = NULL; 124 char *cp, *key_options = NULL;
114 if (found != NULL) 125 if (found != NULL)
115@@ -453,6 +455,7 @@ 126@@ -453,6 +455,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
116 if (key_cert_check_authority(key, 0, 1, 127 if (key_cert_check_authority(key, 0, 1,
117 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0) 128 principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
118 goto fail_reason; 129 goto fail_reason;
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index e48a3cb3e..751ba841c 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,14 +1,22 @@
1Description: Install authorized_keys(5) as a symlink to sshd(8) 1From 6342b4c70310da7f73e1d54ddae0edde990d95d8 Mon Sep 17 00:00:00 2001
2Author: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8)
5
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
4Bug-Debian: http://bugs.debian.org/441817 7Bug-Debian: http://bugs.debian.org/441817
5Last-Update: 2013-09-14 8Last-Update: 2013-09-14
6 9
7Index: b/Makefile.in 10Patch-Name: authorized-keys-man-symlink.patch
8=================================================================== 11---
12 Makefile.in | 1 +
13 1 file changed, 1 insertion(+)
14
15diff --git a/Makefile.in b/Makefile.in
16index ca6eee5..7cd3a08 100644
9--- a/Makefile.in 17--- a/Makefile.in
10+++ b/Makefile.in 18+++ b/Makefile.in
11@@ -289,6 +289,7 @@ 19@@ -289,6 +289,7 @@ install-files:
12 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
13 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
14 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
index fd064a848..f43e78500 100644
--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,13 +1,33 @@
1Description: Add support for registering ConsoleKit sessions on login 1From cfae2bfa1e95cbb6c7a9799f13b82e8e804ca869 Mon Sep 17 00:00:00 2001
2Author: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:57 +0000
4Subject: Add support for registering ConsoleKit sessions on login
5
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450
4Last-Updated: 2013-09-14 7Last-Updated: 2013-09-14
5 8
6Index: b/Makefile.in 9Patch-Name: consolekit.patch
7=================================================================== 10---
11 Makefile.in | 3 +-
12 configure | 132 +++++++++++++++++++++++++++++++
13 configure.ac | 25 ++++++
14 consolekit.c | 240 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
15 consolekit.h | 24 ++++++
16 monitor.c | 43 +++++++++++
17 monitor.h | 2 +
18 monitor_wrap.c | 31 ++++++++
19 monitor_wrap.h | 4 +
20 session.c | 13 ++++
21 session.h | 6 ++
22 11 files changed, 522 insertions(+), 1 deletion(-)
23 create mode 100644 consolekit.c
24 create mode 100644 consolekit.h
25
26diff --git a/Makefile.in b/Makefile.in
27index b8f5099..ca6eee5 100644
8--- a/Makefile.in 28--- a/Makefile.in
9+++ b/Makefile.in 29+++ b/Makefile.in
10@@ -96,7 +96,8 @@ 30@@ -96,7 +96,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
11 sftp-server.o sftp-common.o \ 31 sftp-server.o sftp-common.o \
12 roaming_common.o roaming_serv.o \ 32 roaming_common.o roaming_serv.o \
13 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 33 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
@@ -17,54 +37,11 @@ Index: b/Makefile.in
17 37
18 MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out 38 MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out
19 MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5 39 MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5
20Index: b/configure.ac 40diff --git a/configure b/configure
21=================================================================== 41index ceb1b5d..78bbcd0 100755
22--- a/configure.ac
23+++ b/configure.ac
24@@ -3841,6 +3841,30 @@
25 AC_SUBST([GSSLIBS])
26 AC_SUBST([K5LIBS])
27
28+# Check whether user wants ConsoleKit support
29+CONSOLEKIT_MSG="no"
30+LIBCK_CONNECTOR=""
31+AC_ARG_WITH(consolekit,
32+ [ --with-consolekit Enable ConsoleKit support],
33+ [ if test "x$withval" != "xno" ; then
34+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
35+ if test "$PKGCONFIG" != "no"; then
36+ AC_MSG_CHECKING([for ck-connector])
37+ if $PKGCONFIG --exists ck-connector; then
38+ CKCON_CFLAGS=`$PKGCONFIG --cflags ck-connector`
39+ CKCON_LIBS=`$PKGCONFIG --libs ck-connector`
40+ CPPFLAGS="$CPPFLAGS $CKCON_CFLAGS"
41+ SSHDLIBS="$SSHDLIBS $CKCON_LIBS"
42+ AC_MSG_RESULT([yes])
43+ AC_DEFINE(USE_CONSOLEKIT, 1, [Define if you want ConsoleKit support.])
44+ CONSOLEKIT_MSG="yes"
45+ else
46+ AC_MSG_RESULT([no])
47+ fi
48+ fi
49+ fi ]
50+)
51+
52 # Looking for programs, paths and files
53
54 PRIVSEP_PATH=/var/empty
55@@ -4641,6 +4665,7 @@
56 echo " libedit support: $LIBEDIT_MSG"
57 echo " Solaris process contract support: $SPC_MSG"
58 echo " Solaris project support: $SP_MSG"
59+echo " ConsoleKit support: $CONSOLEKIT_MSG"
60 echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
61 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
62 echo " BSD Auth support: $BSD_AUTH_MSG"
63Index: b/configure
64===================================================================
65--- a/configure 42--- a/configure
66+++ b/configure 43+++ b/configure
67@@ -738,6 +738,7 @@ 44@@ -738,6 +738,7 @@ with_privsep_user
68 with_sandbox 45 with_sandbox
69 with_selinux 46 with_selinux
70 with_kerberos5 47 with_kerberos5
@@ -72,7 +49,7 @@ Index: b/configure
72 with_privsep_path 49 with_privsep_path
73 with_xauth 50 with_xauth
74 enable_strip 51 enable_strip
75@@ -1428,6 +1429,7 @@ 52@@ -1428,6 +1429,7 @@ Optional Packages:
76 --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter) 53 --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
77 --with-selinux Enable SELinux support 54 --with-selinux Enable SELinux support
78 --with-kerberos5=PATH Enable Kerberos 5 support 55 --with-kerberos5=PATH Enable Kerberos 5 support
@@ -80,7 +57,7 @@ Index: b/configure
80 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) 57 --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
81 --with-xauth=PATH Specify path to xauth program 58 --with-xauth=PATH Specify path to xauth program
82 --with-maildir=/path/to/mail Specify your system mail directory 59 --with-maildir=/path/to/mail Specify your system mail directory
83@@ -16375,6 +16377,135 @@ 60@@ -16375,6 +16377,135 @@ fi
84 61
85 62
86 63
@@ -216,7 +193,50 @@ Index: b/configure
216 # Looking for programs, paths and files 193 # Looking for programs, paths and files
217 194
218 PRIVSEP_PATH=/var/empty 195 PRIVSEP_PATH=/var/empty
219@@ -18902,6 +19033,7 @@ 196@@ -18902,6 +19033,7 @@ echo " MD5 password support: $MD5_MSG"
197 echo " libedit support: $LIBEDIT_MSG"
198 echo " Solaris process contract support: $SPC_MSG"
199 echo " Solaris project support: $SP_MSG"
200+echo " ConsoleKit support: $CONSOLEKIT_MSG"
201 echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
202 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
203 echo " BSD Auth support: $BSD_AUTH_MSG"
204diff --git a/configure.ac b/configure.ac
205index 4c1a658..d7d500a 100644
206--- a/configure.ac
207+++ b/configure.ac
208@@ -3841,6 +3841,30 @@ AC_ARG_WITH([kerberos5],
209 AC_SUBST([GSSLIBS])
210 AC_SUBST([K5LIBS])
211
212+# Check whether user wants ConsoleKit support
213+CONSOLEKIT_MSG="no"
214+LIBCK_CONNECTOR=""
215+AC_ARG_WITH(consolekit,
216+ [ --with-consolekit Enable ConsoleKit support],
217+ [ if test "x$withval" != "xno" ; then
218+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
219+ if test "$PKGCONFIG" != "no"; then
220+ AC_MSG_CHECKING([for ck-connector])
221+ if $PKGCONFIG --exists ck-connector; then
222+ CKCON_CFLAGS=`$PKGCONFIG --cflags ck-connector`
223+ CKCON_LIBS=`$PKGCONFIG --libs ck-connector`
224+ CPPFLAGS="$CPPFLAGS $CKCON_CFLAGS"
225+ SSHDLIBS="$SSHDLIBS $CKCON_LIBS"
226+ AC_MSG_RESULT([yes])
227+ AC_DEFINE(USE_CONSOLEKIT, 1, [Define if you want ConsoleKit support.])
228+ CONSOLEKIT_MSG="yes"
229+ else
230+ AC_MSG_RESULT([no])
231+ fi
232+ fi
233+ fi ]
234+)
235+
236 # Looking for programs, paths and files
237
238 PRIVSEP_PATH=/var/empty
239@@ -4641,6 +4665,7 @@ echo " MD5 password support: $MD5_MSG"
220 echo " libedit support: $LIBEDIT_MSG" 240 echo " libedit support: $LIBEDIT_MSG"
221 echo " Solaris process contract support: $SPC_MSG" 241 echo " Solaris process contract support: $SPC_MSG"
222 echo " Solaris project support: $SP_MSG" 242 echo " Solaris project support: $SP_MSG"
@@ -224,8 +244,9 @@ Index: b/configure
224 echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" 244 echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
225 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 245 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
226 echo " BSD Auth support: $BSD_AUTH_MSG" 246 echo " BSD Auth support: $BSD_AUTH_MSG"
227Index: b/consolekit.c 247diff --git a/consolekit.c b/consolekit.c
228=================================================================== 248new file mode 100644
249index 0000000..f1039e6
229--- /dev/null 250--- /dev/null
230+++ b/consolekit.c 251+++ b/consolekit.c
231@@ -0,0 +1,240 @@ 252@@ -0,0 +1,240 @@
@@ -469,8 +490,9 @@ Index: b/consolekit.c
469+} 490+}
470+ 491+
471+#endif /* USE_CONSOLEKIT */ 492+#endif /* USE_CONSOLEKIT */
472Index: b/consolekit.h 493diff --git a/consolekit.h b/consolekit.h
473=================================================================== 494new file mode 100644
495index 0000000..8ce3716
474--- /dev/null 496--- /dev/null
475+++ b/consolekit.h 497+++ b/consolekit.h
476@@ -0,0 +1,24 @@ 498@@ -0,0 +1,24 @@
@@ -498,8 +520,8 @@ Index: b/consolekit.h
498+void consolekit_unregister(struct Session *); 520+void consolekit_unregister(struct Session *);
499+ 521+
500+#endif /* USE_CONSOLEKIT */ 522+#endif /* USE_CONSOLEKIT */
501Index: b/monitor.c 523diff --git a/monitor.c b/monitor.c
502=================================================================== 524index e8d63eb..9bc4f0b 100644
503--- a/monitor.c 525--- a/monitor.c
504+++ b/monitor.c 526+++ b/monitor.c
505@@ -98,6 +98,9 @@ 527@@ -98,6 +98,9 @@
@@ -512,7 +534,7 @@ Index: b/monitor.c
512 534
513 #ifdef GSSAPI 535 #ifdef GSSAPI
514 static Gssctxt *gsscontext = NULL; 536 static Gssctxt *gsscontext = NULL;
515@@ -193,6 +196,10 @@ 537@@ -193,6 +196,10 @@ int mm_answer_audit_command(int, Buffer *);
516 538
517 static int monitor_read_log(struct monitor *); 539 static int monitor_read_log(struct monitor *);
518 540
@@ -523,7 +545,7 @@ Index: b/monitor.c
523 static Authctxt *authctxt; 545 static Authctxt *authctxt;
524 static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ 546 static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
525 547
526@@ -285,6 +292,9 @@ 548@@ -285,6 +292,9 @@ struct mon_table mon_dispatch_postauth20[] = {
527 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 549 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
528 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, 550 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
529 #endif 551 #endif
@@ -533,7 +555,7 @@ Index: b/monitor.c
533 {0, 0, NULL} 555 {0, 0, NULL}
534 }; 556 };
535 557
536@@ -327,6 +337,9 @@ 558@@ -327,6 +337,9 @@ struct mon_table mon_dispatch_postauth15[] = {
537 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, 559 {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
538 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, 560 {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
539 #endif 561 #endif
@@ -543,7 +565,7 @@ Index: b/monitor.c
543 {0, 0, NULL} 565 {0, 0, NULL}
544 }; 566 };
545 567
546@@ -514,6 +527,9 @@ 568@@ -514,6 +527,9 @@ monitor_child_postauth(struct monitor *pmonitor)
547 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 569 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
548 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); 570 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
549 } 571 }
@@ -553,7 +575,7 @@ Index: b/monitor.c
553 575
554 for (;;) 576 for (;;)
555 monitor_read(pmonitor, mon_dispatch, NULL); 577 monitor_read(pmonitor, mon_dispatch, NULL);
556@@ -2492,3 +2508,30 @@ 578@@ -2492,3 +2508,30 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
557 } 579 }
558 580
559 #endif /* JPAKE */ 581 #endif /* JPAKE */
@@ -584,11 +606,11 @@ Index: b/monitor.c
584+ return (0); 606+ return (0);
585+} 607+}
586+#endif /* USE_CONSOLEKIT */ 608+#endif /* USE_CONSOLEKIT */
587Index: b/monitor.h 609diff --git a/monitor.h b/monitor.h
588=================================================================== 610index 3c13706..cd83428 100644
589--- a/monitor.h 611--- a/monitor.h
590+++ b/monitor.h 612+++ b/monitor.h
591@@ -75,6 +75,8 @@ 613@@ -75,6 +75,8 @@ enum monitor_reqtype {
592 614
593 MONITOR_REQ_AUTHROLE = 154, 615 MONITOR_REQ_AUTHROLE = 154,
594 616
@@ -597,11 +619,11 @@ Index: b/monitor.h
597 }; 619 };
598 620
599 struct mm_master; 621 struct mm_master;
600Index: b/monitor_wrap.c 622diff --git a/monitor_wrap.c b/monitor_wrap.c
601=================================================================== 623index 69bc324..670b62d 100644
602--- a/monitor_wrap.c 624--- a/monitor_wrap.c
603+++ b/monitor_wrap.c 625+++ b/monitor_wrap.c
604@@ -1516,3 +1516,34 @@ 626@@ -1516,3 +1516,34 @@ mm_jpake_check_confirm(const BIGNUM *k,
605 return success; 627 return success;
606 } 628 }
607 #endif /* JPAKE */ 629 #endif /* JPAKE */
@@ -636,11 +658,11 @@ Index: b/monitor_wrap.c
636+ return (cookie); 658+ return (cookie);
637+} 659+}
638+#endif /* USE_CONSOLEKIT */ 660+#endif /* USE_CONSOLEKIT */
639Index: b/monitor_wrap.h 661diff --git a/monitor_wrap.h b/monitor_wrap.h
640=================================================================== 662index 4d12e29..360fb9f 100644
641--- a/monitor_wrap.h 663--- a/monitor_wrap.h
642+++ b/monitor_wrap.h 664+++ b/monitor_wrap.h
643@@ -131,4 +131,8 @@ 665@@ -131,4 +131,8 @@ void *mm_zalloc(struct mm_master *, u_int, u_int);
644 void mm_zfree(struct mm_master *, void *); 666 void mm_zfree(struct mm_master *, void *);
645 void mm_init_compression(struct mm_master *); 667 void mm_init_compression(struct mm_master *);
646 668
@@ -649,8 +671,8 @@ Index: b/monitor_wrap.h
649+#endif /* USE_CONSOLEKIT */ 671+#endif /* USE_CONSOLEKIT */
650+ 672+
651 #endif /* _MM_WRAP_H_ */ 673 #endif /* _MM_WRAP_H_ */
652Index: b/session.c 674diff --git a/session.c b/session.c
653=================================================================== 675index b4d74d9..15bdb1b 100644
654--- a/session.c 676--- a/session.c
655+++ b/session.c 677+++ b/session.c
656@@ -92,6 +92,7 @@ 678@@ -92,6 +92,7 @@
@@ -661,7 +683,7 @@ Index: b/session.c
661 683
662 #if defined(KRB5) && defined(USE_AFS) 684 #if defined(KRB5) && defined(USE_AFS)
663 #include <kafs.h> 685 #include <kafs.h>
664@@ -1132,6 +1133,9 @@ 686@@ -1132,6 +1133,9 @@ do_setup_env(Session *s, const char *shell)
665 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) 687 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
666 char *path = NULL; 688 char *path = NULL;
667 #endif 689 #endif
@@ -671,7 +693,7 @@ Index: b/session.c
671 693
672 /* Initialize the environment. */ 694 /* Initialize the environment. */
673 envsize = 100; 695 envsize = 100;
674@@ -1276,6 +1280,11 @@ 696@@ -1276,6 +1280,11 @@ do_setup_env(Session *s, const char *shell)
675 child_set_env(&env, &envsize, "KRB5CCNAME", 697 child_set_env(&env, &envsize, "KRB5CCNAME",
676 s->authctxt->krb5_ccname); 698 s->authctxt->krb5_ccname);
677 #endif 699 #endif
@@ -683,7 +705,7 @@ Index: b/session.c
683 #ifdef USE_PAM 705 #ifdef USE_PAM
684 /* 706 /*
685 * Pull in any environment variables that may have 707 * Pull in any environment variables that may have
686@@ -2320,6 +2329,10 @@ 708@@ -2320,6 +2329,10 @@ session_pty_cleanup2(Session *s)
687 709
688 debug("session_pty_cleanup: session %d release %s", s->self, s->tty); 710 debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
689 711
@@ -694,8 +716,8 @@ Index: b/session.c
694 /* Record that the user has logged out. */ 716 /* Record that the user has logged out. */
695 if (s->pid != 0) 717 if (s->pid != 0)
696 record_logout(s->pid, s->tty, s->pw->pw_name); 718 record_logout(s->pid, s->tty, s->pw->pw_name);
697Index: b/session.h 719diff --git a/session.h b/session.h
698=================================================================== 720index cb4f196..7e51b6a 100644
699--- a/session.h 721--- a/session.h
700+++ b/session.h 722+++ b/session.h
701@@ -26,6 +26,8 @@ 723@@ -26,6 +26,8 @@
@@ -707,7 +729,7 @@ Index: b/session.h
707 #define TTYSZ 64 729 #define TTYSZ 64
708 typedef struct Session Session; 730 typedef struct Session Session;
709 struct Session { 731 struct Session {
710@@ -60,6 +62,10 @@ 732@@ -60,6 +62,10 @@ struct Session {
711 char *name; 733 char *name;
712 char *val; 734 char *val;
713 } *env; 735 } *env;
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 981cdd697..d02e8ffcb 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,16 +1,28 @@
1Description: Add DebianBanner server configuration option 1From 8a75df792931443e868e574408ed1666208a28c2 Mon Sep 17 00:00:00 2001
2 Setting this to "no" causes sshd to omit the Debian revision from its 2From: Kees Cook <kees@debian.org>
3 initial protocol handshake, for those scared by package-versioning.patch. 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Author: Kees Cook <kees@debian.org> 4Subject: Add DebianBanner server configuration option
5
6Setting this to "no" causes sshd to omit the Debian revision from its
7initial protocol handshake, for those scared by package-versioning.patch.
8
5Bug-Debian: http://bugs.debian.org/562048 9Bug-Debian: http://bugs.debian.org/562048
6Forwarded: not-needed 10Forwarded: not-needed
7Last-Update: 2013-09-14 11Last-Update: 2013-09-14
8 12
9Index: b/servconf.c 13Patch-Name: debian-banner.patch
10=================================================================== 14---
15 servconf.c | 9 +++++++++
16 servconf.h | 2 ++
17 sshd.c | 3 ++-
18 sshd_config.5 | 5 +++++
19 4 files changed, 18 insertions(+), 1 deletion(-)
20
21diff --git a/servconf.c b/servconf.c
22index 9155a8b..a2928ff 100644
11--- a/servconf.c 23--- a/servconf.c
12+++ b/servconf.c 24+++ b/servconf.c
13@@ -157,6 +157,7 @@ 25@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions *options)
14 options->ip_qos_interactive = -1; 26 options->ip_qos_interactive = -1;
15 options->ip_qos_bulk = -1; 27 options->ip_qos_bulk = -1;
16 options->version_addendum = NULL; 28 options->version_addendum = NULL;
@@ -18,7 +30,7 @@ Index: b/servconf.c
18 } 30 }
19 31
20 void 32 void
21@@ -310,6 +311,8 @@ 33@@ -310,6 +311,8 @@ fill_default_server_options(ServerOptions *options)
22 options->ip_qos_bulk = IPTOS_THROUGHPUT; 34 options->ip_qos_bulk = IPTOS_THROUGHPUT;
23 if (options->version_addendum == NULL) 35 if (options->version_addendum == NULL)
24 options->version_addendum = xstrdup(""); 36 options->version_addendum = xstrdup("");
@@ -27,7 +39,7 @@ Index: b/servconf.c
27 /* Turn privilege separation on by default */ 39 /* Turn privilege separation on by default */
28 if (use_privsep == -1) 40 if (use_privsep == -1)
29 use_privsep = PRIVSEP_NOSANDBOX; 41 use_privsep = PRIVSEP_NOSANDBOX;
30@@ -360,6 +363,7 @@ 42@@ -360,6 +363,7 @@ typedef enum {
31 sKexAlgorithms, sIPQoS, sVersionAddendum, 43 sKexAlgorithms, sIPQoS, sVersionAddendum,
32 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, 44 sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
33 sAuthenticationMethods, sHostKeyAgent, 45 sAuthenticationMethods, sHostKeyAgent,
@@ -35,7 +47,7 @@ Index: b/servconf.c
35 sDeprecated, sUnsupported 47 sDeprecated, sUnsupported
36 } ServerOpCodes; 48 } ServerOpCodes;
37 49
38@@ -501,6 +505,7 @@ 50@@ -501,6 +505,7 @@ static struct {
39 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, 51 { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
40 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, 52 { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
41 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, 53 { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
@@ -43,7 +55,7 @@ Index: b/servconf.c
43 { NULL, sBadOption, 0 } 55 { NULL, sBadOption, 0 }
44 }; 56 };
45 57
46@@ -1648,6 +1653,10 @@ 58@@ -1648,6 +1653,10 @@ process_server_config_line(ServerOptions *options, char *line,
47 } 59 }
48 return 0; 60 return 0;
49 61
@@ -54,11 +66,11 @@ Index: b/servconf.c
54 case sDeprecated: 66 case sDeprecated:
55 logit("%s line %d: Deprecated option %s", 67 logit("%s line %d: Deprecated option %s",
56 filename, linenum, arg); 68 filename, linenum, arg);
57Index: b/servconf.h 69diff --git a/servconf.h b/servconf.h
58=================================================================== 70index f655c5b..fd72ce2 100644
59--- a/servconf.h 71--- a/servconf.h
60+++ b/servconf.h 72+++ b/servconf.h
61@@ -188,6 +188,8 @@ 73@@ -188,6 +188,8 @@ typedef struct {
62 74
63 u_int num_auth_methods; 75 u_int num_auth_methods;
64 char *auth_methods[MAX_AUTH_METHODS]; 76 char *auth_methods[MAX_AUTH_METHODS];
@@ -67,11 +79,11 @@ Index: b/servconf.h
67 } ServerOptions; 79 } ServerOptions;
68 80
69 /* Information about the incoming connection as used by Match */ 81 /* Information about the incoming connection as used by Match */
70Index: b/sshd.c 82diff --git a/sshd.c b/sshd.c
71=================================================================== 83index 7efa7ef..6b988fe 100644
72--- a/sshd.c 84--- a/sshd.c
73+++ b/sshd.c 85+++ b/sshd.c
74@@ -440,7 +440,8 @@ 86@@ -440,7 +440,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
75 } 87 }
76 88
77 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 89 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -81,11 +93,11 @@ Index: b/sshd.c
81 *options.version_addendum == '\0' ? "" : " ", 93 *options.version_addendum == '\0' ? "" : " ",
82 options.version_addendum, newline); 94 options.version_addendum, newline);
83 95
84Index: b/sshd_config.5 96diff --git a/sshd_config.5 b/sshd_config.5
85=================================================================== 97index 510cc7c..eaf8d01 100644
86--- a/sshd_config.5 98--- a/sshd_config.5
87+++ b/sshd_config.5 99+++ b/sshd_config.5
88@@ -404,6 +404,11 @@ 100@@ -404,6 +404,11 @@ or
89 .Dq no . 101 .Dq no .
90 The default is 102 The default is
91 .Dq delayed . 103 .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index d005bdc2e..e706b4a02 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,30 +1,43 @@
1Description: Various Debian-specific configuration changes 1From bb5616c94d6d6b97890e90dd01a7ad07c663dc0b Mon Sep 17 00:00:00 2001
2 ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause 2From: Colin Watson <cjwatson@debian.org>
3 fewer problems with existing setups (http://bugs.debian.org/237021). 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4 . 4Subject: Various Debian-specific configuration changes
5 ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). 5
6 . 6ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
7 ssh: Enable HashKnownHosts by default to try to limit the spread of ssh 7fewer problems with existing setups (http://bugs.debian.org/237021).
8 worms. 8
9 . 9ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
10 ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by 10
11 default. 11ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
12 . 12worms.
13 sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside 13
14 PermitRootLogin default. 14ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
15 . 15default.
16 Document all of this, along with several sshd defaults set in 16
17 debian/openssh-server.postinst. 17sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
18Author: Colin Watson <cjwatson@debian.org> 18PermitRootLogin default.
19
20Document all of this, along with several sshd defaults set in
21debian/openssh-server.postinst.
