New upstream release (8.1p1)

35 files changed, 319 insertions, 434 deletions

diff --git a/debian/.git-dpm b/debian/.git-dpm
index 6b01a8e76..27dfe06fe 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,12 +1,12 @@
 # see git-dpm(1) from git-dpm package
-ceefaa8ee80b63c0890d24c42369dc51880f53ea
-ceefaa8ee80b63c0890d24c42369dc51880f53ea
-102062f825fb26a74295a1c089c00c4c4c76b68a
-102062f825fb26a74295a1c089c00c4c4c76b68a
-openssh_8.0p1.orig.tar.gz
-756dbb99193f9541c9206a667eaa27b0fa184a4f
-1597697
+efef12825b9582c1710da3b7e50135870963d4f4
+efef12825b9582c1710da3b7e50135870963d4f4
+4213eec74e74de6310c27a40c3e9759a08a73996
+4213eec74e74de6310c27a40c3e9759a08a73996
+openssh_8.1p1.orig.tar.gz
+c44b96094869f177735ae053d92bd5fcab1319de
+1625894
 debianTag="debian/%e%%%V"
 patchedTag="patched/%e%%%V"
 upstreamTag="upstream/%U"
-signature:a287987d9d505aaa8a89e693920f14b9b9e27a5f:683:openssh_8.0p1.orig.tar.gz.asc
+signature:8b241dee85731fb19e57622f160a4326da52a7a7:683:openssh_8.1p1.orig.tar.gz.asc
diff --git a/debian/NEWS b/debian/NEWS
index 9c9bd7e78..17ec2c1be 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,16 @@
+openssh (1:8.1p1-1) UNRELEASED; urgency=medium
+
+  OpenSSH 8.1 includes a number of changes that may affect existing
+  configurations:
+
+   * ssh-keygen(1): when acting as a CA and signing certificates with an RSA
+     key, default to using the rsa-sha2-512 signature algorithm.
+     Certificates signed by RSA keys will therefore be incompatible with
+     OpenSSH versions prior to 7.2 unless the default is overridden (using
+     "ssh-keygen -t ssh-rsa -s ...").
+
+ -- Colin Watson <cjwatson@debian.org>  Wed, 09 Oct 2019 23:18:42 +0100
+
 openssh (1:8.0p1-1) experimental; urgency=medium
 
   OpenSSH 8.0 includes a number of changes that may affect existing
diff --git a/debian/changelog b/debian/changelog
index 58b1f45e2..9f799969b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,83 @@
+openssh (1:8.1p1-1) UNRELEASED; urgency=medium
+
+  * New upstream release (https://www.openssh.com/txt/release-8.1):
+    - ssh(1), sshd(8), ssh-agent(1): Add protection for private keys at rest
+      in RAM against speculation and memory side-channel attacks like
+      Spectre, Meltdown and Rambleed.  This release encrypts private keys
+      when they are not in use with a symmetric key that is derived from a
+      relatively large "prekey" consisting of random data (currently 16KB).
+    - ssh(1): Allow %n to be expanded in ProxyCommand strings.
+    - ssh(1), sshd(8): Allow prepending a list of algorithms to the default
+      set by starting the list with the '^' character, e.g.
+      "HostKeyAlgorithms ^ssh-ed25519".
+    - ssh-keygen(1): Add an experimental lightweight signature and
+      verification ability.  Signatures may be made using regular ssh keys
+      held on disk or stored in a ssh-agent and verified against an
+      authorized_keys-like list of allowed keys.  Signatures embed a
+      namespace that prevents confusion and attacks between different usage
+      domains (e.g. files vs email).
+    - ssh-keygen(1): Print key comment when extracting public key from a
+      private key.
+    - ssh-keygen(1): Accept the verbose flag when searching for host keys in
+      known hosts (i.e. "ssh-keygen -vF host") to print the matching host's
+      random-art signature too.
+    - All: Support PKCS8 as an optional format for storage of private keys
+      to disk.  The OpenSSH native key format remains the default, but PKCS8
+      is a superior format to PEM if interoperability with non-OpenSSH
+      software is required, as it may use a less insecure key derivation
+      function than PEM's.
+    - ssh(1): If a PKCS#11 token returns no keys then try to login and
+      refetch them.
+    - ssh(1): Produce a useful error message if the user's shell is set
+      incorrectly during "match exec" processing.
+    - sftp(1): Allow the maximum uint32 value for the argument passed to -b
+      which allows better error messages from later validation.
+    - ssh-keyscan(1): Include SHA2-variant RSA key algorithms in KEX
+      proposal; allows ssh-keyscan to harvest keys from servers that disable
+      old SHA1 ssh-rsa.
+    - sftp(1): Print explicit "not modified" message if a file was requested
+      for resumed download but was considered already complete.
+    - sftp(1): Fix a typo and make <esc><right> move right to the closest
+      end of a word just like <esc><left> moves left to the closest
+      beginning of a word.
+    - sshd(8): Cap the number of permitopen/permitlisten directives allowed
+      to appear on a single authorized_keys line.
+    - All: Fix a number of memory leaks (one-off or on exit paths).
+    - ssh(1), sshd(8): Check for convtime() refusing to accept times that
+      resolve to LONG_MAX.
+    - ssh(1): Slightly more instructive error message when the user
+      specifies multiple -J options on the command-line (closes: #929669).
+    - ssh-agent(1): Process agent requests for RSA certificate private keys
+      using correct signature algorithm when requested.
+    - sftp(1): Check for user@host when parsing sftp target.  This allows
+      user@[1.2.3.4] to work without a path.
+    - sshd(8): Enlarge format buffer size for certificate serial number so
+      the log message can record any 64-bit integer without truncation.
+    - sshd(8): For PermitOpen violations add the remote host and port to be
+      able to more easily ascertain the source of the request.  Add the same
+      logging for PermitListen violations which were not previously logged
+      at all.
+    - scp(1), sftp(1): Use the correct POSIX format style for left
+      justification for the transfer progress meter.
+    - sshd(8): When examining a configuration using sshd -T, assume any
+      attribute not provided by -C does not match, which allows it to work
+      when sshd_config contains a Match directive with or without -C.
+    - ssh(1), ssh-keygen(1): Downgrade PKCS#11 "provider returned no slots"
+      warning from log level error to debug.  This is common when attempting
+      to enumerate keys on smartcard readers with no cards plugged in.
+    - ssh(1), ssh-keygen(1): Do not unconditionally log in to PKCS#11
+      tokens.  Avoids spurious PIN prompts for keys not selected for
+      authentication in ssh(1) and when listing public keys available in a
+      token using ssh-keygen(1).
+    - ssh(1), sshd(8): Fix typo that prevented detection of Linux VRF.
+    - sshd(8): In the Linux seccomp-bpf sandbox, allow mprotect(2) with
+      PROT_(READ|WRITE|NONE) only.  This syscall is used by some hardened
+      heap allocators.
+    - sshd(8): In the Linux seccomp-bpf sandbox, allow the s390-specific
+      ioctl for ECC hardware support.
+
+ -- Colin Watson <cjwatson@debian.org>  Wed, 09 Oct 2019 23:18:42 +0100
+
 openssh (1:8.0p1-7) unstable; urgency=medium
 
   [ Daniel Kahn Gillmor ]
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index d70269813..01f1bf35c 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From df7d113a48bd33e42754ee5e83d3cda84cc219f9 Mon Sep 17 00:00:00 2001
+From 7febe5a4b6bcb94d887ac1fe22e8a1742ffb609f Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
  1 file changed, 1 insertion(+)
 
 diff --git a/Makefile.in b/Makefile.in
-index c31821acc..0960a6a03 100644
+index ab29e4f05..9b8a42c1e 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -357,6 +357,7 @@ install-files:
+@@ -362,6 +362,7 @@ install-files:
         $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
         $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
         $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch
index 3eaac8054..25c16526b 100644
--- a/debian/patches/conch-old-privkey-format.patch
+++ b/debian/patches/conch-old-privkey-format.patch
@@ -1,4 +1,4 @@
-From a20835ce2f9899305421bc478ba29d6524e89433 Mon Sep 17 00:00:00 2001
+From 46352085d71fe406537828a1cee3c2ce896eccb9 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Thu, 30 Aug 2018 00:58:56 +0100
 Subject: Work around conch interoperability failure
@@ -8,7 +8,7 @@ Twisted Conch fails to read private keys in the new format
 can be fixed in Twisted.
 
 Forwarded: not-needed
-Last-Update: 2019-06-14
+Last-Update: 2019-10-09
 
 Patch-Name: conch-old-privkey-format.patch
 ---
@@ -18,20 +18,20 @@ Patch-Name: conch-old-privkey-format.patch
  3 files changed, 14 insertions(+), 2 deletions(-)
 
 diff --git a/regress/Makefile b/regress/Makefile
-index 781400fd0..491a3a46a 100644
+index 34c47e8cb..17e0a06e8 100644
 --- a/regress/Makefile
 +++ b/regress/Makefile
-@@ -114,7 +114,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
+@@ -119,7 +119,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
                 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
                 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
-                sftp-server.sh sftp.log ssh-log-wrapper.sh \
+                sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
 -               ssh-rsa_oldfmt \
 +               ssh-rsa_oldfmt ssh-rsa_oldfmt.pub \
-                ssh.log ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
+                ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
                 ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
                 sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \
 diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
-index 51e3b705f..fa24552b0 100644
+index 6678813a2..6ff5da20b 100644
 --- a/regress/conch-ciphers.sh
 +++ b/regress/conch-ciphers.sh
 @@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
@@ -44,10 +44,10 @@ index 51e3b705f..fa24552b0 100644
             127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
         if [ $? -ne 0 ]; then
 diff --git a/regress/test-exec.sh b/regress/test-exec.sh
-index efde6a173..83c7d02e6 100644
+index 508b93284..5e48bfbe3 100644
 --- a/regress/test-exec.sh
 +++ b/regress/test-exec.sh
-@@ -500,6 +500,18 @@ REGRESS_INTEROP_CONCH=no
+@@ -510,6 +510,18 @@ REGRESS_INTEROP_CONCH=no
  if test -x "$CONCH" ; then
         REGRESS_INTEROP_CONCH=yes
  fi
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index d28573ed4..acf995e27 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From 0a938d856d024bfff79fac63e65df382ffa444a4 Mon Sep 17 00:00:00 2001
+From 4eb06adf69f21f387e4f2d29dad01b2ca1303094 Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
@@ -22,10 +22,10 @@ Patch-Name: debian-banner.patch
  7 files changed, 23 insertions(+), 5 deletions(-)
 
