New upstream release (7.5p1)

40 files changed, 294 insertions, 736 deletions

diff --git a/debian/.git-dpm b/debian/.git-dpm
index 6c8df34b8..81a664a6f 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-904bc482ad87648a2c799c441dc6a8449f24e15a
-904bc482ad87648a2c799c441dc6a8449f24e15a
-971a7653746a6972b907dfe0ce139c06e4a6f482
-971a7653746a6972b907dfe0ce139c06e4a6f482
-openssh_7.4p1.orig.tar.gz
-2330bbf82ed08cf3ac70e0acf00186ef3eeb97e0
-1511780
+ec338656a3d6b21bb87f3b6367b232d297f601e5
+ec338656a3d6b21bb87f3b6367b232d297f601e5
+6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874
+6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874
+openssh_7.5p1.orig.tar.gz
+5e8f185d00afb4f4f89801e9b0f8b9cee9d87ebd
+1510857
diff --git a/debian/NEWS b/debian/NEWS
index 77c594c5a..51944d2df 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,26 @@
+openssh (1:7.5p1-1) UNRELEASED; urgency=medium
+
+  OpenSSH 7.5 includes a number of changes that may affect existing
+  configurations:
+
+   * This release deprecates the sshd_config UsePrivilegeSeparation option,
+     thereby making privilege separation mandatory.
+
+   * The format of several log messages emitted by the packet code has
+     changed to include additional information about the user and their
+     authentication state. Software that monitors ssh/sshd logs may need to
+     account for these changes. For example:
+
+       Connection closed by user x 1.1.1.1 port 1234 [preauth]
+       Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
+       Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
+
+     Affected messages include connection closure, timeout, remote
+     disconnection, negotiation failure and some other fatal messages
+     generated by the packet code.
+
+ -- Colin Watson <cjwatson@debian.org>  Sun, 02 Apr 2017 01:31:21 +0100
+
 openssh (1:7.4p1-7) unstable; urgency=medium
 
   This version restores the default for AuthorizedKeysFile to search both
diff --git a/debian/changelog b/debian/changelog
index 7be0100c2..9202f5e3a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,84 @@
+openssh (1:7.5p1-1) UNRELEASED; urgency=medium
+
+  * New upstream release (https://www.openssh.com/txt/release-7.5):
+    - SECURITY: ssh(1), sshd(8): Fix weakness in CBC padding oracle
+      countermeasures that allowed a variant of the attack fixed in OpenSSH
+      7.3 to proceed.  Note that the OpenSSH client disables CBC ciphers by
+      default, sshd offers them as lowest-preference options and will remove
+      them by default entirely in the next release.
+    - This release deprecates the sshd_config UsePrivilegeSeparation option,
+      thereby making privilege separation mandatory (closes: #407754).
+    - The format of several log messages emitted by the packet code has
+      changed to include additional information about the user and their
+      authentication state.  Software that monitors ssh/sshd logs may need
+      to account for these changes.
+    - ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
+      algorithm lists, e.g. Ciphers=-*cbc.
+    - sshd(1): Fix NULL dereference crash when key exchange start messages
+      are sent out of sequence.
+    - ssh(1), sshd(8): Allow form-feed characters to appear in configuration
+      files.
+    - sshd(8): Fix regression in OpenSSH 7.4 support for the server-sig-algs
+      extension, where SHA2 RSA signature methods were not being correctly
+      advertised.
+    - ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
+      known_hosts processing.
+    - ssh(1): Allow ssh to use certificates accompanied by a private key
+      file but no corresponding plain *.pub public key.
+    - ssh(1): When updating hostkeys using the UpdateHostKeys option, accept
+      RSA keys if HostkeyAlgorithms contains any RSA keytype.  Previously,
+      ssh could ignore RSA keys when only the ssh-rsa-sha2-* methods were
+      enabled in HostkeyAlgorithms and not the old ssh-rsa method.
+    - ssh(1): Detect and report excessively long configuration file lines.
+    - Merge a number of fixes found by Coverity and reported via Redhat and
+      FreeBSD.  Includes fixes for some memory and file descriptor leaks in
+      error paths.
+    - ssh(1), sshd(8): When logging long messages to stderr, don't truncate
+      "\r\n" if the length of the message exceeds the buffer.
+    - ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
+      line; avoid confusion over IPv6 addresses and shells that treat square
+      bracket characters specially.
+    - Fix various fallout and sharp edges caused by removing SSH protocol 1
+      support from the server, including the server banner string being
+      incorrectly terminated with only \n (instead of \r\n), confusing error
+      messages from ssh-keyscan, and a segfault in sshd if protocol v.1 was
+      enabled for the client and sshd_config contained references to legacy
+      keys.
+    - ssh(1), sshd(8): Free fd_set on connection timeout.
+    - sftp(1): Fix division by zero crash in "df" output when server returns
+      zero total filesystem blocks/inodes.
+    - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
+      encountered during key loading to more meaningful error codes.
+    - ssh-keygen(1): Sanitise escape sequences in key comments sent to
+      printf but preserve valid UTF-8 when the locale supports it.
+    - ssh(1), sshd(8): Return reason for port forwarding failures where
+      feasible rather than always "administratively prohibited".
+    - sshd(8): Fix deadlock when AuthorizedKeysCommand or
+      AuthorizedPrincipalsCommand produces a lot of output and a key is
+      matched early.
+    - ssh(1): Fix typo in ~C error message for bad port forward
+      cancellation.
+    - ssh(1): Show a useful error message when included config files can't
+      be opened.
+    - sshd_config(5): Repair accidentally-deleted mention of %k token in
+      AuthorizedKeysCommand.
+    - sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM.
+    - ssh-agent(1): Relax PKCS#11 whitelist to include libexec and common
+      32-bit compatibility library directories.
+    - sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
+      response handling.
+    - ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted keys.
+      It was not possible to delete them except by specifying their full
+      physical path.
+    - sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA
+      crypto coprocessor.
+    - sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
+      inspection.
+    - ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that
+      contain non-printable characters where the codeset in use is ASCII.
+
+ -- Colin Watson <cjwatson@debian.org>  Sun, 02 Apr 2017 01:31:21 +0100
+
 openssh (1:7.4p1-10) unstable; urgency=medium
 
   * Move privilege separation directory and PID file from /var/run/ to /run/
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index cf6febf31..6b5653ca7 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
-From b2b04daa38b264f346acd81e08d224dbf33bac5b Mon Sep 17 00:00:00 2001
+From e08f96cf1105a3ee9a23de7102d593443e031e0c Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:02 +0000
 Subject: Quieten logs when multiple from= restrictions are used
@@ -90,18 +90,18 @@ index 52cbb42a..82355276 100644
  void   auth_clear_options(void);
  int    auth_cert_options(struct sshkey *, struct passwd *, const char **);
 diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index 20f3309e..add77136 100644
+index 3e5706f4..6dc5076e 100644
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
 @@ -566,6 +566,7 @@ process_principals(FILE *f, char *file, struct passwd *pw,
         u_long linenum = 0;
-        u_int i;
+        u_int i, found_principal = 0;
  
 +       auth_start_parse_options();
         while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
-                /* Skip leading whitespace. */
-                for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-@@ -764,6 +765,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
+                /* Always consume entire input */
+                if (found_principal)
+@@ -771,6 +772,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
         found_key = 0;
  
         found = NULL;
@@ -109,7 +109,7 @@ index 20f3309e..add77136 100644
         while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                 char *cp, *key_options = NULL, *fp = NULL;
                 const char *reason = NULL;
-@@ -911,6 +913,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
+@@ -921,6 +923,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
         if (key_cert_check_authority(key, 0, 1,
             use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
                 goto fail_reason;
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index a3306e339..1875385e8 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From 7ad6dd01af3f4531ccc8e918bc857738e195fd3d Mon Sep 17 00:00:00 2001
+From 983412e0c80c406705e3c65402868b0d15d8695b Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
  1 file changed, 1 insertion(+)
 
 diff --git a/Makefile.in b/Makefile.in
-index 00a320e1..a6eb81ec 100644
+index 6b774c1a..0577a6c4 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -335,6 +335,7 @@ install-files:
+@@ -339,6 +339,7 @@ install-files:
         $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
         $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
         $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 874728b02..784cdf746 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From 2a1aeb898e4214f98acc210c992d33334e6710dd Mon Sep 17 00:00:00 2001
+From ddf05e4adc7feda2421bdf641bab79b76c1a918e Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
@@ -19,7 +19,7 @@ Patch-Name: debian-banner.patch
  4 files changed, 18 insertions(+), 1 deletion(-)
 
 diff --git a/servconf.c b/servconf.c
-index 49d3bdc8..1cee3d6c 100644
+index ca73f7c5..a391cf4b 100644
 --- a/servconf.c
 +++ b/servconf.c
 @@ -166,6 +166,7 @@ initialize_server_options(ServerOptions *options)
@@ -55,7 +55,7 @@ index 49d3bdc8..1cee3d6c 100644
         { NULL, sBadOption, 0 }
  };
  
-@@ -1860,6 +1865,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1866,6 +1871,10 @@ process_server_config_line(ServerOptions *options, char *line,
                         options->fingerprint_hash = value;
                 break;
  
@@ -80,24 +80,24 @@ index 90dfa4c2..913a21b3 100644
  
  /* Information about the incoming connection as used by Match */
 diff --git a/sshd.c b/sshd.c
-index 49f3a2e5..eebf1984 100644
+index 602f4740..f2f54b51 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -378,7 +378,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
         char remote_version[256];       /* Must be at least as big as buf. */
  