22
19Author: Russ Allbery <rra@debian.org> 23Author: Russ Allbery <rra@debian.org>
20Forwarded: not-needed 24Forwarded: not-needed
21Last-Update: 2013-09-14 25Last-Update: 2013-09-14
22 26
23Index: b/readconf.c 27Patch-Name: debian-config.patch
24=================================================================== 28---
29 readconf.c | 2 +-
30 ssh_config | 7 ++++++-
31 ssh_config.5 | 19 ++++++++++++++++++-
32 sshd_config | 1 +
33 sshd_config.5 | 27 +++++++++++++++++++++++++++
34 5 files changed, 53 insertions(+), 3 deletions(-)
35
36diff --git a/readconf.c b/readconf.c
37index 389de7d..2778176 100644
25--- a/readconf.c 38--- a/readconf.c
26+++ b/readconf.c 39+++ b/readconf.c
27@@ -1298,7 +1298,7 @@ 40@@ -1298,7 +1298,7 @@ fill_default_options(Options * options)
28 if (options->forward_x11 == -1) 41 if (options->forward_x11 == -1)
29 options->forward_x11 = 0; 42 options->forward_x11 = 0;
30 if (options->forward_x11_trusted == -1) 43 if (options->forward_x11_trusted == -1)
@@ -33,8 +46,8 @@ Index: b/readconf.c
33 if (options->forward_x11_timeout == -1) 46 if (options->forward_x11_timeout == -1)
34 options->forward_x11_timeout = 1200; 47 options->forward_x11_timeout = 1200;
35 if (options->exit_on_forward_failure == -1) 48 if (options->exit_on_forward_failure == -1)
36Index: b/ssh_config 49diff --git a/ssh_config b/ssh_config
37=================================================================== 50index 3234321..064b593 100644
38--- a/ssh_config 51--- a/ssh_config
39+++ b/ssh_config 52+++ b/ssh_config
40@@ -17,9 +17,10 @@ 53@@ -17,9 +17,10 @@
@@ -57,11 +70,11 @@ Index: b/ssh_config
57+ HashKnownHosts yes 70+ HashKnownHosts yes
58+ GSSAPIAuthentication yes 71+ GSSAPIAuthentication yes
59+ GSSAPIDelegateCredentials no 72+ GSSAPIDelegateCredentials no
60Index: b/ssh_config.5 73diff --git a/ssh_config.5 b/ssh_config.5
61=================================================================== 74index 5bca932..127540a 100644
62--- a/ssh_config.5 75--- a/ssh_config.5
63+++ b/ssh_config.5 76+++ b/ssh_config.5
64@@ -71,6 +71,22 @@ 77@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
65 host-specific declarations should be given near the beginning of the 78 host-specific declarations should be given near the beginning of the
66 file, and general defaults at the end. 79 file, and general defaults at the end.
67 .Pp 80 .Pp
@@ -84,7 +97,7 @@ Index: b/ssh_config.5
84 The configuration file has the following format: 97 The configuration file has the following format:
85 .Pp 98 .Pp
86 Empty lines and lines starting with 99 Empty lines and lines starting with
87@@ -501,7 +517,8 @@ 100@@ -501,7 +517,8 @@ token used for the session will be set to expire after 20 minutes.
88 Remote clients will be refused access after this time. 101 Remote clients will be refused access after this time.
89 .Pp 102 .Pp
90 The default is 103 The default is
@@ -94,8 +107,8 @@ Index: b/ssh_config.5
94 .Pp 107 .Pp
95 See the X11 SECURITY extension specification for full details on 108 See the X11 SECURITY extension specification for full details on
96 the restrictions imposed on untrusted clients. 109 the restrictions imposed on untrusted clients.
97Index: b/sshd_config 110diff --git a/sshd_config b/sshd_config
98=================================================================== 111index 9450141..9cfe28d 100644
99--- a/sshd_config 112--- a/sshd_config
100+++ b/sshd_config 113+++ b/sshd_config
101@@ -40,6 +40,7 @@ 114@@ -40,6 +40,7 @@
@@ -106,11 +119,11 @@ Index: b/sshd_config
106 #PermitRootLogin yes 119 #PermitRootLogin yes
107 #StrictModes yes 120 #StrictModes yes
108 #MaxAuthTries 6 121 #MaxAuthTries 6
109Index: b/sshd_config.5 122diff --git a/sshd_config.5 b/sshd_config.5
110=================================================================== 123index ec4851a..faf93fc 100644
111--- a/sshd_config.5 124--- a/sshd_config.5
112+++ b/sshd_config.5 125+++ b/sshd_config.5
113@@ -57,6 +57,33 @@ 126@@ -57,6 +57,33 @@ Arguments may optionally be enclosed in double quotes
114 .Pq \&" 127 .Pq \&"
115 in order to represent arguments containing spaces. 128 in order to represent arguments containing spaces.
116 .Pp 129 .Pp
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 0615de097..3cb291e97 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,15 +1,27 @@
1Description: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 1From 145099bdca1b959e2ef3555cd6ce0bc44fb69ce8 Mon Sep 17 00:00:00 2001
2 This allows SSHFP DNS records to be verified if glibc 2.11 is installed. 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
5
6This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
7
3Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup 8Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
4Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 9Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
5Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 10Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
6Last-Update: 2010-04-06 11Last-Update: 2010-04-06
7 12
8Index: b/dns.c 13Patch-Name: dnssec-sshfp.patch
9=================================================================== 14---
15 dns.c | 14 +++++++++++++-
16 openbsd-compat/getrrsetbyname.c | 10 +++++-----
17 openbsd-compat/getrrsetbyname.h | 3 +++
18 3 files changed, 21 insertions(+), 6 deletions(-)
19
20diff --git a/dns.c b/dns.c
21index 630b97a..478c3d9 100644
10--- a/dns.c 22--- a/dns.c
11+++ b/dns.c 23+++ b/dns.c
12@@ -196,6 +196,7 @@ 24@@ -196,6 +196,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
13 { 25 {
14 u_int counter; 26 u_int counter;
15 int result; 27 int result;
@@ -17,7 +29,7 @@ Index: b/dns.c
17 struct rrsetinfo *fingerprints = NULL; 29 struct rrsetinfo *fingerprints = NULL;
18 30
19 u_int8_t hostkey_algorithm; 31 u_int8_t hostkey_algorithm;
20@@ -219,8 +220,19 @@ 32@@ -219,8 +220,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
21 return -1; 33 return -1;
22 } 34 }
23 35
@@ -38,11 +50,11 @@ Index: b/dns.c
38 if (result) { 50 if (result) {
39 verbose("DNS lookup error: %s", dns_result_totext(result)); 51 verbose("DNS lookup error: %s", dns_result_totext(result));
40 return -1; 52 return -1;
41Index: b/openbsd-compat/getrrsetbyname.c 53diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
42=================================================================== 54index dc6fe05..e061a29 100644
43--- a/openbsd-compat/getrrsetbyname.c 55--- a/openbsd-compat/getrrsetbyname.c
44+++ b/openbsd-compat/getrrsetbyname.c 56+++ b/openbsd-compat/getrrsetbyname.c
45@@ -209,8 +209,8 @@ 57@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
46 goto fail; 58 goto fail;
47 } 59 }
48 60
@@ -53,7 +65,7 @@ Index: b/openbsd-compat/getrrsetbyname.c
53 result = ERRSET_INVAL; 65 result = ERRSET_INVAL;
54 goto fail; 66 goto fail;
55 } 67 }
56@@ -226,9 +226,9 @@ 68@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
57 #endif /* DEBUG */ 69 #endif /* DEBUG */
58 70
59 #ifdef RES_USE_DNSSEC 71 #ifdef RES_USE_DNSSEC
@@ -66,8 +78,8 @@ Index: b/openbsd-compat/getrrsetbyname.c
66 #endif /* RES_USE_DNSEC */ 78 #endif /* RES_USE_DNSEC */
67 79
68 /* make query */ 80 /* make query */
69Index: b/openbsd-compat/getrrsetbyname.h 81diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
70=================================================================== 82index 1283f55..dbbc85a 100644
71--- a/openbsd-compat/getrrsetbyname.h 83--- a/openbsd-compat/getrrsetbyname.h
72+++ b/openbsd-compat/getrrsetbyname.h 84+++ b/openbsd-compat/getrrsetbyname.h
73@@ -72,6 +72,9 @@ 85@@ -72,6 +72,9 @@
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 4c197323c..4f9de88ec 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,14 +1,22 @@
1Description: Document that HashKnownHosts may break tab-completion 1From cee45b00a94730c9a49a52a967ec08b9c29b9ca2 Mon Sep 17 00:00:00 2001
2Author: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion
5
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
4Bug-Debian: http://bugs.debian.org/430154 7Bug-Debian: http://bugs.debian.org/430154
5Last-Update: 2013-09-14 8Last-Update: 2013-09-14
6 9
7Index: b/ssh_config.5 10Patch-Name: doc-hash-tab-completion.patch
8=================================================================== 11---
12 ssh_config.5 | 3 +++
13 1 file changed, 3 insertions(+)
14
15diff --git a/ssh_config.5 b/ssh_config.5
16index 1497cfc..5bca932 100644
9--- a/ssh_config.5 17--- a/ssh_config.5
10+++ b/ssh_config.5 18+++ b/ssh_config.5
11@@ -587,6 +587,9 @@ 19@@ -587,6 +587,9 @@ Note that existing names and addresses in known hosts files
12 will not be converted automatically, 20 will not be converted automatically,
13 but may be manually hashed using 21 but may be manually hashed using
14 .Xr ssh-keygen 1 . 22 .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index a471f9c4c..cb24998a2 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,13 +1,21 @@
1Description: Refer to ssh's Upstart job as well as its init script 1From c1e7260fe4ed36dddc317655a69a7d4a69b3170a Mon Sep 17 00:00:00 2001
2Author: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:12 +0000
4Subject: Refer to ssh's Upstart job as well as its init script
5
3Forwarded: not-needed 6Forwarded: not-needed
4Last-Update: 2013-09-14 7Last-Update: 2013-09-14
5 8
6Index: b/sshd.8 9Patch-Name: doc-upstart.patch
7=================================================================== 10---
11 sshd.8 | 5 ++++-
12 1 file changed, 4 insertions(+), 1 deletion(-)
13
14diff --git a/sshd.8 b/sshd.8
15index 6bdd219..b91f08c 100644
8--- a/sshd.8 16--- a/sshd.8
9+++ b/sshd.8 17+++ b/sshd.8
10@@ -70,7 +70,10 @@ 18@@ -70,7 +70,10 @@ over an insecure network.
11 .Nm 19 .Nm
12 listens for connections from clients. 20 listens for connections from clients.
13 It is normally started at boot from 21 It is normally started at boot from
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 96bbf3a09..58966dd74 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,13 +1,21 @@
1Description: Give the ssh-askpass-gnome window a default icon 1From 52e810085e196c457dfda9cad08ce76191d11fe7 Mon Sep 17 00:00:00 2001
2Author: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon
5
3Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152 6Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
4Last-Update: 2010-02-28 7Last-Update: 2010-02-28
5 8
6Index: b/contrib/gnome-ssh-askpass2.c 9Patch-Name: gnome-ssh-askpass2-icon.patch
7=================================================================== 10---
11 contrib/gnome-ssh-askpass2.c | 2 ++
12 1 file changed, 2 insertions(+)
13
14diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
15index 9d97c30..04b3a11 100644
8--- a/contrib/gnome-ssh-askpass2.c 16--- a/contrib/gnome-ssh-askpass2.c
9+++ b/contrib/gnome-ssh-askpass2.c 17+++ b/contrib/gnome-ssh-askpass2.c
10@@ -209,6 +209,8 @@ 18@@ -209,6 +209,8 @@ main(int argc, char **argv)
11 19
12 gtk_init(&argc, &argv); 20 gtk_init(&argc, &argv);
13 21
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index b9221f94f..8a919382e 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,22 +1,67 @@
1Description: GSSAPI key exchange support 1From 950be7e1b1a01ee9b25e2a72726a6370b8acacb6 Mon Sep 17 00:00:00 2001
2 This patch has been rejected upstream: "None of the OpenSSH developers are 2From: Simon Wilkinson <simon@sxw.org.uk>
3 in favour of adding this, and this situation has not changed for several 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4 years. This is not a slight on Simon's patch, which is of fine quality, 4Subject: GSSAPI key exchange support
5 but just that a) we don't trust GSSAPI implementations that much and b) we 5
6 don't like adding new KEX since they are pre-auth attack surface. This one 6This patch has been rejected upstream: "None of the OpenSSH developers are
7 is particularly scary, since it requires hooks out to typically root-owned 7in favour of adding this, and this situation has not changed for several
8 system resources." 8years. This is not a slight on Simon's patch, which is of fine quality, but
9 . 9just that a) we don't trust GSSAPI implementations that much and b) we don't
10 However, quite a lot of people rely on this in Debian, and it's better to 10like adding new KEX since they are pre-auth attack surface. This one is
11 have it merged into the main openssh package rather than having separate 11particularly scary, since it requires hooks out to typically root-owned
12 -krb5 packages (as we used to have). It seems to have a generally good 12system resources."
13 security history. 13
14Author: Simon Wilkinson <simon@sxw.org.uk> 14However, quite a lot of people rely on this in Debian, and it's better to
15have it merged into the main openssh package rather than having separate
16-krb5 packages (as we used to have). It seems to have a generally good
17security history.
18
15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
16Last-Updated: 2013-11-09 20Last-Updated: 2013-11-09
17 21
18Index: b/ChangeLog.gssapi 22Patch-Name: gssapi.patch
19=================================================================== 23---
24 ChangeLog.gssapi | 113 +++++++++++++++++++
25 Makefile.in | 3 +-
26 auth-krb5.c | 17 ++-
27 auth2-gss.c | 48 +++++++-
28 auth2.c | 2 +
29 clientloop.c | 13 +++
30 config.h.in | 6 +
31 configure | 57 ++++++++++
32 configure.ac | 24 ++++
33 gss-genr.c | 276 ++++++++++++++++++++++++++++++++++++++++++++-
34 gss-serv-krb5.c | 84 +++++++++++++-
35 gss-serv.c | 221 +++++++++++++++++++++++++++++++-----
36 kex.c | 16 +++
37 kex.h | 14 +++
38 kexgssc.c | 333 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
39 kexgsss.c | 289 +++++++++++++++++++++++++++++++++++++++++++++++
40 key.c | 1 +
41 key.h | 1 +
42 monitor.c | 108 +++++++++++++++++-
43 monitor.h | 3 +
44 monitor_wrap.c | 47 +++++++-
45 monitor_wrap.h | 4 +-
46 readconf.c | 42 +++++++
47 readconf.h | 5 +
48 servconf.c | 38 ++++++-
49 servconf.h | 3 +
50 ssh-gss.h | 39 ++++++-
51 ssh_config | 2 +
52 ssh_config.5 | 34 +++++-
53 sshconnect2.c | 124 ++++++++++++++++++++-
54 sshd.c | 110 ++++++++++++++++++
55 sshd_config | 2 +
56 sshd_config.5 | 28 +++++
57 33 files changed, 2050 insertions(+), 57 deletions(-)
58 create mode 100644 ChangeLog.gssapi
59 create mode 100644 kexgssc.c
60 create mode 100644 kexgsss.c
61
62diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi
63new file mode 100644
64index 0000000..f117a33
20--- /dev/null 65--- /dev/null
21+++ b/ChangeLog.gssapi 66+++ b/ChangeLog.gssapi
22@@ -0,0 +1,113 @@ 67@@ -0,0 +1,113 @@
@@ -133,11 +178,11 @@ Index: b/ChangeLog.gssapi
133+ add support for GssapiTrustDns option for gssapi-with-mic 178+ add support for GssapiTrustDns option for gssapi-with-mic
134+ (from jbasney AT ncsa.uiuc.edu) 179+ (from jbasney AT ncsa.uiuc.edu)
135+ <gssapi-with-mic support is Bugzilla #1008> 180+ <gssapi-with-mic support is Bugzilla #1008>
136Index: b/Makefile.in 181diff --git a/Makefile.in b/Makefile.in
137=================================================================== 182index 92c95a9..f979926 100644
138--- a/Makefile.in 183--- a/Makefile.in
139+++ b/Makefile.in 184+++ b/Makefile.in
140@@ -72,6 +72,7 @@ 185@@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
141 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ 186 atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
142 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ 187 monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
143 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ 188 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
@@ -145,7 +190,7 @@ Index: b/Makefile.in
145 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ 190 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
146 jpake.o schnorr.o ssh-pkcs11.o krl.o 191 jpake.o schnorr.o ssh-pkcs11.o krl.o
147 192
148@@ -88,7 +89,7 @@ 193@@ -88,7 +89,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
149 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ 194 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
150 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ 195 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
151 auth-krb5.o \ 196 auth-krb5.o \
@@ -154,11 +199,11 @@ Index: b/Makefile.in
154 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ 199 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
155 sftp-server.o sftp-common.o \ 200 sftp-server.o sftp-common.o \
156 roaming_common.o roaming_serv.o \ 201 roaming_common.o roaming_serv.o \
157Index: b/auth-krb5.c 202diff --git a/auth-krb5.c b/auth-krb5.c
158=================================================================== 203index 7c83f59..5613b57 100644
159--- a/auth-krb5.c 204--- a/auth-krb5.c
160+++ b/auth-krb5.c 205+++ b/auth-krb5.c
161@@ -181,8 +181,13 @@ 206@@ -181,8 +181,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
162 207
163 len = strlen(authctxt->krb5_ticket_file) + 6; 208 len = strlen(authctxt->krb5_ticket_file) + 6;
164 authctxt->krb5_ccname = xmalloc(len); 209 authctxt->krb5_ccname = xmalloc(len);
@@ -172,7 +217,7 @@ Index: b/auth-krb5.c
172 217
173 #ifdef USE_PAM 218 #ifdef USE_PAM
174 if (options.use_pam) 219 if (options.use_pam)
175@@ -239,15 +244,22 @@ 220@@ -239,15 +244,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
176 #ifndef HEIMDAL 221 #ifndef HEIMDAL
177 krb5_error_code 222 krb5_error_code
178 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { 223 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@@ -197,7 +242,7 @@ Index: b/auth-krb5.c
197 old_umask = umask(0177); 242 old_umask = umask(0177);
198 tmpfd = mkstemp(ccname + strlen("FILE:")); 243 tmpfd = mkstemp(ccname + strlen("FILE:"));
199 oerrno = errno; 244 oerrno = errno;
200@@ -264,6 +276,7 @@ 245@@ -264,6 +276,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
201 return oerrno; 246 return oerrno;
202 } 247 }
203 close(tmpfd); 248 close(tmpfd);
@@ -205,8 +250,8 @@ Index: b/auth-krb5.c
205 250
206 return (krb5_cc_resolve(ctx, ccname, ccache)); 251 return (krb5_cc_resolve(ctx, ccname, ccache));
207 } 252 }
208Index: b/auth2-gss.c 253diff --git a/auth2-gss.c b/auth2-gss.c
209=================================================================== 254index 638d8f8..b8db820 100644
210--- a/auth2-gss.c 255--- a/auth2-gss.c
211+++ b/auth2-gss.c 256+++ b/auth2-gss.c
212@@ -1,7 +1,7 @@ 257@@ -1,7 +1,7 @@
@@ -218,7 +263,7 @@ Index: b/auth2-gss.c
218 * 263 *
219 * Redistribution and use in source and binary forms, with or without 264 * Redistribution and use in source and binary forms, with or without
220 * modification, are permitted provided that the following conditions 265 * modification, are permitted provided that the following conditions
221@@ -52,6 +52,40 @@ 266@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
222 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); 267 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
223 static void input_gssapi_errtok(int, u_int32_t, void *); 268 static void input_gssapi_errtok(int, u_int32_t, void *);
224 269
@@ -259,7 +304,7 @@ Index: b/auth2-gss.c
259 /* 304 /*
260 * We only support those mechanisms that we know about (ie ones that we know 305 * We only support those mechanisms that we know about (ie ones that we know
261 * how to check local user kuserok and the like) 306 * how to check local user kuserok and the like)
262@@ -240,7 +274,8 @@ 307@@ -240,7 +274,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
263 308
264 packet_check_eom(); 309 packet_check_eom();
265 310
@@ -269,7 +314,7 @@ Index: b/auth2-gss.c
269 314
270 authctxt->postponed = 0; 315 authctxt->postponed = 0;
271 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 316 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
272@@ -275,7 +310,8 @@ 317@@ -275,7 +310,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
273 gssbuf.length = buffer_len(&b); 318 gssbuf.length = buffer_len(&b);
274 319
275 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 320 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -279,7 +324,7 @@ Index: b/auth2-gss.c
279 else 324 else
280 logit("GSSAPI MIC check failed"); 325 logit("GSSAPI MIC check failed");
281 326
282@@ -290,6 +326,12 @@ 327@@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
283 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); 328 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
284 } 329 }
285 330
@@ -292,11 +337,11 @@ Index: b/auth2-gss.c
292 Authmethod method_gssapi = { 337 Authmethod method_gssapi = {
293 "gssapi-with-mic", 338 "gssapi-with-mic",
294 userauth_gssapi, 339 userauth_gssapi,
295Index: b/auth2.c 340diff --git a/auth2.c b/auth2.c
296=================================================================== 341index f0cab8c..6ed8f04 100644
297--- a/auth2.c 342--- a/auth2.c
298+++ b/auth2.c 343+++ b/auth2.c
299@@ -69,6 +69,7 @@ 344@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
300 extern Authmethod method_kbdint; 345 extern Authmethod method_kbdint;
301 extern Authmethod method_hostbased; 346 extern Authmethod method_hostbased;
302 #ifdef GSSAPI 347 #ifdef GSSAPI
@@ -304,7 +349,7 @@ Index: b/auth2.c
304 extern Authmethod method_gssapi; 349 extern Authmethod method_gssapi;
305 #endif 350 #endif
306 #ifdef JPAKE 351 #ifdef JPAKE
307@@ -79,6 +80,7 @@ 352@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
308 &method_none, 353 &method_none,
309 &method_pubkey, 354 &method_pubkey,
310 #ifdef GSSAPI 355 #ifdef GSSAPI
@@ -312,8 +357,8 @@ Index: b/auth2.c
312 &method_gssapi, 357 &method_gssapi,
313 #endif 358 #endif
314 #ifdef JPAKE 359 #ifdef JPAKE
315Index: b/clientloop.c 360diff --git a/clientloop.c b/clientloop.c
316=================================================================== 361index 23c2f23..311dc13 100644
317--- a/clientloop.c 362--- a/clientloop.c
318+++ b/clientloop.c 363+++ b/clientloop.c
319@@ -111,6 +111,10 @@ 364@@ -111,6 +111,10 @@
@@ -327,7 +372,7 @@ Index: b/clientloop.c
327 /* import options */ 372 /* import options */
328 extern Options options; 373 extern Options options;
329 374
330@@ -1608,6 +1612,15 @@ 375@@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
331 /* Do channel operations unless rekeying in progress. */ 376 /* Do channel operations unless rekeying in progress. */
332 if (!rekeying) { 377 if (!rekeying) {
333 channel_after_select(readset, writeset); 378 channel_after_select(readset, writeset);
@@ -343,8 +388,8 @@ Index: b/clientloop.c
343 if (need_rekeying || packet_need_rekeying()) { 388 if (need_rekeying || packet_need_rekeying()) {
344 debug("need rekeying"); 389 debug("need rekeying");
345 xxx_kex->done = 0; 390 xxx_kex->done = 0;
346Index: b/config.h.in 391diff --git a/config.h.in b/config.h.in
347=================================================================== 392index b75e501..34f1c9c 100644
348--- a/config.h.in 393--- a/config.h.in
349+++ b/config.h.in 394+++ b/config.h.in
350@@ -1546,6 +1546,9 @@ 395@@ -1546,6 +1546,9 @@
@@ -367,11 +412,11 @@ Index: b/config.h.in
367 /* Define if you have Solaris process contracts */ 412 /* Define if you have Solaris process contracts */
368 #undef USE_SOLARIS_PROCESS_CONTRACTS 413 #undef USE_SOLARIS_PROCESS_CONTRACTS
369 414
370Index: b/configure 415diff --git a/configure b/configure
371=================================================================== 416index 0d6fad5..ceb1b5d 100755
372--- a/configure 417--- a/configure
373+++ b/configure 418+++ b/configure
374@@ -6780,6 +6780,63 @@ 419@@ -6780,6 +6780,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h
375 420
376 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h 421 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
377 422
@@ -435,11 +480,11 @@ Index: b/configure
435 480
436 ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" 481 ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default"
437 if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : 482 if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then :
438Index: b/configure.ac 483diff --git a/configure.ac b/configure.ac
439=================================================================== 484index 4a1b503..4c1a658 100644
440--- a/configure.ac 485--- a/configure.ac
441+++ b/configure.ac 486+++ b/configure.ac
442@@ -548,6 +548,30 @@ 487@@ -548,6 +548,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
443 [Use tunnel device compatibility to OpenBSD]) 488 [Use tunnel device compatibility to OpenBSD])
444 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 489 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
445 [Prepend the address family to IP tunnel traffic]) 490 [Prepend the address family to IP tunnel traffic])
@@ -470,8 +515,8 @@ Index: b/configure.ac
470 m4_pattern_allow([AU_IPv]) 515 m4_pattern_allow([AU_IPv])
471 AC_CHECK_DECL([AU_IPv4], [], 516 AC_CHECK_DECL([AU_IPv4], [],
472 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) 517 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
473Index: b/gss-genr.c 518diff --git a/gss-genr.c b/gss-genr.c
474=================================================================== 519index b39281b..b7d1b7d 100644
475--- a/gss-genr.c 520--- a/gss-genr.c
476+++ b/gss-genr.c 521+++ b/gss-genr.c
477@@ -1,7 +1,7 @@ 522@@ -1,7 +1,7 @@
@@ -651,7 +696,7 @@ Index: b/gss-genr.c
651 /* Check that the OID in a data stream matches that in the context */ 696 /* Check that the OID in a data stream matches that in the context */
652 int 697 int
653 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) 698 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