 diff --git a/kex.c b/kex.c
-index be354206d..bbb7a2340 100644
+index 65ed6af02..f450bc2c7 100644
 --- a/kex.c
 +++ b/kex.c
-@@ -1168,7 +1168,7 @@ send_error(struct ssh *ssh, char *msg)
+@@ -1221,7 +1221,7 @@ send_error(struct ssh *ssh, char *msg)
   */
  int
  kex_exchange_identification(struct ssh *ssh, int timeout_ms,
@@ -34,7 +34,7 @@ index be354206d..bbb7a2340 100644
  {
         int remote_major, remote_minor, mismatch;
         size_t len, i, n;
-@@ -1186,7 +1186,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+@@ -1239,7 +1239,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
         if (version_addendum != NULL && *version_addendum == '\0')
                 version_addendum = NULL;
         if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
@@ -45,10 +45,10 @@ index be354206d..bbb7a2340 100644
             version_addendum == NULL ? "" : version_addendum)) != 0) {
                 error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
 diff --git a/kex.h b/kex.h
-index 2d5f1d4ed..39f67bbc1 100644
+index fe7141414..938dca03b 100644
 --- a/kex.h
 +++ b/kex.h
-@@ -195,7 +195,7 @@ char        *kex_names_cat(const char *, const char *);
+@@ -194,7 +194,7 @@ char        *kex_names_cat(const char *, const char *);
  int     kex_assemble_names(char **, const char *, const char *);
  int     kex_gss_names_valid(const char *);
  
@@ -58,7 +58,7 @@ index 2d5f1d4ed..39f67bbc1 100644
  struct kex *kex_new(void);
  int     kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
 diff --git a/servconf.c b/servconf.c
-index c01e0690e..8d2bced52 100644
+index 73b93c636..5576098a5 100644
 --- a/servconf.c
 +++ b/servconf.c
 @@ -184,6 +184,7 @@ initialize_server_options(ServerOptions *options)
@@ -94,7 +94,7 @@ index c01e0690e..8d2bced52 100644
         { NULL, sBadOption, 0 }
  };
  
-@@ -2211,6 +2216,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -2217,6 +2222,10 @@ process_server_config_line(ServerOptions *options, char *line,
                         *charptr = xstrdup(arg);
                 break;
  
@@ -106,7 +106,7 @@ index c01e0690e..8d2bced52 100644
         case sIgnore:
         case sUnsupported:
 diff --git a/servconf.h b/servconf.h
-index a476d5220..986093ffa 100644
+index 29329ba1f..d5ad19065 100644
 --- a/servconf.h
 +++ b/servconf.h
 @@ -214,6 +214,8 @@ typedef struct {
@@ -119,10 +119,10 @@ index a476d5220..986093ffa 100644
  
  /* Information about the incoming connection as used by Match */
 diff --git a/sshconnect.c b/sshconnect.c
-index 0b6f6af4b..1183ffe0e 100644
+index 41e75a275..27daef74f 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -1287,7 +1287,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
+@@ -1291,7 +1291,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
         lowercase(host);
  
         /* Exchange protocol version identification strings with the server. */
@@ -132,10 +132,10 @@ index 0b6f6af4b..1183ffe0e 100644
  
         /* Put the connection into non-blocking mode. */
 diff --git a/sshd.c b/sshd.c
-index e3e96426e..1e7ece588 100644
+index ea8beacb4..4e8ff0662 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -2160,7 +2160,8 @@ main(int ac, char **av)
+@@ -2165,7 +2165,8 @@ main(int ac, char **av)
         if (!debug_flag)
                 alarm(options.login_grace_time);
  
@@ -146,10 +146,10 @@ index e3e96426e..1e7ece588 100644
  
         ssh_packet_set_nonblocking(ssh);
 diff --git a/sshd_config.5 b/sshd_config.5
-index 2ef671d1b..addea54a0 100644
+index eec224158..46537f177 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -543,6 +543,11 @@ or
+@@ -545,6 +545,11 @@ or
  .Cm no .
  The default is
  .Cm yes .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 2a28586b0..fe1e3f550 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From d9eede9b2c86ddaccb35477f2904bfbdf223ffd4 Mon Sep 17 00:00:00 2001
+From 7abde40896668ce9debfe056c7dabc6a70ef7da4 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -39,10 +39,10 @@ Patch-Name: debian-config.patch
  6 files changed, 77 insertions(+), 9 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index cd60007f8..f35bde6e6 100644
+index 16d2729dd..253574ce0 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -2028,7 +2028,7 @@ fill_default_options(Options * options)
+@@ -2037,7 +2037,7 @@ fill_default_options(Options * options)
         if (options->forward_x11 == -1)
                 options->forward_x11 = 0;
         if (options->forward_x11_trusted == -1)
@@ -52,7 +52,7 @@ index cd60007f8..f35bde6e6 100644
                 options->forward_x11_timeout = 1200;
         /*
 diff --git a/ssh.1 b/ssh.1
-index 8d2b08a29..4e298cb56 100644
+index 24530e511..fd495da2c 100644
 --- a/ssh.1
 +++ b/ssh.1
 @@ -795,6 +795,16 @@ directive in
@@ -114,7 +114,7 @@ index 1ff999b68..6dd6ecf87 100644
 +    HashKnownHosts yes
 +    GSSAPIAuthentication yes
 diff --git a/ssh_config.5 b/ssh_config.5
-index 39535c4f8..a27631ae9 100644
+index 4b42aab9d..d27655e15 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
@@ -140,7 +140,7 @@ index 39535c4f8..a27631ae9 100644
  The file contains keyword-argument pairs, one per line.
  Lines starting with
  .Ql #
-@@ -717,11 +733,12 @@ elapsed.
+@@ -721,11 +737,12 @@ elapsed.
  .It Cm ForwardX11Trusted
  If this option is set to
  .Cm yes ,
@@ -204,7 +204,7 @@ index 2c48105f8..ed8272f6d 100644
  # Example of overriding settings on a per-user basis
  #Match User anoncvs
 diff --git a/sshd_config.5 b/sshd_config.5
-index f995e4ab0..c0c4ebd66 100644
+index 270805060..02e29cb6f 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index e3e362ee3..6e8f0ae2f 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From 6397deaa7d0951552afa7dbd6898d6172850378a Mon Sep 17 00:00:00 2001
+From 6220be7f65137290fbe3ad71b83667e71e4ccd03 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
@@ -18,10 +18,10 @@ Patch-Name: dnssec-sshfp.patch
  3 files changed, 21 insertions(+), 6 deletions(-)
 
 diff --git a/dns.c b/dns.c
-index ff1a2c41c..82ec97199 100644
+index e4f9bf830..9c9fe6413 100644
 --- a/dns.c
 +++ b/dns.c
-@@ -211,6 +211,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
+@@ -210,6 +210,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
  {
         u_int counter;
         int result;
@@ -29,7 +29,7 @@ index ff1a2c41c..82ec97199 100644
         struct rrsetinfo *fingerprints = NULL;
  
         u_int8_t hostkey_algorithm;
-@@ -234,8 +235,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
+@@ -233,8 +234,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
                 return -1;
         }
  
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 162776395..d5ddbbd26 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From 63f45f055fe3b0b1edd31a94b7627ee4e40647e8 Mon Sep 17 00:00:00 2001
+From 944653642de12f09baa546011429fb69ffc0065a Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
  1 file changed, 3 insertions(+)
 