-        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
 -           PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
 +           PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
 +           options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
             *options.version_addendum == '\0' ? "" : " ",
-            options.version_addendum, newline);
+            options.version_addendum);
  
 diff --git a/sshd_config.5 b/sshd_config.5
-index 283ba889..4ea0a9c3 100644
+index 41ec6688..5f316481 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -526,6 +526,11 @@ or
+@@ -530,6 +530,11 @@ or
  .Cm no .
  The default is
  .Cm yes .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index ff3f5f42d..b8483b4e9 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 2b53482aec037f0747198f19e449f51d921acd30 Mon Sep 17 00:00:00 2001
+From 78fc8282e021b0236697caedb612cab78831755f Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -39,10 +39,10 @@ Patch-Name: debian-config.patch
  6 files changed, 77 insertions(+), 9 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index c02cdf63..d1091cbd 100644
+index 70fac682..4d92d174 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1927,7 +1927,7 @@ fill_default_options(Options * options)
+@@ -1950,7 +1950,7 @@ fill_default_options(Options * options)
         if (options->forward_x11 == -1)
                 options->forward_x11 = 0;
         if (options->forward_x11_trusted == -1)
@@ -114,7 +114,7 @@ index 4e879cd2..093c8366 100644
 +    HashKnownHosts yes
 +    GSSAPIAuthentication yes
 diff --git a/ssh_config.5 b/ssh_config.5
-index 8698c28e..26f983a3 100644
+index 093ea8a7..fc13fa51 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
@@ -140,7 +140,7 @@ index 8698c28e..26f983a3 100644
  The file contains keyword-argument pairs, one per line.
  Lines starting with
  .Ql #
-@@ -711,11 +727,12 @@ elapsed.
+@@ -715,11 +731,12 @@ elapsed.
  .It Cm ForwardX11Trusted
  If this option is set to
  .Cm yes ,
@@ -155,7 +155,7 @@ index 8698c28e..26f983a3 100644
  from stealing or tampering with data belonging to trusted X11
  clients.
 diff --git a/sshd_config b/sshd_config
-index 00e5a728..13cbe2c6 100644
+index c01dd656..f68edf36 100644
 --- a/sshd_config
 +++ b/sshd_config
 @@ -58,8 +58,9 @@ AuthorizedKeysFile    .ssh/authorized_keys
@@ -190,7 +190,7 @@ index 00e5a728..13cbe2c6 100644
  #PrintLastLog yes
  #TCPKeepAlive yes
  #UseLogin no
-@@ -110,8 +111,11 @@ AuthorizedKeysFile .ssh/authorized_keys
+@@ -109,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys
  # no default banner path
  #Banner none
  
@@ -204,7 +204,7 @@ index 00e5a728..13cbe2c6 100644
  # Example of overriding settings on a per-user basis
  #Match User anoncvs
 diff --git a/sshd_config.5 b/sshd_config.5
-index e45a8937..703a9cdd 100644
+index 603c2ba7..cc5d9fb0 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -57,6 +57,28 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 2e2f9610d..8f1f9bada 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From c1248ea6dcbbf5702d65efc1750763f66a97ba19 Mon Sep 17 00:00:00 2001
+From 1e06dfb99d3a59ef0b0a804ed1c2a590b3fab71c Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 814d8ad7b..7af55869b 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From 87e480b4f405f3249d7f8a912849eb6263456353 Mon Sep 17 00:00:00 2001
+From 0d5ad9fa8d9270ddaaed964edac35b99e7eed067 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
  1 file changed, 3 insertions(+)
 
 diff --git a/ssh_config.5 b/ssh_config.5
-index 0483a1ee..8698c28e 100644
+index a04e5757..093ea8a7 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -805,6 +805,9 @@ Note that existing names and addresses in known hosts files
+@@ -809,6 +809,9 @@ Note that existing names and addresses in known hosts files
  will not be converted automatically,
  but may be manually hashed using
  .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index 14d6ff88d..37e9b09d6 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
-From 7ea8a3c1e0c2ff4998b3fe3caaaba8ff42e513ff Mon Sep 17 00:00:00 2001
+From d35329b23dd567076999470e346f49ef6e56f367 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:12 +0000
 Subject: Refer to ssh's Upstart job as well as its init script
@@ -12,7 +12,7 @@ Patch-Name: doc-upstart.patch
  1 file changed, 4 insertions(+), 1 deletion(-)
 
 diff --git a/sshd.8 b/sshd.8
-index e6915141..38a72540 100644
+index 6355178f..dd4b8fc3 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -65,7 +65,10 @@ over an insecure network.
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 1558dbd8f..079169d5f 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 0327e9b3a5f6d1e945f1f028e742e14cf5823962 Mon Sep 17 00:00:00 2001
+From abf7f03362e0cc4855355a7b7c9b76b6963a75cd Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 7196d16b6..c74926dc6 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 48fbb156bdc676fb6ba6817770e4e971fbf85b1f Mon Sep 17 00:00:00 2001
+From d51c7ac3328464dec21514fb398ab5c140a0664f Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -43,9 +43,9 @@ Patch-Name: gssapi.patch
  monitor.h        |   3 +
  monitor_wrap.c   |  47 +++++++-
  monitor_wrap.h   |   4 +-
- readconf.c       |  42 +++++++
+ readconf.c       |  43 +++++++
  readconf.h       |   5 +
- servconf.c       |  28 ++++-
+ servconf.c       |  26 +++++
  servconf.h       |   2 +
  ssh-gss.h        |  41 ++++++-
  ssh_config       |   2 +
@@ -56,7 +56,7 @@ Patch-Name: gssapi.patch
  sshd_config.5    |  10 ++
  sshkey.c         |   3 +-
  sshkey.h         |   1 +
- 35 files changed, 2062 insertions(+), 148 deletions(-)
+ 35 files changed, 2062 insertions(+), 147 deletions(-)
  create mode 100644 ChangeLog.gssapi
  create mode 100644 kexgssc.c
  create mode 100644 kexgsss.c
@@ -181,7 +181,7 @@ index 00000000..f117a336
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <gssapi-with-mic support is Bugzilla #1008>
 diff --git a/Makefile.in b/Makefile.in
-index e10f3742..00a320e1 100644
+index 5870e9e6..6b774c1a 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -454,7 +454,7 @@ index 1ca83577..3b5036df 100644
         "gssapi-with-mic",
         userauth_gssapi,
 diff --git a/auth2.c b/auth2.c
-index 9108b861..ce0d3760 100644
+index 97dd2ef0..946e9235 100644
 --- a/auth2.c
 +++ b/auth2.c
 @@ -70,6 +70,7 @@ extern Authmethod method_passwd;
@@ -592,7 +592,7 @@ index 26d62855..0cadc9f1 100644
  int             get_peer_port(int);
  char           *get_local_ipaddr(int);
 diff --git a/clientloop.c b/clientloop.c
-index 4289a408..99c68b69 100644
+index 06481623..38b0330e 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -113,6 +113,10 @@
@@ -627,10 +627,10 @@ index 4289a408..99c68b69 100644
                 client_process_net_input(readset);
  
 diff --git a/config.h.in b/config.h.in
-index 75e02ab4..afe540e9 100644
+index b65420e4..fd8a73f1 100644
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1667,6 +1667,9 @@
+@@ -1670,6 +1670,9 @@
  /* Use btmp to log bad logins */
  #undef USE_BTMP
  
@@ -640,7 +640,7 @@ index 75e02ab4..afe540e9 100644
  /* Use libedit for sftp */
  #undef USE_LIBEDIT
  
-@@ -1682,6 +1685,9 @@
+@@ -1685,6 +1688,9 @@
  /* Use PIPES instead of a socketpair() */
  #undef USE_PIPES
  
@@ -651,7 +651,7 @@ index 75e02ab4..afe540e9 100644
  #undef USE_SOLARIS_PRIVS
  
 diff --git a/configure.ac b/configure.ac
-index eb9f45dc..5fdc696c 100644
+index c2878e3d..ead34acf 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -623,6 +623,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -1433,7 +1433,7 @@ index 53993d67..2e27cbf9 100644
  
  #endif
 diff --git a/kex.c b/kex.c
-index 6a94bc53..d8708684 100644
+index cf4ac0dc..556a32e9 100644
 --- a/kex.c
 +++ b/kex.c
 @@ -54,6 +54,10 @@
@@ -1473,7 +1473,7 @@ index 6a94bc53..d8708684 100644
         return NULL;
  }
  
-@@ -597,6 +613,9 @@ kex_free(struct kex *kex)
+@@ -605,6 +621,9 @@ kex_free(struct kex *kex)
         sshbuf_free(kex->peer);
         sshbuf_free(kex->my);
         free(kex->session_id);
@@ -2168,7 +2168,7 @@ index 00000000..38ca082b
 +}
 +#endif /* GSSAPI */
 diff --git a/monitor.c b/monitor.c
-index 43f48470..76d9e346 100644
+index 96d22b7e..506645c7 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
@@ -2199,7 +2199,7 @@ index 43f48470..76d9e346 100644
  #ifdef WITH_OPENSSL
      {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
  #endif
-@@ -301,6 +310,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+@@ -302,6 +311,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
         /* Permit requests for moduli and signatures */
         monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
         monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2210,7 +2210,7 @@ index 43f48470..76d9e346 100644
  
         /* The first few requests do not require asynchronous access */
         while (!authenticated) {
-@@ -400,6 +413,10 @@ monitor_child_postauth(struct monitor *pmonitor)
+@@ -402,6 +415,10 @@ monitor_child_postauth(struct monitor *pmonitor)
         monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
         monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
         monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2221,7 +2221,7 @@ index 43f48470..76d9e346 100644
  
         if (!no_pty_flag) {
                 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
-@@ -1601,6 +1618,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
+@@ -1606,6 +1623,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
  # endif
  #endif /* WITH_OPENSSL */
                 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2235,7 +2235,7 @@ index 43f48470..76d9e346 100644
                 kex->load_host_public_key=&get_hostkey_public_by_type;
                 kex->load_host_private_key=&get_hostkey_private_by_type;
                 kex->host_key_index=&get_hostkey_index;
-@@ -1680,8 +1704,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
+@@ -1685,8 +1709,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
         OM_uint32 major;
         u_int len;
  