654@@ -197,7 +352,7 @@ 699@@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
655 } 700 }
656 701
657 ctx->major = gss_init_sec_context(&ctx->minor, 702 ctx->major = gss_init_sec_context(&ctx->minor,
@@ -660,7 +705,7 @@ Index: b/gss-genr.c
660 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, 705 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
661 0, NULL, recv_tok, NULL, send_tok, flags, NULL); 706 0, NULL, recv_tok, NULL, send_tok, flags, NULL);
662 707
663@@ -227,8 +382,42 @@ 708@@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
664 } 709 }
665 710
666 OM_uint32 711 OM_uint32
@@ -703,7 +748,7 @@ Index: b/gss-genr.c
703 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, 748 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
704 GSS_C_QOP_DEFAULT, buffer, hash))) 749 GSS_C_QOP_DEFAULT, buffer, hash)))
705 ssh_gssapi_error(ctx); 750 ssh_gssapi_error(ctx);
706@@ -236,6 +425,19 @@ 751@@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
707 return (ctx->major); 752 return (ctx->major);
708 } 753 }
709 754
@@ -723,7 +768,7 @@ Index: b/gss-genr.c
723 void 768 void
724 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, 769 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
725 const char *context) 770 const char *context)
726@@ -249,11 +451,16 @@ 771@@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
727 } 772 }
728 773
729 int 774 int
@@ -741,7 +786,7 @@ Index: b/gss-genr.c
741 786
742 /* RFC 4462 says we MUST NOT do SPNEGO */ 787 /* RFC 4462 says we MUST NOT do SPNEGO */
743 if (oid->length == spnego_oid.length && 788 if (oid->length == spnego_oid.length &&
744@@ -263,6 +470,10 @@ 789@@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
745 ssh_gssapi_build_ctx(ctx); 790 ssh_gssapi_build_ctx(ctx);
746 ssh_gssapi_set_oid(*ctx, oid); 791 ssh_gssapi_set_oid(*ctx, oid);
747 major = ssh_gssapi_import_name(*ctx, host); 792 major = ssh_gssapi_import_name(*ctx, host);
@@ -752,7 +797,7 @@ Index: b/gss-genr.c
752 if (!GSS_ERROR(major)) { 797 if (!GSS_ERROR(major)) {
753 major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 798 major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
754 NULL); 799 NULL);
755@@ -272,10 +483,67 @@ 800@@ -272,10 +483,67 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
756 GSS_C_NO_BUFFER); 801 GSS_C_NO_BUFFER);
757 } 802 }
758 803
@@ -821,8 +866,8 @@ Index: b/gss-genr.c
821+} 866+}
822+ 867+
823 #endif /* GSSAPI */ 868 #endif /* GSSAPI */
824Index: b/gss-serv-krb5.c 869diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
825=================================================================== 870index 87f2683..c55446a 100644
826--- a/gss-serv-krb5.c 871--- a/gss-serv-krb5.c
827+++ b/gss-serv-krb5.c 872+++ b/gss-serv-krb5.c
828@@ -1,7 +1,7 @@ 873@@ -1,7 +1,7 @@
@@ -834,7 +879,7 @@ Index: b/gss-serv-krb5.c
834 * 879 *
835 * Redistribution and use in source and binary forms, with or without 880 * Redistribution and use in source and binary forms, with or without
836 * modification, are permitted provided that the following conditions 881 * modification, are permitted provided that the following conditions
837@@ -122,6 +122,7 @@ 882@@ -122,6 +122,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
838 OM_uint32 maj_status, min_status; 883 OM_uint32 maj_status, min_status;
839 int len; 884 int len;
840 const char *errmsg; 885 const char *errmsg;
@@ -842,7 +887,7 @@ Index: b/gss-serv-krb5.c
842 887
843 if (client->creds == NULL) { 888 if (client->creds == NULL) {
844 debug("No credentials stored"); 889 debug("No credentials stored");
845@@ -174,11 +175,16 @@ 890@@ -174,11 +175,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
846 return; 891 return;
847 } 892 }
848 893
@@ -863,7 +908,7 @@ Index: b/gss-serv-krb5.c
863 908
864 #ifdef USE_PAM 909 #ifdef USE_PAM
865 if (options.use_pam) 910 if (options.use_pam)
866@@ -190,6 +196,71 @@ 911@@ -190,6 +196,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
867 return; 912 return;
868 } 913 }
869 914
@@ -935,7 +980,7 @@ Index: b/gss-serv-krb5.c
935 ssh_gssapi_mech gssapi_kerberos_mech = { 980 ssh_gssapi_mech gssapi_kerberos_mech = {
936 "toWM5Slw5Ew8Mqkay+al2g==", 981 "toWM5Slw5Ew8Mqkay+al2g==",
937 "Kerberos", 982 "Kerberos",
938@@ -197,7 +268,8 @@ 983@@ -197,7 +268,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
939 NULL, 984 NULL,
940 &ssh_gssapi_krb5_userok, 985 &ssh_gssapi_krb5_userok,
941 NULL, 986 NULL,
@@ -945,8 +990,8 @@ Index: b/gss-serv-krb5.c
945 }; 990 };
946 991
947 #endif /* KRB5 */ 992 #endif /* KRB5 */
948Index: b/gss-serv.c 993diff --git a/gss-serv.c b/gss-serv.c
949=================================================================== 994index 95348e2..97f366f 100644
950--- a/gss-serv.c 995--- a/gss-serv.c
951+++ b/gss-serv.c 996+++ b/gss-serv.c
952@@ -1,7 +1,7 @@ 997@@ -1,7 +1,7 @@
@@ -982,7 +1027,7 @@ Index: b/gss-serv.c
982 1027
983 #ifdef KRB5 1028 #ifdef KRB5
984 extern ssh_gssapi_mech gssapi_kerberos_mech; 1029 extern ssh_gssapi_mech gssapi_kerberos_mech;
985@@ -81,25 +87,32 @@ 1030@@ -81,25 +87,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
986 char lname[MAXHOSTNAMELEN]; 1031 char lname[MAXHOSTNAMELEN];
987 gss_OID_set oidset; 1032 gss_OID_set oidset;
988 1033
@@ -991,16 +1036,16 @@ Index: b/gss-serv.c
991+ if (options.gss_strict_acceptor) { 1036+ if (options.gss_strict_acceptor) {
992+ gss_create_empty_oid_set(&status, &oidset); 1037+ gss_create_empty_oid_set(&status, &oidset);
993+ gss_add_oid_set_member(&status, ctx->oid, &oidset); 1038+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
994+
995+ if (gethostname(lname, MAXHOSTNAMELEN)) {
996+ gss_release_oid_set(&status, &oidset);
997+ return (-1);
998+ }
999 1039
1000- if (gethostname(lname, MAXHOSTNAMELEN)) { 1040- if (gethostname(lname, MAXHOSTNAMELEN)) {
1001- gss_release_oid_set(&status, &oidset); 1041- gss_release_oid_set(&status, &oidset);
1002- return (-1); 1042- return (-1);
1003- } 1043- }
1044+ if (gethostname(lname, MAXHOSTNAMELEN)) {
1045+ gss_release_oid_set(&status, &oidset);
1046+ return (-1);
1047+ }
1048+
1004+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { 1049+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
1005+ gss_release_oid_set(&status, &oidset); 1050+ gss_release_oid_set(&status, &oidset);
1006+ return (ctx->major); 1051+ return (ctx->major);
@@ -1029,7 +1074,7 @@ Index: b/gss-serv.c
1029 } 1074 }
1030 1075
1031 /* Privileged */ 1076 /* Privileged */
1032@@ -114,6 +127,29 @@ 1077@@ -114,6 +127,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
1033 } 1078 }
1034 1079
1035 /* Unprivileged */ 1080 /* Unprivileged */
@@ -1059,7 +1104,7 @@ Index: b/gss-serv.c
1059 void 1104 void
1060 ssh_gssapi_supported_oids(gss_OID_set *oidset) 1105 ssh_gssapi_supported_oids(gss_OID_set *oidset)
1061 { 1106 {
1062@@ -123,7 +159,9 @@ 1107@@ -123,7 +159,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
1063 gss_OID_set supported; 1108 gss_OID_set supported;
1064 1109
1065 gss_create_empty_oid_set(&min_status, oidset); 1110 gss_create_empty_oid_set(&min_status, oidset);
@@ -1070,7 +1115,7 @@ Index: b/gss-serv.c
1070 1115
1071 while (supported_mechs[i]->name != NULL) { 1116 while (supported_mechs[i]->name != NULL) {
1072 if (GSS_ERROR(gss_test_oid_set_member(&min_status, 1117 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
1073@@ -249,8 +287,48 @@ 1118@@ -249,8 +287,48 @@ OM_uint32
1074 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) 1119 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1075 { 1120 {
1076 int i = 0; 1121 int i = 0;
@@ -1120,7 +1165,7 @@ Index: b/gss-serv.c
1120 1165
1121 client->mech = NULL; 1166 client->mech = NULL;
1122 1167
1123@@ -265,6 +343,13 @@ 1168@@ -265,6 +343,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1124 if (client->mech == NULL) 1169 if (client->mech == NULL)
1125 return GSS_S_FAILURE; 1170 return GSS_S_FAILURE;
1126 1171
@@ -1134,7 +1179,7 @@ Index: b/gss-serv.c
1134 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, 1179 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
1135 &client->displayname, NULL))) { 1180 &client->displayname, NULL))) {
1136 ssh_gssapi_error(ctx); 1181 ssh_gssapi_error(ctx);
1137@@ -282,6 +367,8 @@ 1182@@ -282,6 +367,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
1138 return (ctx->major); 1183 return (ctx->major);
1139 } 1184 }
1140 1185
@@ -1143,7 +1188,7 @@ Index: b/gss-serv.c
1143 /* We can't copy this structure, so we just move the pointer to it */ 1188 /* We can't copy this structure, so we just move the pointer to it */
1144 client->creds = ctx->client_creds; 1189 client->creds = ctx->client_creds;
1145 ctx->client_creds = GSS_C_NO_CREDENTIAL; 1190 ctx->client_creds = GSS_C_NO_CREDENTIAL;
1146@@ -329,7 +416,7 @@ 1191@@ -329,7 +416,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
1147 1192
1148 /* Privileged */ 1193 /* Privileged */
1149 int 1194 int
@@ -1152,7 +1197,7 @@ Index: b/gss-serv.c
1152 { 1197 {
1153 OM_uint32 lmin; 1198 OM_uint32 lmin;
1154 1199
1155@@ -339,9 +426,11 @@ 1200@@ -339,9 +426,11 @@ ssh_gssapi_userok(char *user)
1156 return 0; 1201 return 0;
1157 } 1202 }
1158 if (gssapi_client.mech && gssapi_client.mech->userok) 1203 if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1166,7 +1211,7 @@ Index: b/gss-serv.c
1166 /* Destroy delegated credentials if userok fails */ 1211 /* Destroy delegated credentials if userok fails */
1167 gss_release_buffer(&lmin, &gssapi_client.displayname); 1212 gss_release_buffer(&lmin, &gssapi_client.displayname);
1168 gss_release_buffer(&lmin, &gssapi_client.exportedname); 1213 gss_release_buffer(&lmin, &gssapi_client.exportedname);
1169@@ -354,14 +443,90 @@ 1214@@ -354,14 +443,90 @@ ssh_gssapi_userok(char *user)
1170 return (0); 1215 return (0);
1171 } 1216 }
1172 1217
@@ -1263,8 +1308,8 @@ Index: b/gss-serv.c
1263 } 1308 }
1264 1309
1265 #endif 1310 #endif
1266Index: b/kex.c 1311diff --git a/kex.c b/kex.c
1267=================================================================== 1312index 54bd1a4..1ec2782 100644
1268--- a/kex.c 1313--- a/kex.c
1269+++ b/kex.c 1314+++ b/kex.c
1270@@ -50,6 +50,10 @@ 1315@@ -50,6 +50,10 @@
@@ -1278,7 +1323,7 @@ Index: b/kex.c
1278 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1323 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1279 # if defined(HAVE_EVP_SHA256) 1324 # if defined(HAVE_EVP_SHA256)
1280 # define evp_ssh_sha256 EVP_sha256 1325 # define evp_ssh_sha256 EVP_sha256
1281@@ -82,6 +86,14 @@ 1326@@ -82,6 +86,14 @@ static const struct kexalg kexalgs[] = {
1282 #endif 1327 #endif
1283 { NULL, -1, -1, NULL}, 1328 { NULL, -1, -1, NULL},
1284 }; 1329 };
@@ -1293,7 +1338,7 @@ Index: b/kex.c
1293 1338
1294 char * 1339 char *
1295 kex_alg_list(void) 1340 kex_alg_list(void)
1296@@ -110,6 +122,10 @@ 1341@@ -110,6 +122,10 @@ kex_alg_by_name(const char *name)
1297 if (strcmp(k->name, name) == 0) 1342 if (strcmp(k->name, name) == 0)
1298 return k; 1343 return k;
1299 } 1344 }
@@ -1304,11 +1349,11 @@ Index: b/kex.c
1304 return NULL; 1349 return NULL;
1305 } 1350 }
1306 1351
1307Index: b/kex.h 1352diff --git a/kex.h b/kex.h
1308=================================================================== 1353index 9f1e1ad..d5046c6 100644
1309--- a/kex.h 1354--- a/kex.h
1310+++ b/kex.h 1355+++ b/kex.h
1311@@ -74,6 +74,9 @@ 1356@@ -74,6 +74,9 @@ enum kex_exchange {
1312 KEX_DH_GEX_SHA1, 1357 KEX_DH_GEX_SHA1,
1313 KEX_DH_GEX_SHA256, 1358 KEX_DH_GEX_SHA256,
1314 KEX_ECDH_SHA2, 1359 KEX_ECDH_SHA2,
@@ -1318,7 +1363,7 @@ Index: b/kex.h
1318 KEX_MAX 1363 KEX_MAX
1319 }; 1364 };
1320 1365
1321@@ -133,6 +136,12 @@ 1366@@ -133,6 +136,12 @@ struct Kex {
1322 int flags; 1367 int flags;
1323 const EVP_MD *evp_md; 1368 const EVP_MD *evp_md;
1324 int ec_nid; 1369 int ec_nid;
@@ -1331,7 +1376,7 @@ Index: b/kex.h
1331 char *client_version_string; 1376 char *client_version_string;
1332 char *server_version_string; 1377 char *server_version_string;
1333 int (*verify_host_key)(Key *); 1378 int (*verify_host_key)(Key *);
1334@@ -162,6 +171,11 @@ 1379@@ -162,6 +171,11 @@ void kexgex_server(Kex *);
1335 void kexecdh_client(Kex *); 1380 void kexecdh_client(Kex *);
1336 void kexecdh_server(Kex *); 1381 void kexecdh_server(Kex *);
1337 1382
@@ -1343,8 +1388,9 @@ Index: b/kex.h
1343 void 1388 void
1344 kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, 1389 kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
1345 BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); 1390 BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
1346Index: b/kexgssc.c 1391diff --git a/kexgssc.c b/kexgssc.c
1347=================================================================== 1392new file mode 100644
1393index 0000000..616893c
1348--- /dev/null 1394--- /dev/null
1349+++ b/kexgssc.c 1395+++ b/kexgssc.c
1350@@ -0,0 +1,333 @@ 1396@@ -0,0 +1,333 @@
@@ -1681,8 +1727,9 @@ Index: b/kexgssc.c
1681+} 1727+}
1682+ 1728+
1683+#endif /* GSSAPI */ 1729+#endif /* GSSAPI */
1684Index: b/kexgsss.c 1730diff --git a/kexgsss.c b/kexgsss.c
1685=================================================================== 1731new file mode 100644
1732index 0000000..18b065b
1686--- /dev/null 1733--- /dev/null
1687+++ b/kexgsss.c 1734+++ b/kexgsss.c
1688@@ -0,0 +1,289 @@ 1735@@ -0,0 +1,289 @@
@@ -1975,11 +2022,11 @@ Index: b/kexgsss.c
1975+ ssh_gssapi_rekey_creds(); 2022+ ssh_gssapi_rekey_creds();
1976+} 2023+}
1977+#endif /* GSSAPI */ 2024+#endif /* GSSAPI */
1978Index: b/key.c 2025diff --git a/key.c b/key.c
1979=================================================================== 2026index 55ee789..2591635 100644
1980--- a/key.c 2027--- a/key.c
1981+++ b/key.c 2028+++ b/key.c
1982@@ -933,6 +933,7 @@ 2029@@ -933,6 +933,7 @@ static const struct keytype keytypes[] = {
1983 KEY_RSA_CERT_V00, 0, 1 }, 2030 KEY_RSA_CERT_V00, 0, 1 },
1984 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", 2031 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
1985 KEY_DSA_CERT_V00, 0, 1 }, 2032 KEY_DSA_CERT_V00, 0, 1 },
@@ -1987,11 +2034,11 @@ Index: b/key.c
1987 { NULL, NULL, -1, -1, 0 } 2034 { NULL, NULL, -1, -1, 0 }
1988 }; 2035 };
1989 2036
1990Index: b/key.h 2037diff --git a/key.h b/key.h
1991=================================================================== 2038index 17358ae..b57d6a4 100644
1992--- a/key.h 2039--- a/key.h
1993+++ b/key.h 2040+++ b/key.h
1994@@ -44,6 +44,7 @@ 2041@@ -44,6 +44,7 @@ enum types {
1995 KEY_ECDSA_CERT, 2042 KEY_ECDSA_CERT,
1996 KEY_RSA_CERT_V00, 2043 KEY_RSA_CERT_V00,
1997 KEY_DSA_CERT_V00, 2044 KEY_DSA_CERT_V00,
@@ -1999,11 +2046,11 @@ Index: b/key.h
1999 KEY_UNSPEC 2046 KEY_UNSPEC
2000 }; 2047 };
2001 enum fp_type { 2048 enum fp_type {
2002Index: b/monitor.c 2049diff --git a/monitor.c b/monitor.c
2003=================================================================== 2050index 44dff98..9079c97 100644
2004--- a/monitor.c 2051--- a/monitor.c
2005+++ b/monitor.c 2052+++ b/monitor.c
2006@@ -181,6 +181,8 @@ 2053@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
2007 int mm_answer_gss_accept_ctx(int, Buffer *); 2054 int mm_answer_gss_accept_ctx(int, Buffer *);
2008 int mm_answer_gss_userok(int, Buffer *); 2055 int mm_answer_gss_userok(int, Buffer *);
2009 int mm_answer_gss_checkmic(int, Buffer *); 2056 int mm_answer_gss_checkmic(int, Buffer *);
@@ -2012,7 +2059,7 @@ Index: b/monitor.c
2012 #endif 2059 #endif
2013 2060
2014 #ifdef SSH_AUDIT_EVENTS 2061 #ifdef SSH_AUDIT_EVENTS
2015@@ -253,6 +255,7 @@ 2062@@ -253,6 +255,7 @@ struct mon_table mon_dispatch_proto20[] = {
2016 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, 2063 {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
2017 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, 2064 {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
2018 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, 2065 {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -2020,7 +2067,7 @@ Index: b/monitor.c
2020 #endif 2067 #endif
2021 #ifdef JPAKE 2068 #ifdef JPAKE
2022 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, 2069 {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
2023@@ -265,6 +268,12 @@ 2070@@ -265,6 +268,12 @@ struct mon_table mon_dispatch_proto20[] = {
2024 }; 2071 };
2025 2072
2026 struct mon_table mon_dispatch_postauth20[] = { 2073 struct mon_table mon_dispatch_postauth20[] = {
@@ -2033,7 +2080,7 @@ Index: b/monitor.c
2033 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2080 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2034 {MONITOR_REQ_SIGN, 0, mm_answer_sign}, 2081 {MONITOR_REQ_SIGN, 0, mm_answer_sign},
2035 {MONITOR_REQ_PTY, 0, mm_answer_pty}, 2082 {MONITOR_REQ_PTY, 0, mm_answer_pty},
2036@@ -373,6 +382,10 @@ 2083@@ -373,6 +382,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
2037 /* Permit requests for moduli and signatures */ 2084 /* Permit requests for moduli and signatures */
2038 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2085 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2039 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2086 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2044,7 +2091,7 @@ Index: b/monitor.c
2044 } else { 2091 } else {
2045 mon_dispatch = mon_dispatch_proto15; 2092 mon_dispatch = mon_dispatch_proto15;
2046 2093
2047@@ -487,6 +500,10 @@ 2094@@ -487,6 +500,10 @@ monitor_child_postauth(struct monitor *pmonitor)
2048 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2095 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2049 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2096 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2050 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2097 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2055,7 +2102,7 @@ Index: b/monitor.c
2055 } else { 2102 } else {
2056 mon_dispatch = mon_dispatch_postauth15; 2103 mon_dispatch = mon_dispatch_postauth15;
2057 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2104 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2058@@ -1855,6 +1872,13 @@ 2105@@ -1855,6 +1872,13 @@ mm_get_kex(Buffer *m)
2059 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 2106 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2060 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2107 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2061 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2108 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -2069,7 +2116,7 @@ Index: b/monitor.c
2069 kex->server = 1; 2116 kex->server = 1;
2070 kex->hostkey_type = buffer_get_int(m); 2117 kex->hostkey_type = buffer_get_int(m);
2071 kex->kex_type = buffer_get_int(m); 2118 kex->kex_type = buffer_get_int(m);
2072@@ -2062,6 +2086,9 @@ 2119@@ -2062,6 +2086,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2073 OM_uint32 major; 2120 OM_uint32 major;
2074 u_int len; 2121 u_int len;
2075 2122
@@ -2079,7 +2126,7 @@ Index: b/monitor.c
2079 goid.elements = buffer_get_string(m, &len); 2126 goid.elements = buffer_get_string(m, &len);
2080 goid.length = len; 2127 goid.length = len;
2081 2128
2082@@ -2089,6 +2116,9 @@ 2129@@ -2089,6 +2116,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2083 OM_uint32 flags = 0; /* GSI needs this */ 2130 OM_uint32 flags = 0; /* GSI needs this */
2084 u_int len; 2131 u_int len;
2085 2132
@@ -2089,7 +2136,7 @@ Index: b/monitor.c
2089 in.value = buffer_get_string(m, &len); 2136 in.value = buffer_get_string(m, &len);
2090 in.length = len; 2137 in.length = len;
2091 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2138 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2092@@ -2106,6 +2136,7 @@ 2139@@ -2106,6 +2136,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2093 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2140 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2094 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2141 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2095 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2142 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2097,7 +2144,7 @@ Index: b/monitor.c
2097 } 2144 }
2098 return (0); 2145 return (0);
2099 } 2146 }
2100@@ -2117,6 +2148,9 @@ 2147@@ -2117,6 +2148,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2101 OM_uint32 ret; 2148 OM_uint32 ret;
2102 u_int len; 2149 u_int len;
2103 2150
@@ -2107,7 +2154,7 @@ Index: b/monitor.c
2107 gssbuf.value = buffer_get_string(m, &len); 2154 gssbuf.value = buffer_get_string(m, &len);
2108 gssbuf.length = len; 2155 gssbuf.length = len;
2109 mic.value = buffer_get_string(m, &len); 2156 mic.value = buffer_get_string(m, &len);
2110@@ -2143,7 +2177,11 @@ 2157@@ -2143,7 +2177,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2111 { 2158 {
2112 int authenticated; 2159 int authenticated;
2113 2160
@@ -2120,7 +2167,7 @@ Index: b/monitor.c
2120 2167
2121 buffer_clear(m); 2168 buffer_clear(m);
2122 buffer_put_int(m, authenticated); 2169 buffer_put_int(m, authenticated);
2123@@ -2156,6 +2194,74 @@ 2170@@ -2156,6 +2194,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
2124 /* Monitor loop will terminate if authenticated */ 2171 /* Monitor loop will terminate if authenticated */
2125 return (authenticated); 2172 return (authenticated);
2126 } 2173 }
@@ -2195,11 +2242,11 @@ Index: b/monitor.c
2195 #endif /* GSSAPI */ 2242 #endif /* GSSAPI */
2196 2243
2197 #ifdef JPAKE 2244 #ifdef JPAKE
2198Index: b/monitor.h 2245diff --git a/monitor.h b/monitor.h
2199=================================================================== 2246index 2caa469..315ef99 100644
2200--- a/monitor.h 2247--- a/monitor.h
2201+++ b/monitor.h 2248+++ b/monitor.h
2202@@ -70,6 +70,9 @@ 2249@@ -70,6 +70,9 @@ enum monitor_reqtype {
2203 MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, 2250 MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
2204 MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, 2251 MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
2205 2252
@@ -2209,11 +2256,11 @@ Index: b/monitor.h
2209 }; 2256 };
2210 2257
2211 struct mm_master; 2258 struct mm_master;
2212Index: b/monitor_wrap.c 2259diff --git a/monitor_wrap.c b/monitor_wrap.c
2213=================================================================== 2260index 4ce4696..44019f3 100644
2214--- a/monitor_wrap.c 2261--- a/monitor_wrap.c
2215+++ b/monitor_wrap.c 2262+++ b/monitor_wrap.c
2216@@ -1273,7 +1273,7 @@ 2263@@ -1273,7 +1273,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
2217 } 2264 }
2218 2265
2219 int 2266 int
@@ -2222,7 +2269,7 @@ Index: b/monitor_wrap.c
2222 { 2269 {
2223 Buffer m; 2270 Buffer m;
2224 int authenticated = 0; 2271 int authenticated = 0;
2225@@ -1290,6 +1290,51 @@ 2272@@ -1290,6 +1290,51 @@ mm_ssh_gssapi_userok(char *user)
2226 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); 2273 debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
2227 return (authenticated); 2274 return (authenticated);
2228 } 2275 }
@@ -2274,11 +2321,11 @@ Index: b/monitor_wrap.c
2274 #endif /* GSSAPI */ 2321 #endif /* GSSAPI */
2275 2322
2276 #ifdef JPAKE 2323 #ifdef JPAKE
2277Index: b/monitor_wrap.h 2324diff --git a/monitor_wrap.h b/monitor_wrap.h
2278=================================================================== 2325index 0c7f2e3..ec9b9b1 100644
2279--- a/monitor_wrap.h 2326--- a/monitor_wrap.h
2280+++ b/monitor_wrap.h 2327+++ b/monitor_wrap.h
2281@@ -58,8 +58,10 @@ 2328@@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
2282 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); 2329 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
2283 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, 2330 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
2284 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); 2331 gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -2290,11 +2337,11 @@ Index: b/monitor_wrap.h
2290 #endif 2337 #endif
2291 2338
2292 #ifdef USE_PAM 2339 #ifdef USE_PAM
2293Index: b/readconf.c 2340diff --git a/readconf.c b/readconf.c
2294=================================================================== 2341index 1464430..2695fd6 100644
2295--- a/readconf.c 2342--- a/readconf.c
2296+++ b/readconf.c 2343+++ b/readconf.c
2297@@ -132,6 +132,8 @@ 2344@@ -132,6 +132,8 @@ typedef enum {
2298 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 2345 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
2299 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 2346 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
2300 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 2347 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2303,7 +2350,7 @@ Index: b/readconf.c
2303 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2350 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2304 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2351 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2305 oHashKnownHosts, 2352 oHashKnownHosts,
2306@@ -172,10 +174,19 @@ 2353@@ -172,10 +174,19 @@ static struct {
2307 { "afstokenpassing", oUnsupported }, 2354 { "afstokenpassing", oUnsupported },
2308 #if defined(GSSAPI) 2355 #if defined(GSSAPI)
2309 { "gssapiauthentication", oGssAuthentication }, 2356 { "gssapiauthentication", oGssAuthentication },
@@ -2323,7 +2370,7 @@ Index: b/readconf.c
2323 #endif 2370 #endif
2324 { "fallbacktorsh", oDeprecated }, 2371 { "fallbacktorsh", oDeprecated },
2325 { "usersh", oDeprecated }, 2372 { "usersh", oDeprecated },
2326@@ -516,10 +527,30 @@ 2373@@ -516,10 +527,30 @@ parse_flag:
2327 intptr = &options->gss_authentication; 2374 intptr = &options->gss_authentication;
2328 goto parse_flag; 2375 goto parse_flag;