 diff --git a/ssh_config.5 b/ssh_config.5
-index bd1e9311d..39535c4f8 100644
+index 2c74b57c0..4b42aab9d 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -836,6 +836,9 @@ Note that existing names and addresses in known hosts files
+@@ -840,6 +840,9 @@ Note that existing names and addresses in known hosts files
  will not be converted automatically,
  but may be manually hashed using
  .Xr ssh-keygen 1 .
diff --git a/debian/patches/fix-interop-tests.patch b/debian/patches/fix-interop-tests.patch
deleted file mode 100644
index e00842290..000000000
--- a/debian/patches/fix-interop-tests.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 42519a0f32765726ccd18a14aa6e877413a69662 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@debian.org>
-Date: Fri, 14 Jun 2019 11:57:15 +0100
-Subject: Fix interop tests for recent regress changes
-
-A recent regress change (2a9b3a2ce411d16cda9c79ab713c55f65b0ec257 in
-portable) broke the PuTTY and Twisted Conch interop tests, because the
-key they want to use is now called ssh-rsa rather than rsa.  Fix them.
-
-Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3020
-Last-Update: 2019-06-14
-
-Patch-Name: fix-interop-tests.patch
----
- regress/Makefile         |  5 +++--
- regress/conch-ciphers.sh |  2 +-
- regress/test-exec.sh     | 10 +++++-----
- 3 files changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/regress/Makefile b/regress/Makefile
-index 925edf71a..781400fd0 100644
---- a/regress/Makefile
-+++ b/regress/Makefile
-@@ -113,8 +113,9 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
-                rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
-                rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
-                scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
--               sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
--               ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
-+               sftp-server.sh sftp.log ssh-log-wrapper.sh \
-+               ssh-rsa_oldfmt \
-+               ssh.log ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
-                ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
-                sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \
-                sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \
-diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
-index 199d863a0..51e3b705f 100644
---- a/regress/conch-ciphers.sh
-+++ b/regress/conch-ciphers.sh
-@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
-        rm -f ${COPY}
-        # XXX the 2nd "cat" seems to be needed because of buggy FD handling
-        # in conch
--       ${CONCH} --identity $OBJ/rsa --port $PORT --user $USER  -e none \
-+       ${CONCH} --identity $OBJ/ssh-rsa --port $PORT --user $USER -e none \
-            --known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
-            127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
-        if [ $? -ne 0 ]; then
-diff --git a/regress/test-exec.sh b/regress/test-exec.sh
-index b8e2009de..efde6a173 100644
---- a/regress/test-exec.sh
-+++ b/regress/test-exec.sh
-@@ -527,13 +527,13 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
-            >> $OBJ/authorized_keys_$USER
- 
-        # Convert rsa2 host key to PuTTY format
--       cp $OBJ/rsa $OBJ/rsa_oldfmt
--       ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null
--       ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/rsa_oldfmt > \
-+       cp $OBJ/ssh-rsa $OBJ/ssh-rsa_oldfmt
-+       ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/ssh-rsa_oldfmt >/dev/null
-+       ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/ssh-rsa_oldfmt > \
-            ${OBJ}/.putty/sshhostkeys
--       ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/rsa_oldfmt >> \
-+       ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/ssh-rsa_oldfmt >> \
-            ${OBJ}/.putty/sshhostkeys
--       rm -f $OBJ/rsa_oldfmt
-+       rm -f $OBJ/ssh-rsa_oldfmt
- 
-        # Setup proxied session
-        mkdir -p ${OBJ}/.putty/sessions
diff --git a/debian/patches/fix-utimensat-test.patch b/debian/patches/fix-utimensat-test.patch
deleted file mode 100644
index 56b6fcdbf..000000000
--- a/debian/patches/fix-utimensat-test.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 61d2706623ed144ee9cbd212d13eeba202a7ce26 Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker@dtucker.net>
-Date: Fri, 7 Jun 2019 23:47:37 +1000
-Subject: Update utimensat test.
-
-POSIX specifies that when given a symlink, AT_SYMLINK_NOFOLLOW should
-update the symlink and not the destination.  The compat code doesn't
-have a way to do this, so where possible it fails instead of following a
-symlink when explicitly asked not to. Instead of checking for an explicit
-failure, check that it does not update the destination, which both the
-real and compat implementations should honour.
-
-Inspired by github pull req #125 from chutzpah at gentoo.org.
-
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=182898192d4b720e4faeafd5b39c2cfb3b92aa21
-Last-Update: 2019-06-09
-
-Patch-Name: fix-utimensat-test.patch
----
- openbsd-compat/regress/utimensattest.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/openbsd-compat/regress/utimensattest.c b/openbsd-compat/regress/utimensattest.c
-index a7bc7634b..b29cef2f1 100644
---- a/openbsd-compat/regress/utimensattest.c
-+++ b/openbsd-compat/regress/utimensattest.c
-@@ -83,14 +83,28 @@ main(void)
-                fail("mtim.tv_nsec", 45678000, sb.st_mtim.tv_nsec);
- #endif
- 
-+       /*
-+        * POSIX specifies that when given a symlink, AT_SYMLINK_NOFOLLOW
-+        * should update the symlink and not the destination.  The compat
-+        * code doesn't have a way to do this, so where possible it fails
-+        * with ENOSYS instead of following a symlink when explicitly asked
-+        * not to.  Here we just test that it does not update the destination.
-+        */
-        if (rename(TMPFILE, TMPFILE2) == -1)
-                fail("rename", 0, 0);
-        if (symlink(TMPFILE2, TMPFILE) == -1)
-                fail("symlink", 0, 0);
-+       ts[0].tv_sec = 11223344;
-+       ts[1].tv_sec = 55667788;
-+       (void)utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW);
-+       if (stat(TMPFILE2, &sb) == -1)
-+               fail("stat", 0, 0 );
-+       if (sb.st_atime == 11223344)
-+               fail("utimensat symlink st_atime", 0, 0 );
-+       if (sb.st_mtime == 55667788)
-+               fail("utimensat symlink st_mtime", 0, 0 );
- 
--       if (utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW) != -1)
--               fail("utimensat followed symlink", 0, 0);
--
-+       /* Clean up */
-        if (!(unlink(TMPFILE) == 0 && unlink(TMPFILE2) == 0))
-                fail("unlink", 0, 0);
-        exit(0);
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 405b1b884..89c2a9864 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 734ffc23e368f9b0df085b4f191d66e21ed52d12 Mon Sep 17 00:00:00 2001
+From 4360244ab2ed367bdb2c836292e761c589355950 Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 45d131d27..b858f4915 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 7ce79be85036c4b36937f1b1ba85f6094068412c Mon Sep 17 00:00:00 2001
+From 9da806e67101afdc0d3a1d304659927acf18f5c5 Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -18,7 +18,7 @@ security history.
 
 Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2019-06-05
+Last-Updated: 2019-10-09
 
 Patch-Name: gssapi.patch
 ---
@@ -67,7 +67,7 @@ Patch-Name: gssapi.patch
  create mode 100644 kexgsss.c
 
 diff --git a/Makefile.in b/Makefile.in
-index 6f001bb36..c31821acc 100644
+index adb1977e2..ab29e4f05 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -85,7 +85,7 @@ index 6f001bb36..c31821acc 100644
 -       auth2-gss.o gss-serv.o gss-serv-krb5.o \
 +       auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
         loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
-        sftp-server.o sftp-common.o \
+        sftp-server.o sftp-common.o sftp-realpath.o \
         sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
 diff --git a/auth-krb5.c b/auth-krb5.c
 index 3096f1c8e..204752e1b 100644
@@ -139,7 +139,7 @@ index 3096f1c8e..204752e1b 100644
         return (krb5_cc_resolve(ctx, ccname, ccache));
  }
 diff --git a/auth.c b/auth.c
-index 8696f258e..f7a23afba 100644
+index ca450f4e4..47c27773c 100644
 --- a/auth.c
 +++ b/auth.c
 @@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
@@ -179,7 +179,7 @@ index 8696f258e..f7a23afba 100644
 -       fromlen = sizeof(from);
 -       memset(&from, 0, sizeof(from));
 -       if (getpeername(ssh_packet_get_connection_in(ssh),
--           (struct sockaddr *)&from, &fromlen) < 0) {
+-           (struct sockaddr *)&from, &fromlen) == -1) {
 -               debug("getpeername failed: %.100s", strerror(errno));
 -               return strdup(ntop);
 -       }
@@ -348,10 +348,10 @@ index 9351e0428..d6446c0cf 100644
         "gssapi-with-mic",
         userauth_gssapi,
 diff --git a/auth2.c b/auth2.c
-index 16ae1a363..7417eafa4 100644
+index 0e7762242..1c217268c 100644
 --- a/auth2.c
 +++ b/auth2.c
-@@ -75,6 +75,7 @@ extern Authmethod method_passwd;
+@@ -73,6 +73,7 @@ extern Authmethod method_passwd;
  extern Authmethod method_kbdint;
  extern Authmethod method_hostbased;
  #ifdef GSSAPI
@@ -359,7 +359,7 @@ index 16ae1a363..7417eafa4 100644
  extern Authmethod method_gssapi;
  #endif
  
-@@ -82,6 +83,7 @@ Authmethod *authmethods[] = {
+@@ -80,6 +81,7 @@ Authmethod *authmethods[] = {
         &method_none,
         &method_pubkey,
  #ifdef GSSAPI
@@ -368,7 +368,7 @@ index 16ae1a363..7417eafa4 100644
  #endif
         &method_passwd,
 diff --git a/canohost.c b/canohost.c
-index f71a08568..404731d24 100644
+index abea9c6e6..9a00fc2cf 100644
 --- a/canohost.c
 +++ b/canohost.c
 @@ -35,6 +35,99 @@
@@ -398,7 +398,7 @@ index f71a08568..404731d24 100644
 +       fromlen = sizeof(from);
 +       memset(&from, 0, sizeof(from));
 +       if (getpeername(ssh_packet_get_connection_in(ssh),
-+           (struct sockaddr *)&from, &fromlen) < 0) {
++           (struct sockaddr *)&from, &fromlen) == -1) {
 +               debug("getpeername failed: %.100s", strerror(errno));
 +               return strdup(ntop);
 +       }
@@ -486,7 +486,7 @@ index 26d62855a..0cadc9f18 100644
  int             get_peer_port(int);
  char           *get_local_ipaddr(int);
 diff --git a/clientloop.c b/clientloop.c
-index 086c0dfe8..9b90c64f3 100644
+index b5a1f7038..9def2a1a9 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -112,6 +112,10 @@
@@ -500,7 +500,7 @@ index 086c0dfe8..9b90c64f3 100644
  /* import options */
  extern Options options;
  
-@@ -1374,9 +1378,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
+@@ -1373,9 +1377,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
                         break;
  
                 /* Do channel operations unless rekeying in progress. */
@@ -521,10 +521,10 @@ index 086c0dfe8..9b90c64f3 100644
                 client_process_net_input(ssh, readset);
  
 diff --git a/configure.ac b/configure.ac
-index 30be6c182..2869f7042 100644
+index 3e93c0276..1c2512314 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -665,6 +665,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+@@ -666,6 +666,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
             [Use tunnel device compatibility to OpenBSD])
         AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
             [Prepend the address family to IP tunnel traffic])
@@ -1339,19 +1339,19 @@ index ab3a15f0f..1d47870e7 100644
  
  /* Privileged */
 diff --git a/hmac.c b/hmac.c
-index 1c879640c..a29f32c5c 100644
+index 32688876d..a79e8569c 100644
 --- a/hmac.c
 +++ b/hmac.c
-@@ -19,6 +19,7 @@
+@@ -21,6 +21,7 @@
  
- #include <sys/types.h>
+ #include <stdlib.h>
  #include <string.h>
 +#include <stdlib.h>
  
  #include "sshbuf.h"
  #include "digest.h"
 diff --git a/kex.c b/kex.c
-index 34808b5c3..a2a4794e8 100644
+index 49d701568..e09355dbd 100644
 --- a/kex.c
 +++ b/kex.c
 @@ -55,11 +55,16 @@
@@ -1373,7 +1373,7 @@ index 34808b5c3..a2a4794e8 100644
  static int kex_input_newkeys(int, u_int32_t, struct ssh *);
 @@ -113,15 +118,28 @@ static const struct kexalg kexalgs[] = {
  #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
-        { NULL, -1, -1, -1},
+        { NULL, 0, -1, -1},
  };
 +static const struct kexalg gss_kexalgs[] = {
 +#ifdef GSSAPI
@@ -1386,7 +1386,7 @@ index 34808b5c3..a2a4794e8 100644
 +           NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
 +       { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
 +#endif
-+       { NULL, -1, -1, -1 },
++       { NULL, 0, -1, -1 },
 +};
  