@@ -2246,7 +2246,7 @@ index 43f48470..76d9e346 100644
  
         goid.elements = buffer_get_string(m, &len);
         goid.length = len;
-@@ -1710,8 +1734,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -1715,8 +1739,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
         OM_uint32 flags = 0; /* GSI needs this */
         u_int len;
  
@@ -2257,7 +2257,7 @@ index 43f48470..76d9e346 100644
  
         in.value = buffer_get_string(m, &len);
         in.length = len;
-@@ -1730,6 +1754,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -1735,6 +1759,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2265,7 +2265,7 @@ index 43f48470..76d9e346 100644
         }
         return (0);
  }
-@@ -1741,8 +1766,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
+@@ -1746,8 +1771,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
         OM_uint32 ret;
         u_int len;
  
@@ -2276,7 +2276,7 @@ index 43f48470..76d9e346 100644
  
         gssbuf.value = buffer_get_string(m, &len);
         gssbuf.length = len;
-@@ -1770,10 +1795,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -1775,10 +1800,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
  {
         int authenticated;
  
@@ -2291,7 +2291,7 @@ index 43f48470..76d9e346 100644
  
         buffer_clear(m);
         buffer_put_int(m, authenticated);
-@@ -1786,5 +1812,76 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -1791,5 +1817,76 @@ mm_answer_gss_userok(int sock, Buffer *m)
         /* Monitor loop will terminate if authenticated */
         return (authenticated);
  }
@@ -2463,7 +2463,7 @@ index db5902f5..8f9dd896 100644
  
  #ifdef USE_PAM
 diff --git a/readconf.c b/readconf.c
-index fa3fab8f..7902ef26 100644
+index 9d59493f..00d9cc30 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -160,6 +160,8 @@ typedef enum {
@@ -2475,8 +2475,8 @@ index fa3fab8f..7902ef26 100644
         oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
         oSendEnv, oControlPath, oControlMaster, oControlPersist,
         oHashKnownHosts,
-@@ -205,10 +207,19 @@ static struct {
-        { "afstokenpassing", oUnsupported },
+@@ -196,10 +198,20 @@ static struct {
+        /* Sometimes-unsupported options */
  #if defined(GSSAPI)
         { "gssapiauthentication", oGssAuthentication },
 +       { "gssapikeyexchange", oGssKeyEx },
@@ -2485,17 +2485,18 @@ index fa3fab8f..7902ef26 100644
 +       { "gssapiclientidentity", oGssClientIdentity },
 +       { "gssapiserveridentity", oGssServerIdentity },
 +       { "gssapirenewalforcesrekey", oGssRenewalRekey },
- #else
+ # else
         { "gssapiauthentication", oUnsupported },
 +       { "gssapikeyexchange", oUnsupported },
         { "gssapidelegatecredentials", oUnsupported },
 +       { "gssapitrustdns", oUnsupported },
 +       { "gssapiclientidentity", oUnsupported },
++       { "gssapiserveridentity", oUnsupported },
 +       { "gssapirenewalforcesrekey", oUnsupported },
  #endif
-        { "fallbacktorsh", oDeprecated },
-        { "usersh", oDeprecated },
-@@ -961,10 +972,30 @@ parse_time:
+ #ifdef ENABLE_PKCS11
+        { "smartcarddevice", oPKCS11Provider },
+@@ -973,10 +985,30 @@ parse_time:
                 intptr = &options->gss_authentication;
                 goto parse_flag;
  
@@ -2526,7 +2527,7 @@ index fa3fab8f..7902ef26 100644
         case oBatchMode:
                 intptr = &options->batch_mode;
                 goto parse_flag;
-@@ -1776,7 +1807,12 @@ initialize_options(Options * options)
+@@ -1798,7 +1830,12 @@ initialize_options(Options * options)
         options->pubkey_authentication = -1;
         options->challenge_response_authentication = -1;
         options->gss_authentication = -1;
@@ -2539,7 +2540,7 @@ index fa3fab8f..7902ef26 100644
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->kbd_interactive_devices = NULL;
-@@ -1920,8 +1956,14 @@ fill_default_options(Options * options)
+@@ -1942,8 +1979,14 @@ fill_default_options(Options * options)
                 options->challenge_response_authentication = 1;
         if (options->gss_authentication == -1)
                 options->gss_authentication = 0;
@@ -2572,7 +2573,7 @@ index cef55f71..fd3d7c75 100644
                                                  * authentication. */
         int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 diff --git a/servconf.c b/servconf.c
-index 795ddbab..14c81fa9 100644
+index 56b83165..d796b7c8 100644
 --- a/servconf.c
 +++ b/servconf.c
 @@ -113,8 +113,10 @@ initialize_server_options(ServerOptions *options)
@@ -2595,8 +2596,7 @@ index 795ddbab..14c81fa9 100644
         if (options->gss_cleanup_creds == -1)
                 options->gss_cleanup_creds = 1;
         if (options->gss_strict_acceptor == -1)
--               options->gss_strict_acceptor = 0;
-+               options->gss_strict_acceptor = 1;
+                options->gss_strict_acceptor = 1;
 +       if (options->gss_store_rekey == -1)
 +               options->gss_store_rekey = 0;
         if (options->password_authentication == -1)
@@ -2631,7 +2631,7 @@ index 795ddbab..14c81fa9 100644
         { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
         { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1207,6 +1222,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1217,6 +1232,10 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->gss_authentication;
                 goto parse_flag;
  
@@ -2642,7 +2642,7 @@ index 795ddbab..14c81fa9 100644
         case sGssCleanupCreds:
                 intptr = &options->gss_cleanup_creds;
                 goto parse_flag;
-@@ -1215,6 +1234,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1225,6 +1244,10 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->gss_strict_acceptor;
                 goto parse_flag;
  
@@ -2653,7 +2653,7 @@ index 795ddbab..14c81fa9 100644
         case sPasswordAuthentication:
                 intptr = &options->password_authentication;
                 goto parse_flag;
-@@ -2248,7 +2271,10 @@ dump_config(ServerOptions *o)
+@@ -2250,7 +2273,10 @@ dump_config(ServerOptions *o)
  #endif
  #ifdef GSSAPI
         dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2796,10 +2796,10 @@ index 90fb63f0..4e879cd2 100644
  #   CheckHostIP yes
  #   AddressFamily any
 diff --git a/ssh_config.5 b/ssh_config.5
-index 591365f3..a7703fc7 100644
+index 532745b2..ec60273e 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -748,10 +748,42 @@ The default is
+@@ -752,10 +752,42 @@ The default is
  Specifies whether user authentication based on GSSAPI is allowed.
  The default is
  .Cm no .
@@ -2843,7 +2843,7 @@ index 591365f3..a7703fc7 100644
  Indicates that
  .Xr ssh 1
 diff --git a/sshconnect2.c b/sshconnect2.c
-index 103a2b36..c35a0bd5 100644
+index f8a54bee..5743c2c4 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
 @@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -2892,8 +2892,8 @@ index 103a2b36..c35a0bd5 100644
 +#endif
 +
         if (options.rekey_limit || options.rekey_interval)
-                packet_set_rekey_limits((u_int32_t)options.rekey_limit,
-                    (time_t)options.rekey_interval);
+                packet_set_rekey_limits(options.rekey_limit,
+                    options.rekey_interval);
 @@ -213,15 +247,41 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
  # endif
  #endif
@@ -3060,7 +3060,7 @@ index 103a2b36..c35a0bd5 100644
  
  int
 diff --git a/sshd.c b/sshd.c
-index 1dc4d182..0970f297 100644
+index 010a2c38..20a7a5f3 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -123,6 +123,10 @@
@@ -3083,7 +3083,7 @@ index 1dc4d182..0970f297 100644
                 ssh_gssapi_prepare_supported_oids();
  #endif
  
-@@ -1705,10 +1709,13 @@ main(int ac, char **av)
+@@ -1719,10 +1723,13 @@ main(int ac, char **av)
                     key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
                 free(fp);
         }
@@ -3097,7 +3097,7 @@ index 1dc4d182..0970f297 100644
  
         /*
          * Load certificates. They are stored in an array at identical
-@@ -1978,6 +1985,60 @@ main(int ac, char **av)
+@@ -1992,6 +1999,60 @@ main(int ac, char **av)
             remote_ip, remote_port, laddr,  ssh_local_port(ssh));
         free(laddr);
  
@@ -3158,7 +3158,7 @@ index 1dc4d182..0970f297 100644
         /*
          * We don't want to listen forever unless the other side
          * successfully authenticates itself.  So we set up an alarm which is
-@@ -2159,6 +2220,48 @@ do_ssh2_kex(void)
+@@ -2173,6 +2234,48 @@ do_ssh2_kex(void)
         myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
             list_hostkey_types());
  