2329 2376
@@ -2354,7 +2401,7 @@ Index: b/readconf.c
2354 case oBatchMode: 2401 case oBatchMode:
2355 intptr = &options->batch_mode; 2402 intptr = &options->batch_mode;
2356 goto parse_flag; 2403 goto parse_flag;
2357@@ -1168,7 +1199,12 @@ 2404@@ -1168,7 +1199,12 @@ initialize_options(Options * options)
2358 options->pubkey_authentication = -1; 2405 options->pubkey_authentication = -1;
2359 options->challenge_response_authentication = -1; 2406 options->challenge_response_authentication = -1;
2360 options->gss_authentication = -1; 2407 options->gss_authentication = -1;
@@ -2367,7 +2414,7 @@ Index: b/readconf.c
2367 options->password_authentication = -1; 2414 options->password_authentication = -1;
2368 options->kbd_interactive_authentication = -1; 2415 options->kbd_interactive_authentication = -1;
2369 options->kbd_interactive_devices = NULL; 2416 options->kbd_interactive_devices = NULL;
2370@@ -1268,8 +1304,14 @@ 2417@@ -1268,8 +1304,14 @@ fill_default_options(Options * options)
2371 options->challenge_response_authentication = 1; 2418 options->challenge_response_authentication = 1;
2372 if (options->gss_authentication == -1) 2419 if (options->gss_authentication == -1)
2373 options->gss_authentication = 0; 2420 options->gss_authentication = 0;
@@ -2382,11 +2429,11 @@ Index: b/readconf.c
2382 if (options->password_authentication == -1) 2429 if (options->password_authentication == -1)
2383 options->password_authentication = 1; 2430 options->password_authentication = 1;
2384 if (options->kbd_interactive_authentication == -1) 2431 if (options->kbd_interactive_authentication == -1)
2385Index: b/readconf.h 2432diff --git a/readconf.h b/readconf.h
2386=================================================================== 2433index 23fc500..675b35d 100644
2387--- a/readconf.h 2434--- a/readconf.h
2388+++ b/readconf.h 2435+++ b/readconf.h
2389@@ -48,7 +48,12 @@ 2436@@ -48,7 +48,12 @@ typedef struct {
2390 int challenge_response_authentication; 2437 int challenge_response_authentication;
2391 /* Try S/Key or TIS, authentication. */ 2438 /* Try S/Key or TIS, authentication. */
2392 int gss_authentication; /* Try GSS authentication */ 2439 int gss_authentication; /* Try GSS authentication */
@@ -2399,11 +2446,11 @@ Index: b/readconf.h
2399 int password_authentication; /* Try password 2446 int password_authentication; /* Try password
2400 * authentication. */ 2447 * authentication. */
2401 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2448 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2402Index: b/servconf.c 2449diff --git a/servconf.c b/servconf.c
2403=================================================================== 2450index 747edde..c938ae3 100644
2404--- a/servconf.c 2451--- a/servconf.c
2405+++ b/servconf.c 2452+++ b/servconf.c
2406@@ -107,7 +107,10 @@ 2453@@ -107,7 +107,10 @@ initialize_server_options(ServerOptions *options)
2407 options->kerberos_ticket_cleanup = -1; 2454 options->kerberos_ticket_cleanup = -1;
2408 options->kerberos_get_afs_token = -1; 2455 options->kerberos_get_afs_token = -1;
2409 options->gss_authentication=-1; 2456 options->gss_authentication=-1;
@@ -2414,7 +2461,7 @@ Index: b/servconf.c
2414 options->password_authentication = -1; 2461 options->password_authentication = -1;
2415 options->kbd_interactive_authentication = -1; 2462 options->kbd_interactive_authentication = -1;
2416 options->challenge_response_authentication = -1; 2463 options->challenge_response_authentication = -1;
2417@@ -240,8 +243,14 @@ 2464@@ -240,8 +243,14 @@ fill_default_server_options(ServerOptions *options)
2418 options->kerberos_get_afs_token = 0; 2465 options->kerberos_get_afs_token = 0;
2419 if (options->gss_authentication == -1) 2466 if (options->gss_authentication == -1)
2420 options->gss_authentication = 0; 2467 options->gss_authentication = 0;
@@ -2429,7 +2476,7 @@ Index: b/servconf.c
2429 if (options->password_authentication == -1) 2476 if (options->password_authentication == -1)
2430 options->password_authentication = 1; 2477 options->password_authentication = 1;
2431 if (options->kbd_interactive_authentication == -1) 2478 if (options->kbd_interactive_authentication == -1)
2432@@ -338,7 +347,9 @@ 2479@@ -338,7 +347,9 @@ typedef enum {
2433 sBanner, sUseDNS, sHostbasedAuthentication, 2480 sBanner, sUseDNS, sHostbasedAuthentication,
2434 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2481 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2435 sClientAliveCountMax, sAuthorizedKeysFile, 2482 sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2440,7 +2487,7 @@ Index: b/servconf.c
2440 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2487 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2441 sUsePrivilegeSeparation, sAllowAgentForwarding, 2488 sUsePrivilegeSeparation, sAllowAgentForwarding,
2442 sZeroKnowledgePasswordAuthentication, sHostCertificate, 2489 sZeroKnowledgePasswordAuthentication, sHostCertificate,
2443@@ -405,10 +416,20 @@ 2490@@ -405,10 +416,20 @@ static struct {
2444 #ifdef GSSAPI 2491 #ifdef GSSAPI
2445 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2492 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2446 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2493 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2461,7 +2508,7 @@ Index: b/servconf.c
2461 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2508 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2462 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2509 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2463 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2510 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2464@@ -1073,10 +1094,22 @@ 2511@@ -1073,10 +1094,22 @@ process_server_config_line(ServerOptions *options, char *line,
2465 intptr = &options->gss_authentication; 2512 intptr = &options->gss_authentication;
2466 goto parse_flag; 2513 goto parse_flag;
2467 2514
@@ -2484,7 +2531,7 @@ Index: b/servconf.c
2484 case sPasswordAuthentication: 2531 case sPasswordAuthentication:
2485 intptr = &options->password_authentication; 2532 intptr = &options->password_authentication;
2486 goto parse_flag; 2533 goto parse_flag;
2487@@ -1983,7 +2016,10 @@ 2534@@ -1983,7 +2016,10 @@ dump_config(ServerOptions *o)
2488 #endif 2535 #endif
2489 #ifdef GSSAPI 2536 #ifdef GSSAPI
2490 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2537 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2495,11 +2542,11 @@ Index: b/servconf.c
2495 #endif 2542 #endif
2496 #ifdef JPAKE 2543 #ifdef JPAKE
2497 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, 2544 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
2498Index: b/servconf.h 2545diff --git a/servconf.h b/servconf.h
2499=================================================================== 2546index 98aad8b..ab6e346 100644
2500--- a/servconf.h 2547--- a/servconf.h
2501+++ b/servconf.h 2548+++ b/servconf.h
2502@@ -111,7 +111,10 @@ 2549@@ -111,7 +111,10 @@ typedef struct {
2503 int kerberos_get_afs_token; /* If true, try to get AFS token if 2550 int kerberos_get_afs_token; /* If true, try to get AFS token if
2504 * authenticated with Kerberos. */ 2551 * authenticated with Kerberos. */
2505 int gss_authentication; /* If true, permit GSSAPI authentication */ 2552 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2510,8 +2557,8 @@ Index: b/servconf.h
2510 int password_authentication; /* If true, permit password 2557 int password_authentication; /* If true, permit password
2511 * authentication. */ 2558 * authentication. */
2512 int kbd_interactive_authentication; /* If true, permit */ 2559 int kbd_interactive_authentication; /* If true, permit */
2513Index: b/ssh-gss.h 2560diff --git a/ssh-gss.h b/ssh-gss.h
2514=================================================================== 2561index 077e13c..bc6e8f9 100644
2515--- a/ssh-gss.h 2562--- a/ssh-gss.h
2516+++ b/ssh-gss.h 2563+++ b/ssh-gss.h
2517@@ -1,6 +1,6 @@ 2564@@ -1,6 +1,6 @@
@@ -2545,7 +2592,7 @@ Index: b/ssh-gss.h
2545 void *data; 2592 void *data;
2546 } ssh_gssapi_ccache; 2593 } ssh_gssapi_ccache;
2547 2594
2548@@ -72,8 +84,11 @@ 2595@@ -72,8 +84,11 @@ typedef struct {
2549 gss_buffer_desc displayname; 2596 gss_buffer_desc displayname;
2550 gss_buffer_desc exportedname; 2597 gss_buffer_desc exportedname;
2551 gss_cred_id_t creds; 2598 gss_cred_id_t creds;
@@ -2557,7 +2604,7 @@ Index: b/ssh-gss.h
2557 } ssh_gssapi_client; 2604 } ssh_gssapi_client;
2558 2605
2559 typedef struct ssh_gssapi_mech_struct { 2606 typedef struct ssh_gssapi_mech_struct {
2560@@ -84,6 +99,7 @@ 2607@@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct {
2561 int (*userok) (ssh_gssapi_client *, char *); 2608 int (*userok) (ssh_gssapi_client *, char *);
2562 int (*localname) (ssh_gssapi_client *, char **); 2609 int (*localname) (ssh_gssapi_client *, char **);
2563 void (*storecreds) (ssh_gssapi_client *); 2610 void (*storecreds) (ssh_gssapi_client *);
@@ -2565,7 +2612,7 @@ Index: b/ssh-gss.h
2565 } ssh_gssapi_mech; 2612 } ssh_gssapi_mech;
2566 2613
2567 typedef struct { 2614 typedef struct {
2568@@ -94,10 +110,11 @@ 2615@@ -94,10 +110,11 @@ typedef struct {
2569 gss_OID oid; /* client */ 2616 gss_OID oid; /* client */
2570 gss_cred_id_t creds; /* server */ 2617 gss_cred_id_t creds; /* server */
2571 gss_name_t client; /* server */ 2618 gss_name_t client; /* server */
@@ -2578,7 +2625,7 @@ Index: b/ssh-gss.h
2578 2625
2579 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); 2626 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
2580 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); 2627 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
2581@@ -117,16 +134,30 @@ 2628@@ -117,16 +134,30 @@ void ssh_gssapi_build_ctx(Gssctxt **);
2582 void ssh_gssapi_delete_ctx(Gssctxt **); 2629 void ssh_gssapi_delete_ctx(Gssctxt **);
2583 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); 2630 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
2584 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); 2631 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
@@ -2611,8 +2658,8 @@ Index: b/ssh-gss.h
2611 #endif /* GSSAPI */ 2658 #endif /* GSSAPI */
2612 2659
2613 #endif /* _SSH_GSS_H */ 2660 #endif /* _SSH_GSS_H */
2614Index: b/ssh_config 2661diff --git a/ssh_config b/ssh_config
2615=================================================================== 2662index bb40819..3234321 100644
2616--- a/ssh_config 2663--- a/ssh_config
2617+++ b/ssh_config 2664+++ b/ssh_config
2618@@ -26,6 +26,8 @@ 2665@@ -26,6 +26,8 @@
@@ -2624,11 +2671,11 @@ Index: b/ssh_config
2624 # BatchMode no 2671 # BatchMode no
2625 # CheckHostIP yes 2672 # CheckHostIP yes
2626 # AddressFamily any 2673 # AddressFamily any
2627Index: b/ssh_config.5 2674diff --git a/ssh_config.5 b/ssh_config.5
2628=================================================================== 2675index 5d76c6d..e72919a 100644
2629--- a/ssh_config.5 2676--- a/ssh_config.5
2630+++ b/ssh_config.5 2677+++ b/ssh_config.5
2631@@ -529,11 +529,43 @@ 2678@@ -529,11 +529,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
2632 The default is 2679 The default is
2633 .Dq no . 2680 .Dq no .
2634 Note that this option applies to protocol version 2 only. 2681 Note that this option applies to protocol version 2 only.
@@ -2673,11 +2720,11 @@ Index: b/ssh_config.5
2673 .It Cm HashKnownHosts 2720 .It Cm HashKnownHosts
2674 Indicates that 2721 Indicates that
2675 .Xr ssh 1 2722 .Xr ssh 1
2676Index: b/sshconnect2.c 2723diff --git a/sshconnect2.c b/sshconnect2.c
2677=================================================================== 2724index 70e3cd8..0b13530 100644
2678--- a/sshconnect2.c 2725--- a/sshconnect2.c
2679+++ b/sshconnect2.c 2726+++ b/sshconnect2.c
2680@@ -160,9 +160,34 @@ 2727@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2681 { 2728 {
2682 Kex *kex; 2729 Kex *kex;
2683 2730
@@ -2712,7 +2759,7 @@ Index: b/sshconnect2.c
2712 if (options.ciphers == (char *)-1) { 2759 if (options.ciphers == (char *)-1) {
2713 logit("No valid ciphers for protocol version 2 given, using defaults."); 2760 logit("No valid ciphers for protocol version 2 given, using defaults.");
2714 options.ciphers = NULL; 2761 options.ciphers = NULL;
2715@@ -197,6 +222,17 @@ 2762@@ -197,6 +222,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2716 if (options.kex_algorithms != NULL) 2763 if (options.kex_algorithms != NULL)
2717 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; 2764 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
2718 2765
@@ -2730,7 +2777,7 @@ Index: b/sshconnect2.c
2730 if (options.rekey_limit || options.rekey_interval) 2777 if (options.rekey_limit || options.rekey_interval)
2731 packet_set_rekey_limits((u_int32_t)options.rekey_limit, 2778 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
2732 (time_t)options.rekey_interval); 2779 (time_t)options.rekey_interval);
2733@@ -208,10 +244,30 @@ 2780@@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2734 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; 2781 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
2735 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; 2782 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
2736 kex->kex[KEX_ECDH_SHA2] = kexecdh_client; 2783 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
@@ -2761,7 +2808,7 @@ Index: b/sshconnect2.c
2761 xxx_kex = kex; 2808 xxx_kex = kex;
2762 2809
2763 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2810 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2764@@ -307,6 +363,7 @@ 2811@@ -307,6 +363,7 @@ void input_gssapi_token(int type, u_int32_t, void *);
2765 void input_gssapi_hash(int type, u_int32_t, void *); 2812 void input_gssapi_hash(int type, u_int32_t, void *);
2766 void input_gssapi_error(int, u_int32_t, void *); 2813 void input_gssapi_error(int, u_int32_t, void *);
2767 void input_gssapi_errtok(int, u_int32_t, void *); 2814 void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2769,7 +2816,7 @@ Index: b/sshconnect2.c
2769 #endif 2816 #endif
2770 2817
2771 void userauth(Authctxt *, char *); 2818 void userauth(Authctxt *, char *);
2772@@ -322,6 +379,11 @@ 2819@@ -322,6 +379,11 @@ static char *authmethods_get(void);
2773 2820
2774 Authmethod authmethods[] = { 2821 Authmethod authmethods[] = {
2775 #ifdef GSSAPI 2822 #ifdef GSSAPI
@@ -2781,7 +2828,7 @@ Index: b/sshconnect2.c
2781 {"gssapi-with-mic", 2828 {"gssapi-with-mic",
2782 userauth_gssapi, 2829 userauth_gssapi,
2783 NULL, 2830 NULL,
2784@@ -625,19 +687,31 @@ 2831@@ -625,19 +687,31 @@ userauth_gssapi(Authctxt *authctxt)
2785 static u_int mech = 0; 2832 static u_int mech = 0;
2786 OM_uint32 min; 2833 OM_uint32 min;
2787 int ok = 0; 2834 int ok = 0;
@@ -2815,7 +2862,7 @@ Index: b/sshconnect2.c
2815 ok = 1; /* Mechanism works */ 2862 ok = 1; /* Mechanism works */
2816 } else { 2863 } else {
2817 mech++; 2864 mech++;
2818@@ -734,8 +808,8 @@ 2865@@ -734,8 +808,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
2819 { 2866 {
2820 Authctxt *authctxt = ctxt; 2867 Authctxt *authctxt = ctxt;
2821 Gssctxt *gssctxt; 2868 Gssctxt *gssctxt;
@@ -2826,7 +2873,7 @@ Index: b/sshconnect2.c
2826 2873
2827 if (authctxt == NULL) 2874 if (authctxt == NULL)
2828 fatal("input_gssapi_response: no authentication context"); 2875 fatal("input_gssapi_response: no authentication context");
2829@@ -844,6 +918,48 @@ 2876@@ -844,6 +918,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
2830 free(msg); 2877 free(msg);
2831 free(lang); 2878 free(lang);
2832 } 2879 }
@@ -2875,8 +2922,8 @@ Index: b/sshconnect2.c
2875 #endif /* GSSAPI */ 2922 #endif /* GSSAPI */
2876 2923
2877 int 2924 int
2878Index: b/sshd.c 2925diff --git a/sshd.c b/sshd.c
2879=================================================================== 2926index 174cc7a..4eddeb8 100644
2880--- a/sshd.c 2927--- a/sshd.c
2881+++ b/sshd.c 2928+++ b/sshd.c
2882@@ -122,6 +122,10 @@ 2929@@ -122,6 +122,10 @@
@@ -2890,7 +2937,7 @@ Index: b/sshd.c
2890 #ifdef LIBWRAP 2937 #ifdef LIBWRAP
2891 #include <tcpd.h> 2938 #include <tcpd.h>
2892 #include <syslog.h> 2939 #include <syslog.h>
2893@@ -1703,10 +1707,13 @@ 2940@@ -1703,10 +1707,13 @@ main(int ac, char **av)
2894 logit("Disabling protocol version 1. Could not load host key"); 2941 logit("Disabling protocol version 1. Could not load host key");
2895 options.protocol &= ~SSH_PROTO_1; 2942 options.protocol &= ~SSH_PROTO_1;
2896 } 2943 }
@@ -2904,7 +2951,7 @@ Index: b/sshd.c
2904 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2951 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2905 logit("sshd: no hostkeys available -- exiting."); 2952 logit("sshd: no hostkeys available -- exiting.");
2906 exit(1); 2953 exit(1);
2907@@ -2035,6 +2042,60 @@ 2954@@ -2035,6 +2042,60 @@ main(int ac, char **av)
2908 /* Log the connection. */ 2955 /* Log the connection. */
2909 verbose("Connection from %.500s port %d", remote_ip, remote_port); 2956 verbose("Connection from %.500s port %d", remote_ip, remote_port);
2910 2957
@@ -2965,7 +3012,7 @@ Index: b/sshd.c
2965 /* 3012 /*
2966 * We don't want to listen forever unless the other side 3013 * We don't want to listen forever unless the other side
2967 * successfully authenticates itself. So we set up an alarm which is 3014 * successfully authenticates itself. So we set up an alarm which is
2968@@ -2439,6 +2500,48 @@ 3015@@ -2439,6 +2500,48 @@ do_ssh2_kex(void)
2969 3016
2970 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 3017 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
2971 3018
@@ -3014,7 +3061,7 @@ Index: b/sshd.c
3014 /* start key exchange */ 3061 /* start key exchange */
3015 kex = kex_setup(myproposal); 3062 kex = kex_setup(myproposal);
3016 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 3063 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
3017@@ -2446,6 +2549,13 @@ 3064@@ -2446,6 +2549,13 @@ do_ssh2_kex(void)
3018 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 3065 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
3019 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 3066 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
3020 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 3067 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
@@ -3028,11 +3075,11 @@ Index: b/sshd.c
3028 kex->server = 1; 3075 kex->server = 1;
3029 kex->client_version_string=client_version_string; 3076 kex->client_version_string=client_version_string;
3030 kex->server_version_string=server_version_string; 3077 kex->server_version_string=server_version_string;
3031Index: b/sshd_config 3078diff --git a/sshd_config b/sshd_config
3032=================================================================== 3079index b786361..9450141 100644
3033--- a/sshd_config 3080--- a/sshd_config
3034+++ b/sshd_config 3081+++ b/sshd_config
3035@@ -83,6 +83,8 @@ 3082@@ -83,6 +83,8 @@ AuthorizedKeysFile .ssh/authorized_keys
3036 # GSSAPI options 3083 # GSSAPI options
3037 #GSSAPIAuthentication no 3084 #GSSAPIAuthentication no
3038 #GSSAPICleanupCredentials yes 3085 #GSSAPICleanupCredentials yes
@@ -3041,11 +3088,11 @@ Index: b/sshd_config
3041 3088
3042 # Set this to 'yes' to enable PAM authentication, account processing, 3089 # Set this to 'yes' to enable PAM authentication, account processing,
3043 # and session processing. If this is enabled, PAM authentication will 3090 # and session processing. If this is enabled, PAM authentication will
3044Index: b/sshd_config.5 3091diff --git a/sshd_config.5 b/sshd_config.5
3045=================================================================== 3092index 3abac6c..525d9c8 100644
3046--- a/sshd_config.5 3093--- a/sshd_config.5
3047+++ b/sshd_config.5 3094+++ b/sshd_config.5
3048@@ -484,12 +484,40 @@ 3095@@ -484,12 +484,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
3049 The default is 3096 The default is
3050 .Dq no . 3097 .Dq no .
3051 Note that this option applies to protocol version 2 only. 3098 Note that this option applies to protocol version 2 only.
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index 298e8e216..66a59a053 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,13 +1,21 @@
1Description: Mention ~& when waiting for forwarded connections to terminate 1From ea2e0af0bc3a683edb32b508c03eb793617f6f31 Mon Sep 17 00:00:00 2001
2Author: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:09:56 +0000
4Subject: Mention ~& when waiting for forwarded connections to terminate
5
3Bug-Debian: http://bugs.debian.org/50308 6Bug-Debian: http://bugs.debian.org/50308
4Last-Update: 2010-02-27 7Last-Update: 2010-02-27
5 8
6Index: b/serverloop.c 9Patch-Name: helpful-wait-terminate.patch
7=================================================================== 10---
11 serverloop.c | 2 +-
12 1 file changed, 1 insertion(+), 1 deletion(-)
13
14diff --git a/serverloop.c b/serverloop.c
15index ccbad61..5f22df3 100644
8--- a/serverloop.c 16--- a/serverloop.c
9+++ b/serverloop.c 17+++ b/serverloop.c
10@@ -686,7 +686,7 @@ 18@@ -686,7 +686,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
11 if (!channel_still_open()) 19 if (!channel_still_open())
12 break; 20 break;
13 if (!waiting_termination) { 21 if (!waiting_termination) {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index a851a91bf..61389cc44 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,24 +1,35 @@
1Description: Various keepalive extensions 1From affb41e3cf23b79a3d165ae0d97689a46a965b6f Mon Sep 17 00:00:00 2001
2 Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, 2From: Richard Kettlewell <rjk@greenend.org.uk>
3 supported in previous versions of Debian's OpenSSH package but since 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4 superseded by ServerAliveInterval. (We're probably stuck with this bit for 4Subject: Various keepalive extensions
5 compatibility.) 5
6 . 6Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
7 In batch mode, default ServerAliveInterval to five minutes. 7in previous versions of Debian's OpenSSH package but since superseded by
8 . 8ServerAliveInterval. (We're probably stuck with this bit for
9 Adjust documentation to match and to give some more advice on use of 9compatibility.)
10 keepalives. 10
11Author: Richard Kettlewell <rjk@greenend.org.uk> 11In batch mode, default ServerAliveInterval to five minutes.
12
13Adjust documentation to match and to give some more advice on use of
14keepalives.
15
12Author: Ian Jackson <ian@chiark.greenend.org.uk> 16Author: Ian Jackson <ian@chiark.greenend.org.uk>
13Author: Matthew Vernon <matthew@debian.org> 17Author: Matthew Vernon <matthew@debian.org>
14Author: Colin Watson <cjwatson@debian.org> 18Author: Colin Watson <cjwatson@debian.org>
15Last-Update: 2013-09-14 19Last-Update: 2013-09-14
16 20
17Index: b/readconf.c 21Patch-Name: keepalive-extensions.patch
18=================================================================== 22---
23 readconf.c | 14 ++++++++++++--
24 ssh_config.5 | 21 +++++++++++++++++++--
25 sshd_config.5 | 3 +++
26 3 files changed, 34 insertions(+), 4 deletions(-)
27
28diff --git a/readconf.c b/readconf.c
29index 22e5a3a..2dcbf31 100644
19--- a/readconf.c 30--- a/readconf.c
20+++ b/readconf.c 31+++ b/readconf.c
21@@ -141,6 +141,7 @@ 32@@ -141,6 +141,7 @@ typedef enum {
22 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, 33 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
23 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, 34 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
24 oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, 35 oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown,
@@ -26,7 +37,7 @@ Index: b/readconf.c
26 oIgnoredUnknownOption, oDeprecated, oUnsupported 37 oIgnoredUnknownOption, oDeprecated, oUnsupported
27 } OpCodes; 38 } OpCodes;
28 39
29@@ -263,6 +264,8 @@ 40@@ -263,6 +264,8 @@ static struct {
30 { "ipqos", oIPQoS }, 41 { "ipqos", oIPQoS },
31 { "requesttty", oRequestTTY }, 42 { "requesttty", oRequestTTY },
32 { "ignoreunknown", oIgnoreUnknown }, 43 { "ignoreunknown", oIgnoreUnknown },
@@ -35,7 +46,7 @@ Index: b/readconf.c
35 46
36 { NULL, oBadOption } 47 { NULL, oBadOption }
37 }; 48 };
38@@ -939,6 +942,8 @@ 49@@ -939,6 +942,8 @@ parse_int:
39 goto parse_flag; 50 goto parse_flag;
40 51
41 case oServerAliveInterval: 52 case oServerAliveInterval:
@@ -44,7 +55,7 @@ Index: b/readconf.c
44 intptr = &options->server_alive_interval; 55 intptr = &options->server_alive_interval;
45 goto parse_time; 56 goto parse_time;
46 57
47@@ -1404,8 +1409,13 @@ 58@@ -1404,8 +1409,13 @@ fill_default_options(Options * options)
48 options->rekey_interval = 0; 59 options->rekey_interval = 0;
49 if (options->verify_host_key_dns == -1) 60 if (options->verify_host_key_dns == -1)
50 options->verify_host_key_dns = 0; 61 options->verify_host_key_dns = 0;
@@ -60,11 +71,11 @@ Index: b/readconf.c
60 if (options->server_alive_count_max == -1) 71 if (options->server_alive_count_max == -1)
61 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
62 if (options->control_master == -1) 73 if (options->control_master == -1)
63Index: b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
64=================================================================== 75index 89b25cd..135d833 100644
65--- a/ssh_config.5 76--- a/ssh_config.5
66+++ b/ssh_config.5 77+++ b/ssh_config.5
67@@ -136,8 +136,12 @@ 78@@ -136,8 +136,12 @@ Valid arguments are
68 If set to 79 If set to
69 .Dq yes , 80 .Dq yes ,
70 passphrase/password querying will be disabled. 81 passphrase/password querying will be disabled.