 -char *
@@ -1433,7 +1433,7 @@ index 34808b5c3..a2a4794e8 100644
         return NULL;
  }
  
-@@ -301,6 +335,29 @@ kex_assemble_names(char **listp, const char *def, const char *all)
+@@ -313,6 +347,29 @@ kex_assemble_names(char **listp, const char *def, const char *all)
         return r;
  }
  
@@ -1463,7 +1463,7 @@ index 34808b5c3..a2a4794e8 100644
  /* put algorithm proposal into buffer */
  int
  kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
-@@ -657,6 +714,9 @@ kex_free(struct kex *kex)
+@@ -696,6 +753,9 @@ kex_free(struct kex *kex)
         sshbuf_free(kex->server_version);
         sshbuf_free(kex->client_pub);
         free(kex->session_id);
@@ -1474,10 +1474,10 @@ index 34808b5c3..a2a4794e8 100644
         free(kex->hostkey_alg);
         free(kex->name);
 diff --git a/kex.h b/kex.h
-index 6d446d1cc..2d5f1d4ed 100644
+index a5ae6ac05..fe7141414 100644
 --- a/kex.h
 +++ b/kex.h
-@@ -103,6 +103,15 @@ enum kex_exchange {
+@@ -102,6 +102,15 @@ enum kex_exchange {
         KEX_ECDH_SHA2,
         KEX_C25519_SHA256,
         KEX_KEM_SNTRUP4591761X25519_SHA512,
@@ -1493,7 +1493,7 @@ index 6d446d1cc..2d5f1d4ed 100644
         KEX_MAX
  };
  
-@@ -154,6 +163,12 @@ struct kex {
+@@ -153,6 +162,12 @@ struct kex {
         u_int   flags;
         int     hash_alg;
         int     ec_nid;
@@ -1506,7 +1506,7 @@ index 6d446d1cc..2d5f1d4ed 100644
         char    *failed_choice;
         int     (*verify_host_key)(struct sshkey *, struct ssh *);
         struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
-@@ -175,8 +190,10 @@ struct kex {
+@@ -174,8 +189,10 @@ struct kex {
  
  int     kex_names_valid(const char *);
  char   *kex_alg_list(char);
@@ -1517,7 +1517,7 @@ index 6d446d1cc..2d5f1d4ed 100644
  
  int     kex_exchange_identification(struct ssh *, int, const char *);
  
-@@ -203,6 +220,12 @@ int         kexgex_client(struct ssh *);
+@@ -202,6 +219,12 @@ int         kexgex_client(struct ssh *);
  int     kexgex_server(struct ssh *);
  int     kex_gen_client(struct ssh *);
  int     kex_gen_server(struct ssh *);
@@ -1530,7 +1530,7 @@ index 6d446d1cc..2d5f1d4ed 100644
  
  int     kex_dh_keypair(struct kex *);
  int     kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
-@@ -235,6 +258,12 @@ int         kexgex_hash(int, const struct sshbuf *, const struct sshbuf *,
+@@ -234,6 +257,12 @@ int         kexgex_hash(int, const struct sshbuf *, const struct sshbuf *,
      const BIGNUM *, const u_char *, size_t,
      u_char *, size_t *);
  
@@ -1572,10 +1572,10 @@ index 67133e339..edaa46762 100644
                 break;
         case KEX_DH_GRP18_SHA512:
 diff --git a/kexgen.c b/kexgen.c
-index 2abbb9ef6..569dc83f3 100644
+index bb996b504..d353ed8b0 100644
 --- a/kexgen.c
 +++ b/kexgen.c
-@@ -43,7 +43,7 @@
+@@ -44,7 +44,7 @@
  static int input_kex_gen_init(int, u_int32_t, struct ssh *);
  static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh);
  
@@ -2677,11 +2677,11 @@ index 000000000..60bc02deb
 +}
 +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
 diff --git a/mac.c b/mac.c
-index 51dc11d76..3d11eba62 100644
+index f3dda6692..de346ed20 100644
 --- a/mac.c
 +++ b/mac.c
-@@ -29,6 +29,7 @@
- 
+@@ -30,6 +30,7 @@
+ #include <stdlib.h>
  #include <string.h>
  #include <stdio.h>
 +#include <stdlib.h>
@@ -2689,7 +2689,7 @@ index 51dc11d76..3d11eba62 100644
  #include "digest.h"
  #include "hmac.h"
 diff --git a/monitor.c b/monitor.c
-index 60e529444..0766d6ef5 100644
+index 00af44f98..bead9e204 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -147,6 +147,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
@@ -2936,7 +2936,7 @@ index 683e5e071..2b1a2d590 100644
  
  struct ssh;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 186e8f022..8e4c1c1f8 100644
+index 4169b7604..fdca39a6a 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
 @@ -978,13 +978,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
@@ -3015,10 +3015,10 @@ index 186e8f022..8e4c1c1f8 100644
 +
  #endif /* GSSAPI */
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index fdebb3aa4..69164a8c0 100644
+index 191277f3a..92dda574b 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
-@@ -61,8 +61,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
+@@ -63,8 +63,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
  OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
  OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
     gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -3031,7 +3031,7 @@ index fdebb3aa4..69164a8c0 100644
  
  #ifdef USE_PAM
 diff --git a/readconf.c b/readconf.c
-index ec497e79f..4d699e5f1 100644
+index f78b4d6fe..3c68d1a88 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -67,6 +67,7 @@
@@ -3074,7 +3074,7 @@ index ec497e79f..4d699e5f1 100644
  #endif
  #ifdef ENABLE_PKCS11
         { "pkcs11provider", oPKCS11Provider },
-@@ -983,10 +998,42 @@ parse_time:
+@@ -988,10 +1003,42 @@ parse_time:
                 intptr = &options->gss_authentication;
                 goto parse_flag;
  
@@ -3117,7 +3117,7 @@ index ec497e79f..4d699e5f1 100644
         case oBatchMode:
                 intptr = &options->batch_mode;
                 goto parse_flag;
-@@ -1854,7 +1901,13 @@ initialize_options(Options * options)
+@@ -1863,7 +1910,13 @@ initialize_options(Options * options)
         options->pubkey_authentication = -1;
         options->challenge_response_authentication = -1;
         options->gss_authentication = -1;
@@ -3131,7 +3131,7 @@ index ec497e79f..4d699e5f1 100644
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->kbd_interactive_devices = NULL;
-@@ -2000,8 +2053,18 @@ fill_default_options(Options * options)
+@@ -2009,8 +2062,18 @@ fill_default_options(Options * options)
                 options->challenge_response_authentication = 1;
         if (options->gss_authentication == -1)
                 options->gss_authentication = 0;
@@ -3150,7 +3150,7 @@ index ec497e79f..4d699e5f1 100644
         if (options->password_authentication == -1)
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
-@@ -2616,7 +2679,14 @@ dump_client_config(Options *o, const char *host)
+@@ -2625,7 +2688,14 @@ dump_client_config(Options *o, const char *host)
         dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
  #ifdef GSSAPI
         dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
@@ -3184,7 +3184,7 @@ index 8e36bf32a..0bff6d80a 100644
                                                  * authentication. */
         int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 diff --git a/servconf.c b/servconf.c
-index ffac5d2c7..ffdad31e7 100644
+index e76f9c39e..f63eb0b94 100644
 --- a/servconf.c
 +++ b/servconf.c
 @@ -64,6 +64,7 @@
@@ -3257,7 +3257,7 @@ index ffac5d2c7..ffdad31e7 100644
         { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
         { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1485,6 +1508,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1488,6 +1511,10 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->gss_authentication;
                 goto parse_flag;
  
@@ -3268,7 +3268,7 @@ index ffac5d2c7..ffdad31e7 100644
         case sGssCleanupCreds:
                 intptr = &options->gss_cleanup_creds;
                 goto parse_flag;
-@@ -1493,6 +1520,22 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1496,6 +1523,22 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->gss_strict_acceptor;
                 goto parse_flag;
  
@@ -3291,7 +3291,7 @@ index ffac5d2c7..ffdad31e7 100644
         case sPasswordAuthentication:
                 intptr = &options->password_authentication;
                 goto parse_flag;
-@@ -2579,6 +2622,10 @@ dump_config(ServerOptions *o)
+@@ -2585,6 +2628,10 @@ dump_config(ServerOptions *o)
  #ifdef GSSAPI
         dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
         dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -3303,7 +3303,7 @@ index ffac5d2c7..ffdad31e7 100644
         dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
         dump_cfg_fmtint(sKbdInteractiveAuthentication,
 diff --git a/servconf.h b/servconf.h
-index 54e0a8d8d..a476d5220 100644
+index 5483da051..29329ba1f 100644
 --- a/servconf.h
 +++ b/servconf.h
 @@ -126,8 +126,11 @@ typedef struct {
@@ -3319,7 +3319,7 @@ index 54e0a8d8d..a476d5220 100644
                                                  * authentication. */
         int     kbd_interactive_authentication; /* If true, permit */
 diff --git a/session.c b/session.c
-index ac06b08e9..ac3d9d19d 100644
+index 8f5d7e0a4..f1a47f766 100644
 --- a/session.c
 +++ b/session.c
 @@ -2674,13 +2674,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
@@ -3465,7 +3465,7 @@ index 36180d07a..70dd36658 100644
  