@@ -3207,7 +3207,7 @@ index 1dc4d182..0970f297 100644
         /* start key exchange */
         if ((r = kex_setup(active_state, myproposal)) != 0)
                 fatal("kex_setup: %s", ssh_err(r));
-@@ -2176,6 +2279,13 @@ do_ssh2_kex(void)
+@@ -2190,6 +2293,13 @@ do_ssh2_kex(void)
  # endif
  #endif
         kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -3222,7 +3222,7 @@ index 1dc4d182..0970f297 100644
         kex->client_version_string=client_version_string;
         kex->server_version_string=server_version_string;
 diff --git a/sshd_config b/sshd_config
-index 9f09e4a6..00e5a728 100644
+index 4eb2e02e..c01dd656 100644
 --- a/sshd_config
 +++ b/sshd_config
 @@ -70,6 +70,8 @@ AuthorizedKeysFile    .ssh/authorized_keys
@@ -3235,10 +3235,10 @@ index 9f09e4a6..00e5a728 100644
  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
 diff --git a/sshd_config.5 b/sshd_config.5
-index 32b29d24..dd765b39 100644
+index ac6ccc79..3f819c76 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -623,6 +623,11 @@ The default is
+@@ -627,6 +627,11 @@ The default is
  Specifies whether user authentication based on GSSAPI is allowed.
  The default is
  .Cm no .
@@ -3250,7 +3250,7 @@ index 32b29d24..dd765b39 100644
  .It Cm GSSAPICleanupCredentials
  Specifies whether to automatically destroy the user's credentials cache
  on logout.
-@@ -642,6 +647,11 @@ machine's default store.
+@@ -646,6 +651,11 @@ machine's default store.
  This facility is provided to assist with operation on multi homed machines.
  The default is
  .Cm yes .
@@ -3263,10 +3263,10 @@ index 32b29d24..dd765b39 100644
  Specifies the key types that will be accepted for hostbased authentication
  as a comma-separated pattern list.
 diff --git a/sshkey.c b/sshkey.c
-index c01da6c3..377d72fa 100644
+index 53a7674b..54001989 100644
 --- a/sshkey.c
 +++ b/sshkey.c
-@@ -114,6 +114,7 @@ static const struct keytype keytypes[] = {
+@@ -116,6 +116,7 @@ static const struct keytype keytypes[] = {
  #  endif /* OPENSSL_HAS_NISTP521 */
  # endif /* OPENSSL_HAS_ECC */
  #endif /* WITH_OPENSSL */
@@ -3274,17 +3274,17 @@ index c01da6c3..377d72fa 100644
         { NULL, NULL, -1, -1, 0, 0 }
  };
  
-@@ -202,7 +203,7 @@ sshkey_alg_list(int certs_only, int plain_only, char sep)
+@@ -204,7 +205,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
         const struct keytype *kt;
  
         for (kt = keytypes; kt->type != -1; kt++) {
--               if (kt->name == NULL || kt->sigonly)
-+               if (kt->name == NULL || kt->sigonly || kt->type == KEY_NULL)
+-               if (kt->name == NULL)
++               if (kt->name == NULL || kt->type == KEY_NULL)
                         continue;
-                if ((certs_only && !kt->cert) || (plain_only && kt->cert))
+                if (!include_sigonly && kt->sigonly)
                         continue;
 diff --git a/sshkey.h b/sshkey.h
-index f3936384..7eb2a139 100644
+index 1b9e42f4..f91e4a08 100644
 --- a/sshkey.h
 +++ b/sshkey.h
 @@ -62,6 +62,7 @@ enum sshkey_types {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 59b39cd84..8748ac286 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From 9078d9722d24a42b8f86621d20a6a6b42ba18d37 Mon Sep 17 00:00:00 2001
+From 74415628b380db26961259a25dcc47c4f02e8703 Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
  3 files changed, 34 insertions(+), 4 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index c1c3aae0..3efba242 100644
+index 32a72957..0b1370a8 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -173,6 +173,7 @@ typedef enum {
@@ -37,7 +37,7 @@ index c1c3aae0..3efba242 100644
         oIgnoredUnknownOption, oDeprecated, oUnsupported
  } OpCodes;
  
-@@ -308,6 +309,8 @@ static struct {
+@@ -321,6 +322,8 @@ static struct {
         { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
         { "ignoreunknown", oIgnoreUnknown },
         { "proxyjump", oProxyJump },
@@ -46,7 +46,7 @@ index c1c3aae0..3efba242 100644
  
         { NULL, oBadOption }
  };
-@@ -1402,6 +1405,8 @@ parse_keytypes:
+@@ -1417,6 +1420,8 @@ parse_keytypes:
                 goto parse_flag;
  
         case oServerAliveInterval:
@@ -55,7 +55,7 @@ index c1c3aae0..3efba242 100644
                 intptr = &options->server_alive_interval;
                 goto parse_time;
  
-@@ -2047,8 +2052,13 @@ fill_default_options(Options * options)
+@@ -2070,8 +2075,13 @@ fill_default_options(Options * options)
                 options->rekey_interval = 0;
         if (options->verify_host_key_dns == -1)
                 options->verify_host_key_dns = 0;
@@ -72,7 +72,7 @@ index c1c3aae0..3efba242 100644
                 options->server_alive_count_max = 3;
         if (options->control_master == -1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index a7703fc7..a0457314 100644
+index ec60273e..e4eaa5ae 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -250,8 +250,12 @@ Valid arguments are
@@ -89,7 +89,7 @@ index a7703fc7..a0457314 100644
  The argument must be
  .Cm yes
  or
-@@ -1485,7 +1489,14 @@ from the server,
+@@ -1509,7 +1513,14 @@ from the server,
  will send a message through the encrypted
  channel to request a response from the server.
  The default
@@ -105,7 +105,7 @@ index a7703fc7..a0457314 100644
  .It Cm StreamLocalBindMask
  Sets the octal file creation mode mask
  .Pq umask
-@@ -1544,6 +1555,12 @@ Specifies whether the system should send TCP keepalive messages to the
+@@ -1568,6 +1579,12 @@ Specifies whether the system should send TCP keepalive messages to the
  other side.
  If they are sent, death of the connection or crash of one
  of the machines will be properly noticed.
@@ -119,10 +119,10 @@ index a7703fc7..a0457314 100644
  connections will die if the route is down temporarily, and some people
  find it annoying.
 diff --git a/sshd_config.5 b/sshd_config.5
-index dd765b39..283ba889 100644
+index 3f819c76..41ec6688 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1427,6 +1427,9 @@ This avoids infinitely hanging sessions.
+@@ -1447,6 +1447,9 @@ This avoids infinitely hanging sessions.
  .Pp
  To disable TCP keepalive messages, the value should be set to
  .Cm no .
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 4d27c68ab..f2274cb7f 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From 360c4ebd14706887879f1c6d542cd092afffb07b Mon Sep 17 00:00:00 2001
+From 315c5a460b33d076edc27a41b0e790ea73cc3b9d Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -13,7 +13,7 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
  1 file changed, 7 insertions(+), 1 deletion(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 698a0711..1cc556e8 100644
+index 7f169a8f..66c495f4 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
 @@ -1080,9 +1080,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
diff --git a/debian/patches/no-dsa-host-key-by-default.patch b/debian/patches/no-dsa-host-key-by-default.patch
index bfe6033b1..b20cb22d5 100644
--- a/debian/patches/no-dsa-host-key-by-default.patch
+++ b/debian/patches/no-dsa-host-key-by-default.patch
@@ -1,4 +1,4 @@
-From 3f1016b4535faf6e48aa71e21569aa714a25193f Mon Sep 17 00:00:00 2001
+From 417f561eac9f391661ad23a27f1d711f56566176 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Mon, 16 Jan 2017 13:53:04 +0000
 Subject: Remove ssh_host_dsa_key from HostKey default
@@ -19,7 +19,7 @@ Patch-Name: no-dsa-host-key-by-default.patch
  4 files changed, 6 insertions(+), 11 deletions(-)
 
 diff --git a/servconf.c b/servconf.c
-index 1cee3d6c..202c4506 100644
+index a391cf4b..1a7a5f18 100644
 --- a/servconf.c
 +++ b/servconf.c
 @@ -204,8 +204,6 @@ fill_default_server_options(ServerOptions *options)
@@ -32,7 +32,7 @@ index 1cee3d6c..202c4506 100644
                 options->host_key_files[options->num_host_key_files++] =
                     _PATH_HOST_ECDSA_KEY_FILE;
 diff --git a/sshd.8 b/sshd.8
-index 38a72540..e8f1fde8 100644
+index dd4b8fc3..79a7e080 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -167,11 +167,10 @@ This option must be given if
@@ -51,7 +51,7 @@ index 38a72540..e8f1fde8 100644
  the different host key algorithms.
  .It Fl i
 diff --git a/sshd_config b/sshd_config
-index 13cbe2c6..4aea6c72 100644
+index f68edf36..92822959 100644
 --- a/sshd_config
 +++ b/sshd_config
 @@ -16,7 +16,6 @@
@@ -63,10 +63,10 @@ index 13cbe2c6..4aea6c72 100644
  #HostKey /etc/ssh/ssh_host_ed25519_key
  
 diff --git a/sshd_config.5 b/sshd_config.5
-index 703a9cdd..8f8fbb66 100644
+index cc5d9fb0..0747cc8b 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -733,11 +733,10 @@ is not to load any certificates.
+@@ -741,11 +741,10 @@ is not to load any certificates.
  Specifies a file containing a private host key
  used by SSH.
  The defaults are
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index b1c045643..0c12e2acf 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From 48c127fe8f40037d0f33efa8da19cb32514b440e Mon Sep 17 00:00:00 2001
+From 3ccc29568299d597b2753a4a04ad082814b9c8e8 Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <kurt@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 9a7edf949..94574e321 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From 4badfe75ad62ee50394afa9aaac62b3465fd384e Mon Sep 17 00:00:00 2001
+From 22fa108c15a43eb80d5fa7114208ab813019954e Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
@@ -103,7 +103,7 @@ index feef81a5..b1f128c2 100644
  .Pp
  The file
 diff --git a/sshd.8 b/sshd.8
-index c6784602..e6915141 100644
+index 989dd4bf..6355178f 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -65,7 +65,7 @@ over an insecure network.
@@ -133,7 +133,7 @@ index c6784602..e6915141 100644
  .Xr sshd_config 5 ,
  .Xr inetd 8 ,
 diff --git a/sshd_config.5 b/sshd_config.5
-index 4ea0a9c3..e45a8937 100644
+index 5f316481..603c2ba7 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -372,8 +372,7 @@ then no banner is displayed.
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index fcc231fc9..1a1036fa8 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From c89c88a0bcada4616262e3d7d9b165aca709927b Mon Sep 17 00:00:00 2001
+From 8f127a3c84d2eae8d1fb5529887c880c22c5cf75 Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
@@ -19,7 +19,7 @@ Patch-Name: package-versioning.patch
  3 files changed, 9 insertions(+), 4 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 1cc556e8..c64c51bb 100644
+index 66c495f4..120f0945 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
 @@ -526,10 +526,10 @@ send_client_banner(int connection_out, int minor1)
@@ -36,24 +36,24 @@ index 1cc556e8..c64c51bb 100644
         if (atomicio(vwrite, connection_out, client_version_string,
             strlen(client_version_string)) != strlen(client_version_string))
 diff --git a/sshd.c b/sshd.c
-index 9aab36c3..49f3a2e5 100644
+index 9221632e..602f4740 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -378,7 +378,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
         char remote_version[256];       /* Must be at least as big as buf. */
  