@@ -78,7 +89,7 @@ Index: b/ssh_config.5
78 The argument must be 89 The argument must be
79 .Dq yes 90 .Dq yes
80 or 91 or
81@@ -1141,8 +1145,15 @@ 92@@ -1141,8 +1145,15 @@ from the server,
82 will send a message through the encrypted 93 will send a message through the encrypted
83 channel to request a response from the server. 94 channel to request a response from the server.
84 The default 95 The default
@@ -95,7 +106,7 @@ Index: b/ssh_config.5
95 .It Cm StrictHostKeyChecking 106 .It Cm StrictHostKeyChecking
96 If this flag is set to 107 If this flag is set to
97 .Dq yes , 108 .Dq yes ,
98@@ -1181,6 +1192,12 @@ 109@@ -1181,6 +1192,12 @@ Specifies whether the system should send TCP keepalive messages to the
99 other side. 110 other side.
100 If they are sent, death of the connection or crash of one 111 If they are sent, death of the connection or crash of one
101 of the machines will be properly noticed. 112 of the machines will be properly noticed.
@@ -108,11 +119,11 @@ Index: b/ssh_config.5
108 However, this means that 119 However, this means that
109 connections will die if the route is down temporarily, and some people 120 connections will die if the route is down temporarily, and some people
110 find it annoying. 121 find it annoying.
111Index: b/sshd_config.5 122diff --git a/sshd_config.5 b/sshd_config.5
112=================================================================== 123index 18ec81f..510cc7c 100644
113--- a/sshd_config.5 124--- a/sshd_config.5
114+++ b/sshd_config.5 125+++ b/sshd_config.5
115@@ -1161,6 +1161,9 @@ 126@@ -1161,6 +1161,9 @@ This avoids infinitely hanging sessions.
116 .Pp 127 .Pp
117 To disable TCP keepalive messages, the value should be set to 128 To disable TCP keepalive messages, the value should be set to
118 .Dq no . 129 .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 19ae33b22..b3b549cc8 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -1,15 +1,24 @@
1Description: Fix picky lintian errors about slogin symlinks 1From 6d50dc6d561af1bcf41eaf1dc69e7920abe5aa4b Mon Sep 17 00:00:00 2001
2 Apparently this breaks some SVR4 packaging systems, so upstream can't win 2From: Colin Watson <cjwatson@debian.org>
3 either way and opted to keep the status quo. We need this patch anyway. 3Date: Sun, 9 Feb 2014 16:10:08 +0000
4Author: Colin Watson <cjwatson@debian.org> 4Subject: Fix picky lintian errors about slogin symlinks
5
6Apparently this breaks some SVR4 packaging systems, so upstream can't win
7either way and opted to keep the status quo. We need this patch anyway.
8
5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728 9Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728
6Last-Update: 2013-09-14 10Last-Update: 2013-09-14
7 11
8Index: b/Makefile.in 12Patch-Name: lintian-symlink-pickiness.patch
9=================================================================== 13---
14 Makefile.in | 4 ++--
15 1 file changed, 2 insertions(+), 2 deletions(-)
16
17diff --git a/Makefile.in b/Makefile.in
18index 7cd3a08..839abbd 100644
10--- a/Makefile.in 19--- a/Makefile.in
11+++ b/Makefile.in 20+++ b/Makefile.in
12@@ -296,9 +296,9 @@ 21@@ -296,9 +296,9 @@ install-files:
13 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 22 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
14 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 23 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
15 -rm -f $(DESTDIR)$(bindir)/slogin 24 -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 55c277031..07682155c 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,14 +1,22 @@
1Description: Mention ssh-keygen in ssh fingerprint changed warning 1From 7a20ce0712e7b7174a0c079e84568a9e8321c42b Mon Sep 17 00:00:00 2001
2Author: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning
5
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
4Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 7Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
5Last-Update: 2013-09-14 8Last-Update: 2013-09-14
6 9
7Index: b/sshconnect.c 10Patch-Name: mention-ssh-keygen-on-keychange.patch
8=================================================================== 11---
12 sshconnect.c | 7 ++++++-
13 1 file changed, 6 insertions(+), 1 deletion(-)
14
15diff --git a/sshconnect.c b/sshconnect.c
16index 91fd59a..bda83b2 100644
9--- a/sshconnect.c 17--- a/sshconnect.c
10+++ b/sshconnect.c 18+++ b/sshconnect.c
11@@ -981,9 +981,12 @@ 19@@ -981,9 +981,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
12 error("%s. This could either mean that", key_msg); 20 error("%s. This could either mean that", key_msg);
13 error("DNS SPOOFING is happening or the IP address for the host"); 21 error("DNS SPOOFING is happening or the IP address for the host");
14 error("and its host key have changed at the same time."); 22 error("and its host key have changed at the same time.");
@@ -22,7 +30,7 @@ Index: b/sshconnect.c
22 } 30 }
23 /* The host key has changed. */ 31 /* The host key has changed. */
24 warn_changed_key(host_key); 32 warn_changed_key(host_key);
25@@ -991,6 +994,8 @@ 33@@ -991,6 +994,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
26 user_hostfiles[0]); 34 user_hostfiles[0]);
27 error("Offending %s key in %s:%lu", key_type(host_found->key), 35 error("Offending %s key in %s:%lu", key_type(host_found->key),
28 host_found->file, host_found->line); 36 host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-check.patch b/debian/patches/no-openssl-version-check.patch
index 8c7b6538e..f45e2b959 100644
--- a/debian/patches/no-openssl-version-check.patch
+++ b/debian/patches/no-openssl-version-check.patch
@@ -1,17 +1,26 @@
1Description: Disable OpenSSL version check 1From bc87a22e258193138419d6615c0e92e4124dbe90 Mon Sep 17 00:00:00 2001
2 OpenSSL's SONAME is sufficient nowadays. 2From: Philip Hands <phil@hands.com>
3Author: Philip Hands <phil@hands.com> 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Disable OpenSSL version check
5
6OpenSSL's SONAME is sufficient nowadays.
7
4Author: Colin Watson <cjwatson@debian.org> 8Author: Colin Watson <cjwatson@debian.org>
5Bug-Debian: http://bugs.debian.org/93581 9Bug-Debian: http://bugs.debian.org/93581
6Bug-Debian: http://bugs.debian.org/664383 10Bug-Debian: http://bugs.debian.org/664383
7Forwarded: not-needed 11Forwarded: not-needed
8Last-Update: 2013-12-23 12Last-Update: 2013-12-23
9 13
10Index: b/entropy.c 14Patch-Name: no-openssl-version-check.patch
11=================================================================== 15---
16 entropy.c | 12 ------------
17 1 file changed, 12 deletions(-)
18
19diff --git a/entropy.c b/entropy.c
20index 2d483b3..2aee2d9 100644
12--- a/entropy.c 21--- a/entropy.c
13+++ b/entropy.c 22+++ b/entropy.c
14@@ -209,18 +209,6 @@ 23@@ -209,18 +209,6 @@ seed_rng(void)
15 #ifndef OPENSSL_PRNG_ONLY 24 #ifndef OPENSSL_PRNG_ONLY
16 unsigned char buf[RANDOM_SEED_SIZE]; 25 unsigned char buf[RANDOM_SEED_SIZE];
17 #endif 26 #endif
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index d4eeee6e8..afc1fe306 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,15 +1,28 @@
1Description: Adjust various OpenBSD-specific references in manual pages 1From 98517b1b99dceff74e4a1e50d5a345f5b569ad6f Mon Sep 17 00:00:00 2001
2 No single bug reference for this patch, but history includes: 2From: Colin Watson <cjwatson@debian.org>
3 http://bugs.debian.org/154434 (login.conf(5)) 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4 http://bugs.debian.org/513417 (/etc/rc) 4Subject: Adjust various OpenBSD-specific references in manual pages
5 http://bugs.debian.org/530692 (ssl(8)) 5
6 https://bugs.launchpad.net/bugs/456660 (ssl(8)) 6No single bug reference for this patch, but history includes:
7Author: Colin Watson <cjwatson@debian.org> 7 http://bugs.debian.org/154434 (login.conf(5))
8 http://bugs.debian.org/513417 (/etc/rc)
9 http://bugs.debian.org/530692 (ssl(8))
10 https://bugs.launchpad.net/bugs/456660 (ssl(8))
11
8Forwarded: not-needed 12Forwarded: not-needed
9Last-Update: 2013-09-14 13Last-Update: 2013-09-14
10 14
11Index: b/moduli.5 15Patch-Name: openbsd-docs.patch
12=================================================================== 16---
17 moduli.5 | 4 ++--
18 ssh-keygen.1 | 12 ++++--------
19 ssh.1 | 4 ++++
20 sshd.8 | 5 ++---
21 sshd_config.5 | 3 +--
22 5 files changed, 13 insertions(+), 15 deletions(-)
23
24diff --git a/moduli.5 b/moduli.5
25index ef0de08..149846c 100644
13--- a/moduli.5 26--- a/moduli.5
14+++ b/moduli.5 27+++ b/moduli.5
15@@ -21,7 +21,7 @@ 28@@ -21,7 +21,7 @@
@@ -21,7 +34,7 @@ Index: b/moduli.5
21 file contains prime numbers and generators for use by 34 file contains prime numbers and generators for use by
22 .Xr sshd 8 35 .Xr sshd 8
23 in the Diffie-Hellman Group Exchange key exchange method. 36 in the Diffie-Hellman Group Exchange key exchange method.
24@@ -110,7 +110,7 @@ 37@@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough
25 Diffie-Hellman output to sufficiently key the selected symmetric cipher. 38 Diffie-Hellman output to sufficiently key the selected symmetric cipher.
26 .Xr sshd 8 39 .Xr sshd 8
27 then randomly selects a modulus from 40 then randomly selects a modulus from
@@ -30,11 +43,11 @@ Index: b/moduli.5
30 that best meets the size requirement. 43 that best meets the size requirement.
31 .Sh SEE ALSO 44 .Sh SEE ALSO
32 .Xr ssh-keygen 1 , 45 .Xr ssh-keygen 1 ,
33Index: b/ssh-keygen.1 46diff --git a/ssh-keygen.1 b/ssh-keygen.1
34=================================================================== 47index 144be7d..753cc62 100644
35--- a/ssh-keygen.1 48--- a/ssh-keygen.1
36+++ b/ssh-keygen.1 49+++ b/ssh-keygen.1
37@@ -171,9 +171,7 @@ 50@@ -171,9 +171,7 @@ key in
38 .Pa ~/.ssh/id_dsa 51 .Pa ~/.ssh/id_dsa
39 or 52 or
40 .Pa ~/.ssh/id_rsa . 53 .Pa ~/.ssh/id_rsa .
@@ -45,7 +58,7 @@ Index: b/ssh-keygen.1
45 .Pp 58 .Pp
46 Normally this program generates the key and asks for a file in which 59 Normally this program generates the key and asks for a file in which
47 to store the private key. 60 to store the private key.
48@@ -219,9 +217,7 @@ 61@@ -219,9 +217,7 @@ The options are as follows:
49 For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys 62 For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
50 do not exist, generate the host keys with the default key file path, 63 do not exist, generate the host keys with the default key file path,
51 an empty passphrase, default bits for the key type, and default comment. 64 an empty passphrase, default bits for the key type, and default comment.
@@ -56,7 +69,7 @@ Index: b/ssh-keygen.1
56 .It Fl a Ar trials 69 .It Fl a Ar trials
57 Specifies the number of primality tests to perform when screening DH-GEX 70 Specifies the number of primality tests to perform when screening DH-GEX
58 candidates using the 71 candidates using the
59@@ -605,7 +601,7 @@ 72@@ -605,7 +601,7 @@ option.
60 Valid generator values are 2, 3, and 5. 73 Valid generator values are 2, 3, and 5.
61 .Pp 74 .Pp
62 Screened DH groups may be installed in 75 Screened DH groups may be installed in
@@ -65,7 +78,7 @@ Index: b/ssh-keygen.1
65 It is important that this file contains moduli of a range of bit lengths and 78 It is important that this file contains moduli of a range of bit lengths and
66 that both ends of a connection share common moduli. 79 that both ends of a connection share common moduli.
67 .Sh CERTIFICATES 80 .Sh CERTIFICATES
68@@ -800,7 +796,7 @@ 81@@ -800,7 +796,7 @@ on all machines
69 where the user wishes to log in using public key authentication. 82 where the user wishes to log in using public key authentication.
70 There is no need to keep the contents of this file secret. 83 There is no need to keep the contents of this file secret.
71 .Pp 84 .Pp
@@ -74,11 +87,11 @@ Index: b/ssh-keygen.1
74 Contains Diffie-Hellman groups used for DH-GEX. 87 Contains Diffie-Hellman groups used for DH-GEX.
75 The file format is described in 88 The file format is described in
76 .Xr moduli 5 . 89 .Xr moduli 5 .
77Index: b/ssh.1 90diff --git a/ssh.1 b/ssh.1
78=================================================================== 91index 0b38ae1..b3c3924 100644
79--- a/ssh.1 92--- a/ssh.1
80+++ b/ssh.1 93+++ b/ssh.1
81@@ -756,6 +756,10 @@ 94@@ -756,6 +756,10 @@ Protocol 1 is restricted to using only RSA keys,
82 but protocol 2 may use any. 95 but protocol 2 may use any.
83 The HISTORY section of 96 The HISTORY section of
84 .Xr ssl 8 97 .Xr ssl 8
@@ -89,11 +102,11 @@ Index: b/ssh.1
89 contains a brief discussion of the DSA and RSA algorithms. 102 contains a brief discussion of the DSA and RSA algorithms.
90 .Pp 103 .Pp
91 The file 104 The file
92Index: b/sshd.8 105diff --git a/sshd.8 b/sshd.8
93=================================================================== 106index a604429..6bdd219 100644
94--- a/sshd.8 107--- a/sshd.8
95+++ b/sshd.8 108+++ b/sshd.8
96@@ -70,7 +70,7 @@ 109@@ -70,7 +70,7 @@ over an insecure network.
97 .Nm 110 .Nm
98 listens for connections from clients. 111 listens for connections from clients.
99 It is normally started at boot from 112 It is normally started at boot from
@@ -102,7 +115,7 @@ Index: b/sshd.8
102 It forks a new 115 It forks a new
103 daemon for each incoming connection. 116 daemon for each incoming connection.
104 The forked daemons handle 117 The forked daemons handle
105@@ -859,7 +859,7 @@ 118@@ -859,7 +859,7 @@ This file is for host-based authentication (see
106 .Xr ssh 1 ) . 119 .Xr ssh 1 ) .
107 It should only be writable by root. 120 It should only be writable by root.
108 .Pp 121 .Pp
@@ -111,7 +124,7 @@ Index: b/sshd.8
111 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". 124 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
112 The file format is described in 125 The file format is described in
113 .Xr moduli 5 . 126 .Xr moduli 5 .
114@@ -957,7 +957,6 @@ 127@@ -957,7 +957,6 @@ The content of this file is not sensitive; it can be world-readable.
115 .Xr ssh-vulnkey 1 , 128 .Xr ssh-vulnkey 1 ,
116 .Xr chroot 2 , 129 .Xr chroot 2 ,
117 .Xr hosts_access 5 , 130 .Xr hosts_access 5 ,
@@ -119,11 +132,11 @@ Index: b/sshd.8
119 .Xr moduli 5 , 132 .Xr moduli 5 ,
120 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
121 .Xr inetd 8 , 134 .Xr inetd 8 ,
122Index: b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
123=================================================================== 136index eaf8d01..ec4851a 100644
124--- a/sshd_config.5 137--- a/sshd_config.5
125+++ b/sshd_config.5 138+++ b/sshd_config.5
126@@ -283,8 +283,7 @@ 139@@ -283,8 +283,7 @@ This option is only available for protocol version 2.
127 By default, no banner is displayed. 140 By default, no banner is displayed.
128 .It Cm ChallengeResponseAuthentication 141 .It Cm ChallengeResponseAuthentication
129 Specifies whether challenge-response authentication is allowed (e.g. via 142 Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 392afc073..df97fa40f 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,17 +1,28 @@
1Description: Include the Debian version in our identification 1From da3ff9786c4c03b2aac4936b28f06b3c152e230d Mon Sep 17 00:00:00 2001
2 This makes it easier to audit networks for versions patched against 2From: Matthew Vernon <matthew@debian.org>
3 security vulnerabilities. It has little detrimental effect, as attackers 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4 will generally just try attacks rather than bothering to scan for 4Subject: Include the Debian version in our identification
5 vulnerable-looking version strings. (However, see debian-banner.patch.) 5
6Author: Matthew Vernon <matthew@debian.org> 6This makes it easier to audit networks for versions patched against security
7vulnerabilities. It has little detrimental effect, as attackers will
8generally just try attacks rather than bothering to scan for
9vulnerable-looking version strings. (However, see debian-banner.patch.)
10
7Forwarded: not-needed 11Forwarded: not-needed
8Last-Update: 2013-09-14 12Last-Update: 2013-09-14
9 13
10Index: b/sshconnect.c 14Patch-Name: package-versioning.patch
11=================================================================== 15---
16 sshconnect.c | 4 ++--
17 sshd.c | 2 +-
18 version.h | 7 ++++++-
19 3 files changed, 9 insertions(+), 4 deletions(-)
20
21diff --git a/sshconnect.c b/sshconnect.c
22index bda83b2..ad960fd 100644
12--- a/sshconnect.c 23--- a/sshconnect.c
13+++ b/sshconnect.c 24+++ b/sshconnect.c
14@@ -442,10 +442,10 @@ 25@@ -442,10 +442,10 @@ send_client_banner(int connection_out, int minor1)
15 /* Send our own protocol version identification. */ 26 /* Send our own protocol version identification. */
16 if (compat20) { 27 if (compat20) {
17 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", 28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -24,11 +35,11 @@ Index: b/sshconnect.c
24 } 35 }
25 if (roaming_atomicio(vwrite, connection_out, client_version_string, 36 if (roaming_atomicio(vwrite, connection_out, client_version_string,
26 strlen(client_version_string)) != strlen(client_version_string)) 37 strlen(client_version_string)) != strlen(client_version_string))
27Index: b/sshd.c 38diff --git a/sshd.c b/sshd.c
28=================================================================== 39index fbe3284..7efa7ef 100644
29--- a/sshd.c 40--- a/sshd.c
30+++ b/sshd.c 41+++ b/sshd.c
31@@ -440,7 +440,7 @@ 42@@ -440,7 +440,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
32 } 43 }
33 44
34 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 45 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -37,8 +48,8 @@ Index: b/sshd.c
37 *options.version_addendum == '\0' ? "" : " ", 48 *options.version_addendum == '\0' ? "" : " ",
38 options.version_addendum, newline); 49 options.version_addendum, newline);
39 50
40Index: b/version.h 51diff --git a/version.h b/version.h
41=================================================================== 52index 39033ed..036277d 100644
42--- a/version.h 53--- a/version.h
43+++ b/version.h 54+++ b/version.h
44@@ -3,4 +3,9 @@ 55@@ -3,4 +3,9 @@
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 32f4cfc67..5cb0146d8 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,22 +1,31 @@
1Description: Reduce severity of "Killed by signal %d" 1From da5b4ce7296ada332d70133a9ec02ba71c742b7d Mon Sep 17 00:00:00 2001
2 This produces irritating messages when using ProxyCommand or other programs 2From: Peter Samuelson <peter@p12n.org>
3 that use ssh under the covers (e.g. Subversion). These messages are more 3Date: Sun, 9 Feb 2014 16:09:55 +0000
4 normally printed by the calling program, such as the shell. 4Subject: Reduce severity of "Killed by signal %d"
5 . 5
6 According to the upstream bug, the right way to avoid this is to use the -q 6This produces irritating messages when using ProxyCommand or other programs
7 option, so we may drop this patch after further investigation into whether 7that use ssh under the covers (e.g. Subversion). These messages are more
8 any software in Debian is still relying on it. 8normally printed by the calling program, such as the shell.
9Author: Peter Samuelson <peter@p12n.org> 9
10According to the upstream bug, the right way to avoid this is to use the -q
11option, so we may drop this patch after further investigation into whether
12any software in Debian is still relying on it.
13
10Author: Colin Watson <cjwatson@debian.org> 14Author: Colin Watson <cjwatson@debian.org>
11Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118 15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1118
12Bug-Debian: http://bugs.debian.org/313371 16Bug-Debian: http://bugs.debian.org/313371
13Last-Update: 2013-09-14 17Last-Update: 2013-09-14
14 18
15Index: b/clientloop.c 19Patch-Name: quieter-signals.patch
16=================================================================== 20---
21 clientloop.c | 6 ++++--
22 1 file changed, 4 insertions(+), 2 deletions(-)
23
24diff --git a/clientloop.c b/clientloop.c
25index dc76d69..f2f474e 100644
17--- a/clientloop.c 26--- a/clientloop.c
18+++ b/clientloop.c 27+++ b/clientloop.c
19@@ -1717,8 +1717,10 @@ 28@@ -1717,8 +1717,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
20 exit_status = 0; 29 exit_status = 0;
21 } 30 }
22 31
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 239c1b599..887164beb 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,17 +1,26 @@
1Description: Adjust scp quoting in verbose mode 1From 7531f41888f9e40be95a319fb325f6f05dd50751 Mon Sep 17 00:00:00 2001
2 Tweak scp's reporting of filenames in verbose mode to be a bit less 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3 confusing with spaces. 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4 . 4Subject: Adjust scp quoting in verbose mode
5 This should be revised to mimic real shell quoting. 5
6Author: Nicolas Valcárcel <nvalcarcel@ubuntu.com> 6Tweak scp's reporting of filenames in verbose mode to be a bit less
7confusing with spaces.
8
9This should be revised to mimic real shell quoting.
10
7Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945 11Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945
8Last-Update: 2010-02-27 12Last-Update: 2010-02-27
9 13
10Index: b/scp.c 14Patch-Name: scp-quoting.patch
11=================================================================== 15---
16 scp.c | 12 ++++++++++--
17 1 file changed, 10 insertions(+), 2 deletions(-)
18
19diff --git a/scp.c b/scp.c
20index 28ded5e..b7a17ab 100644
12--- a/scp.c 21--- a/scp.c
13+++ b/scp.c 22+++ b/scp.c
14@@ -189,8 +189,16 @@ 23@@ -189,8 +189,16 @@ do_local_cmd(arglist *a)
15 24
16 if (verbose_mode) { 25 if (verbose_mode) {
17 fprintf(stderr, "Executing:"); 26 fprintf(stderr, "Executing:");
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index f3376c20a..8aa8f614e 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,17 +1,41 @@
1Description: Handle SELinux authorisation roles 1From 07f2a771c490bd68cd5c5ea9c535705e93bd94f3 Mon Sep 17 00:00:00 2001
2 Rejected upstream due to discomfort with magic usernames; a better approach 2From: Manoj Srivastava <srivasta@debian.org>
3 will need an SSH protocol change. In the meantime, this came from Debian's 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4 SELinux maintainer, so we'll keep it until we have something better. 4Subject: Handle SELinux authorisation roles
5Author: Manoj Srivastava <srivasta@debian.org> 5
6Rejected upstream due to discomfort with magic usernames; a better approach
7will need an SSH protocol change. In the meantime, this came from Debian's
8SELinux maintainer, so we'll keep it until we have something better.