  #endif /* _SSH_GSS_H */
 diff --git a/ssh.1 b/ssh.1
-index 9480eba8d..a1c7d2305 100644
+index 424d6c3e8..26940ad55 100644
 --- a/ssh.1
 +++ b/ssh.1
 @@ -497,7 +497,13 @@ For full details of the options listed below, and their possible values, see
@@ -3492,7 +3492,7 @@ index 9480eba8d..a1c7d2305 100644
  (key types),
  .Ar key-cert
 diff --git a/ssh.c b/ssh.c
-index 91e7c3511..42be7d88f 100644
+index ee51823cd..2da9f5d0d 100644
 --- a/ssh.c
 +++ b/ssh.c
 @@ -736,6 +736,8 @@ main(int ac, char **av)
@@ -3527,10 +3527,10 @@ index 5e8ef548b..1ff999b68 100644
  #   CheckHostIP yes
  #   AddressFamily any
 diff --git a/ssh_config.5 b/ssh_config.5
-index 412629637..c3c8b274a 100644
+index 02a87892d..f4668673b 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -754,10 +754,67 @@ The default is
+@@ -758,10 +758,67 @@ The default is
  Specifies whether user authentication based on GSSAPI is allowed.
  The default is
  .Cm no .
@@ -3599,7 +3599,7 @@ index 412629637..c3c8b274a 100644
  Indicates that
  .Xr ssh 1
 diff --git a/sshconnect2.c b/sshconnect2.c
-index dffee90b1..4020371ae 100644
+index 87fa70a40..a4ec75ca1 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
 @@ -78,8 +78,6 @@
@@ -3726,7 +3726,7 @@ index dffee90b1..4020371ae 100644
         {"gssapi-with-mic",
                 userauth_gssapi,
                 userauth_gssapi_cleanup,
-@@ -698,12 +766,25 @@ userauth_gssapi(struct ssh *ssh)
+@@ -697,12 +765,25 @@ userauth_gssapi(struct ssh *ssh)
         OM_uint32 min;
         int r, ok = 0;
         gss_OID mech = NULL;
@@ -3753,7 +3753,7 @@ index dffee90b1..4020371ae 100644
  
         /* Check to see whether the mechanism is usable before we offer it */
         while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
-@@ -712,13 +793,15 @@ userauth_gssapi(struct ssh *ssh)
+@@ -711,13 +792,15 @@ userauth_gssapi(struct ssh *ssh)
                     elements[authctxt->mech_tried];
                 /* My DER encoding requires length<128 */
                 if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
@@ -3770,7 +3770,7 @@ index dffee90b1..4020371ae 100644
         if (!ok || mech == NULL)
                 return 0;
  
-@@ -958,6 +1041,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
+@@ -957,6 +1040,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
         free(lang);
         return r;
  }
@@ -3827,7 +3827,7 @@ index dffee90b1..4020371ae 100644
  
  static int
 diff --git a/sshd.c b/sshd.c
-index cbd3bce91..98680721b 100644
+index 11571c010..3a5c1ea78 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -123,6 +123,10 @@
@@ -3852,7 +3852,7 @@ index cbd3bce91..98680721b 100644
                 sshpkt_fatal(ssh, r, "%s: send", __func__);
         sshbuf_free(buf);
  }
-@@ -1769,7 +1773,8 @@ main(int ac, char **av)
+@@ -1773,7 +1777,8 @@ main(int ac, char **av)
                 free(fp);
         }
         accumulate_host_timing_secret(cfg, NULL);
@@ -3862,7 +3862,7 @@ index cbd3bce91..98680721b 100644
                 logit("sshd: no hostkeys available -- exiting.");
                 exit(1);
         }
-@@ -2064,6 +2069,60 @@ main(int ac, char **av)
+@@ -2069,6 +2074,60 @@ main(int ac, char **av)
             rdomain == NULL ? "" : "\"");
         free(laddr);
  
@@ -3923,7 +3923,7 @@ index cbd3bce91..98680721b 100644
         /*
          * We don't want to listen forever unless the other side
          * successfully authenticates itself.  So we set up an alarm which is
-@@ -2260,6 +2319,48 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2265,6 +2324,48 @@ do_ssh2_kex(struct ssh *ssh)
         myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
             list_hostkey_types());
  
@@ -3972,7 +3972,7 @@ index cbd3bce91..98680721b 100644
         /* start key exchange */
         if ((r = kex_setup(ssh, myproposal)) != 0)
                 fatal("kex_setup: %s", ssh_err(r));
-@@ -2275,7 +2376,18 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2280,7 +2381,18 @@ do_ssh2_kex(struct ssh *ssh)
  # ifdef OPENSSL_HAS_ECC
         kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
  # endif
@@ -4006,10 +4006,10 @@ index 19b7c91a1..2c48105f8 100644
  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
 diff --git a/sshd_config.5 b/sshd_config.5
-index b224f2929..2baa6622b 100644
+index 9486f2a1c..cec3c3c4e 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -653,6 +653,11 @@ Specifies whether to automatically destroy the user's credentials cache
+@@ -655,6 +655,11 @@ Specifies whether to automatically destroy the user's credentials cache
  on logout.
  The default is
  .Cm yes .
@@ -4021,7 +4021,7 @@ index b224f2929..2baa6622b 100644
  .It Cm GSSAPIStrictAcceptorCheck
  Determines whether to be strict about the identity of the GSSAPI acceptor
  a client authenticates against.
-@@ -667,6 +672,31 @@ machine's default store.
+@@ -669,6 +674,31 @@ machine's default store.
  This facility is provided to assist with operation on multi homed machines.
  The default is
  .Cm yes .
@@ -4054,10 +4054,10 @@ index b224f2929..2baa6622b 100644
  Specifies the key types that will be accepted for hostbased authentication
  as a list of comma-separated patterns.
 diff --git a/sshkey.c b/sshkey.c
-index ad1957762..789cd61ef 100644
+index ef90563b3..4d2048b6a 100644
 --- a/sshkey.c
 +++ b/sshkey.c
-@@ -135,6 +135,7 @@ static const struct keytype keytypes[] = {
+@@ -145,6 +145,7 @@ static const struct keytype keytypes[] = {
  #  endif /* OPENSSL_HAS_NISTP521 */
  # endif /* OPENSSL_HAS_ECC */
  #endif /* WITH_OPENSSL */
@@ -4065,7 +4065,7 @@ index ad1957762..789cd61ef 100644
         { NULL, NULL, NULL, -1, -1, 0, 0 }
  };
  
-@@ -223,7 +224,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
+@@ -233,7 +234,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
         const struct keytype *kt;
  
         for (kt = keytypes; kt->type != -1; kt++) {
@@ -4075,7 +4075,7 @@ index ad1957762..789cd61ef 100644
                 if (!include_sigonly && kt->sigonly)
                         continue;
 diff --git a/sshkey.h b/sshkey.h
-index a91e60436..c11106c93 100644
+index 1119a7b07..1bf30d055 100644
 --- a/sshkey.h
 +++ b/sshkey.h
 @@ -65,6 +65,7 @@ enum sshkey_types {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index fbfe6a1fb..2f7ac943d 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From 4d8dd12bab7bbc954815d7953a0c86ce1687bd34 Mon Sep 17 00:00:00 2001
+From 26d9fe60e31c78018bdfd49bba1196ea7c44405d Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
  3 files changed, 34 insertions(+), 4 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index 29f3bd98d..3d0b6ff90 100644
+index a7fb7ca15..09787c0e5 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -177,6 +177,7 @@ typedef enum {
@@ -46,7 +46,7 @@ index 29f3bd98d..3d0b6ff90 100644
  
         { NULL, oBadOption }
  };
-@@ -1440,6 +1443,8 @@ parse_keytypes:
+@@ -1449,6 +1452,8 @@ parse_keytypes:
                 goto parse_flag;
  
         case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 29f3bd98d..3d0b6ff90 100644
                 intptr = &options->server_alive_interval;
                 goto parse_time;
  