-        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+        xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
 -           PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
 +           PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
             *options.version_addendum == '\0' ? "" : " ",
-            options.version_addendum, newline);
+            options.version_addendum);
  
 diff --git a/version.h b/version.h
-index 269ebcda..850a2f7d 100644
+index c86e2097..f4d8b13a 100644
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_7.4"
+ #define SSH_VERSION    "OpenSSH_7.5"
  
  #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index c19fc46fe..55dd37fb9 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
-From 71809791262478c78d1db2ca1004604c39db8150 Mon Sep 17 00:00:00 2001
+From 980646a9f7f03b43b678272b2a56e30906c6ddec Mon Sep 17 00:00:00 2001
 From: Peter Samuelson <peter@p12n.org>
 Date: Sun, 9 Feb 2014 16:09:55 +0000
 Subject: Reduce severity of "Killed by signal %d"
@@ -22,7 +22,7 @@ Patch-Name: quieter-signals.patch
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/clientloop.c b/clientloop.c
-index 99c68b69..5876cc9a 100644
+index 38b0330e..06845280 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -1755,8 +1755,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
diff --git a/debian/patches/regress-forwarding-race.patch b/debian/patches/regress-forwarding-race.patch
deleted file mode 100644
index f1a535fb2..000000000
--- a/debian/patches/regress-forwarding-race.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From 166f04046035ffca27c820649df360eaa5dd1b99 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@debian.org>
-Date: Mon, 2 Jan 2017 14:55:16 +0000
-Subject: Fix race conditions in forwarding tests
-
-The forwarding tests sometimes seem to fail in a way that suggests ports
-are in use even though they shouldn't be.  Convert more of them to use a
-mux socket rather than relying on sleeps in the hope that that makes
-behaviour more consistent.
-
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2659
-Patch-Name: regress-forwarding-race.patch
-
-Last-Update: 2017-01-02
----
- regress/forwarding.sh | 32 +++++++++++++++++++-------------
- 1 file changed, 19 insertions(+), 13 deletions(-)
-
-diff --git a/regress/forwarding.sh b/regress/forwarding.sh
-index 2539db9b..a1a4b13f 100644
---- a/regress/forwarding.sh
-+++ b/regress/forwarding.sh
-@@ -11,7 +11,6 @@ base=33
- last=$PORT
- fwd=""
- CTL=$OBJ/ctl-sock
--rm -f $CTL
- 
- for j in 0 1 2; do
-        for i in 0 1 2; do
-@@ -29,7 +28,8 @@ for p in ${SSH_PROTOCOLS}; do
-                q=$p
-        fi
-        trace "start forwarding, fork to background"
--       ${SSH} -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10
-+       rm -f $CTL
-+       ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10
- 
-        trace "transfer over forwarded channels and check result"
-        ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
-@@ -37,7 +37,7 @@ for p in ${SSH_PROTOCOLS}; do
-        test -s ${COPY}         || fail "failed copy of ${DATA}"
-        cmp ${DATA} ${COPY}     || fail "corrupted copy of ${DATA}"
- 
--       sleep 10
-+       ${SSH} -S $CTL -O exit somehost
- done
- 
- for p in ${SSH_PROTOCOLS}; do
-@@ -75,7 +75,8 @@ for p in ${SSH_PROTOCOLS}; do
-        ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
- 
-        trace "clear local forward proto $p"
--       ${SSH} -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
-+       rm -f $CTL
-+       ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
-            -oClearAllForwardings=yes somehost sleep 10
-        if [ $? != 0 ]; then
-                fail "connection failed with cleared local forwarding"
-@@ -85,10 +86,11 @@ for p in ${SSH_PROTOCOLS}; do
-                     >>$TEST_REGRESS_LOGFILE 2>&1 && \
-                        fail "local forwarding not cleared"
-        fi
--       sleep 10
-+       ${SSH} -S $CTL -O exit somehost
-        
-        trace "clear remote forward proto $p"
--       ${SSH} -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
-+       rm -f $CTL
-+       ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
-            -oClearAllForwardings=yes somehost sleep 10
-        if [ $? != 0 ]; then
-                fail "connection failed with cleared remote forwarding"
-@@ -98,7 +100,7 @@ for p in ${SSH_PROTOCOLS}; do
-                     >>$TEST_REGRESS_LOGFILE 2>&1 && \
-                        fail "remote forwarding not cleared"
-        fi
--       sleep 10
-+       ${SSH} -S $CTL -O exit somehost
- done
- 
- for p in 2; do
-@@ -115,6 +117,7 @@ echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config
- echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config
- for p in ${SSH_PROTOCOLS}; do
-        trace "config file: start forwarding, fork to background"
-+       rm -f $CTL
-        ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f somehost sleep 10
- 
-        trace "config file: transfer over forwarded channels and check result"
-@@ -129,15 +132,18 @@ done
- for p in 2; do
-        trace "transfer over chained unix domain socket forwards and check result"
-        rm -f $OBJ/unix-[123].fwd
--       ${SSH} -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10
--       ${SSH} -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10
--       ${SSH} -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10
--       ${SSH} -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10
-+       rm -f $CTL $CTL.[123]
-+       ${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10
-+       ${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10
-+       ${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10
-+       ${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10
-        ${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \
-                somehost cat ${DATA} > ${COPY}
-        test -s ${COPY}                 || fail "failed copy ${DATA}"
-        cmp ${DATA} ${COPY}             || fail "corrupted copy of ${DATA}"
- 
--       #wait
--       sleep 10
-+       ${SSH} -S $CTL -O exit somehost
-+       ${SSH} -S $CTL.1 -O exit somehost
-+       ${SSH} -S $CTL.2 -O exit somehost
-+       ${SSH} -S $CTL.3 -O exit somehost
- done
diff --git a/debian/patches/regress-integrity-robust.patch b/debian/patches/regress-integrity-robust.patch
index 651a7a88e..2c515e317 100644
--- a/debian/patches/regress-integrity-robust.patch
+++ b/debian/patches/regress-integrity-robust.patch
@@ -1,4 +1,4 @@
-From 7ce93c802065cd926e7cbfd10e629f3a2d352301 Mon Sep 17 00:00:00 2001
+From c210daa1ae77904f57478315e75af3f82a5d69f2 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 1 Jan 2017 15:21:10 +0000
 Subject: Make integrity tests more robust against timeouts
@@ -12,31 +12,14 @@ Patch-Name: regress-integrity-robust.patch
 