9
6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
7Bug-Debian: http://bugs.debian.org/394795 11Bug-Debian: http://bugs.debian.org/394795
8Last-Update: 2013-09-14 12Last-Update: 2013-09-14
9 13
10Index: b/auth.h 14Patch-Name: selinux-role.patch
11=================================================================== 15---
16 auth.h | 1 +
17 auth1.c | 8 +++++++-
18 auth2.c | 10 ++++++++--
19 monitor.c | 32 +++++++++++++++++++++++++++++---
20 monitor.h | 2 ++
21 monitor_wrap.c | 22 ++++++++++++++++++++--
22 monitor_wrap.h | 3 ++-
23 openbsd-compat/port-linux.c | 27 ++++++++++++++++++++-------
24 openbsd-compat/port-linux.h | 4 ++--
25 platform.c | 4 ++--
26 platform.h | 2 +-
27 session.c | 10 +++++-----
28 session.h | 2 +-
29 sshd.c | 2 +-
30 sshpty.c | 4 ++--
31 sshpty.h | 2 +-
32 16 files changed, 104 insertions(+), 31 deletions(-)
33
34diff --git a/auth.h b/auth.h
35index 80f0898..5b6824f 100644
12--- a/auth.h 36--- a/auth.h
13+++ b/auth.h 37+++ b/auth.h
14@@ -59,6 +59,7 @@ 38@@ -59,6 +59,7 @@ struct Authctxt {
15 char *service; 39 char *service;
16 struct passwd *pw; /* set if 'valid' */ 40 struct passwd *pw; /* set if 'valid' */
17 char *style; 41 char *style;
@@ -19,11 +43,11 @@ Index: b/auth.h
19 void *kbdintctxt; 43 void *kbdintctxt;
20 char *info; /* Extra info for next auth_log */ 44 char *info; /* Extra info for next auth_log */
21 void *jpake_ctx; 45 void *jpake_ctx;
22Index: b/auth1.c 46diff --git a/auth1.c b/auth1.c
23=================================================================== 47index f1ac598..2803a3c 100644
24--- a/auth1.c 48--- a/auth1.c
25+++ b/auth1.c 49+++ b/auth1.c
26@@ -380,7 +380,7 @@ 50@@ -380,7 +380,7 @@ void
27 do_authentication(Authctxt *authctxt) 51 do_authentication(Authctxt *authctxt)
28 { 52 {
29 u_int ulen; 53 u_int ulen;
@@ -32,7 +56,7 @@ Index: b/auth1.c
32 56
33 /* Get the name of the user that we wish to log in as. */ 57 /* Get the name of the user that we wish to log in as. */
34 packet_read_expect(SSH_CMSG_USER); 58 packet_read_expect(SSH_CMSG_USER);
35@@ -389,11 +389,17 @@ 59@@ -389,11 +389,17 @@ do_authentication(Authctxt *authctxt)
36 user = packet_get_cstring(&ulen); 60 user = packet_get_cstring(&ulen);
37 packet_check_eom(); 61 packet_check_eom();
38 62
@@ -50,11 +74,11 @@ Index: b/auth1.c
50 74
51 /* Verify that the user is a valid user. */ 75 /* Verify that the user is a valid user. */
52 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) 76 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
53Index: b/auth2.c 77diff --git a/auth2.c b/auth2.c
54=================================================================== 78index 6ed8f04..b55bbcd 100644
55--- a/auth2.c 79--- a/auth2.c
56+++ b/auth2.c 80+++ b/auth2.c
57@@ -222,7 +222,7 @@ 81@@ -222,7 +222,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
58 { 82 {
59 Authctxt *authctxt = ctxt; 83 Authctxt *authctxt = ctxt;
60 Authmethod *m = NULL; 84 Authmethod *m = NULL;
@@ -63,7 +87,7 @@ Index: b/auth2.c
63 int authenticated = 0; 87 int authenticated = 0;
64 88
65 if (authctxt == NULL) 89 if (authctxt == NULL)
66@@ -234,8 +234,13 @@ 90@@ -234,8 +234,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
67 debug("userauth-request for user %s service %s method %s", user, service, method); 91 debug("userauth-request for user %s service %s method %s", user, service, method);
68 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 92 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
69 93
@@ -77,7 +101,7 @@ Index: b/auth2.c
77 101
78 if (authctxt->attempt++ == 0) { 102 if (authctxt->attempt++ == 0) {
79 /* setup auth context */ 103 /* setup auth context */
80@@ -259,8 +264,9 @@ 104@@ -259,8 +264,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
81 use_privsep ? " [net]" : ""); 105 use_privsep ? " [net]" : "");
82 authctxt->service = xstrdup(service); 106 authctxt->service = xstrdup(service);
83 authctxt->style = style ? xstrdup(style) : NULL; 107 authctxt->style = style ? xstrdup(style) : NULL;
@@ -88,11 +112,11 @@ Index: b/auth2.c
88 userauth_banner(); 112 userauth_banner();
89 if (auth2_setup_methods_lists(authctxt) != 0) 113 if (auth2_setup_methods_lists(authctxt) != 0)
90 packet_disconnect("no authentication methods enabled"); 114 packet_disconnect("no authentication methods enabled");
91Index: b/monitor.c 115diff --git a/monitor.c b/monitor.c
92=================================================================== 116index 9079c97..e8d63eb 100644
93--- a/monitor.c 117--- a/monitor.c
94+++ b/monitor.c 118+++ b/monitor.c
95@@ -146,6 +146,7 @@ 119@@ -146,6 +146,7 @@ int mm_answer_sign(int, Buffer *);
96 int mm_answer_pwnamallow(int, Buffer *); 120 int mm_answer_pwnamallow(int, Buffer *);
97 int mm_answer_auth2_read_banner(int, Buffer *); 121 int mm_answer_auth2_read_banner(int, Buffer *);
98 int mm_answer_authserv(int, Buffer *); 122 int mm_answer_authserv(int, Buffer *);
@@ -100,7 +124,7 @@ Index: b/monitor.c
100 int mm_answer_authpassword(int, Buffer *); 124 int mm_answer_authpassword(int, Buffer *);
101 int mm_answer_bsdauthquery(int, Buffer *); 125 int mm_answer_bsdauthquery(int, Buffer *);
102 int mm_answer_bsdauthrespond(int, Buffer *); 126 int mm_answer_bsdauthrespond(int, Buffer *);
103@@ -227,6 +228,7 @@ 127@@ -227,6 +228,7 @@ struct mon_table mon_dispatch_proto20[] = {
104 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 128 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
105 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 129 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
106 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 130 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -108,7 +132,7 @@ Index: b/monitor.c
108 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 132 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
109 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 133 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
110 #ifdef USE_PAM 134 #ifdef USE_PAM
111@@ -844,6 +846,7 @@ 135@@ -844,6 +846,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
112 else { 136 else {
113 /* Allow service/style information on the auth context */ 137 /* Allow service/style information on the auth context */
114 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 138 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -116,7 +140,7 @@ Index: b/monitor.c
116 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 140 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
117 } 141 }
118 #ifdef USE_PAM 142 #ifdef USE_PAM
119@@ -874,14 +877,37 @@ 143@@ -874,14 +877,37 @@ mm_answer_authserv(int sock, Buffer *m)
120 144
121 authctxt->service = buffer_get_string(m, NULL); 145 authctxt->service = buffer_get_string(m, NULL);
122 authctxt->style = buffer_get_string(m, NULL); 146 authctxt->style = buffer_get_string(m, NULL);
@@ -156,7 +180,7 @@ Index: b/monitor.c
156 return (0); 180 return (0);
157 } 181 }
158 182
159@@ -1486,7 +1512,7 @@ 183@@ -1486,7 +1512,7 @@ mm_answer_pty(int sock, Buffer *m)
160 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 184 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
161 if (res == 0) 185 if (res == 0)
162 goto error; 186 goto error;
@@ -165,11 +189,11 @@ Index: b/monitor.c
165 189
166 buffer_put_int(m, 1); 190 buffer_put_int(m, 1);
167 buffer_put_cstring(m, s->tty); 191 buffer_put_cstring(m, s->tty);
168Index: b/monitor.h 192diff --git a/monitor.h b/monitor.h
169=================================================================== 193index 315ef99..3c13706 100644
170--- a/monitor.h 194--- a/monitor.h
171+++ b/monitor.h 195+++ b/monitor.h
172@@ -73,6 +73,8 @@ 196@@ -73,6 +73,8 @@ enum monitor_reqtype {
173 MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151, 197 MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
174 MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153, 198 MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
175 199
@@ -178,11 +202,11 @@ Index: b/monitor.h
178 }; 202 };
179 203
180 struct mm_master; 204 struct mm_master;
181Index: b/monitor_wrap.c 205diff --git a/monitor_wrap.c b/monitor_wrap.c
182=================================================================== 206index 44019f3..69bc324 100644
183--- a/monitor_wrap.c 207--- a/monitor_wrap.c
184+++ b/monitor_wrap.c 208+++ b/monitor_wrap.c
185@@ -320,10 +320,10 @@ 209@@ -320,10 +320,10 @@ mm_auth2_read_banner(void)
186 return (banner); 210 return (banner);
187 } 211 }
188 212
@@ -195,7 +219,7 @@ Index: b/monitor_wrap.c
195 { 219 {
196 Buffer m; 220 Buffer m;
197 221
198@@ -332,11 +332,29 @@ 222@@ -332,12 +332,30 @@ mm_inform_authserv(char *service, char *style)
199 buffer_init(&m); 223 buffer_init(&m);
200 buffer_put_cstring(&m, service); 224 buffer_put_cstring(&m, service);
201 buffer_put_cstring(&m, style ? style : ""); 225 buffer_put_cstring(&m, style ? style : "");
@@ -205,7 +229,7 @@ Index: b/monitor_wrap.c
205 229
206 buffer_free(&m); 230 buffer_free(&m);
207 } 231 }
208+ 232
209+/* Inform the privileged process about role */ 233+/* Inform the privileged process about role */
210+ 234+
211+void 235+void
@@ -222,14 +246,15 @@ Index: b/monitor_wrap.c
222+ 246+
223+ buffer_free(&m); 247+ buffer_free(&m);
224+} 248+}
225 249+
226 /* Do the password authentication */ 250 /* Do the password authentication */
227 int 251 int
228Index: b/monitor_wrap.h 252 mm_auth_password(Authctxt *authctxt, char *password)
229=================================================================== 253diff --git a/monitor_wrap.h b/monitor_wrap.h
254index ec9b9b1..4d12e29 100644
230--- a/monitor_wrap.h 255--- a/monitor_wrap.h
231+++ b/monitor_wrap.h 256+++ b/monitor_wrap.h
232@@ -41,7 +41,8 @@ 257@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *);
233 int mm_is_monitor(void); 258 int mm_is_monitor(void);
234 DH *mm_choose_dh(int, int, int); 259 DH *mm_choose_dh(int, int, int);
235 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); 260 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@@ -239,8 +264,8 @@ Index: b/monitor_wrap.h
239 struct passwd *mm_getpwnamallow(const char *); 264 struct passwd *mm_getpwnamallow(const char *);
240 char *mm_auth2_read_banner(void); 265 char *mm_auth2_read_banner(void);
241 int mm_auth_password(struct Authctxt *, char *); 266 int mm_auth_password(struct Authctxt *, char *);
242Index: b/openbsd-compat/port-linux.c 267diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
243=================================================================== 268index 4637a7a..de6ad3f 100644
244--- a/openbsd-compat/port-linux.c 269--- a/openbsd-compat/port-linux.c
245+++ b/openbsd-compat/port-linux.c 270+++ b/openbsd-compat/port-linux.c
246@@ -29,6 +29,12 @@ 271@@ -29,6 +29,12 @@
@@ -256,7 +281,7 @@ Index: b/openbsd-compat/port-linux.c
256 #include "log.h" 281 #include "log.h"
257 #include "xmalloc.h" 282 #include "xmalloc.h"
258 #include "port-linux.h" 283 #include "port-linux.h"
259@@ -58,7 +64,7 @@ 284@@ -58,7 +64,7 @@ ssh_selinux_enabled(void)
260 285
261 /* Return the default security context for the given username */ 286 /* Return the default security context for the given username */
262 static security_context_t 287 static security_context_t
@@ -265,7 +290,7 @@ Index: b/openbsd-compat/port-linux.c
265 { 290 {
266 security_context_t sc = NULL; 291 security_context_t sc = NULL;
267 char *sename = NULL, *lvl = NULL; 292 char *sename = NULL, *lvl = NULL;
268@@ -73,9 +79,16 @@ 293@@ -73,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname)
269 #endif 294 #endif
270 295
271 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL 296 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@@ -284,7 +309,7 @@ Index: b/openbsd-compat/port-linux.c
284 #endif 309 #endif
285 310
286 if (r != 0) { 311 if (r != 0) {
287@@ -105,7 +118,7 @@ 312@@ -105,7 +118,7 @@ ssh_selinux_getctxbyname(char *pwname)
288 313
289 /* Set the execution context to the default for the specified user */ 314 /* Set the execution context to the default for the specified user */
290 void 315 void
@@ -293,7 +318,7 @@ Index: b/openbsd-compat/port-linux.c
293 { 318 {
294 security_context_t user_ctx = NULL; 319 security_context_t user_ctx = NULL;
295 320
296@@ -114,7 +127,7 @@ 321@@ -114,7 +127,7 @@ ssh_selinux_setup_exec_context(char *pwname)
297 322
298 debug3("%s: setting execution context", __func__); 323 debug3("%s: setting execution context", __func__);
299 324
@@ -302,7 +327,7 @@ Index: b/openbsd-compat/port-linux.c
302 if (setexeccon(user_ctx) != 0) { 327 if (setexeccon(user_ctx) != 0) {
303 switch (security_getenforce()) { 328 switch (security_getenforce()) {
304 case -1: 329 case -1:
305@@ -136,7 +149,7 @@ 330@@ -136,7 +149,7 @@ ssh_selinux_setup_exec_context(char *pwname)
306 331
307 /* Set the TTY context for the specified user */ 332 /* Set the TTY context for the specified user */
308 void 333 void
@@ -311,7 +336,7 @@ Index: b/openbsd-compat/port-linux.c
311 { 336 {
312 security_context_t new_tty_ctx = NULL; 337 security_context_t new_tty_ctx = NULL;
313 security_context_t user_ctx = NULL; 338 security_context_t user_ctx = NULL;
314@@ -147,7 +160,7 @@ 339@@ -147,7 +160,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
315 340
316 debug3("%s: setting TTY context on %s", __func__, tty); 341 debug3("%s: setting TTY context on %s", __func__, tty);
317 342
@@ -320,8 +345,8 @@ Index: b/openbsd-compat/port-linux.c
320 345
321 /* XXX: should these calls fatal() upon failure in enforcing mode? */ 346 /* XXX: should these calls fatal() upon failure in enforcing mode? */
322 347
323Index: b/openbsd-compat/port-linux.h 348diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
324=================================================================== 349index e3d1004..80ce13a 100644
325--- a/openbsd-compat/port-linux.h 350--- a/openbsd-compat/port-linux.h
326+++ b/openbsd-compat/port-linux.h 351+++ b/openbsd-compat/port-linux.h
327@@ -21,8 +21,8 @@ 352@@ -21,8 +21,8 @@
@@ -335,11 +360,11 @@ Index: b/openbsd-compat/port-linux.h
335 void ssh_selinux_change_context(const char *); 360 void ssh_selinux_change_context(const char *);
336 void ssh_selinux_setfscreatecon(const char *); 361 void ssh_selinux_setfscreatecon(const char *);
337 #endif 362 #endif
338Index: b/platform.c 363diff --git a/platform.c b/platform.c
339=================================================================== 364index 3262b24..a962f15 100644
340--- a/platform.c 365--- a/platform.c
341+++ b/platform.c 366+++ b/platform.c
342@@ -134,7 +134,7 @@ 367@@ -134,7 +134,7 @@ platform_setusercontext(struct passwd *pw)
343 * called if sshd is running as root. 368 * called if sshd is running as root.
344 */ 369 */
345 void 370 void
@@ -348,7 +373,7 @@ Index: b/platform.c
348 { 373 {
349 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) 374 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
350 /* 375 /*
351@@ -181,7 +181,7 @@ 376@@ -181,7 +181,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
352 } 377 }
353 #endif /* HAVE_SETPCRED */ 378 #endif /* HAVE_SETPCRED */
354 #ifdef WITH_SELINUX 379 #ifdef WITH_SELINUX
@@ -357,11 +382,11 @@ Index: b/platform.c
357 #endif 382 #endif
358 } 383 }
359 384
360Index: b/platform.h 385diff --git a/platform.h b/platform.h
361=================================================================== 386index 19f6bfd..3188a3d 100644
362--- a/platform.h 387--- a/platform.h
363+++ b/platform.h 388+++ b/platform.h
364@@ -26,7 +26,7 @@ 389@@ -26,7 +26,7 @@ void platform_post_fork_parent(pid_t child_pid);
365 void platform_post_fork_child(void); 390 void platform_post_fork_child(void);
366 int platform_privileged_uidswap(void); 391 int platform_privileged_uidswap(void);
367 void platform_setusercontext(struct passwd *); 392 void platform_setusercontext(struct passwd *);
@@ -370,11 +395,11 @@ Index: b/platform.h
370 char *platform_get_krb5_client(const char *); 395 char *platform_get_krb5_client(const char *);
371 char *platform_krb5_get_principal_name(const char *); 396 char *platform_krb5_get_principal_name(const char *);
372 int platform_sys_dir_uid(uid_t); 397 int platform_sys_dir_uid(uid_t);
373Index: b/session.c 398diff --git a/session.c b/session.c
374=================================================================== 399index d4b57bd..b4d74d9 100644
375--- a/session.c 400--- a/session.c
376+++ b/session.c 401+++ b/session.c
377@@ -1474,7 +1474,7 @@ 402@@ -1474,7 +1474,7 @@ safely_chroot(const char *path, uid_t uid)
378 403
379 /* Set login name, uid, gid, and groups. */ 404 /* Set login name, uid, gid, and groups. */
380 void 405 void
@@ -383,7 +408,7 @@ Index: b/session.c
383 { 408 {
384 char *chroot_path, *tmp; 409 char *chroot_path, *tmp;
385 410
386@@ -1502,7 +1502,7 @@ 411@@ -1502,7 +1502,7 @@ do_setusercontext(struct passwd *pw)
387 endgrent(); 412 endgrent();
388 #endif 413 #endif
389 414
@@ -392,7 +417,7 @@ Index: b/session.c
392 417
393 if (options.chroot_directory != NULL && 418 if (options.chroot_directory != NULL &&
394 strcasecmp(options.chroot_directory, "none") != 0) { 419 strcasecmp(options.chroot_directory, "none") != 0) {
395@@ -1646,7 +1646,7 @@ 420@@ -1646,7 +1646,7 @@ do_child(Session *s, const char *command)
396 421
397 /* Force a password change */ 422 /* Force a password change */
398 if (s->authctxt->force_pwchange) { 423 if (s->authctxt->force_pwchange) {
@@ -401,7 +426,7 @@ Index: b/session.c
401 child_close_fds(); 426 child_close_fds();
402 do_pwchange(s); 427 do_pwchange(s);
403 exit(1); 428 exit(1);
404@@ -1673,7 +1673,7 @@ 429@@ -1673,7 +1673,7 @@ do_child(Session *s, const char *command)
405 /* When PAM is enabled we rely on it to do the nologin check */ 430 /* When PAM is enabled we rely on it to do the nologin check */
406 if (!options.use_pam) 431 if (!options.use_pam)
407 do_nologin(pw); 432 do_nologin(pw);
@@ -410,7 +435,7 @@ Index: b/session.c
410 /* 435 /*
411 * PAM session modules in do_setusercontext may have 436 * PAM session modules in do_setusercontext may have
412 * generated messages, so if this in an interactive 437 * generated messages, so if this in an interactive
413@@ -2084,7 +2084,7 @@ 438@@ -2084,7 +2084,7 @@ session_pty_req(Session *s)
414 tty_parse_modes(s->ttyfd, &n_bytes); 439 tty_parse_modes(s->ttyfd, &n_bytes);
415 440
416 if (!use_privsep) 441 if (!use_privsep)
@@ -419,11 +444,11 @@ Index: b/session.c
419 444
420 /* Set window size from the packet. */ 445 /* Set window size from the packet. */
421 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); 446 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
422Index: b/session.h 447diff --git a/session.h b/session.h
423=================================================================== 448index cbb8e3a..cb4f196 100644
424--- a/session.h 449--- a/session.h
425+++ b/session.h 450+++ b/session.h
426@@ -76,7 +76,7 @@ 451@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *);
427 Session *session_new(void); 452 Session *session_new(void);
428 Session *session_by_tty(char *); 453 Session *session_by_tty(char *);
429 void session_close(Session *); 454 void session_close(Session *);
@@ -432,11 +457,11 @@ Index: b/session.h
432 void child_set_env(char ***envp, u_int *envsizep, const char *name, 457 void child_set_env(char ***envp, u_int *envsizep, const char *name,
433 const char *value); 458 const char *value);
434 459
435Index: b/sshd.c 460diff --git a/sshd.c b/sshd.c
436=================================================================== 461index 4eddeb8..e5c9835 100644
437--- a/sshd.c 462--- a/sshd.c
438+++ b/sshd.c 463+++ b/sshd.c
439@@ -753,7 +753,7 @@ 464@@ -753,7 +753,7 @@ privsep_postauth(Authctxt *authctxt)
440 RAND_seed(rnd, sizeof(rnd)); 465 RAND_seed(rnd, sizeof(rnd));
441 466
442 /* Drop privileges */ 467 /* Drop privileges */
@@ -445,11 +470,11 @@ Index: b/sshd.c
445 470
446 skip: 471 skip:
447 /* It is safe now to apply the key state */ 472 /* It is safe now to apply the key state */
448Index: b/sshpty.c 473diff --git a/sshpty.c b/sshpty.c
449=================================================================== 474index bbbc0fe..8cc26a2 100644
450--- a/sshpty.c 475--- a/sshpty.c
451+++ b/sshpty.c 476+++ b/sshpty.c
452@@ -200,7 +200,7 @@ 477@@ -200,7 +200,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
453 } 478 }
454 479
455 void 480 void
@@ -458,7 +483,7 @@ Index: b/sshpty.c
458 { 483 {
459 struct group *grp; 484 struct group *grp;
460 gid_t gid; 485 gid_t gid;
461@@ -227,7 +227,7 @@ 486@@ -227,7 +227,7 @@ pty_setowner(struct passwd *pw, const char *tty)
462 strerror(errno)); 487 strerror(errno));
463 488
464 #ifdef WITH_SELINUX 489 #ifdef WITH_SELINUX
@@ -467,11 +492,11 @@ Index: b/sshpty.c
467 #endif 492 #endif
468 493
469 if (st.st_uid != pw->pw_uid || st.st_gid != gid) { 494 if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
470Index: b/sshpty.h 495diff --git a/sshpty.h b/sshpty.h
471=================================================================== 496index cfa3224..edf2436 100644
472--- a/sshpty.h 497--- a/sshpty.h
473+++ b/sshpty.h 498+++ b/sshpty.h
474@@ -24,4 +24,4 @@ 499@@ -24,4 +24,4 @@ int pty_allocate(int *, int *, char *, size_t);
475 void pty_release(const char *); 500 void pty_release(const char *);
476 void pty_make_controlling_tty(int *, const char *); 501 void pty_make_controlling_tty(int *, const char *);
477 void pty_change_window_size(int, u_int, u_int, u_int, u_int); 502 void pty_change_window_size(int, u_int, u_int, u_int, u_int);
diff --git a/debian/patches/series b/debian/patches/series
index 4d2080a37..ced2bbd1e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,48 +1,27 @@
1# GSSAPI
2gssapi.patch 1gssapi.patch
3
4# SELinux
5selinux-role.patch 2selinux-role.patch
6
7# Key blacklisting
8ssh-vulnkey.patch 3ssh-vulnkey.patch
9
10# Keepalive handling
11ssh1-keepalive.patch 4ssh1-keepalive.patch
12keepalive-extensions.patch 5keepalive-extensions.patch
13
14# Message adjustments
15syslog-level-silent.patch 6syslog-level-silent.patch
16quieter-signals.patch 7quieter-signals.patch
17helpful-wait-terminate.patch 8helpful-wait-terminate.patch
18
19# ConsoleKit
20consolekit.patch 9consolekit.patch
21
22# Miscellaneous bug fixes
23user-group-modes.patch 10user-group-modes.patch
24scp-quoting.patch 11scp-quoting.patch
25shell-path.patch 12shell-path.patch
26dnssec-sshfp.patch 13dnssec-sshfp.patch
27auth-log-verbosity.patch 14auth-log-verbosity.patch
28mention-ssh-keygen-on-keychange.patch 15mention-ssh-keygen-on-keychange.patch
29
30# Versioning
31package-versioning.patch 16package-versioning.patch
32debian-banner.patch 17debian-banner.patch
33
34# File system layout
35authorized-keys-man-symlink.patch 18authorized-keys-man-symlink.patch
36lintian-symlink-pickiness.patch 19lintian-symlink-pickiness.patch
37
38# Documentation
39openbsd-docs.patch 20openbsd-docs.patch
40ssh-argv0.patch 21ssh-argv0.patch
41doc-hash-tab-completion.patch 22doc-hash-tab-completion.patch
42doc-upstart.patch 23doc-upstart.patch
43ssh-agent-setgid.patch 24ssh-agent-setgid.patch
44
45# Debian-specific configuration
46no-openssl-version-check.patch 25no-openssl-version-check.patch
47gnome-ssh-askpass2-icon.patch 26gnome-ssh-askpass2-icon.patch
48sigstop.patch 27sigstop.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index a1c6efc8d..8f09b936a 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,16 +1,25 @@
1Description: Look for $SHELL on the path for ProxyCommand/LocalCommand 1From b5f3be892e6d7150e7885133228fd03af69a11bc Mon Sep 17 00:00:00 2001
2 There's some debate on the upstream bug about whether POSIX requires this. 2From: Colin Watson <cjwatson@debian.org>
3 I (Colin Watson) agree with Vincent and think it does. 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Author: Colin Watson <cjwatson@debian.org> 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
5
6There's some debate on the upstream bug about whether POSIX requires this.
7I (Colin Watson) agree with Vincent and think it does.
8
5Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 9Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
6Bug-Debian: http://bugs.debian.org/492728 10Bug-Debian: http://bugs.debian.org/492728
7Last-Update: 2013-09-14 11Last-Update: 2013-09-14
8 12
9Index: b/sshconnect.c 13Patch-Name: shell-path.patch
10=================================================================== 14---
15 sshconnect.c | 4 ++--
16 1 file changed, 2 insertions(+), 2 deletions(-)
17
18diff --git a/sshconnect.c b/sshconnect.c
19index 483eb85..91fd59a 100644
11--- a/sshconnect.c 20--- a/sshconnect.c
12+++ b/sshconnect.c 21+++ b/sshconnect.c
13@@ -151,7 +151,7 @@ 22@@ -151,7 +151,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
14 /* Execute the proxy command. Note that we gave up any 23 /* Execute the proxy command. Note that we gave up any
15 extra privileges above. */ 24 extra privileges above. */
16 signal(SIGPIPE, SIG_DFL); 25 signal(SIGPIPE, SIG_DFL);
@@ -19,7 +28,7 @@ Index: b/sshconnect.c
19 perror(argv[0]); 28 perror(argv[0]);
20 exit(1); 29 exit(1);
21 } 30 }
22@@ -1298,7 +1298,7 @@ 31@@ -1298,7 +1298,7 @@ ssh_local_cmd(const char *args)
23 if (pid == 0) { 32 if (pid == 0) {
24 signal(SIGPIPE, SIG_DFL); 33 signal(SIGPIPE, SIG_DFL);
25 debug3("Executing %s -c \"%s\"", shell, args); 34 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 3311a797c..febcbc86a 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,13 +1,21 @@
1Description: Support synchronisation with service supervisor using SIGSTOP 1From 6fba9b85d3529fd3e1ca03dff3e457f04b3e39dd Mon Sep 17 00:00:00 2001
2Author: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:17 +0000
4Subject: Support synchronisation with service supervisor using SIGSTOP
5
3Forwarded: no 6Forwarded: no
4Last-Update: 2013-09-14 7Last-Update: 2013-09-14
5 8
6Index: b/sshd.c 9Patch-Name: sigstop.patch
7=================================================================== 10---
11 sshd.c | 4 ++++
12 1 file changed, 4 insertions(+)
13
14diff --git a/sshd.c b/sshd.c
15index 6b988fe..72e9eaf 100644
8--- a/sshd.c 16--- a/sshd.c
9+++ b/sshd.c 17+++ b/sshd.c
10@@ -1914,6 +1914,10 @@ 18@@ -1914,6 +1914,10 @@ main(int ac, char **av)
11 } 19 }
12 } 20 }
13 21
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 7e909a165..3760e8c14 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,14 +1,22 @@
1Description: Document consequences of ssh-agent being setgid in ssh-agent(1) 1From 92a81c0caf44c15d3a07cf1f36470ca05c11ff1e Mon Sep 17 00:00:00 2001
2Author: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
5
3Bug-Debian: http://bugs.debian.org/711623 6Bug-Debian: http://bugs.debian.org/711623
4Forwarded: no 7Forwarded: no
5Last-Update: 2013-06-08 8Last-Update: 2013-06-08
6 9
7Index: b/ssh-agent.1 10Patch-Name: ssh-agent-setgid.patch
8=================================================================== 11---
12 ssh-agent.1 | 15 +++++++++++++++
13 1 file changed, 15 insertions(+)
14
15diff --git a/ssh-agent.1 b/ssh-agent.1
16index bb801c9..d370531 100644
9--- a/ssh-agent.1 17--- a/ssh-agent.1
10+++ b/ssh-agent.1 18+++ b/ssh-agent.1
11@@ -182,6 +182,21 @@ 19@@ -182,6 +182,21 @@ environment variable holds the agent's process ID.