-@@ -2133,8 +2138,13 @@ fill_default_options(Options * options)
+@@ -2142,8 +2147,13 @@ fill_default_options(Options * options)
                 options->rekey_interval = 0;
         if (options->verify_host_key_dns == -1)
                 options->verify_host_key_dns = 0;
@@ -72,7 +72,7 @@ index 29f3bd98d..3d0b6ff90 100644
                 options->server_alive_count_max = 3;
         if (options->control_master == -1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index c3c8b274a..250c92d04 100644
+index f4668673b..bc04d8d02 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -265,8 +265,12 @@ Valid arguments are
@@ -89,7 +89,7 @@ index c3c8b274a..250c92d04 100644
  The argument must be
  .Cm yes
  or
-@@ -1535,7 +1539,14 @@ from the server,
+@@ -1557,7 +1561,14 @@ from the server,
  will send a message through the encrypted
  channel to request a response from the server.
  The default
@@ -105,7 +105,7 @@ index c3c8b274a..250c92d04 100644
  .It Cm SetEnv
  Directly specify one or more environment variables and their contents to
  be sent to the server.
-@@ -1615,6 +1626,12 @@ Specifies whether the system should send TCP keepalive messages to the
+@@ -1637,6 +1648,12 @@ Specifies whether the system should send TCP keepalive messages to the
  other side.
  If they are sent, death of the connection or crash of one
  of the machines will be properly noticed.
@@ -119,10 +119,10 @@ index c3c8b274a..250c92d04 100644
  connections will die if the route is down temporarily, and some people
  find it annoying.
 diff --git a/sshd_config.5 b/sshd_config.5
-index 2baa6622b..2ef671d1b 100644
+index cec3c3c4e..eec224158 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1597,6 +1597,9 @@ This avoids infinitely hanging sessions.
+@@ -1615,6 +1615,9 @@ This avoids infinitely hanging sessions.
  .Pp
  To disable TCP keepalive messages, the value should be set to
  .Cm no .
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index f429530a7..639b216d6 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From f9185fc3df5af5f724bca35a957f60309af1d89e Mon Sep 17 00:00:00 2001
+From fdcf8c0343564121a89be817386c5feabd40c609 Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -14,10 +14,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
  1 file changed, 8 insertions(+), 1 deletion(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 103d84e38..0b6f6af4b 100644
+index 644057bc4..41e75a275 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -986,9 +986,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -990,9 +990,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                         error("%s. This could either mean that", key_msg);
                         error("DNS SPOOFING is happening or the IP address for the host");
                         error("and its host key have changed at the same time.");
@@ -32,7 +32,7 @@ index 103d84e38..0b6f6af4b 100644
                 }
                 /* The host key has changed. */
                 warn_changed_key(host_key);
-@@ -997,6 +1001,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -1001,6 +1005,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                 error("Offending %s key in %s:%lu",
                     sshkey_type(host_found->key),
                     host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index d67e00ffc..9b5baee08 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From 4cf082890d12604fcd28e7387b5eb4a5fb09695e Mon Sep 17 00:00:00 2001
+From ed88eee326ca80e1e0fdb6f9ef0346f6d5e021a8 Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <kurt@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index b4ecb41eb..46e1f8712 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From b3a38ffd3427b5404210f841c8e29c2df21e1825 Mon Sep 17 00:00:00 2001
+From 8fb8f70b0534897791c61f2757e97bd13385944e Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,10 +44,10 @@ index ef0de0850..149846c8c 100644
  .Sh SEE ALSO
  .Xr ssh-keygen 1 ,
 diff --git a/ssh-keygen.1 b/ssh-keygen.1
-index 124456577..9b877b860 100644
+index 957d2f0f0..143a2349f 100644
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -178,9 +178,7 @@ key in
+@@ -191,9 +191,7 @@ key in
  .Pa ~/.ssh/id_ed25519
  or
  .Pa ~/.ssh/id_rsa .
@@ -58,7 +58,7 @@ index 124456577..9b877b860 100644
  .Pp
  Normally this program generates the key and asks for a file in which
  to store the private key.
-@@ -243,9 +241,7 @@ If
+@@ -256,9 +254,7 @@ If
  .Fl f
  has also been specified, its argument is used as a prefix to the
  default path for the resulting host key files.
@@ -67,9 +67,9 @@ index 124456577..9b877b860 100644
 -to generate new host keys.
 +This is used by system administration scripts to generate new host keys.
  .It Fl a Ar rounds
- When saving a private key this option specifies the number of KDF
+ When saving a private key, this option specifies the number of KDF
  (key derivation function) rounds used.
-@@ -703,7 +699,7 @@ option.
+@@ -798,7 +794,7 @@ option.
  Valid generator values are 2, 3, and 5.
  .Pp
  Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index 124456577..9b877b860 100644
  It is important that this file contains moduli of a range of bit lengths and
  that both ends of a connection share common moduli.
  .Sh CERTIFICATES
-@@ -903,7 +899,7 @@ on all machines
+@@ -1049,7 +1045,7 @@ on all machines
  where the user wishes to log in using public key authentication.
  There is no need to keep the contents of this file secret.
  .Pp
@@ -88,7 +88,7 @@ index 124456577..9b877b860 100644
  The file format is described in
  .Xr moduli 5 .
 diff --git a/ssh.1 b/ssh.1
-index 64ead5f57..e4aeae7b4 100644
+index 20e4c4efa..4923031f4 100644
 --- a/ssh.1
 +++ b/ssh.1
 @@ -873,6 +873,10 @@ implements public key authentication protocol automatically,
@@ -133,10 +133,10 @@ index 57a7fd66b..4abc01d66 100644
  .Xr sshd_config 5 ,
  .Xr inetd 8 ,
 diff --git a/sshd_config.5 b/sshd_config.5
-index addea54a0..f995e4ab0 100644
+index 46537f177..270805060 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -395,8 +395,7 @@ Certificates signed using other algorithms will not be accepted for
+@@ -393,8 +393,7 @@ Certificates signed using other algorithms will not be accepted for
  public key or host-based authentication.
  .It Cm ChallengeResponseAuthentication
  Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 55e4cc930..7a811f9af 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From 0085b2106eb5307ebdae9601471d8387961b2e83 Mon Sep 17 00:00:00 2001
+From 6a8dfab1a067a52b004594fadb3a90578a8cc094 Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
@@ -18,10 +18,10 @@ Patch-Name: package-versioning.patch
  2 files changed, 7 insertions(+), 2 deletions(-)
 
 diff --git a/kex.c b/kex.c
-index a2a4794e8..be354206d 100644
+index e09355dbd..65ed6af02 100644
 --- a/kex.c
 +++ b/kex.c
-@@ -1186,7 +1186,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+@@ -1239,7 +1239,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
         if (version_addendum != NULL && *version_addendum == '\0')
                 version_addendum = NULL;
         if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
@@ -31,11 +31,11 @@ index a2a4794e8..be354206d 100644
             version_addendum == NULL ? "" : version_addendum)) != 0) {
                 error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
 diff --git a/version.h b/version.h
-index 806ead9a6..599c859e6 100644
+index 6b3fadf89..a24017eca 100644
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_8.0"
+ #define SSH_VERSION    "OpenSSH_8.1"
  
  #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index dcbe38501..ea5ea0396 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
-From 4eb4bf18caacd2fe12dbdde381347629dd8b3c95 Mon Sep 17 00:00:00 2001
+From f0c916d8008c30809fef44469bee1b74426a3071 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 5 Mar 2017 02:02:11 +0000
 Subject: Restore reading authorized_keys2 by default
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 0472ea7d0..222a996f1 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From 0f9f44654708e4fde2f52c52f717d061b5e458fa Mon Sep 17 00:00:00 2001
+From 57c1dd662f9259f58a47801e2d4b0f84e973441d Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 7 Oct 2014 13:22:41 +0100
 Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
  3 files changed, 89 insertions(+)
 
 diff --git a/configure.ac b/configure.ac
-index 2869f7042..ce16e7758 100644
+index 1c2512314..e894db9fc 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1518,6 +1518,62 @@ else
+@@ -1521,6 +1521,62 @@ else
         AC_MSG_RESULT([no])
  fi
  
@@ -94,7 +94,7 @@ index 2869f7042..ce16e7758 100644
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -5269,6 +5325,7 @@ echo "                       PAM support: $PAM_MSG"
+@@ -5242,6 +5298,7 @@ echo "                       PAM support: $PAM_MSG"
  echo "                   OSF SIA support: $SIA_MSG"
  echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
@@ -128,7 +128,7 @@ index fb133c14b..57a7fd66b 100644
  .Xr moduli 5 ,
  .Xr sshd_config 5 ,
 diff --git a/sshd.c b/sshd.c
-index 98680721b..46870d3b5 100644
+index 3a5c1ea78..4e32fd10d 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -127,6 +127,13 @@
@@ -145,7 +145,7 @@ index 98680721b..46870d3b5 100644
  /* Re-exec fds */
  #define REEXEC_DEVCRYPTO_RESERVED_FD   (STDERR_FILENO + 1)
  #define REEXEC_STARTUP_PIPE_FD         (STDERR_FILENO + 2)
-@@ -2057,6 +2064,24 @@ main(int ac, char **av)
+@@ -2062,6 +2069,24 @@ main(int ac, char **av)
  #ifdef SSH_AUDIT_EVENTS
         audit_connection_from(remote_ip, remote_port);
  #endif
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch
index d524dc34f..34743f555 100644
--- a/debian/patches/revert-ipqos-defaults.patch
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -1,4 +1,4 @@
-From f08fbfbaad10ae0bd9f057de8e18071e588146a6 Mon Sep 17 00:00:00 2001
+From efef12825b9582c1710da3b7e50135870963d4f4 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Mon, 8 Apr 2019 10:46:29 +0100
 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
@@ -24,10 +24,10 @@ Patch-Name: revert-ipqos-defaults.patch
  4 files changed, 8 insertions(+), 12 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index f35bde6e6..2ba312441 100644
+index 253574ce0..9812b8d98 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -2165,9 +2165,9 @@ fill_default_options(Options * options)
+@@ -2174,9 +2174,9 @@ fill_default_options(Options * options)
         if (options->visual_host_key == -1)
                 options->visual_host_key = 0;
         if (options->ip_qos_interactive == -1)
@@ -40,7 +40,7 @@ index f35bde6e6..2ba312441 100644
                 options->request_tty = REQUEST_TTY_AUTO;
         if (options->proxy_use_fdpass == -1)
 diff --git a/servconf.c b/servconf.c
-index 8d2bced52..365e6ff1e 100644
+index 5576098a5..4464d51a5 100644
 --- a/servconf.c
 +++ b/servconf.c
 @@ -423,9 +423,9 @@ fill_default_server_options(ServerOptions *options)
@@ -56,10 +56,10 @@ index 8d2bced52..365e6ff1e 100644
                 options->version_addendum = xstrdup("");
         if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index a27631ae9..a9f6d906f 100644
+index d27655e15..b71d5ede9 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1098,11 +1098,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+@@ -1110,11 +1110,9 @@ If one argument is specified, it is used as the packet class unconditionally.
  If two values are specified, the first is automatically selected for
  interactive sessions and the second for non-interactive sessions.
  The default is
@@ -74,10 +74,10 @@ index a27631ae9..a9f6d906f 100644
  .It Cm KbdInteractiveAuthentication
  Specifies whether to use keyboard-interactive authentication.
 diff --git a/sshd_config.5 b/sshd_config.5
-index c0c4ebd66..e5380f5dc 100644
+index 02e29cb6f..ba533af9e 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -886,11 +886,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+@@ -892,11 +892,9 @@ If one argument is specified, it is used as the packet class unconditionally.
  If two values are specified, the first is automatically selected for
  interactive sessions and the second for non-interactive sessions.
  The default is
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index d4561d053..e69c9c46e 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From 08821a1b464a0d0d62f735d6bf1e6305faf73fa1 Mon Sep 17 00:00:00 2001
+From 2d8e679834c81fc381d02974986e08cafe3efa29 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch
  1 file changed, 10 insertions(+), 2 deletions(-)
 
 diff --git a/scp.c b/scp.c
-index 80bc0e8b1..a2dc410bd 100644
+index 0348d0673..5a7a92a7e 100644
 --- a/scp.c
 +++ b/scp.c
 @@ -199,8 +199,16 @@ do_local_cmd(arglist *a)
diff --git a/debian/patches/seccomp-handle-shm.patch b/debian/patches/seccomp-handle-shm.patch
deleted file mode 100644
index 7ad068190..000000000
--- a/debian/patches/seccomp-handle-shm.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From ceefaa8ee80b63c0890d24c42369dc51880f53ea Mon Sep 17 00:00:00 2001
-From: Lonnie Abelbeck <lonnie@abelbeck.com>
-Date: Tue, 1 Oct 2019 09:05:09 -0500
-Subject: Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
-
-New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
-in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
-
-Bug: https://github.com/openssh/openssh-portable/pull/149
-Bug-Debian: https://bugs.debian.org/941663
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=3ef92a657444f172b61f92d5da66d94fa8265602
-Last-Update: 2019-10-05
-
-Patch-Name: seccomp-handle-shm.patch
----
- sandbox-seccomp-filter.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index ef4de8c65..e8f31555e 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -149,6 +149,15 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_stat64
-        SC_DENY(__NR_stat64, EACCES),
- #endif
-+#ifdef __NR_shmget
-+       SC_DENY(__NR_shmget, EACCES),
-+#endif
-+#ifdef __NR_shmat
-+       SC_DENY(__NR_shmat, EACCES),
-+#endif
-+#ifdef __NR_shmdt
-+       SC_DENY(__NR_shmdt, EACCES),
-+#endif
- 
-        /* Syscalls to permit */
- #ifdef __NR_brk
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch
index cec741d2b..aaefa9ed4 100644
--- a/debian/patches/seccomp-s390-flock-ipc.patch
+++ b/debian/patches/seccomp-s390-flock-ipc.patch
@@ -1,4 +1,4 @@
-From a85bb8a31b789276d5edb0c34023ce833a402b00 Mon Sep 17 00:00:00 2001
+From cfc30ca51eba79f9f725c22528e3bfec036aa927 Mon Sep 17 00:00:00 2001
 From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
 Date: Tue, 9 May 2017 10:53:04 -0300
 Subject: Allow flock and ipc syscall for s390 architecture
@@ -22,10 +22,10 @@ Patch-Name: seccomp-s390-flock-ipc.patch
  1 file changed, 6 insertions(+)
 
 diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 5edbc6946..d4bc20828 100644
+index b5cda70bb..2f6b0d55b 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
-@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
+@@ -194,6 +194,9 @@ static const struct sock_filter preauth_insns[] = {
  #ifdef __NR_exit_group
         SC_ALLOW(__NR_exit_group),
  #endif
@@ -35,7 +35,7 @@ index 5edbc6946..d4bc20828 100644
  #ifdef __NR_futex
         SC_ALLOW(__NR_futex),
  #endif
-@@ -193,6 +196,9 @@ static const struct sock_filter preauth_insns[] = {
+@@ -221,6 +224,9 @@ static const struct sock_filter preauth_insns[] = {
  #ifdef __NR_getuid32
         SC_ALLOW(__NR_getuid32),
  #endif
diff --git a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
deleted file mode 100644
index 257ea7e79..000000000
--- a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From d38283cc4cba6bf7685a16898a3b9d3a6cecf661 Mon Sep 17 00:00:00 2001
-From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
-Date: Tue, 9 May 2017 13:33:30 -0300
-Subject: Enable specific ioctl call for EP11 crypto card (s390)
-
-The EP11 crypto card needs to make an ioctl call, which receives an
-specific argument. This crypto card is for s390 only.
-
-Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
-
-Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
-Last-Update: 2017-08-28
-
-Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
----
- sandbox-seccomp-filter.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index d4bc20828..ef4de8c65 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -256,6 +256,8 @@ static const struct sock_filter preauth_insns[] = {
-        SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
-        SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
-        SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
-+       /* Allow ioctls for EP11 crypto card on s390 */
-+       SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
- #endif
- #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
-        /*
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 5ab339ac9..02d740fe3 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From 21e3ff3ab4791d3c94bd775da66cde29797fcb36 Mon Sep 17 00:00:00 2001
+From 3131e3bb3c56a6c6ee8cb9d68f542af04cd9e8ff Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -31,10 +31,10 @@ Patch-Name: selinux-role.patch
  15 files changed, 99 insertions(+), 32 deletions(-)
 
 diff --git a/auth.h b/auth.h
-index bf393e755..8f13bdf48 100644
+index becc672b5..5da9fe75f 100644
 --- a/auth.h
 +++ b/auth.h
-@@ -65,6 +65,7 @@ struct Authctxt {
+@@ -63,6 +63,7 @@ struct Authctxt {
         char            *service;
         struct passwd   *pw;            /* set if 'valid' */
         char            *style;
@@ -43,10 +43,10 @@ index bf393e755..8f13bdf48 100644
         /* Method lists for multiple authentication */
         char            **auth_methods; /* modified from server config */
 diff --git a/auth2.c b/auth2.c
-index 7417eafa4..d60e7f1f2 100644
+index 1c217268c..92a6bcaf4 100644
 --- a/auth2.c
 +++ b/auth2.c
-@@ -267,7 +267,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+@@ -265,7 +265,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
  {
         Authctxt *authctxt = ssh->authctxt;
         Authmethod *m = NULL;
@@ -55,7 +55,7 @@ index 7417eafa4..d60e7f1f2 100644
         int r, authenticated = 0;
         double tstart = monotime_double();
  
-@@ -281,8 +281,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+@@ -279,8 +279,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
         debug("userauth-request for user %s service %s method %s", user, service, method);
         debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
  
@@ -69,7 +69,7 @@ index 7417eafa4..d60e7f1f2 100644
  
         if (authctxt->attempt++ == 0) {
                 /* setup auth context */
-@@ -309,8 +314,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+@@ -307,8 +312,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
                     use_privsep ? " [net]" : "");
                 authctxt->service = xstrdup(service);
                 authctxt->style = style ? xstrdup(style) : NULL;
@@ -81,7 +81,7 @@ index 7417eafa4..d60e7f1f2 100644
                 if (auth2_setup_methods_lists(authctxt) != 0)
                         ssh_packet_disconnect(ssh,
 diff --git a/monitor.c b/monitor.c
-index 0766d6ef5..5f84e880d 100644
+index bead9e204..04db44c9c 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -117,6 +117,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
@@ -177,7 +177,7 @@ index 2b1a2d590..4d87284aa 100644
  
  struct ssh;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 8e4c1c1f8..6b3a6251c 100644
+index fdca39a6a..933ce9a3d 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
 @@ -364,10 +364,10 @@ mm_auth2_read_banner(void)
@@ -231,11 +231,11 @@ index 8e4c1c1f8..6b3a6251c 100644
  int
  mm_auth_password(struct ssh *ssh, char *password)
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 69164a8c0..3d0e32d48 100644
+index 92dda574b..0f09dba09 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
-@@ -44,7 +44,8 @@ int mm_is_monitor(void);
- DH *mm_choose_dh(int, int, int);
+@@ -46,7 +46,8 @@ DH *mm_choose_dh(int, int, int);
+ #endif
  int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
      const u_char *, size_t, const char *, u_int compat);
 -void mm_inform_authserv(char *, char *);
@@ -328,10 +328,10 @@ index 3c22a854d..c88129428 100644
  void ssh_selinux_setfscreatecon(const char *);
  #endif
 diff --git a/platform.c b/platform.c
-index 41acc9370..35654ea51 100644
+index 44ba71dc5..2defe9425 100644
 --- a/platform.c
 +++ b/platform.c
-@@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw)
+@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
   * called if sshd is running as root.
   */
  void
@@ -340,7 +340,7 @@ index 41acc9370..35654ea51 100644
  {
  #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
         /*
-@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
+@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
         }
  #endif /* HAVE_SETPCRED */
  #ifdef WITH_SELINUX
@@ -363,7 +363,7 @@ index ea4f9c584..60d72ffe7 100644
  char *platform_krb5_get_principal_name(const char *);
  int platform_sys_dir_uid(uid_t);
 diff --git a/session.c b/session.c
-index ac3d9d19d..d87ea4d44 100644
+index f1a47f766..df7d7cf55 100644
 --- a/session.c
 +++ b/session.c
 @@ -1356,7 +1356,7 @@ safely_chroot(const char *path, uid_t uid)
@@ -425,7 +425,7 @@ index ce59dabd9..675c91146 100644
  const char     *session_get_remote_name_or_ip(struct ssh *, u_int, int);
  
 diff --git a/sshd.c b/sshd.c
-index 46870d3b5..e3e96426e 100644
+index 4e32fd10d..ea8beacb4 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -594,7 +594,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
@@ -438,7 +438,7 @@ index 46870d3b5..e3e96426e 100644
   skip:
         /* It is safe now to apply the key state */
 diff --git a/sshpty.c b/sshpty.c
-index 4da84d05f..676ade50e 100644
+index bce09e255..308449b37 100644
 --- a/sshpty.c
 +++ b/sshpty.c
 @@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
@@ -450,7 +450,7 @@ index 4da84d05f..676ade50e 100644
  {
         struct group *grp;
         gid_t gid;
-@@ -184,7 +184,7 @@ pty_setowner(struct passwd *pw, const char *tty)
+@@ -186,7 +186,7 @@ pty_setowner(struct passwd *pw, const char *tty)
                     strerror(errno));
  
  #ifdef WITH_SELINUX
diff --git a/debian/patches/series b/debian/patches/series
index 4af8d8861..74cdd2ce3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,9 +22,5 @@ systemd-readiness.patch
 debian-config.patch
 restore-authorized_keys2.patch
 seccomp-s390-flock-ipc.patch
-seccomp-s390-ioctl-ep11-crypto.patch
-fix-interop-tests.patch
 conch-old-privkey-format.patch
 revert-ipqos-defaults.patch
-fix-utimensat-test.patch
-seccomp-handle-shm.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index e6a21fb79..d7f69011e 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From 2cbb28cbd60e1c5c13a8457ad77a62c7787ba4a8 Mon Sep 17 00:00:00 2001
+From 5d1aab0eb6baeb044516660a0bde36cba2a3f9c2 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index fdcdcd855..103d84e38 100644
+index 6230dad32..644057bc4 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -257,7 +257,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port,
+@@ -260,7 +260,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg,
                 /* Execute the proxy command.  Note that we gave up any
                    extra privileges above. */
                 signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index fdcdcd855..103d84e38 100644
                 perror(argv[0]);
                 exit(1);
         }
-@@ -1382,7 +1382,7 @@ ssh_local_cmd(const char *args)
+@@ -1387,7 +1387,7 @@ ssh_local_cmd(const char *args)
         if (pid == 0) {
                 signal(SIGPIPE, SIG_DFL);
                 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index cbc781435..0dd4c662e 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From 22d2b4adcb38771adba96e326749cc67ee33d172 Mon Sep 17 00:00:00 2001
+From a8b5ec5c28805f0ab6b1b05474531521ac42eb12 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 5b6c0ce4a..af95ce67e 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From a3f10aefc2ed6ea656f5e57985400f86f56c40f6 Mon Sep 17 00:00:00 2001
+From e9f961ffa4e4e73ed22103b5697147d135d88b4f Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,7 +18,7 @@ Patch-Name: ssh-argv0.patch
  1 file changed, 1 insertion(+)
 