 Last-Update: 2017-01-01
 ---
- regress/integrity.sh | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
+ regress/integrity.sh | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/regress/integrity.sh b/regress/integrity.sh
-index 39d310de..fd7d58bc 100644
+index 1df2924f..ed378337 100644
 --- a/regress/integrity.sh
 +++ b/regress/integrity.sh
-@@ -5,8 +5,6 @@ tid="integrity"
- cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
- 
- # start at byte 2900 (i.e. after kex) and corrupt at different offsets
--# XXX the test hangs if we modify the low bytes of the packet length
--# XXX and ssh tries to read...
- tries=10
- startoffset=2900
- macs=`${SSH} -Q mac`
-@@ -27,6 +25,7 @@ for m in $macs; do
-        elen=0
-        epad=0
-        emac=0
-+       etmo=0
-        ecnt=0
-        skip=0
-        for off in `jot $tries $startoffset`; do
-@@ -61,14 +60,16 @@ for m in $macs; do
+@@ -60,14 +60,16 @@ for m in $macs; do
                 Corrupted?MAC* | *message?authentication?code?incorrect*)
                                 emac=`expr $emac + 1`; skip=0;;
                 padding*)       epad=`expr $epad + 1`; skip=0;;
diff --git a/debian/patches/regress-mktemp.patch b/debian/patches/regress-mktemp.patch
deleted file mode 100644
index f5cfde1e8..000000000
--- a/debian/patches/regress-mktemp.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-From 6ca09916439a58f0789deb79960ee5defc05a946 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@debian.org>
-Date: Tue, 3 Jan 2017 12:09:42 +0000
-Subject: Create mux socket for regress in temp directory
-
-In some setups, creating the socket under OBJ may result in a path that
-is too long for a Unix domain socket.  Add a helper to let us portably
-create a temporary directory instead.
-
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2660
-Last-Update: 2017-01-03
-
-Patch-Name: regress-mktemp.patch
----
- Makefile.in           |  5 +++++
- regress/forwarding.sh |  3 ++-
- regress/mkdtemp.c     | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++
- regress/multiplex.sh  |  3 ++-
- regress/test-exec.sh  | 11 ++++++++++
- 5 files changed, 79 insertions(+), 2 deletions(-)
- create mode 100644 regress/mkdtemp.c
-
-diff --git a/Makefile.in b/Makefile.in
-index a6eb81ec..a00347e2 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -459,6 +459,10 @@ regress/check-perm$(EXEEXT): $(srcdir)/regress/check-perm.c $(REGRESSLIBS)
-        $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/check-perm.c \
-        $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
- 
-+regress/mkdtemp$(EXEEXT): $(srcdir)/regress/mkdtemp.c $(REGRESSLIBS)
-+       $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/mkdtemp.c \
-+       $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-+
- UNITTESTS_TEST_HELPER_OBJS=\
-        regress/unittests/test_helper/test_helper.o \
-        regress/unittests/test_helper/fuzz.o
-@@ -557,6 +561,7 @@ regress-binaries: regress/modpipe$(EXEEXT) \
-        regress/setuid-allowed$(EXEEXT) \
-        regress/netcat$(EXEEXT) \
-        regress/check-perm$(EXEEXT) \
-+       regress/mkdtemp$(EXEEXT) \
-        regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
-        regress/unittests/sshkey/test_sshkey$(EXEEXT) \
-        regress/unittests/bitmap/test_bitmap$(EXEEXT) \
-diff --git a/regress/forwarding.sh b/regress/forwarding.sh
-index a1a4b13f..592de7bc 100644
---- a/regress/forwarding.sh
-+++ b/regress/forwarding.sh
-@@ -10,7 +10,8 @@ start_sshd
- base=33
- last=$PORT
- fwd=""
--CTL=$OBJ/ctl-sock
-+make_tmpdir
-+CTL=$TMP/ctl-sock
- 
- for j in 0 1 2; do
-        for i in 0 1 2; do
-diff --git a/regress/mkdtemp.c b/regress/mkdtemp.c
-new file mode 100644
-index 00000000..8c7d2e21
---- /dev/null
-+++ b/regress/mkdtemp.c
-@@ -0,0 +1,59 @@
-+/*
-+ * Copyright (c) 2017 Colin Watson <cjwatson@debian.org>
-+ *
-+ * Permission to use, copy, modify, and distribute this software for any
-+ * purpose with or without fee is hereby granted, provided that the above
-+ * copyright notice and this permission notice appear in all copies.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ */
-+
-+/* Roughly equivalent to "mktemp -d -t TEMPLATE", but portable. */
-+
-+#include "includes.h"
-+
-+#include <limits.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+
-+#include "log.h"
-+
-+static void
-+usage(void)
-+{
-+       fprintf(stderr, "mkdtemp template\n");
-+       exit(1);
-+}
-+
-+int
-+main(int argc, char **argv)
-+{
-+       const char *base;
-+       const char *tmpdir;
-+       char template[PATH_MAX];
-+       int r;
-+       char *dir;
-+
-+       if (argc != 2)
-+               usage();
-+       base = argv[1];
-+
-+       if ((tmpdir = getenv("TMPDIR")) == NULL)
-+               tmpdir = "/tmp";
-+       r = snprintf(template, sizeof(template), "%s/%s", tmpdir, base);
-+       if (r < 0 || (size_t)r >= sizeof(template))
-+               fatal("template string too long");
-+       dir = mkdtemp(template);
-+       if (dir == NULL) {
-+               perror("mkdtemp");
-+               exit(1);
-+       }
-+       puts(dir);
-+       return 0;
-+}
-diff --git a/regress/multiplex.sh b/regress/multiplex.sh
-index acb9234d..0ac4065e 100644
---- a/regress/multiplex.sh
-+++ b/regress/multiplex.sh
-@@ -1,7 +1,8 @@
- #      $OpenBSD: multiplex.sh,v 1.27 2014/12/22 06:14:29 djm Exp $
- #      Placed in the Public Domain.
- 
--CTL=/tmp/openssh.regress.ctl-sock.$$
-+make_tmpdir
-+CTL=$TMP/ctl-sock
- 
- tid="connection multiplexing"
- 
-diff --git a/regress/test-exec.sh b/regress/test-exec.sh
-index bfa48803..13a8e18f 100644
---- a/regress/test-exec.sh
-+++ b/regress/test-exec.sh
-@@ -317,6 +317,14 @@ stop_sshd ()
-        fi
- }
- 
-+TMP=
-+
-+make_tmpdir ()
-+{
-+       TMP="$($OBJ/mkdtemp openssh-regress-XXXXXXXXXXXX)" || \
-+           fatal "failed to create temporary directory"
-+}
-+
- # helper
- cleanup ()
- {
-@@ -327,6 +335,9 @@ cleanup ()
-                        kill $SSH_PID
-                fi
-        fi
-+       if [ "x$TMP" != "x" ]; then
-+               rm -rf "$TMP"
-+       fi
-        stop_sshd
- }
- 
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index 86da09c7e..4aec2ddc9 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
-From e18d2ba71e6bf009c53e65509da84b712c300471 Mon Sep 17 00:00:00 2001
+From ec338656a3d6b21bb87f3b6367b232d297f601e5 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 5 Mar 2017 02:02:11 +0000
 Subject: Restore reading authorized_keys2 by default
@@ -18,7 +18,7 @@ Patch-Name: restore-authorized_keys2.patch
  1 file changed, 2 insertions(+), 3 deletions(-)
 
 diff --git a/sshd_config b/sshd_config
-index 4aea6c72..bcf3ac17 100644
+index 92822959..a32dc1d4 100644
 --- a/sshd_config
 +++ b/sshd_config
 @@ -36,9 +36,8 @@
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index ec958d3ab..67711c5f8 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From 5488e924267d7a845fb86a0b6b4db1e340799a5a Mon Sep 17 00:00:00 2001
+From 9d91ede3c03c99b6584038aa07d095d7c277ad3a Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 7 Oct 2014 13:22:41 +0100
 Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
  3 files changed, 89 insertions(+)
 
 diff --git a/configure.ac b/configure.ac
-index 5fdc696c..4747ce4a 100644
+index ead34acf..a92425db 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
+@@ -1494,6 +1494,62 @@ AC_ARG_WITH([skey],
         ]
  )
  
@@ -94,16 +94,16 @@ index 5fdc696c..4747ce4a 100644
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -5105,6 +5161,7 @@ echo "                 KerberosV support: $KRB5_MSG"
+@@ -5117,6 +5173,7 @@ echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
  echo "                 Smartcard support: $SCARD_MSG"
  echo "                     S/KEY support: $SKEY_MSG"
 +echo "              TCP Wrappers support: $TCPW_MSG"
  echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
- echo "  Solaris process contract support: $SPC_MSG"
+ echo "                   libldns support: $LDNS_MSG"
 diff --git a/sshd.8 b/sshd.8
-index 41fc5051..c6784602 100644
+index 7725a692..989dd4bf 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -825,6 +825,12 @@ the user's home directory becomes accessible.
@@ -128,7 +128,7 @@ index 41fc5051..c6784602 100644
  .Xr moduli 5 ,
  .Xr sshd_config 5 ,
 diff --git a/sshd.c b/sshd.c
-index 0970f297..72d85de1 100644
+index 20a7a5f3..38cf9b49 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -127,6 +127,13 @@
@@ -145,7 +145,7 @@ index 0970f297..72d85de1 100644
  /* Re-exec fds */
  #define REEXEC_DEVCRYPTO_RESERVED_FD   (STDERR_FILENO + 1)
  #define REEXEC_STARTUP_PIPE_FD         (STDERR_FILENO + 2)
-@@ -1978,6 +1985,24 @@ main(int ac, char **av)
+@@ -1992,6 +1999,24 @@ main(int ac, char **av)
  #ifdef SSH_AUDIT_EVENTS
         audit_connection_from(remote_ip, remote_port);
  #endif
diff --git a/debian/patches/sandbox-x32-workaround.patch b/debian/patches/sandbox-x32-workaround.patch
deleted file mode 100644
index 340363de9..000000000
--- a/debian/patches/sandbox-x32-workaround.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 8c1a0893f0e55a793071af9734d2fa2eb1f3a2a6 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@debian.org>
-Date: Tue, 3 Jan 2017 14:01:56 +0000
-Subject: Work around clock_gettime kernel bug on Linux x32
-
-On Linux x32, the clock_gettime VDSO currently falls back to the x86-64
-syscall, so allow that as well as its x32 sibling.
-
-Bug-Debian: https://bugs.debian.org/849923
-Forwarded: no
-Last-Update: 2017-01-03
-
-Patch-Name: sandbox-x32-workaround.patch
----
- sandbox-seccomp-filter.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 2e1ed2c5..62c578d3 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -137,6 +137,15 @@ static const struct sock_filter preauth_insns[] = {
- #endif
- #ifdef __NR_clock_gettime
-        SC_ALLOW(clock_gettime),
-+# if defined(__x86_64__) && defined(__ILP32__)
-+       /* On Linux x32, the clock_gettime VDSO currently falls back to the
-+        * x86-64 syscall (see https://bugs.debian.org/849923), so allow
-+        * that too.
-+        */
-+       BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K,
-+           __NR_clock_gettime & ~__X32_SYSCALL_BIT, 0, 1),
-+       BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
-+# endif
- #endif
- #ifdef __NR_close
-        SC_ALLOW(close),
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index f318c49fb..f48709864 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From cfc11fb9604f8049957a409ff0835f642a047496 Mon Sep 17 00:00:00 2001
+From 17d18d2f87eaa6c781356a78800ee17ccd12218b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 98be50fad..ae83d23b0 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From a01822fe1c50668ef7918dfd28b1c7e88ff16254 Mon Sep 17 00:00:00 2001
+From e5d3ea2ca423a54b1d53d45252cb7173a15600eb Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -43,11 +43,11 @@ index 338a62da..8c658d16 100644
         char            *info;          /* Extra info for next auth_log */
  #ifdef BSD_AUTH
 diff --git a/auth2.c b/auth2.c
-index ce0d3760..461311bd 100644
+index 946e9235..2f51be23 100644
 --- a/auth2.c
 +++ b/auth2.c
-@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
- {
+@@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+        struct ssh *ssh = active_state; /* XXX */
         Authctxt *authctxt = ctxt;
         Authmethod *m = NULL;
 -       char *user, *service, *method, *style = NULL;
@@ -55,7 +55,7 @@ index ce0d3760..461311bd 100644
         int authenticated = 0;
  
         if (authctxt == NULL)
-@@ -228,8 +228,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
         debug("userauth-request for user %s service %s method %s", user, service, method);
         debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
  