12 .Pp 20 .Pp
13 The agent exits automatically when the command given on the command 21 The agent exits automatically when the command given on the command
14 line terminates. 22 line terminates.
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 28d144221..b15f251ef 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,17 +1,27 @@
1Description: ssh(1): Refer to ssh-argv0(1) 1From b339802cbe8c304541273029a1c9c3c639725643 Mon Sep 17 00:00:00 2001
2 Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating 2From: Colin Watson <cjwatson@debian.org>
3 symlinks to ssh with the name of the host you want to connect to. Debian 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4 ships an ssh-argv0 script restoring this feature; this patch refers to its 4Subject: ssh(1): Refer to ssh-argv0(1)
5 manual page from ssh(1). 5
6Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
7to ssh with the name of the host you want to connect to. Debian ships an
8ssh-argv0 script restoring this feature; this patch refers to its manual
9page from ssh(1).
10
6Bug-Debian: http://bugs.debian.org/111341 11Bug-Debian: http://bugs.debian.org/111341
7Forwarded: not-needed 12Forwarded: not-needed
8Last-Update: 2013-09-14 13Last-Update: 2013-09-14
9 14
10Index: b/ssh.1 15Patch-Name: ssh-argv0.patch
11=================================================================== 16---
17 ssh.1 | 1 +
18 1 file changed, 1 insertion(+)
19
20diff --git a/ssh.1 b/ssh.1
21index b3c3924..c0cc12f 100644
12--- a/ssh.1 22--- a/ssh.1
13+++ b/ssh.1 23+++ b/ssh.1
14@@ -1451,6 +1451,7 @@ 24@@ -1451,6 +1451,7 @@ if an error occurred.
15 .Xr sftp 1 , 25 .Xr sftp 1 ,
16 .Xr ssh-add 1 , 26 .Xr ssh-add 1 ,
17 .Xr ssh-agent 1 , 27 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index a1e8c20f9..ae262083d 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -1,20 +1,56 @@
1Description: Reject vulnerable keys to mitigate Debian OpenSSL flaw 1From 8909ff0e3cd07d1b042d1be1c8b8828dbf6c9a83 Mon Sep 17 00:00:00 2001
2 In 2008, Debian (and derived distributions such as Ubuntu) shipped an 2From: Colin Watson <cjwatson@ubuntu.com>
3 OpenSSL package with a flawed random number generator, causing OpenSSH to 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4 generate only a very limited set of keys which were subject to private half 4Subject: Reject vulnerable keys to mitigate Debian OpenSSL flaw
5 precomputation. To mitigate this, this patch checks key authentications 5
6 against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey 6In 2008, Debian (and derived distributions such as Ubuntu) shipped an
7 program which can be used to explicitly check keys against that blacklist. 7OpenSSL package with a flawed random number generator, causing OpenSSH to
8 See CVE-2008-0166. 8generate only a very limited set of keys which were subject to private half
9Author: Colin Watson <cjwatson@ubuntu.com> 9precomputation. To mitigate this, this patch checks key authentications
10against a blacklist of known-vulnerable keys, and adds a new ssh-vulnkey
11program which can be used to explicitly check keys against that blacklist.
12See CVE-2008-0166.
13
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469 14Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1469
11Last-Update: 2013-09-14 15Last-Update: 2013-09-14
12 16
13Index: b/Makefile.in 17Patch-Name: ssh-vulnkey.patch
14=================================================================== 18---
19 Makefile.in | 17 ++-
20 auth-rh-rsa.c | 2 +-
21 auth-rsa.c | 2 +-
22 auth.c | 27 +++-
23 auth.h | 2 +-
24 auth2-hostbased.c | 2 +-
25 auth2-pubkey.c | 5 +-
26 authfile.c | 136 +++++++++++++++++++
27 authfile.h | 2 +
28 pathnames.h | 7 +
29 readconf.c | 9 ++
30 readconf.h | 1 +
31 servconf.c | 11 +-
32 servconf.h | 1 +
33 ssh-add.1 | 5 +
34 ssh-add.c | 10 +-
35 ssh-keygen.1 | 1 +
36 ssh-vulnkey.1 | 242 ++++++++++++++++++++++++++++++++++
37 ssh-vulnkey.c | 386 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
38 ssh.1 | 1 +
39 ssh.c | 18 ++-
40 ssh_config.5 | 17 +++
41 sshconnect2.c | 4 +-
42 sshd.8 | 1 +
43 sshd.c | 5 +
44 sshd_config.5 | 14 ++
45 26 files changed, 913 insertions(+), 15 deletions(-)
46 create mode 100644 ssh-vulnkey.1
47 create mode 100644 ssh-vulnkey.c
48
49diff --git a/Makefile.in b/Makefile.in
50index f979926..b8f5099 100644
15--- a/Makefile.in 51--- a/Makefile.in
16+++ b/Makefile.in 52+++ b/Makefile.in
17@@ -26,6 +26,7 @@ 53@@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
18 SFTP_SERVER=$(libexecdir)/sftp-server 54 SFTP_SERVER=$(libexecdir)/sftp-server
19 SSH_KEYSIGN=$(libexecdir)/ssh-keysign 55 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
20 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper 56 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@@ -22,7 +58,7 @@ Index: b/Makefile.in
22 PRIVSEP_PATH=@PRIVSEP_PATH@ 58 PRIVSEP_PATH=@PRIVSEP_PATH@
23 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ 59 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
24 STRIP_OPT=@STRIP_OPT@ 60 STRIP_OPT=@STRIP_OPT@
25@@ -37,7 +38,8 @@ 61@@ -37,7 +38,8 @@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \
26 -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \ 62 -D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
27 -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ 63 -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
28 -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ 64 -D_PATH_SSH_PIDDIR=\"$(piddir)\" \
@@ -32,7 +68,7 @@ Index: b/Makefile.in
32 68
33 CC=@CC@ 69 CC=@CC@
34 LD=@LD@ 70 LD=@LD@
35@@ -61,7 +63,7 @@ 71@@ -61,7 +63,7 @@ LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
36 EXEEXT=@EXEEXT@ 72 EXEEXT=@EXEEXT@
37 MANFMT=@MANFMT@ 73 MANFMT=@MANFMT@
38 74
@@ -41,7 +77,7 @@ Index: b/Makefile.in
41 77
42 LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ 78 LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
43 canohost.o channels.o cipher.o cipher-aes.o \ 79 canohost.o channels.o cipher.o cipher-aes.o \
44@@ -96,8 +98,8 @@ 80@@ -96,8 +98,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
45 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 81 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
46 sandbox-seccomp-filter.o 82 sandbox-seccomp-filter.o
47 83
@@ -52,7 +88,7 @@ Index: b/Makefile.in
52 MANTYPE = @MANTYPE@ 88 MANTYPE = @MANTYPE@
53 89
54 CONFIGFILES=sshd_config.out ssh_config.out moduli.out 90 CONFIGFILES=sshd_config.out ssh_config.out moduli.out
55@@ -176,6 +178,9 @@ 91@@ -176,6 +178,9 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o s
56 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o 92 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
57 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) 93 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
58 94
@@ -62,7 +98,7 @@ Index: b/Makefile.in
62 # test driver for the loginrec code - not built by default 98 # test driver for the loginrec code - not built by default
63 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o 99 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
64 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) 100 $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
65@@ -272,6 +277,7 @@ 101@@ -272,6 +277,7 @@ install-files:
66 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) 102 $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
67 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) 103 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
68 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 104 $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -70,7 +106,7 @@ Index: b/Makefile.in
70 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 106 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
71 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 107 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
72 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 108 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
73@@ -286,6 +292,7 @@ 109@@ -286,6 +292,7 @@ install-files:
74 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 110 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
75 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 111 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
76 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 112 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -78,7 +114,7 @@ Index: b/Makefile.in
78 -rm -f $(DESTDIR)$(bindir)/slogin 114 -rm -f $(DESTDIR)$(bindir)/slogin
79 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin 115 ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
80 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 116 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
81@@ -367,6 +374,7 @@ 117@@ -367,6 +374,7 @@ uninstall:
82 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) 118 -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
83 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) 119 -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
84 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) 120 -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
@@ -86,7 +122,7 @@ Index: b/Makefile.in
86 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) 122 -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
87 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) 123 -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
88 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 124 -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
89@@ -379,6 +387,7 @@ 125@@ -379,6 +387,7 @@ uninstall:
90 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 126 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
91 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 127 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
92 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 128 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
@@ -94,11 +130,11 @@ Index: b/Makefile.in
94 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 130 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
95 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 131 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
96 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 132 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
97Index: b/auth-rh-rsa.c 133diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
98=================================================================== 134index b21a0f4..891ec32 100644
99--- a/auth-rh-rsa.c 135--- a/auth-rh-rsa.c
100+++ b/auth-rh-rsa.c 136+++ b/auth-rh-rsa.c
101@@ -44,7 +44,7 @@ 137@@ -44,7 +44,7 @@ auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
102 { 138 {
103 HostStatus host_status; 139 HostStatus host_status;
104 140
@@ -107,11 +143,11 @@ Index: b/auth-rh-rsa.c
107 return 0; 143 return 0;
108 144
109 /* Check if we would accept it using rhosts authentication. */ 145 /* Check if we would accept it using rhosts authentication. */
110Index: b/auth-rsa.c 146diff --git a/auth-rsa.c b/auth-rsa.c
111=================================================================== 147index 545aa49..6ed152c 100644
112--- a/auth-rsa.c 148--- a/auth-rsa.c
113+++ b/auth-rsa.c 149+++ b/auth-rsa.c
114@@ -237,7 +237,7 @@ 150@@ -237,7 +237,7 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
115 free(fp); 151 free(fp);
116 152
117 /* Never accept a revoked key */ 153 /* Never accept a revoked key */
@@ -120,8 +156,8 @@ Index: b/auth-rsa.c
120 break; 156 break;
121 157
122 /* We have found the desired key. */ 158 /* We have found the desired key. */
123Index: b/auth.c 159diff --git a/auth.c b/auth.c
124=================================================================== 160index 9a36f1d..6662e9a 100644
125--- a/auth.c 161--- a/auth.c
126+++ b/auth.c 162+++ b/auth.c
127@@ -59,6 +59,7 @@ 163@@ -59,6 +59,7 @@
@@ -132,7 +168,7 @@ Index: b/auth.c
132 #include "auth.h" 168 #include "auth.h"
133 #include "auth-options.h" 169 #include "auth-options.h"
134 #include "canohost.h" 170 #include "canohost.h"
135@@ -657,10 +658,34 @@ 171@@ -657,10 +658,34 @@ getpwnamallow(const char *user)
136 172
137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ 173 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
138 int 174 int
@@ -168,11 +204,11 @@ Index: b/auth.c
168 if (options.revoked_keys_file == NULL) 204 if (options.revoked_keys_file == NULL)
169 return 0; 205 return 0;
170 switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) { 206 switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) {
171Index: b/auth.h 207diff --git a/auth.h b/auth.h
172=================================================================== 208index 5b6824f..ec95460 100644
173--- a/auth.h 209--- a/auth.h
174+++ b/auth.h 210+++ b/auth.h
175@@ -191,7 +191,7 @@ 211@@ -191,7 +191,7 @@ char *authorized_principals_file(struct passwd *);
176 212
177 FILE *auth_openkeyfile(const char *, struct passwd *, int); 213 FILE *auth_openkeyfile(const char *, struct passwd *, int);
178 FILE *auth_openprincipals(const char *, struct passwd *, int); 214 FILE *auth_openprincipals(const char *, struct passwd *, int);
@@ -181,11 +217,11 @@ Index: b/auth.h
181 217
182 HostStatus 218 HostStatus
183 check_key_in_hostfiles(struct passwd *, Key *, const char *, 219 check_key_in_hostfiles(struct passwd *, Key *, const char *,
184Index: b/auth2-hostbased.c 220diff --git a/auth2-hostbased.c b/auth2-hostbased.c
185=================================================================== 221index a344dcc..3a17f1b 100644
186--- a/auth2-hostbased.c 222--- a/auth2-hostbased.c
187+++ b/auth2-hostbased.c 223+++ b/auth2-hostbased.c
188@@ -150,7 +150,7 @@ 224@@ -150,7 +150,7 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
189 int len; 225 int len;
190 char *fp; 226 char *fp;
191 227
@@ -194,11 +230,11 @@ Index: b/auth2-hostbased.c
194 return 0; 230 return 0;
195 231
196 resolvedname = get_canonical_hostname(options.use_dns); 232 resolvedname = get_canonical_hostname(options.use_dns);
197Index: b/auth2-pubkey.c 233diff --git a/auth2-pubkey.c b/auth2-pubkey.c
198=================================================================== 234index 2b3ecb1..12eb8a6 100644
199--- a/auth2-pubkey.c 235--- a/auth2-pubkey.c
200+++ b/auth2-pubkey.c 236+++ b/auth2-pubkey.c
201@@ -647,9 +647,10 @@ 237@@ -647,9 +647,10 @@ user_key_allowed(struct passwd *pw, Key *key)
202 u_int success, i; 238 u_int success, i;
203 char *file; 239 char *file;
204 240
@@ -211,8 +247,8 @@ Index: b/auth2-pubkey.c
211 return 0; 247 return 0;
212 248
213 success = user_cert_trusted_ca(pw, key); 249 success = user_cert_trusted_ca(pw, key);
214Index: b/authfile.c 250diff --git a/authfile.c b/authfile.c
215=================================================================== 251index 63ae16b..9833591 100644
216--- a/authfile.c 252--- a/authfile.c
217+++ b/authfile.c 253+++ b/authfile.c
218@@ -68,6 +68,7 @@ 254@@ -68,6 +68,7 @@
@@ -223,7 +259,7 @@ Index: b/authfile.c
223 259
224 #define MAX_KEY_FILE_SIZE (1024 * 1024) 260 #define MAX_KEY_FILE_SIZE (1024 * 1024)
225 261
226@@ -944,3 +945,138 @@ 262@@ -944,3 +945,138 @@ key_in_file(Key *key, const char *filename, int strict_type)
227 return ret; 263 return ret;
228 } 264 }
229 265
@@ -362,19 +398,19 @@ Index: b/authfile.c
362+ key_free(public); 398+ key_free(public);
363+ return ret; 399+ return ret;
364+} 400+}
365Index: b/authfile.h 401diff --git a/authfile.h b/authfile.h
366=================================================================== 402index 78349be..3f2bdcb 100644
367--- a/authfile.h 403--- a/authfile.h
368+++ b/authfile.h 404+++ b/authfile.h
369@@ -28,4 +28,6 @@ 405@@ -28,4 +28,6 @@ Key *key_load_private_pem(int, int, const char *, char **);
370 int key_perm_ok(int, const char *); 406 int key_perm_ok(int, const char *);
371 int key_in_file(Key *, const char *, int); 407 int key_in_file(Key *, const char *, int);
372 408
373+int blacklisted_key(Key *key, char **fp); 409+int blacklisted_key(Key *key, char **fp);
374+ 410+
375 #endif 411 #endif
376Index: b/pathnames.h 412diff --git a/pathnames.h b/pathnames.h
377=================================================================== 413index 5027fba..47f7867 100644
378--- a/pathnames.h 414--- a/pathnames.h
379+++ b/pathnames.h 415+++ b/pathnames.h
380@@ -18,6 +18,10 @@ 416@@ -18,6 +18,10 @@
@@ -398,11 +434,11 @@ Index: b/pathnames.h
398 #ifndef _PATH_SSH_PROGRAM 434 #ifndef _PATH_SSH_PROGRAM
399 #define _PATH_SSH_PROGRAM "/usr/bin/ssh" 435 #define _PATH_SSH_PROGRAM "/usr/bin/ssh"
400 #endif 436 #endif
401Index: b/readconf.c 437diff --git a/readconf.c b/readconf.c
402=================================================================== 438index 2695fd6..22e5a3a 100644
403--- a/readconf.c 439--- a/readconf.c
404+++ b/readconf.c 440+++ b/readconf.c
405@@ -128,6 +128,7 @@ 441@@ -128,6 +128,7 @@ typedef enum {
406 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, 442 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
407 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, 443 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
408 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, 444 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
@@ -410,7 +446,7 @@ Index: b/readconf.c
410 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, 446 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
411 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 447 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
412 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 448 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
413@@ -161,6 +162,7 @@ 449@@ -161,6 +162,7 @@ static struct {
414 { "passwordauthentication", oPasswordAuthentication }, 450 { "passwordauthentication", oPasswordAuthentication },
415 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 451 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
416 { "kbdinteractivedevices", oKbdInteractiveDevices }, 452 { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -418,7 +454,7 @@ Index: b/readconf.c
418 { "rsaauthentication", oRSAAuthentication }, 454 { "rsaauthentication", oRSAAuthentication },
419 { "pubkeyauthentication", oPubkeyAuthentication }, 455 { "pubkeyauthentication", oPubkeyAuthentication },
420 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 456 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
421@@ -523,6 +525,10 @@ 457@@ -523,6 +525,10 @@ parse_flag:
422 intptr = &options->challenge_response_authentication; 458 intptr = &options->challenge_response_authentication;
423 goto parse_flag; 459 goto parse_flag;
424 460
@@ -429,7 +465,7 @@ Index: b/readconf.c
429 case oGssAuthentication: 465 case oGssAuthentication:
430 intptr = &options->gss_authentication; 466 intptr = &options->gss_authentication;
431 goto parse_flag; 467 goto parse_flag;
432@@ -1210,6 +1216,7 @@ 468@@ -1210,6 +1216,7 @@ initialize_options(Options * options)
433 options->kbd_interactive_devices = NULL; 469 options->kbd_interactive_devices = NULL;
434 options->rhosts_rsa_authentication = -1; 470 options->rhosts_rsa_authentication = -1;
435 options->hostbased_authentication = -1; 471 options->hostbased_authentication = -1;
@@ -437,7 +473,7 @@ Index: b/readconf.c
437 options->batch_mode = -1; 473 options->batch_mode = -1;
438 options->check_host_ip = -1; 474 options->check_host_ip = -1;
439 options->strict_host_key_checking = -1; 475 options->strict_host_key_checking = -1;
440@@ -1320,6 +1327,8 @@ 476@@ -1320,6 +1327,8 @@ fill_default_options(Options * options)
441 options->rhosts_rsa_authentication = 0; 477 options->rhosts_rsa_authentication = 0;
442 if (options->hostbased_authentication == -1) 478 if (options->hostbased_authentication == -1)
443 options->hostbased_authentication = 0; 479 options->hostbased_authentication = 0;
@@ -446,11 +482,11 @@ Index: b/readconf.c
446 if (options->batch_mode == -1) 482 if (options->batch_mode == -1)
447 options->batch_mode = 0; 483 options->batch_mode = 0;
448 if (options->check_host_ip == -1) 484 if (options->check_host_ip == -1)
449Index: b/readconf.h 485diff --git a/readconf.h b/readconf.h
450=================================================================== 486index 675b35d..a508151 100644
451--- a/readconf.h 487--- a/readconf.h
452+++ b/readconf.h 488+++ b/readconf.h
453@@ -59,6 +59,7 @@ 489@@ -59,6 +59,7 @@ typedef struct {
454 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 490 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
455 char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ 491 char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
456 int zero_knowledge_password_authentication; /* Try jpake */ 492 int zero_knowledge_password_authentication; /* Try jpake */
@@ -458,11 +494,11 @@ Index: b/readconf.h
458 int batch_mode; /* Batch mode: do not ask for passwords. */ 494 int batch_mode; /* Batch mode: do not ask for passwords. */
459 int check_host_ip; /* Also keep track of keys for IP address */ 495 int check_host_ip; /* Also keep track of keys for IP address */
460 int strict_host_key_checking; /* Strict host key checking. */ 496 int strict_host_key_checking; /* Strict host key checking. */
461Index: b/servconf.c 497diff --git a/servconf.c b/servconf.c
462=================================================================== 498index c938ae3..9155a8b 100644
463--- a/servconf.c 499--- a/servconf.c
464+++ b/servconf.c 500+++ b/servconf.c
465@@ -114,6 +114,7 @@ 501@@ -114,6 +114,7 @@ initialize_server_options(ServerOptions *options)
466 options->password_authentication = -1; 502 options->password_authentication = -1;
467 options->kbd_interactive_authentication = -1; 503 options->kbd_interactive_authentication = -1;
468 options->challenge_response_authentication = -1; 504 options->challenge_response_authentication = -1;
@@ -470,7 +506,7 @@ Index: b/servconf.c
470 options->permit_empty_passwd = -1; 506 options->permit_empty_passwd = -1;
471 options->permit_user_env = -1; 507 options->permit_user_env = -1;
472 options->use_login = -1; 508 options->use_login = -1;
473@@ -257,6 +258,8 @@ 509@@ -257,6 +258,8 @@ fill_default_server_options(ServerOptions *options)
474 options->kbd_interactive_authentication = 0; 510 options->kbd_interactive_authentication = 0;
475 if (options->challenge_response_authentication == -1) 511 if (options->challenge_response_authentication == -1)
476 options->challenge_response_authentication = 1; 512 options->challenge_response_authentication = 1;
@@ -479,7 +515,7 @@ Index: b/servconf.c
479 if (options->permit_empty_passwd == -1) 515 if (options->permit_empty_passwd == -1)
480 options->permit_empty_passwd = 0; 516 options->permit_empty_passwd = 0;
481 if (options->permit_user_env == -1) 517 if (options->permit_user_env == -1)
482@@ -338,7 +341,7 @@ 518@@ -338,7 +341,7 @@ typedef enum {
483 sListenAddress, sAddressFamily, 519 sListenAddress, sAddressFamily,
484 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 520 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
485 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 521 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -488,7 +524,7 @@ Index: b/servconf.c
488 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 524 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
489 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 525 sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
490 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 526 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
491@@ -451,6 +454,7 @@ 527@@ -451,6 +454,7 @@ static struct {
492 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 528 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
493 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 529 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
494 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 530 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -496,7 +532,7 @@ Index: b/servconf.c
496 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 532 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
497 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 533 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
498 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 534 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
499@@ -1158,6 +1162,10 @@ 535@@ -1158,6 +1162,10 @@ process_server_config_line(ServerOptions *options, char *line,
500 intptr = &options->tcp_keep_alive; 536 intptr = &options->tcp_keep_alive;
501 goto parse_flag; 537 goto parse_flag;
502 538
@@ -507,7 +543,7 @@ Index: b/servconf.c
507 case sEmptyPasswd: 543 case sEmptyPasswd:
508 intptr = &options->permit_empty_passwd; 544 intptr = &options->permit_empty_passwd;
509 goto parse_flag; 545 goto parse_flag;
510@@ -2036,6 +2044,7 @@ 546@@ -2036,6 +2044,7 @@ dump_config(ServerOptions *o)
511 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 547 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
512 dump_cfg_fmtint(sStrictModes, o->strict_modes); 548 dump_cfg_fmtint(sStrictModes, o->strict_modes);
513 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 549 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -515,11 +551,11 @@ Index: b/servconf.c
515 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd); 551 dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
516 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env); 552 dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
517 dump_cfg_fmtint(sUseLogin, o->use_login); 553 dump_cfg_fmtint(sUseLogin, o->use_login);
518Index: b/servconf.h 554diff --git a/servconf.h b/servconf.h
519=================================================================== 555index ab6e346..f655c5b 100644
520--- a/servconf.h 556--- a/servconf.h
521+++ b/servconf.h 557+++ b/servconf.h
522@@ -121,6 +121,7 @@ 558@@ -121,6 +121,7 @@ typedef struct {
523 int challenge_response_authentication; 559 int challenge_response_authentication;
524 int zero_knowledge_password_authentication; 560 int zero_knowledge_password_authentication;
525 /* If true, permit jpake auth */ 561 /* If true, permit jpake auth */
@@ -527,11 +563,11 @@ Index: b/servconf.h
527 int permit_empty_passwd; /* If false, do not permit empty 563 int permit_empty_passwd; /* If false, do not permit empty
528 * passwords. */ 564 * passwords. */
529 int permit_user_env; /* If true, read ~/.ssh/environment */ 565 int permit_user_env; /* If true, read ~/.ssh/environment */
530Index: b/ssh-add.1 566diff --git a/ssh-add.1 b/ssh-add.1
531=================================================================== 567index 44846b6..d394b26 100644
532--- a/ssh-add.1 568--- a/ssh-add.1
533+++ b/ssh-add.1 569+++ b/ssh-add.1
534@@ -81,6 +81,10 @@ 570@@ -81,6 +81,10 @@ environment variable must contain the name of its socket for
535 .Nm 571 .Nm
536 to work. 572 to work.
537 .Pp 573 .Pp
@@ -542,7 +578,7 @@ Index: b/ssh-add.1
542 The options are as follows: 578 The options are as follows:
543 .Bl -tag -width Ds 579 .Bl -tag -width Ds
544 .It Fl c 580 .It Fl c
545@@ -186,6 +190,7 @@ 581@@ -186,6 +190,7 @@ is unable to contact the authentication agent.