 diff --git a/ssh.1 b/ssh.1
-index e4aeae7b4..8d2b08a29 100644
+index 4923031f4..24530e511 100644
 --- a/ssh.1
 +++ b/ssh.1
 @@ -1584,6 +1584,7 @@ if an error occurred.
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 8adc301fc..5c2b58257 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From 0138f331a73d692f4543477ce7f64f9ede7d6b08 Mon Sep 17 00:00:00 2001
+From 42c820f76fddf2f2e537dbe10842aa39f6154059 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch
  2 files changed, 2 insertions(+)
 
 diff --git a/readconf.c b/readconf.c
-index 4d699e5f1..29f3bd98d 100644
+index 3c68d1a88..a7fb7ca15 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -192,6 +192,7 @@ static struct {
@@ -29,7 +29,7 @@ index 4d699e5f1..29f3bd98d 100644
         { "useroaming", oDeprecated },
         { "usersh", oDeprecated },
 diff --git a/servconf.c b/servconf.c
-index ffdad31e7..c01e0690e 100644
+index f63eb0b94..73b93c636 100644
 --- a/servconf.c
 +++ b/servconf.c
 @@ -621,6 +621,7 @@ static struct {
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index dd242d80a..2e4e5bbec 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From e9dd9cd95fe8fe2da9b114a1546a90634b3ce4be Mon Sep 17 00:00:00 2001
+From 3d1a993f484e9043e57af3ae37b7c9c608d5a5f1 Mon Sep 17 00:00:00 2001
 From: Natalie Amery <nmamery@chiark.greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index d9c2d136c..1749af6d1 100644
         { "FATAL",      SYSLOG_LEVEL_FATAL },
         { "ERROR",      SYSLOG_LEVEL_ERROR },
 diff --git a/ssh.c b/ssh.c
-index 42be7d88f..86f143341 100644
+index 2da9f5d0d..7b482dcb0 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -1265,7 +1265,7 @@ main(int ac, char **av)
+@@ -1268,7 +1268,7 @@ main(int ac, char **av)
         /* Do not allocate a tty if stdin is not a tty. */
         if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
             options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index c3b8f9f86..7fb76cf3d 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
-From d23f57ff1e85ded1298886968c9949282c4cba08 Mon Sep 17 00:00:00 2001
+From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001
 From: Michael Biebl <biebl@debian.org>
 Date: Mon, 21 Dec 2015 16:08:47 +0000
 Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
  2 files changed, 33 insertions(+)
 
 diff --git a/configure.ac b/configure.ac
-index ce16e7758..de140f578 100644
+index e894db9fc..c119d6fd1 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4526,6 +4526,29 @@ AC_ARG_WITH([kerberos5],
+@@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5],
  AC_SUBST([GSSLIBS])
  AC_SUBST([K5LIBS])
  
@@ -47,7 +47,7 @@ index ce16e7758..de140f578 100644
  # Looking for programs, paths and files
  
  PRIVSEP_PATH=/var/empty
-@@ -5332,6 +5355,7 @@ echo "                   libldns support: $LDNS_MSG"
+@@ -5305,6 +5328,7 @@ echo "                   libldns support: $LDNS_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
  echo "           Solaris project support: $SP_MSG"
  echo "         Solaris privilege support: $SPP_MSG"
@@ -56,7 +56,7 @@ index ce16e7758..de140f578 100644
  echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
  echo "                  BSD Auth support: $BSD_AUTH_MSG"
 diff --git a/sshd.c b/sshd.c
-index 1e7ece588..48162b629 100644
+index 4e8ff0662..5e7679a33 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -85,6 +85,10 @@
@@ -70,7 +70,7 @@ index 1e7ece588..48162b629 100644
  #include "xmalloc.h"
  #include "ssh.h"
  #include "ssh2.h"
-@@ -1946,6 +1950,11 @@ main(int ac, char **av)
+@@ -1951,6 +1955,11 @@ main(int ac, char **av)
                         }
                 }
  
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 05ea5f486..9a1b434fa 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From 0fc2ac6707abe076cd6b444f73c478eeda54b25f Mon Sep 17 00:00:00 2001
+From 19f1d075a06f4d3c9b440d7272272569d8bb0a17 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
@@ -13,7 +13,7 @@ default.
 
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
-Last-Update: 2019-06-05
+Last-Update: 2019-10-09
 
 Patch-Name: user-group-modes.patch
 ---
@@ -27,10 +27,10 @@ Patch-Name: user-group-modes.patch
  7 files changed, 63 insertions(+), 13 deletions(-)
 
 diff --git a/auth-rhosts.c b/auth-rhosts.c
-index 57296e1f6..546aa0495 100644
+index 7a10210b6..587f53721 100644
 --- a/auth-rhosts.c
 +++ b/auth-rhosts.c
-@@ -261,8 +261,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
+@@ -260,8 +260,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
                 return 0;
         }
         if (options.strict_modes &&
@@ -40,7 +40,7 @@ index 57296e1f6..546aa0495 100644
                 logit("Rhosts authentication refused for %.100s: "
                     "bad ownership or modes for home directory.", pw->pw_name);
                 auth_debug_add("Rhosts authentication refused for %.100s: "
-@@ -288,8 +287,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
+@@ -287,8 +286,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
                  * allowing access to their account by anyone.
                  */
                 if (options.strict_modes &&
@@ -51,7 +51,7 @@ index 57296e1f6..546aa0495 100644
                             pw->pw_name, buf);
                         auth_debug_add("Bad file modes for %.200s", buf);
 diff --git a/auth.c b/auth.c
-index f7a23afba..8ffd77662 100644
+index 47c27773c..fc0c05bae 100644
 --- a/auth.c
 +++ b/auth.c
 @@ -473,8 +473,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
@@ -65,7 +65,7 @@ index f7a23afba..8ffd77662 100644
                             "bad owner or modes for %.200s",
                             pw->pw_name, user_hostfile);
 diff --git a/misc.c b/misc.c
-index 009e02bc5..634b5060a 100644
+index 88833d7ff..42eeb425a 100644
 --- a/misc.c
 +++ b/misc.c
 @@ -59,8 +59,9 @@
@@ -79,7 +79,7 @@ index 009e02bc5..634b5060a 100644
  #ifdef SSH_TUN_OPENBSD
  #include <net/if.h>
  #endif
-@@ -1103,6 +1104,55 @@ percent_expand(const char *string, ...)
+@@ -1112,6 +1113,55 @@ percent_expand(const char *string, ...)
  #undef EXPAND_MAX_KEYS
  }
  
@@ -135,7 +135,7 @@ index 009e02bc5..634b5060a 100644
  int
  tun_open(int tun, int mode, char **ifname)
  {
-@@ -1860,8 +1910,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
+@@ -1869,8 +1919,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
                 snprintf(err, errlen, "%s is not a regular file", buf);
                 return -1;
         }
@@ -145,10 +145,10 @@ index 009e02bc5..634b5060a 100644
                 snprintf(err, errlen, "bad ownership or modes for file %s",
                     buf);
                 return -1;
-@@ -1876,8 +1925,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
+@@ -1885,8 +1934,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
                 strlcpy(buf, cp, sizeof(buf));
  
-                if (stat(buf, &st) < 0 ||
+                if (stat(buf, &st) == -1 ||
 -                   (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
 -                   (st.st_mode & 022) != 0) {
 +                   !secure_permissions(&st, uid)) {
@@ -156,10 +156,10 @@ index 009e02bc5..634b5060a 100644
                             "bad ownership or modes for directory %s", buf);
                         return -1;
 diff --git a/misc.h b/misc.h
-index 5b4325aba..a4bdee187 100644
+index bcc34f980..869895d3a 100644
 --- a/misc.h
 +++ b/misc.h
-@@ -175,6 +175,8 @@ int  safe_path_fd(int, const char *, struct passwd *,
+@@ -181,6 +181,8 @@ int opt_match(const char **opts, const char *term);
  char   *read_passphrase(const char *, int);
  int     ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
  
@@ -169,10 +169,10 @@ index 5b4325aba..a4bdee187 100644
  #define MAXIMUM(a, b)  (((a) > (b)) ? (a) : (b))
  #define ROUNDUP(x, y)   ((((x)+((y)-1))/(y))*(y))
 diff --git a/readconf.c b/readconf.c
-index 3d0b6ff90..cd60007f8 100644
+index 09787c0e5..16d2729dd 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1846,8 +1846,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
+@@ -1855,8 +1855,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
  
                 if (fstat(fileno(f), &sb) == -1)
                         fatal("fstat %s: %s", filename, strerror(errno));
@@ -183,7 +183,7 @@ index 3d0b6ff90..cd60007f8 100644
         }
  
 diff --git a/ssh.1 b/ssh.1
-index a1c7d2305..64ead5f57 100644
+index 26940ad55..20e4c4efa 100644
 --- a/ssh.1
 +++ b/ssh.1
 @@ -1484,6 +1484,8 @@ The file format and configuration options are described in
@@ -196,10 +196,10 @@ index a1c7d2305..64ead5f57 100644
  .It Pa ~/.ssh/environment
  Contains additional definitions for environment variables; see
 diff --git a/ssh_config.5 b/ssh_config.5
-index 250c92d04..bd1e9311d 100644
+index bc04d8d02..2c74b57c0 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1885,6 +1885,8 @@ The format of this file is described above.
+@@ -1907,6 +1907,8 @@ The format of this file is described above.
  This file is used by the SSH client.
  Because of the potential for abuse, this file must have strict permissions:
  read/write for the user, and not writable by others.
diff --git a/debian/rules b/debian/rules
index 2a41b023b..c8b778dc0 100755
--- a/debian/rules
+++ b/debian/rules
@@ -144,11 +144,7 @@ override_dh_auto_build-indep:
 
 override_dh_auto_test-arch:
 ifeq ($(RUN_TESTS),yes)
-        $(MAKE) -C debian/build-deb/regress \
-                .OBJDIR="$(CURDIR)/debian/build-deb/regress" \
-                .CURDIR="$(CURDIR)/regress" \
-                unit
-        $(MAKE) -C debian/build-deb compat-tests
+        $(MAKE) -C debian/build-deb unit compat-tests
         $(MAKE) -C debian/keygen-test
 endif