@@ -69,7 +69,7 @@ index ce0d3760..461311bd 100644
  
         if (authctxt->attempt++ == 0) {
                 /* setup auth context */
-@@ -253,8 +258,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -257,8 +262,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                     use_privsep ? " [net]" : "");
                 authctxt->service = xstrdup(service);
                 authctxt->style = style ? xstrdup(style) : NULL;
@@ -81,7 +81,7 @@ index ce0d3760..461311bd 100644
                 if (auth2_setup_methods_lists(authctxt) != 0)
                         packet_disconnect("no authentication methods enabled");
 diff --git a/monitor.c b/monitor.c
-index 76d9e346..64286a12 100644
+index 506645c7..7452e20e 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
@@ -100,7 +100,7 @@ index 76d9e346..64286a12 100644
      {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
      {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
  #ifdef USE_PAM
-@@ -786,6 +788,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
+@@ -791,6 +793,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
  
         /* Allow service/style information on the auth context */
         monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -108,7 +108,7 @@ index 76d9e346..64286a12 100644
         monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
  
  #ifdef USE_PAM
-@@ -816,14 +819,37 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -821,14 +824,37 @@ mm_answer_authserv(int sock, Buffer *m)
  
         authctxt->service = buffer_get_string(m, NULL);
         authctxt->style = buffer_get_string(m, NULL);
@@ -148,7 +148,7 @@ index 76d9e346..64286a12 100644
         return (0);
  }
  
-@@ -1458,7 +1484,7 @@ mm_answer_pty(int sock, Buffer *m)
+@@ -1463,7 +1489,7 @@ mm_answer_pty(int sock, Buffer *m)
         res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
         if (res == 0)
                 goto error;
@@ -426,7 +426,7 @@ index 98e1dafe..0a31dce4 100644
                        const char *value);
  
 diff --git a/sshd.c b/sshd.c
-index 72d85de1..9aab36c3 100644
+index 38cf9b49..9221632e 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt)
diff --git a/debian/patches/series b/debian/patches/series
index c5fc81486..52a8f50b1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -25,12 +25,5 @@ sigstop.patch
 systemd-readiness.patch
 debian-config.patch
 regress-integrity-robust.patch
-regress-forwarding-race.patch
-regress-mktemp.patch
-sandbox-x32-workaround.patch
 no-dsa-host-key-by-default.patch
 restore-authorized_keys2.patch
-ssh-keygen-hash-corruption.patch
-ssh-keyscan-hash-port.patch
-ssh-keygen-null-deref.patch
-unbreak-unix-forwarding-for-root.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index c263dd7f1..1fecd756e 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From 5ec0d5f79166a7e2aeab5c7f13d64bb08c4621bd Mon Sep 17 00:00:00 2001
+From ce9a126fdaa8ef6488364107cc66d04ecabc8cc4 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,7 +16,7 @@ Patch-Name: shell-path.patch
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 96b91ce1..698a0711 100644
+index 948b638a..7f169a8f 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
 @@ -231,7 +231,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index fa4d0a8cc..43d3937e5 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
-From 218ecbc433b69b8584000380626a9d9aa31c095b Mon Sep 17 00:00:00 2001
+From a91715df66fc2a0b7792e87a864c334f4cb15043 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:17 +0000
 Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -13,10 +13,10 @@ Patch-Name: sigstop.patch
  1 file changed, 10 insertions(+)
 
 diff --git a/sshd.c b/sshd.c
-index eebf1984..b6826c84 100644
+index f2f54b51..a2ca2d3e 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1878,6 +1878,16 @@ main(int ac, char **av)
+@@ -1892,6 +1892,16 @@ main(int ac, char **av)
                         }
                 }
  
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index b14ec01d4..472eb2fa7 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From 0ae30d0171b789953318670ac8679127ddfb3cd1 Mon Sep 17 00:00:00 2001
+From 583919799c3946c5fa89f8907349c1443639b6bd Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 7fbaa25dd..b637b7bda 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From e39339d49d1b05e1db45c6420d7e6da29cf483dc Mon Sep 17 00:00:00 2001
+From dce48f6795b6f0b1d4c2e069f26a21419ba4d575 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
diff --git a/debian/patches/ssh-keygen-hash-corruption.patch b/debian/patches/ssh-keygen-hash-corruption.patch
deleted file mode 100644
index 7ef3c637c..000000000
--- a/debian/patches/ssh-keygen-hash-corruption.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 78800aa252da1ebbfb55f7e593f43c337e694cc3 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Fri, 3 Mar 2017 06:13:11 +0000
-Subject: upstream commit
-
-fix ssh-keygen -H accidentally corrupting known_hosts that
-contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by
-hostkeys_foreach() when hostname matching is in use, so we need to look for
-the hash marker explicitly.
-
-Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528
-
-Origin: https://anongit.mindrot.org/openssh.git/commit/?id=12d3767ba4c84c32150cbe6ff6494498780f12c9
-Bug-Debian: https://bugs.debian.org/851734
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1668093
-Last-Update: 2017-03-09
-
-Patch-Name: ssh-keygen-hash-corruption.patch
----
- ssh-keygen.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 2a7939bf..0833ee61 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -1082,6 +1082,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
-        struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
-        char *hashed, *cp, *hosts, *ohosts;
-        int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);
-+       int was_hashed = l->hosts[0] == HASH_DELIM;
- 
-        switch (l->status) {
-        case HKF_STATUS_OK:
-@@ -1090,8 +1091,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
-                 * Don't hash hosts already already hashed, with wildcard
-                 * characters or a CA/revocation marker.
-                 */
--               if ((l->match & HKF_MATCH_HOST_HASHED) != 0 ||
--                   has_wild || l->marker != MRK_NONE) {
-+               if (was_hashed || has_wild || l->marker != MRK_NONE) {
-                        fprintf(ctx->out, "%s\n", l->line);
-                        if (has_wild && !find_host) {
-                                logit("%s:%ld: ignoring host name "
diff --git a/debian/patches/ssh-keygen-null-deref.patch b/debian/patches/ssh-keygen-null-deref.patch
deleted file mode 100644
index 0220d7c66..000000000
--- a/debian/patches/ssh-keygen-null-deref.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 35b2ea77a74348b575d680061f35ec7992b26ec8 Mon Sep 17 00:00:00 2001
-From: "dtucker@openbsd.org" <dtucker@openbsd.org>
-Date: Mon, 6 Mar 2017 02:03:20 +0000
-Subject: upstream commit
-
-Check l->hosts before dereferencing; fixes potential null
-pointer deref. ok djm@
-
-Upstream-ID: 81c0327c6ec361da794b5c680601195cc23d1301
-
-Origin: https://anongit.mindrot.org/openssh.git/commit/?id=18501151cf272a15b5f2c5e777f2e0933633c513
-Last-Update: 2017-03-16
-
-Patch-Name: ssh-keygen-null-deref.patch
----
- ssh-keygen.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 0833ee61..a7c1e80b 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -1082,7 +1082,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
-        struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
-        char *hashed, *cp, *hosts, *ohosts;
-        int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);
--       int was_hashed = l->hosts[0] == HASH_DELIM;
-+       int was_hashed = l->hosts && l->hosts[0] == HASH_DELIM;
- 
-        switch (l->status) {
-        case HKF_STATUS_OK:
diff --git a/debian/patches/ssh-keyscan-hash-port.patch b/debian/patches/ssh-keyscan-hash-port.patch
deleted file mode 100644
index 32a2f6a01..000000000
--- a/debian/patches/ssh-keyscan-hash-port.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From a0f9daa9c3cc2b37b9707b228263eb717d201371 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Fri, 10 Mar 2017 03:18:24 +0000
-Subject: upstream commit
-
-correctly hash hosts with a port number. Reported by Josh
-Powers in bz#2692; ok dtucker@
-
-Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442
-
-Origin: https://anongit.mindrot.org/openssh.git/commit/?id=8a2834454c73dfc1eb96453c0e97690595f3f4c2
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2692
-Bug-Debian: https://bugs.debian.org/857736
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1670745
-Last-Update: 2017-03-14
-
-Patch-Name: ssh-keyscan-hash-port.patch
----
- ssh-keyscan.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/ssh-keyscan.c b/ssh-keyscan.c
-index c30d54e6..24b51ff1 100644
---- a/ssh-keyscan.c
-+++ b/ssh-keyscan.c
-@@ -321,16 +321,17 @@ keygrab_ssh2(con *c)
- }
- 
- static void
--keyprint_one(char *host, struct sshkey *key)
-+keyprint_one(const char *host, struct sshkey *key)
- {
-        char *hostport;
--
--       if (hash_hosts && (host = host_hash(host, NULL, 0)) == NULL)
--               fatal("host_hash failed");
-+       const char *known_host, *hashed;
- 
-        hostport = put_host_port(host, ssh_port);
-+       if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL)
-+               fatal("host_hash failed");
-+       known_host = hash_hosts ? hashed : hostport;
-        if (!get_cert)
--               fprintf(stdout, "%s ", hostport);
-+               fprintf(stdout, "%s ", known_host);
-        sshkey_write(key, stdout);
-        fputs("\n", stdout);
-        free(hostport);
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index fbe64336b..d8f4ec973 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From ffecece153b7caedf997dccf17747633675631fd Mon Sep 17 00:00:00 2001
+From fb7c3c37876359b7a110e1386a6b7887cd2c8ca2 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,19 +17,19 @@ Patch-Name: ssh-vulnkey-compat.patch
  2 files changed, 2 insertions(+)
 