546 .Xr ssh 1 , 582 .Xr ssh 1 ,
547 .Xr ssh-agent 1 , 583 .Xr ssh-agent 1 ,
548 .Xr ssh-keygen 1 , 584 .Xr ssh-keygen 1 ,
@@ -550,11 +586,11 @@ Index: b/ssh-add.1
550 .Xr sshd 8 586 .Xr sshd 8
551 .Sh AUTHORS 587 .Sh AUTHORS
552 OpenSSH is a derivative of the original and free 588 OpenSSH is a derivative of the original and free
553Index: b/ssh-add.c 589diff --git a/ssh-add.c b/ssh-add.c
554=================================================================== 590index 5e8166f..b309582 100644
555--- a/ssh-add.c 591--- a/ssh-add.c
556+++ b/ssh-add.c 592+++ b/ssh-add.c
557@@ -167,7 +167,7 @@ 593@@ -167,7 +167,7 @@ static int
558 add_file(AuthenticationConnection *ac, const char *filename, int key_only) 594 add_file(AuthenticationConnection *ac, const char *filename, int key_only)
559 { 595 {
560 Key *private, *cert; 596 Key *private, *cert;
@@ -563,7 +599,7 @@ Index: b/ssh-add.c
563 char msg[1024], *certpath = NULL; 599 char msg[1024], *certpath = NULL;
564 int fd, perms_ok, ret = -1; 600 int fd, perms_ok, ret = -1;
565 Buffer keyblob; 601 Buffer keyblob;
566@@ -243,6 +243,14 @@ 602@@ -243,6 +243,14 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only)
567 } else { 603 } else {
568 fprintf(stderr, "Could not add identity: %s\n", filename); 604 fprintf(stderr, "Could not add identity: %s\n", filename);
569 } 605 }
@@ -578,11 +614,11 @@ Index: b/ssh-add.c
578 614
579 /* Skip trying to load the cert if requested */ 615 /* Skip trying to load the cert if requested */
580 if (key_only) 616 if (key_only)
581Index: b/ssh-keygen.1 617diff --git a/ssh-keygen.1 b/ssh-keygen.1
582=================================================================== 618index 0d55854..144be7d 100644
583--- a/ssh-keygen.1 619--- a/ssh-keygen.1
584+++ b/ssh-keygen.1 620+++ b/ssh-keygen.1
585@@ -809,6 +809,7 @@ 621@@ -809,6 +809,7 @@ The file format is described in
586 .Xr ssh 1 , 622 .Xr ssh 1 ,
587 .Xr ssh-add 1 , 623 .Xr ssh-add 1 ,
588 .Xr ssh-agent 1 , 624 .Xr ssh-agent 1 ,
@@ -590,8 +626,9 @@ Index: b/ssh-keygen.1
590 .Xr moduli 5 , 626 .Xr moduli 5 ,
591 .Xr sshd 8 627 .Xr sshd 8
592 .Rs 628 .Rs
593Index: b/ssh-vulnkey.1 629diff --git a/ssh-vulnkey.1 b/ssh-vulnkey.1
594=================================================================== 630new file mode 100644
631index 0000000..bcb9d31
595--- /dev/null 632--- /dev/null
596+++ b/ssh-vulnkey.1 633+++ b/ssh-vulnkey.1
597@@ -0,0 +1,242 @@ 634@@ -0,0 +1,242 @@
@@ -837,8 +874,9 @@ Index: b/ssh-vulnkey.1
837+of processing 874+of processing
838+.Xr ssh-keyscan 1 875+.Xr ssh-keyscan 1
839+output. 876+output.
840Index: b/ssh-vulnkey.c 877diff --git a/ssh-vulnkey.c b/ssh-vulnkey.c
841=================================================================== 878new file mode 100644
879index 0000000..ca1a5be
842--- /dev/null 880--- /dev/null
843+++ b/ssh-vulnkey.c 881+++ b/ssh-vulnkey.c
844@@ -0,0 +1,386 @@ 882@@ -0,0 +1,386 @@
@@ -1228,11 +1266,11 @@ Index: b/ssh-vulnkey.c
1228+ 1266+
1229+ return ret; 1267+ return ret;
1230+} 1268+}
1231Index: b/ssh.1 1269diff --git a/ssh.1 b/ssh.1
1232=================================================================== 1270index 62292cc..66a7007 100644
1233--- a/ssh.1 1271--- a/ssh.1
1234+++ b/ssh.1 1272+++ b/ssh.1
1235@@ -1447,6 +1447,7 @@ 1273@@ -1447,6 +1447,7 @@ if an error occurred.
1236 .Xr ssh-agent 1 , 1274 .Xr ssh-agent 1 ,
1237 .Xr ssh-keygen 1 , 1275 .Xr ssh-keygen 1 ,
1238 .Xr ssh-keyscan 1 , 1276 .Xr ssh-keyscan 1 ,
@@ -1240,11 +1278,11 @@ Index: b/ssh.1
1240 .Xr tun 4 , 1278 .Xr tun 4 ,
1241 .Xr hosts.equiv 5 , 1279 .Xr hosts.equiv 5 ,
1242 .Xr ssh_config 5 , 1280 .Xr ssh_config 5 ,
1243Index: b/ssh.c 1281diff --git a/ssh.c b/ssh.c
1244=================================================================== 1282index 87233bc..567248d 100644
1245--- a/ssh.c 1283--- a/ssh.c
1246+++ b/ssh.c 1284+++ b/ssh.c
1247@@ -1525,7 +1525,7 @@ 1285@@ -1525,7 +1525,7 @@ ssh_session2(void)
1248 static void 1286 static void
1249 load_public_identity_files(void) 1287 load_public_identity_files(void)
1250 { 1288 {
@@ -1253,7 +1291,7 @@ Index: b/ssh.c
1253 char *pwdir = NULL, *pwname = NULL; 1291 char *pwdir = NULL, *pwname = NULL;
1254 int i = 0; 1292 int i = 0;
1255 Key *public; 1293 Key *public;
1256@@ -1583,6 +1583,22 @@ 1294@@ -1583,6 +1583,22 @@ load_public_identity_files(void)
1257 public = key_load_public(filename, NULL); 1295 public = key_load_public(filename, NULL);
1258 debug("identity file %s type %d", filename, 1296 debug("identity file %s type %d", filename,
1259 public ? public->type : -1); 1297 public ? public->type : -1);
@@ -1276,11 +1314,11 @@ Index: b/ssh.c
1276 free(options.identity_files[i]); 1314 free(options.identity_files[i]);
1277 identity_files[n_ids] = filename; 1315 identity_files[n_ids] = filename;
1278 identity_keys[n_ids] = public; 1316 identity_keys[n_ids] = public;
1279Index: b/ssh_config.5 1317diff --git a/ssh_config.5 b/ssh_config.5
1280=================================================================== 1318index e72919a..8d806c7 100644
1281--- a/ssh_config.5 1319--- a/ssh_config.5
1282+++ b/ssh_config.5 1320+++ b/ssh_config.5
1283@@ -1229,6 +1229,23 @@ 1321@@ -1229,6 +1229,23 @@ is not specified, it defaults to
1284 .Dq any . 1322 .Dq any .
1285 The default is 1323 The default is
1286 .Dq any:any . 1324 .Dq any:any .
@@ -1304,11 +1342,11 @@ Index: b/ssh_config.5
1304 .It Cm UsePrivilegedPort 1342 .It Cm UsePrivilegedPort
1305 Specifies whether to use a privileged port for outgoing connections. 1343 Specifies whether to use a privileged port for outgoing connections.
1306 The argument must be 1344 The argument must be
1307Index: b/sshconnect2.c 1345diff --git a/sshconnect2.c b/sshconnect2.c
1308=================================================================== 1346index 0b13530..93818c9 100644
1309--- a/sshconnect2.c 1347--- a/sshconnect2.c
1310+++ b/sshconnect2.c 1348+++ b/sshconnect2.c
1311@@ -1491,6 +1491,8 @@ 1349@@ -1491,6 +1491,8 @@ pubkey_prepare(Authctxt *authctxt)
1312 1350
1313 /* list of keys stored in the filesystem and PKCS#11 */ 1351 /* list of keys stored in the filesystem and PKCS#11 */
1314 for (i = 0; i < options.num_identity_files; i++) { 1352 for (i = 0; i < options.num_identity_files; i++) {
@@ -1317,7 +1355,7 @@ Index: b/sshconnect2.c
1317 key = options.identity_keys[i]; 1355 key = options.identity_keys[i];
1318 if (key && key->type == KEY_RSA1) 1356 if (key && key->type == KEY_RSA1)
1319 continue; 1357 continue;
1320@@ -1608,7 +1610,7 @@ 1358@@ -1608,7 +1610,7 @@ userauth_pubkey(Authctxt *authctxt)
1321 debug("Offering %s public key: %s", key_type(id->key), 1359 debug("Offering %s public key: %s", key_type(id->key),
1322 id->filename); 1360 id->filename);
1323 sent = send_pubkey_test(authctxt, id); 1361 sent = send_pubkey_test(authctxt, id);
@@ -1326,11 +1364,11 @@ Index: b/sshconnect2.c
1326 debug("Trying private key: %s", id->filename); 1364 debug("Trying private key: %s", id->filename);
1327 id->key = load_identity_file(id->filename, 1365 id->key = load_identity_file(id->filename,
1328 id->userprovided); 1366 id->userprovided);
1329Index: b/sshd.8 1367diff --git a/sshd.8 b/sshd.8
1330=================================================================== 1368index b0c7ab6..a604429 100644
1331--- a/sshd.8 1369--- a/sshd.8
1332+++ b/sshd.8 1370+++ b/sshd.8
1333@@ -954,6 +954,7 @@ 1371@@ -954,6 +954,7 @@ The content of this file is not sensitive; it can be world-readable.
1334 .Xr ssh-agent 1 , 1372 .Xr ssh-agent 1 ,
1335 .Xr ssh-keygen 1 , 1373 .Xr ssh-keygen 1 ,
1336 .Xr ssh-keyscan 1 , 1374 .Xr ssh-keyscan 1 ,
@@ -1338,11 +1376,11 @@ Index: b/sshd.8
1338 .Xr chroot 2 , 1376 .Xr chroot 2 ,
1339 .Xr hosts_access 5 , 1377 .Xr hosts_access 5 ,
1340 .Xr login.conf 5 , 1378 .Xr login.conf 5 ,
1341Index: b/sshd.c 1379diff --git a/sshd.c b/sshd.c
1342=================================================================== 1380index e5c9835..fbe3284 100644
1343--- a/sshd.c 1381--- a/sshd.c
1344+++ b/sshd.c 1382+++ b/sshd.c
1345@@ -1688,6 +1688,11 @@ 1383@@ -1688,6 +1688,11 @@ main(int ac, char **av)
1346 sensitive_data.host_pubkeys[i] = NULL; 1384 sensitive_data.host_pubkeys[i] = NULL;
1347 continue; 1385 continue;
1348 } 1386 }
@@ -1354,11 +1392,11 @@ Index: b/sshd.c
1354 1392
1355 switch (keytype) { 1393 switch (keytype) {
1356 case KEY_RSA1: 1394 case KEY_RSA1:
1357Index: b/sshd_config.5 1395diff --git a/sshd_config.5 b/sshd_config.5
1358=================================================================== 1396index 525d9c8..18ec81f 100644
1359--- a/sshd_config.5 1397--- a/sshd_config.5
1360+++ b/sshd_config.5 1398+++ b/sshd_config.5
1361@@ -885,6 +885,20 @@ 1399@@ -885,6 +885,20 @@ are refused if the number of unauthenticated connections reaches
1362 Specifies whether password authentication is allowed. 1400 Specifies whether password authentication is allowed.
1363 The default is 1401 The default is
1364 .Dq yes . 1402 .Dq yes .
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index de61e1dd9..e563bda7c 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,13 +1,22 @@
1Description: Partial server keep-alive implementation for SSH1 1From 4c7ed5c80e5f67277620ac973317cc516b67d0e7 Mon Sep 17 00:00:00 2001
2Author: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:51 +0000
4Subject: Partial server keep-alive implementation for SSH1
5
3Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712 6Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1712
4Last-Update: 2013-09-14 7Last-Update: 2013-09-14
5 8
6Index: b/clientloop.c 9Patch-Name: ssh1-keepalive.patch
7=================================================================== 10---
11 clientloop.c | 25 +++++++++++++++----------
12 ssh_config.5 | 5 ++++-
13 2 files changed, 19 insertions(+), 11 deletions(-)
14
15diff --git a/clientloop.c b/clientloop.c
16index 311dc13..dc76d69 100644
8--- a/clientloop.c 17--- a/clientloop.c
9+++ b/clientloop.c 18+++ b/clientloop.c
10@@ -563,16 +563,21 @@ 19@@ -563,16 +563,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
11 static void 20 static void
12 server_alive_check(void) 21 server_alive_check(void)
13 { 22 {
@@ -38,7 +47,7 @@ Index: b/clientloop.c
38 } 47 }
39 48
40 /* 49 /*
41@@ -634,7 +639,7 @@ 50@@ -634,7 +639,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
42 */ 51 */
43 52
44 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ 53 timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */
@@ -47,11 +56,11 @@ Index: b/clientloop.c
47 timeout_secs = options.server_alive_interval; 56 timeout_secs = options.server_alive_interval;
48 server_alive_time = now + options.server_alive_interval; 57 server_alive_time = now + options.server_alive_interval;
49 } 58 }
50Index: b/ssh_config.5 59diff --git a/ssh_config.5 b/ssh_config.5
51=================================================================== 60index 8d806c7..89b25cd 100644
52--- a/ssh_config.5 61--- a/ssh_config.5
53+++ b/ssh_config.5 62+++ b/ssh_config.5
54@@ -1130,7 +1130,10 @@ 63@@ -1130,7 +1130,10 @@ If, for example,
55 .Cm ServerAliveCountMax 64 .Cm ServerAliveCountMax
56 is left at the default, if the server becomes unresponsive, 65 is left at the default, if the server becomes unresponsive,
57 ssh will disconnect after approximately 45 seconds. 66 ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index f8be76c89..a1eaa7513 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,20 +1,30 @@
1Description: "LogLevel SILENT" compatibility 1From bbddcd71a027a33919f859f35dae800335a2de6a Mon Sep 17 00:00:00 2001
2 "LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to 2From: Jonathan David Amery <jdamery@ysolde.ucam.org>
3 match the behaviour of non-free SSH, in which -q does not suppress fatal 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4 errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody 4Subject: "LogLevel SILENT" compatibility
5 complained, so we've dropped most of it. The parts that remain are basic 5
6 configuration file compatibility, and an adjustment to "Pseudo-terminal 6"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
7 will not be allocated ..." which should be split out into a separate patch. 7match the behaviour of non-free SSH, in which -q does not suppress fatal
8Author: Jonathan David Amery <jdamery@ysolde.ucam.org> 8errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody
9complained, so we've dropped most of it. The parts that remain are basic
10configuration file compatibility, and an adjustment to "Pseudo-terminal will
11not be allocated ..." which should be split out into a separate patch.
12
9Author: Matthew Vernon <matthew@debian.org> 13Author: Matthew Vernon <matthew@debian.org>
10Author: Colin Watson <cjwatson@debian.org> 14Author: Colin Watson <cjwatson@debian.org>
11Last-Update: 2013-09-14 15Last-Update: 2013-09-14
12 16
13Index: b/log.c 17Patch-Name: syslog-level-silent.patch
14=================================================================== 18---
19 log.c | 1 +
20 ssh.c | 2 +-
21 2 files changed, 2 insertions(+), 1 deletion(-)
22
23diff --git a/log.c b/log.c
24index 32e1d2e..53e7b65 100644
15--- a/log.c 25--- a/log.c
16+++ b/log.c 26+++ b/log.c
17@@ -94,6 +94,7 @@ 27@@ -94,6 +94,7 @@ static struct {
18 LogLevel val; 28 LogLevel val;
19 } log_levels[] = 29 } log_levels[] =
20 { 30 {
@@ -22,11 +32,11 @@ Index: b/log.c
22 { "QUIET", SYSLOG_LEVEL_QUIET }, 32 { "QUIET", SYSLOG_LEVEL_QUIET },
23 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
24 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
25Index: b/ssh.c 35diff --git a/ssh.c b/ssh.c
26=================================================================== 36index 567248d..219a466 100644
27--- a/ssh.c 37--- a/ssh.c
28+++ b/ssh.c 38+++ b/ssh.c
29@@ -740,7 +740,7 @@ 39@@ -740,7 +740,7 @@ main(int ac, char **av)
30 /* Do not allocate a tty if stdin is not a tty. */ 40 /* Do not allocate a tty if stdin is not a tty. */
31 if ((!isatty(fileno(stdin)) || stdin_null_flag) && 41 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
32 options.request_tty != REQUEST_TTY_FORCE) { 42 options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index ac00edac6..9382d5086 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,70 +1,61 @@
1Description: Allow harmless group-writability 1From 7016a7e8a6b854833132db253fd5e392984bd4ea Mon Sep 17 00:00:00 2001
2 Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be 2From: Colin Watson <cjwatson@debian.org>
3 group-writable, provided that the group in question contains only the 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4 file's owner. Rejected upstream for IMO incorrect reasons (e.g. a 4Subject: Allow harmless group-writability
5 misunderstanding about the contents of gr->gr_mem). Given that 5
6 per-user groups and umask 002 are the default setup in Debian (for good 6Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
7 reasons - this makes operating in setgid directories with other groups 7group-writable, provided that the group in question contains only the file's
8 much easier), we need to permit this by default. 8owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
9Author: Colin Watson <cjwatson@debian.org> 9about the contents of gr->gr_mem). Given that per-user groups and umask 002
10are the default setup in Debian (for good reasons - this makes operating in
11setgid directories with other groups much easier), we need to permit this by
12default.
13
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 14Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
11Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 15Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
12Last-Update: 2013-09-14 16Last-Update: 2013-09-14
13 17
14Index: b/readconf.c 18Patch-Name: user-group-modes.patch
15=================================================================== 19---
16--- a/readconf.c 20 auth-rhosts.c | 6 ++----
17+++ b/readconf.c 21 auth.c | 9 +++-----
18@@ -30,6 +30,8 @@ 22 misc.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
19 #include <stdio.h> 23 misc.h | 2 ++
20 #include <string.h> 24 platform.c | 16 --------------
21 #include <unistd.h> 25 readconf.c | 5 +++--
22+#include <pwd.h> 26 ssh.1 | 2 ++
23+#include <grp.h> 27 ssh_config.5 | 2 ++
24 #ifdef HAVE_UTIL_H 28 8 files changed, 82 insertions(+), 29 deletions(-)
25 #include <util.h> 29
26 #endif 30diff --git a/auth-rhosts.c b/auth-rhosts.c
27@@ -1160,8 +1162,7 @@ 31index 06ae7f0..f202787 100644
28 32--- a/auth-rhosts.c
29 if (fstat(fileno(f), &sb) == -1) 33+++ b/auth-rhosts.c
30 fatal("fstat %s: %s", filename, strerror(errno)); 34@@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
31- if (((sb.st_uid != 0 && sb.st_uid != getuid()) || 35 return 0;
32- (sb.st_mode & 022) != 0))
33+ if (!secure_permissions(&sb, getuid()))
34 fatal("Bad owner or permissions on %s", filename);
35 } 36 }
36 37 if (options.strict_modes &&
37Index: b/ssh.1 38- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
38=================================================================== 39- (st.st_mode & 022) != 0)) {
39--- a/ssh.1 40+ !secure_permissions(&st, pw->pw_uid)) {
40+++ b/ssh.1 41 logit("Rhosts authentication refused for %.100s: "
41@@ -1338,6 +1338,8 @@ 42 "bad ownership or modes for home directory.", pw->pw_name);
42 .Xr ssh_config 5 . 43 auth_debug_add("Rhosts authentication refused for %.100s: "
43 Because of the potential for abuse, this file must have strict permissions: 44@@ -283,8 +282,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam
44 read/write for the user, and not writable by others. 45 * allowing access to their account by anyone.
45+It may be group-writable provided that the group in question contains only 46 */
46+the user. 47 if (options.strict_modes &&
47 .Pp 48- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
48 .It Pa ~/.ssh/environment 49- (st.st_mode & 022) != 0)) {
49 Contains additional definitions for environment variables; see 50+ !secure_permissions(&st, pw->pw_uid)) {
50Index: b/ssh_config.5 51 logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
51=================================================================== 52 pw->pw_name, buf);
52--- a/ssh_config.5 53 auth_debug_add("Bad file modes for %.200s", buf);
53+++ b/ssh_config.5 54diff --git a/auth.c b/auth.c
54@@ -1382,6 +1382,8 @@ 55index 6662e9a..7f6c6c8 100644
55 This file is used by the SSH client.
56 Because of the potential for abuse, this file must have strict permissions:
57 read/write for the user, and not accessible by others.
58+It may be group-writable provided that the group in question contains only
59+the user.
60 .It Pa /etc/ssh/ssh_config
61 Systemwide configuration file.
62 This file provides defaults for those
63Index: b/auth.c
64===================================================================
65--- a/auth.c 56--- a/auth.c
66+++ b/auth.c 57+++ b/auth.c
67@@ -408,8 +408,7 @@ 58@@ -408,8 +408,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
68 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 59 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
69 if (options.strict_modes && 60 if (options.strict_modes &&
70 (stat(user_hostfile, &st) == 0) && 61 (stat(user_hostfile, &st) == 0) &&
@@ -74,7 +65,7 @@ Index: b/auth.c
74 logit("Authentication refused for %.100s: " 65 logit("Authentication refused for %.100s: "
75 "bad owner or modes for %.200s", 66 "bad owner or modes for %.200s",
76 pw->pw_name, user_hostfile); 67 pw->pw_name, user_hostfile);
77@@ -471,8 +470,7 @@ 68@@ -471,8 +470,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
78 snprintf(err, errlen, "%s is not a regular file", buf); 69 snprintf(err, errlen, "%s is not a regular file", buf);
79 return -1; 70 return -1;
80 } 71 }
@@ -84,7 +75,7 @@ Index: b/auth.c
84 snprintf(err, errlen, "bad ownership or modes for file %s", 75 snprintf(err, errlen, "bad ownership or modes for file %s",
85 buf); 76 buf);
86 return -1; 77 return -1;
87@@ -487,8 +485,7 @@ 78@@ -487,8 +485,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
88 strlcpy(buf, cp, sizeof(buf)); 79 strlcpy(buf, cp, sizeof(buf));
89 80
90 if (stat(buf, &st) < 0 || 81 if (stat(buf, &st) < 0 ||
@@ -94,8 +85,8 @@ Index: b/auth.c
94 snprintf(err, errlen, 85 snprintf(err, errlen,
95 "bad ownership or modes for directory %s", buf); 86 "bad ownership or modes for directory %s", buf);
96 return -1; 87 return -1;
97Index: b/misc.c 88diff --git a/misc.c b/misc.c
98=================================================================== 89index c3c8099..eb57bfc 100644
99--- a/misc.c 90--- a/misc.c
100+++ b/misc.c 91+++ b/misc.c
101@@ -48,8 +48,9 @@ 92@@ -48,8 +48,9 @@
@@ -117,7 +108,7 @@ Index: b/misc.c
117 108
118 /* remove newline at end of string */ 109 /* remove newline at end of string */
119 char * 110 char *
120@@ -642,6 +644,71 @@ 111@@ -642,6 +644,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
121 return -1; 112 return -1;
122 } 113 }
123 114
@@ -189,46 +180,22 @@ Index: b/misc.c
189 int 180 int
190 tun_open(int tun, int mode) 181 tun_open(int tun, int mode)
191 { 182 {
192Index: b/misc.h 183diff --git a/misc.h b/misc.h
193=================================================================== 184index fceb306..51ba182 100644
194--- a/misc.h 185--- a/misc.h
195+++ b/misc.h 186+++ b/misc.h
196@@ -104,4 +104,6 @@ 187@@ -104,4 +104,6 @@ char *read_passphrase(const char *, int);
197 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 188 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
198 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); 189 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
199 190
200+int secure_permissions(struct stat *st, uid_t uid); 191+int secure_permissions(struct stat *st, uid_t uid);
201+ 192+
202 #endif /* _MISC_H */ 193 #endif /* _MISC_H */
203Index: b/auth-rhosts.c 194diff --git a/platform.c b/platform.c
204=================================================================== 195index a962f15..0b3bee1 100644
205--- a/auth-rhosts.c
206+++ b/auth-rhosts.c
207@@ -256,8 +256,7 @@
208 return 0;
209 }
210 if (options.strict_modes &&
211- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
212- (st.st_mode & 022) != 0)) {
213+ !secure_permissions(&st, pw->pw_uid)) {
214 logit("Rhosts authentication refused for %.100s: "
215 "bad ownership or modes for home directory.", pw->pw_name);
216 auth_debug_add("Rhosts authentication refused for %.100s: "
217@@ -283,8 +282,7 @@
218 * allowing access to their account by anyone.
219 */
220 if (options.strict_modes &&
221- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
222- (st.st_mode & 022) != 0)) {
223+ !secure_permissions(&st, pw->pw_uid)) {
224 logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
225 pw->pw_name, buf);
226 auth_debug_add("Bad file modes for %.200s", buf);
227Index: b/platform.c
228===================================================================
229--- a/platform.c 196--- a/platform.c
230+++ b/platform.c 197+++ b/platform.c
231@@ -194,19 +194,3 @@ 198@@ -194,19 +194,3 @@ platform_krb5_get_principal_name(const char *pw_name)
232 return NULL; 199 return NULL;
233 #endif 200 #endif
234 } 201 }
@@ -248,3 +215,52 @@ Index: b/platform.c
248-#endif 215-#endif
249- return 0; 216- return 0;
250-} 217-}
218diff --git a/readconf.c b/readconf.c
219index 2dcbf31..389de7d 100644
220--- a/readconf.c
221+++ b/readconf.c
222@@ -30,6 +30,8 @@
223 #include <stdio.h>
224 #include <string.h>
225 #include <unistd.h>
226+#include <pwd.h>
227+#include <grp.h>
228 #ifdef HAVE_UTIL_H
229 #include <util.h>
230 #endif
231@@ -1160,8 +1162,7 @@ read_config_file(const char *filename, const char *host, Options *options,
232
233 if (fstat(fileno(f), &sb) == -1)
234 fatal("fstat %s: %s", filename, strerror(errno));
235- if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
236- (sb.st_mode & 022) != 0))
237+ if (!secure_permissions(&sb, getuid()))
238 fatal("Bad owner or permissions on %s", filename);
239 }
240
241diff --git a/ssh.1 b/ssh.1
242index 66a7007..0b38ae1 100644
243--- a/ssh.1
244+++ b/ssh.1
245@@ -1338,6 +1338,8 @@ The file format and configuration options are described in
246 .Xr ssh_config 5 .
247 Because of the potential for abuse, this file must have strict permissions:
248 read/write for the user, and not writable by others.
249+It may be group-writable provided that the group in question contains only
250+the user.
251 .Pp
252 .It Pa ~/.ssh/environment
253 Contains additional definitions for environment variables; see
254diff --git a/ssh_config.5 b/ssh_config.5
255index 135d833..1497cfc 100644
256--- a/ssh_config.5
257+++ b/ssh_config.5
258@@ -1382,6 +1382,8 @@ The format of this file is described above.
259 This file is used by the SSH client.
260 Because of the potential for abuse, this file must have strict permissions:
261 read/write for the user, and not accessible by others.
262+It may be group-writable provided that the group in question contains only
263+the user.
264 .It Pa /etc/ssh/ssh_config
265 Systemwide configuration file.
266 This file provides defaults for those