 diff --git a/readconf.c b/readconf.c
-index 7902ef26..c1c3aae0 100644
+index 00d9cc30..32a72957 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -194,6 +194,7 @@ static struct {
-        { "passwordauthentication", oPasswordAuthentication },
-        { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
-        { "kbdinteractivedevices", oKbdInteractiveDevices },
+@@ -186,6 +186,7 @@ static struct {
+        { "fallbacktorsh", oDeprecated },
+        { "globalknownhostsfile2", oDeprecated },
+        { "rhostsauthentication", oDeprecated },
 +       { "useblacklistedkeys", oDeprecated },
-        { "rsaauthentication", oRSAAuthentication },
-        { "pubkeyauthentication", oPubkeyAuthentication },
-        { "dsaauthentication", oPubkeyAuthentication },             /* alias */
+        { "userknownhostsfile2", oDeprecated },
+        { "useroaming", oDeprecated },
+        { "usersh", oDeprecated },
 diff --git a/servconf.c b/servconf.c
-index 14c81fa9..49d3bdc8 100644
+index d796b7c8..ca73f7c5 100644
 --- a/servconf.c
 +++ b/servconf.c
 @@ -521,6 +521,7 @@ static struct {
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 7a4839c03..3f012c99c 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From f4d9efefeae948e1e00212bf9702245c3c51c8c5 Mon Sep 17 00:00:00 2001
+From b5695a565e466477305d2ae0059b09e94ae6f44e Mon Sep 17 00:00:00 2001
 From: Jonathan David Amery <jdamery@ysolde.ucam.org>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
@@ -21,7 +21,7 @@ Patch-Name: syslog-level-silent.patch
  2 files changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/log.c b/log.c
-index 2b59c427..ffc8ffbb 100644
+index d0f86cf6..0e515e26 100644
 --- a/log.c
 +++ b/log.c
 @@ -93,6 +93,7 @@ static struct {
@@ -33,7 +33,7 @@ index 2b59c427..ffc8ffbb 100644
         { "FATAL",      SYSLOG_LEVEL_FATAL },
         { "ERROR",      SYSLOG_LEVEL_ERROR },
 diff --git a/ssh.c b/ssh.c
-index ee0b16dc..39609e79 100644
+index 32b27bbc..b65f35ac 100644
 --- a/ssh.c
 +++ b/ssh.c
 @@ -1167,7 +1167,7 @@ main(int ac, char **av)
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 6c8cf9b6d..1d7a14168 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
-From 0fd4134a3ef467e1e69db5b19b7903cf306ec64b Mon Sep 17 00:00:00 2001
+From bd5c1cc302550e4caf8c3a6942f48a784f347b58 Mon Sep 17 00:00:00 2001
 From: Michael Biebl <biebl@debian.org>
 Date: Mon, 21 Dec 2015 16:08:47 +0000
 Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
  2 files changed, 33 insertions(+)
 
 diff --git a/configure.ac b/configure.ac
-index 4747ce4a..9f59794b 100644
+index a92425db..9d89bc35 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4364,6 +4364,29 @@ AC_ARG_WITH([kerberos5],
+@@ -4376,6 +4376,29 @@ AC_ARG_WITH([kerberos5],
  AC_SUBST([GSSLIBS])
  AC_SUBST([K5LIBS])
  
@@ -47,7 +47,7 @@ index 4747ce4a..9f59794b 100644
  # Looking for programs, paths and files
  
  PRIVSEP_PATH=/var/empty
-@@ -5167,6 +5190,7 @@ echo "                   libedit support: $LIBEDIT_MSG"
+@@ -5180,6 +5203,7 @@ echo "                   libldns support: $LDNS_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
  echo "           Solaris project support: $SP_MSG"
  echo "         Solaris privilege support: $SPP_MSG"
@@ -56,7 +56,7 @@ index 4747ce4a..9f59794b 100644
  echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
  echo "                  BSD Auth support: $BSD_AUTH_MSG"
 diff --git a/sshd.c b/sshd.c
-index b6826c84..027daa9d 100644
+index a2ca2d3e..8996e0e8 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -85,6 +85,10 @@
@@ -70,7 +70,7 @@ index b6826c84..027daa9d 100644
  #include "xmalloc.h"
  #include "ssh.h"
  #include "ssh2.h"
-@@ -1888,6 +1892,11 @@ main(int ac, char **av)
+@@ -1902,6 +1906,11 @@ main(int ac, char **av)
                         unsetenv("SSH_SIGSTOP");
                 }
  
diff --git a/debian/patches/unbreak-unix-forwarding-for-root.patch b/debian/patches/unbreak-unix-forwarding-for-root.patch
deleted file mode 100644
index 8408a118a..000000000
--- a/debian/patches/unbreak-unix-forwarding-for-root.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 904bc482ad87648a2c799c441dc6a8449f24e15a Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Wed, 4 Jan 2017 05:37:40 +0000
-Subject: upstream commit
-
-unbreak Unix domain socket forwarding for root; ok
-markus@
-
-Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
-
-Origin: https://anongit.mindrot.org/openssh.git/commit/?id=51045869fa084cdd016fdd721ea760417c0a3bf3
-Bug-Debian: https://bugs.debian.org/858252
-Last-Update: 2017-03-30
-
-Patch-Name: unbreak-unix-forwarding-for-root.patch
----
- serverloop.c | 19 ++++++++++++-------
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/serverloop.c b/serverloop.c
-index c4e4699d..c55d203b 100644
---- a/serverloop.c
-+++ b/serverloop.c
-@@ -468,6 +468,10 @@ server_request_direct_streamlocal(void)
-        Channel *c = NULL;
-        char *target, *originator;
-        u_short originator_port;
-+       struct passwd *pw = the_authctxt->pw;
-+
-+       if (pw == NULL || !the_authctxt->valid)
-+               fatal("server_input_global_request: no/invalid user");
- 
-        target = packet_get_string(NULL);
-        originator = packet_get_string(NULL);
-@@ -480,7 +484,7 @@ server_request_direct_streamlocal(void)
-        /* XXX fine grained permissions */
-        if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
-            !no_port_forwarding_flag && !options.disable_forwarding &&
--           use_privsep) {
-+           (pw->pw_uid == 0 || use_privsep)) {
-                c = channel_connect_to_path(target,
-                    "direct-streamlocal@openssh.com", "direct-streamlocal");
-        } else {
-@@ -702,6 +706,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
-        int want_reply;
-        int r, success = 0, allocated_listen_port = 0;
-        struct sshbuf *resp = NULL;
-+       struct passwd *pw = the_authctxt->pw;
-+
-+       if (pw == NULL || !the_authctxt->valid)
-+               fatal("server_input_global_request: no/invalid user");
- 
-        rtype = packet_get_string(NULL);
-        want_reply = packet_get_char();
-@@ -709,12 +717,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
- 
-        /* -R style forwarding */
-        if (strcmp(rtype, "tcpip-forward") == 0) {
--               struct passwd *pw;
-                struct Forward fwd;
- 
--               pw = the_authctxt->pw;
--               if (pw == NULL || !the_authctxt->valid)
--                       fatal("server_input_global_request: no/invalid user");
-                memset(&fwd, 0, sizeof(fwd));
-                fwd.listen_host = packet_get_string(NULL);
-                fwd.listen_port = (u_short)packet_get_int();
-@@ -762,9 +766,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
-                /* check permissions */
-                if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
-                    || no_port_forwarding_flag || options.disable_forwarding ||
--                   !use_privsep) {
-+                   (pw->pw_uid != 0 && !use_privsep)) {
-                        success = 0;
--                       packet_send_debug("Server has disabled port forwarding.");
-+                       packet_send_debug("Server has disabled "
-+                           "streamlocal forwarding.");
-                } else {
-                        /* Start listening on the socket */
-                        success = channel_setup_remote_fwd_listener(
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 2e32f9d76..17e7126ca 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From c20ad02ad58a523c6f4974e1ca124e71b7b801b1 Mon Sep 17 00:00:00 2001
+From 0b9c0482cbff9ce16384e4247d955676d4d77df3 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
@@ -86,7 +86,7 @@ index c6390687..90390724 100644
                             "bad ownership or modes for directory %s", buf);
                         return -1;
 diff --git a/misc.c b/misc.c
-index 65c9222a..bf9153a6 100644
+index cfd32729..6e972f56 100644
 --- a/misc.c
 +++ b/misc.c
 @@ -51,8 +51,9 @@
@@ -108,7 +108,7 @@ index 65c9222a..bf9153a6 100644
  
  /* remove newline at end of string */
  char *
-@@ -708,6 +710,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
+@@ -713,6 +715,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
         return -1;
  }
  
@@ -218,10 +218,10 @@ index cd7bf566..380ee3a4 100644
 -       return 0;
 -}
 diff --git a/readconf.c b/readconf.c
-index 3efba242..c02cdf63 100644
+index 0b1370a8..70fac682 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1752,8 +1752,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
+@@ -1773,8 +1773,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
  
                 if (fstat(fileno(f), &sb) == -1)
                         fatal("fstat %s: %s", filename, strerror(errno));
@@ -245,10 +245,10 @@ index 4011c65a..feef81a5 100644
  .It Pa ~/.ssh/environment
  Contains additional definitions for environment variables; see
 diff --git a/ssh_config.5 b/ssh_config.5
-index a0457314..0483a1ee 100644
+index e4eaa5ae..a04e5757 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1803,6 +1803,8 @@ The format of this file is described above.
+@@ -1827,6 +1827,8 @@ The format of this file is described above.
  This file is used by the SSH client.
  Because of the potential for abuse, this file must have strict permissions:
  read/write for the user, and not accessible by others.