authorColin Watson <cjwatson@debian.org>2014-02-10 00:27:24 +0000
committerColin Watson <cjwatson@debian.org>2014-02-10 02:40:28 +0000
commita2b8818c5d21cfcba443625251f691a2ea3a29c7 (patch)
tree8fe1fe448cde57eecf71a7bcd57186661b90313f /debian
parentd399ecd8eb7d4aed3b7ba0d2727e619607fb901b (diff)
parentee8d8b97cc2c6081df3af453a228992b87309ec4 (diff)
Merge 6.5p1.
* New upstream release (http://www.openssh.com/txt/release-6.5, LP: #1275068): - ssh(1): Add support for client-side hostname canonicalisation using a set of DNS suffixes and rules in ssh_config(5). This allows unqualified names to be canonicalised to fully-qualified domain names to eliminate ambiguity when looking up keys in known_hosts or checking host certificate names (closes: #115286).
Diffstat (limited to 'debian')
-rw-r--r--debian/.git-dpm6
-rw-r--r--debian/changelog11
-rw-r--r--debian/patches/auth-log-verbosity.patch18
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch6
-rw-r--r--debian/patches/consolekit.patch44
-rw-r--r--debian/patches/debian-banner.patch24
-rw-r--r--debian/patches/debian-config.patch18
-rw-r--r--debian/patches/dnssec-sshfp.patch2
-rw-r--r--debian/patches/doc-hash-tab-completion.patch6
-rw-r--r--debian/patches/doc-upstart.patch4
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch220
-rw-r--r--debian/patches/helpful-wait-terminate.patch6
-rw-r--r--debian/patches/keepalive-extensions.patch34
-rw-r--r--debian/patches/lintian-symlink-pickiness.patch6
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch8
-rw-r--r--debian/patches/no-openssl-version-check.patch2
-rw-r--r--debian/patches/openbsd-docs.patch34
-rw-r--r--debian/patches/package-versioning.patch12
-rw-r--r--debian/patches/quieter-signals.patch4
-rw-r--r--debian/patches/scp-quoting.patch4
-rw-r--r--debian/patches/selinux-role.patch36
-rw-r--r--debian/patches/shell-path.patch8
-rw-r--r--debian/patches/sigstop.patch6
-rw-r--r--debian/patches/ssh-agent-setgid.patch6
-rw-r--r--debian/patches/ssh-argv0.patch6
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch10
-rw-r--r--debian/patches/ssh1-keepalive.patch8
-rw-r--r--debian/patches/syslog-level-silent.patch6
-rw-r--r--debian/patches/user-group-modes.patch32
30 files changed, 298 insertions, 291 deletions
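--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,7 +1,7 @@
 # see git-dpm(1) from git-dpm package
-b65a0ded7a8cfe7d351e28266d7851216d679e05
-b65a0ded7a8cfe7d351e28266d7851216d679e05
-ee196dab7c5f97f0b80c8099343a375bead92010
+ee8d8b97cc2c6081df3af453a228992b87309ec4
+ee8d8b97cc2c6081df3af453a228992b87309ec4
+9a975a9faed7c4f334e8c8490db3e77e102f2b21
 9a975a9faed7c4f334e8c8490db3e77e102f2b21
 openssh_6.5p1.orig.tar.gz
 3363a72b4fee91b29cf2024ff633c17f6cd2f86d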
diff --git a/debian/changelog b/debian/changelog
index 544aab882..38869d995 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,12 @@
1openssh (1:6.4p1-3) UNRELEASED; urgency=medium 1openssh (1:6.5p1-1) UNRELEASED; urgency=medium
2 2
3 * New upstream release (http://www.openssh.com/txt/release-6.5,
4 LP: #1275068):
5 - ssh(1): Add support for client-side hostname canonicalisation using a
6 set of DNS suffixes and rules in ssh_config(5). This allows
7 unqualified names to be canonicalised to fully-qualified domain names
8 to eliminate ambiguity when looking up keys in known_hosts or checking
9 host certificate names (closes: #115286).
3 * Switch to git; adjust Vcs-* fields. 10 * Switch to git; adjust Vcs-* fields.
4 * Convert to git-dpm, and drop source package documentation associated 11 * Convert to git-dpm, and drop source package documentation associated
5 with the old bzr/quilt patch handling workflow. 12 with the old bzr/quilt patch handling workflow.
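--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
-From 490aadd108dc4bf7f4b5084e3336d88ec23f6b19 Mon Sep 17 00:00:00 2001
+From 493e37552aa05b38cf69b5f1bc4b717fd4a1a285 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:02 +0000
 Subject: Quieten logs when multiple from= restrictions are used
@@ -16,10 +16,10 @@ Patch-Name: auth-log-verbosity.patch
  4 files changed, 32 insertions(+), 9 deletions(-)
 
 diff --git a/auth-options.c b/auth-options.c
-index 12e2e1d..15c00d0 100644
+index fa209ea..df61330 100644
 --- a/auth-options.c
 +++ b/auth-options.c
-@@ -58,9 +58,20 @@ int forced_tun_device = -1;
+@@ -54,9 +54,20 @@ int forced_tun_device = -1;
  /* "principals=" option. */
  char *authorized_principals = NULL;
 
@@ -40,7 +40,7 @@ index 12e2e1d..15c00d0 100644
  auth_clear_options(void)
  {
  no_agent_forwarding_flag = 0;
-@@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
+@@ -284,10 +295,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
  /* FALLTHROUGH */
  case 0:
  free(patterns);
@@ -58,7 +58,7 @@ index 12e2e1d..15c00d0 100644
  auth_debug_add("Your host '%.200s' is not "
  "permitted to use this key for login.",
  remote_host);
-@@ -513,11 +527,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
+@@ -510,11 +524,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
  break;
  case 0:
  /* no match */
@@ -104,10 +104,10 @@ index 545aa49..4624c15 100644
  * Go though the accepted keys, looking for the current key. If
  * found, perform a challenge-response dialog to verify that the
 diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index 2b3ecb1..4d87f48 100644
+index 0fd27bb..7c56927 100644
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -257,6 +257,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
+@@ -263,6 +263,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
  restore_uid();
  return 0;
  }
@@ -115,7 +115,7 @@ index 2b3ecb1..4d87f48 100644
  while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
  /* Skip leading whitespace. */
  for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-@@ -318,6 +319,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
+@@ -324,6 +325,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
  found_key = 0;
 
  found = NULL;
@@ -123,7 +123,7 @@ index 2b3ecb1..4d87f48 100644
  while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
  char *cp, *key_options = NULL;
  if (found != NULL)
-@@ -453,6 +455,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
+@@ -459,6 +461,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
  if (key_cert_check_authority(key, 0, 1,
  principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
  goto fail_reason;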
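--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From d5b4a3617c50cbe9526582979797248af5cbd9d5 Mon Sep 17 00:00:00 2001
+From cf559d6c8b4616022f5bedcf3b3b85387a4d1559 Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
  1 file changed, 1 insertion(+)
 
 diff --git a/Makefile.in b/Makefile.in
-index b2dbead..7849979 100644
+index 598d55a..5cf8100 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -283,6 +283,7 @@ install-files:
+@@ -287,6 +287,7 @@ install-files:
  $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
  $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
  $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8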
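--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,4 +1,4 @@
-From 05609b1cb381eafb999214bf4a95138e63abdbf2 Mon Sep 17 00:00:00 2001
+From efe70e315cfcc70e765ebd070e83528a6be6c125 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:57 +0000
 Subject: Add support for registering ConsoleKit sessions on login
@@ -24,24 +24,24 @@ Patch-Name: consolekit.patch
  create mode 100644 consolekit.h
 
 diff --git a/Makefile.in b/Makefile.in
-index f979926..b2dbead 100644
+index 35c6fd6..598d55a 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -94,7 +94,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+@@ -97,7 +97,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
  sftp-server.o sftp-common.o \
  roaming_common.o roaming_serv.o \
  sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-- sandbox-seccomp-filter.o
-+ sandbox-seccomp-filter.o \
+- sandbox-seccomp-filter.o sandbox-capsicum.o
++ sandbox-seccomp-filter.o sandbox-capsicum.o \
 + consolekit.o
 
  MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
  MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
 diff --git a/configure b/configure
-index ceb1b5d..78bbcd0 100755
+index 5a9db2d..57b68e2 100755
 --- a/configure
 +++ b/configure
-@@ -738,6 +738,7 @@ with_privsep_user
+@@ -740,6 +740,7 @@ with_privsep_user
  with_sandbox
  with_selinux
  with_kerberos5
@@ -49,15 +49,15 @@ index ceb1b5d..78bbcd0 100755
  with_privsep_path
  with_xauth
  enable_strip
-@@ -1428,6 +1429,7 @@ Optional Packages:
- --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter)
+@@ -1432,6 +1433,7 @@ Optional Packages:
+ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)
  --with-selinux Enable SELinux support
  --with-kerberos5=PATH Enable Kerberos 5 support
 + --with-consolekit Enable ConsoleKit support
  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
  --with-xauth=PATH Specify path to xauth program
  --with-maildir=/path/to/mail Specify your system mail directory
-@@ -16375,6 +16377,135 @@ fi
+@@ -17215,6 +17217,135 @@ fi
 
 
 
@@ -193,7 +193,7 @@ index ceb1b5d..78bbcd0 100755
  # Looking for programs, paths and files
 
  PRIVSEP_PATH=/var/empty
-@@ -18902,6 +19033,7 @@ echo " MD5 password support: $MD5_MSG"
+@@ -19744,6 +19875,7 @@ echo " MD5 password support: $MD5_MSG"
  echo " libedit support: $LIBEDIT_MSG"
  echo " Solaris process contract support: $SPC_MSG"
  echo " Solaris project support: $SP_MSG"
@@ -202,10 +202,10 @@ index ceb1b5d..78bbcd0 100755
  echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
  echo " BSD Auth support: $BSD_AUTH_MSG"
 diff --git a/configure.ac b/configure.ac
-index 4c1a658..d7d500a 100644
+index 90eebf5..e2289cd 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3841,6 +3841,30 @@ AC_ARG_WITH([kerberos5],
+@@ -4070,6 +4070,30 @@ AC_ARG_WITH([kerberos5],
  AC_SUBST([GSSLIBS])
  AC_SUBST([K5LIBS])
 
@@ -236,7 +236,7 @@ index 4c1a658..d7d500a 100644
  # Looking for programs, paths and files
 
  PRIVSEP_PATH=/var/empty
-@@ -4641,6 +4665,7 @@ echo " MD5 password support: $MD5_MSG"
+@@ -4871,6 +4895,7 @@ echo " MD5 password support: $MD5_MSG"
  echo " libedit support: $LIBEDIT_MSG"
  echo " Solaris process contract support: $SPC_MSG"
  echo " Solaris project support: $SP_MSG"
@@ -521,7 +521,7 @@ index 0000000..8ce3716
 +
 +#endif /* USE_CONSOLEKIT */
 diff --git a/monitor.c b/monitor.c
-index e8d63eb..9bc4f0b 100644
+index 88f472e..8ffea4f 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -98,6 +98,9 @@
@@ -575,7 +575,7 @@ index e8d63eb..9bc4f0b 100644
 
  for (;;)
  monitor_read(pmonitor, mon_dispatch, NULL);
-@@ -2492,3 +2508,30 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
+@@ -2493,3 +2509,30 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
  }
 
  #endif /* JPAKE */
@@ -672,7 +672,7 @@ index 4d12e29..360fb9f 100644
 +
  #endif /* _MM_WRAP_H_ */
 diff --git a/session.c b/session.c
-index b4d74d9..15bdb1b 100644
+index 5ddd82a..14df226 100644
 --- a/session.c
 +++ b/session.c
 @@ -92,6 +92,7 @@
@@ -683,7 +683,7 @@ index b4d74d9..15bdb1b 100644
 
  #if defined(KRB5) && defined(USE_AFS)
  #include <kafs.h>
-@@ -1132,6 +1133,9 @@ do_setup_env(Session *s, const char *shell)
+@@ -1155,6 +1156,9 @@ do_setup_env(Session *s, const char *shell)
  #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
  char *path = NULL;
  #endif
@@ -693,7 +693,7 @@ index b4d74d9..15bdb1b 100644
 
  /* Initialize the environment. */
  envsize = 100;
-@@ -1276,6 +1280,11 @@ do_setup_env(Session *s, const char *shell)
+@@ -1299,6 +1303,11 @@ do_setup_env(Session *s, const char *shell)
  child_set_env(&env, &envsize, "KRB5CCNAME",
  s->authctxt->krb5_ccname);
  #endif
@@ -705,7 +705,7 @@ index b4d74d9..15bdb1b 100644
  #ifdef USE_PAM
  /*
  * Pull in any environment variables that may have
-@@ -2320,6 +2329,10 @@ session_pty_cleanup2(Session *s)
+@@ -2348,6 +2357,10 @@ session_pty_cleanup2(Session *s)
 
  debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
 
@@ -717,7 +717,7 @@ index b4d74d9..15bdb1b 100644
  if (s->pid != 0)
  record_logout(s->pid, s->tty, s->pw->pw_name);
 diff --git a/session.h b/session.h
-index cb4f196..7e51b6a 100644
+index ef6593c..a6b6983 100644
 --- a/session.h
 +++ b/session.h
 @@ -26,6 +26,8 @@
@@ -729,7 +729,7 @@ index cb4f196..7e51b6a 100644
  #define TTYSZ 64
  typedef struct Session Session;
  struct Session {
-@@ -60,6 +62,10 @@ struct Session {
+@@ -61,6 +63,10 @@ struct Session {
  char *name;
  char *val;
  } *env;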
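--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From e1e1e23ca98c59a031217da0ea50b70de5427683 Mon Sep 17 00:00:00 2001
+From 68ebfc0e90ceb0f7b24dfb38979df6a80b7ec9e4 Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
@@ -19,10 +19,10 @@ Patch-Name: debian-banner.patch
  4 files changed, 18 insertions(+), 1 deletion(-)
 
 diff --git a/servconf.c b/servconf.c
-index dcb8caf..802db1d 100644
+index 65f71ad..63ff4ff 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -156,6 +156,7 @@ initialize_server_options(ServerOptions *options)
+@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions *options)
  options->ip_qos_interactive = -1;
  options->ip_qos_bulk = -1;
  options->version_addendum = NULL;
@@ -30,7 +30,7 @@ index dcb8caf..802db1d 100644
  }
 
  void
-@@ -307,6 +308,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -312,6 +313,8 @@ fill_default_server_options(ServerOptions *options)
  options->ip_qos_bulk = IPTOS_THROUGHPUT;
  if (options->version_addendum == NULL)
  options->version_addendum = xstrdup("");
@@ -39,7 +39,7 @@ index dcb8caf..802db1d 100644
  /* Turn privilege separation on by default */
  if (use_privsep == -1)
  use_privsep = PRIVSEP_NOSANDBOX;
-@@ -357,6 +360,7 @@ typedef enum {
+@@ -362,6 +365,7 @@ typedef enum {
  sKexAlgorithms, sIPQoS, sVersionAddendum,
  sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
  sAuthenticationMethods, sHostKeyAgent,
@@ -47,7 +47,7 @@ index dcb8caf..802db1d 100644
  sDeprecated, sUnsupported
  } ServerOpCodes;
 
-@@ -498,6 +502,7 @@ static struct {
+@@ -504,6 +508,7 @@ static struct {
  { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
  { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
  { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
@@ -55,7 +55,7 @@ index dcb8caf..802db1d 100644
  { NULL, sBadOption, 0 }
  };
 
-@@ -1641,6 +1646,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1666,6 +1671,10 @@ process_server_config_line(ServerOptions *options, char *line,
  }
  return 0;
 
@@ -67,10 +67,10 @@ index dcb8caf..802db1d 100644
  logit("%s line %d: Deprecated option %s",
  filename, linenum, arg);
 diff --git a/servconf.h b/servconf.h
-index ab6e346..1891a95 100644
+index eba76ee..98d68ce 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -187,6 +187,8 @@ typedef struct {
+@@ -188,6 +188,8 @@ typedef struct {
 
  u_int num_auth_methods;
  char *auth_methods[MAX_AUTH_METHODS];
@@ -80,7 +80,7 @@ index ab6e346..1891a95 100644
 
  /* Information about the incoming connection as used by Match */
 diff --git a/sshd.c b/sshd.c
-index 46ec1a7..63b9357 100644
+index 82168a1..c49a877 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -440,7 +440,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
@@ -94,10 +94,10 @@ index 46ec1a7..63b9357 100644
  options.version_addendum, newline);
 
 diff --git a/sshd_config.5 b/sshd_config.5
-index e29604a..50eec53 100644
+index 39643de..bdca797 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -404,6 +404,11 @@ or
+@@ -413,6 +413,11 @@ or
  .Dq no .
  The default is
  .Dq delayed .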
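--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From b65a0ded7a8cfe7d351e28266d7851216d679e05 Mon Sep 17 00:00:00 2001
+From ee8d8b97cc2c6081df3af453a228992b87309ec4 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -34,10 +34,10 @@ Patch-Name: debian-config.patch
  5 files changed, 53 insertions(+), 3 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index c741934..e1e82c5 100644
+index 273552d..6ac8bea 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1292,7 +1292,7 @@ fill_default_options(Options * options)
+@@ -1618,7 +1618,7 @@ fill_default_options(Options * options)
  if (options->forward_x11 == -1)
  options->forward_x11 = 0;
  if (options->forward_x11_trusted == -1)
@@ -47,7 +47,7 @@ index c741934..e1e82c5 100644
  options->forward_x11_timeout = 1200;
  if (options->exit_on_forward_failure == -1)
 diff --git a/ssh_config b/ssh_config
-index 3234321..064b593 100644
+index 228e5ab..c9386aa 100644
 --- a/ssh_config
 +++ b/ssh_config
 @@ -17,9 +17,10 @@
@@ -71,7 +71,7 @@ index 3234321..064b593 100644
 + GSSAPIAuthentication yes
 + GSSAPIDelegateCredentials no
 diff --git a/ssh_config.5 b/ssh_config.5
-index 7b05e5f..01e7b6f 100644
+index 85f306c..cc91a5c 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
@@ -97,7 +97,7 @@ index 7b05e5f..01e7b6f 100644
  The configuration file has the following format:
  .Pp
  Empty lines and lines starting with
-@@ -501,7 +517,8 @@ token used for the session will be set to expire after 20 minutes.
+@@ -648,7 +664,8 @@ token used for the session will be set to expire after 20 minutes.
  Remote clients will be refused access after this time.
  .Pp
  The default is
@@ -108,10 +108,10 @@ index 7b05e5f..01e7b6f 100644
  See the X11 SECURITY extension specification for full details on
  the restrictions imposed on untrusted clients.
 diff --git a/sshd_config b/sshd_config
-index 9450141..9cfe28d 100644
+index d9b8594..4db32f5 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -40,6 +40,7 @@
+@@ -41,6 +41,7 @@
  # Authentication:
 
  #LoginGraceTime 2m
@@ -120,7 +120,7 @@ index 9450141..9cfe28d 100644
  #StrictModes yes
  #MaxAuthTries 6
 diff --git a/sshd_config.5 b/sshd_config.5
-index 04b5f1a..ca4cb19 100644
+index 9fa6086..e7ac846 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -57,6 +57,33 @@ Arguments may optionally be enclosed in double quotes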
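--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From d77a569da1afcb73c6ddfc934092461eeb4edb53 Mon Sep 17 00:00:00 2001
+From a3e8cef2bae563fe8c87cf9f32511a0808dd47eb Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf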
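--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From 6a3efad36a54be8fa4de750cd7a555fe925f21cc Mon Sep 17 00:00:00 2001
+From 5e0540a17ace7dbbcec332ad3828d09dfa69dc6f Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
  1 file changed, 3 insertions(+)
 
 diff --git a/ssh_config.5 b/ssh_config.5
-index a1e18d2..7b05e5f 100644
+index 3c6b9d4..85f306c 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -587,6 +587,9 @@ Note that existing names and addresses in known hosts files
+@@ -734,6 +734,9 @@ Note that existing names and addresses in known hosts files
  will not be converted automatically,
  but may be manually hashed using
  .Xr ssh-keygen 1 .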
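--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
-From 5093448a615dcbab13bbbd3765ac353b827f21aa Mon Sep 17 00:00:00 2001
+From 61466f681be917753b4ae82f3b6b16cbb44047ae Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:12 +0000
 Subject: Refer to ssh's Upstart job as well as its init script
@@ -12,7 +12,7 @@ Patch-Name: doc-upstart.patch
  1 file changed, 4 insertions(+), 1 deletion(-)
 
 diff --git a/sshd.8 b/sshd.8
-index 95c1845..8e4017b 100644
+index b016e90..cba168a 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -70,7 +70,10 @@ over an insecure network.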
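--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 797d4dfd543b9d3fe96db6396e902a40b868d5c0 Mon Sep 17 00:00:00 2001
+From 1a6c95a5c5c82664f18bab6159e16cd64b07d870 Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon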
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 8a919382e..3f6fccfff 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 950be7e1b1a01ee9b25e2a72726a6370b8acacb6 Mon Sep 17 00:00:00 2001 1From cd404114ded78fc51d5d9cbd458d55c9b2f67daa Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate
17security history. 17security history.
18 18
19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
20Last-Updated: 2013-11-09 20Last-Updated: 2014-02-10
21 21
22Patch-Name: gssapi.patch 22Patch-Name: gssapi.patch
23--- 23---
@@ -179,7 +179,7 @@ index 0000000..f117a33
179+ (from jbasney AT ncsa.uiuc.edu) 179+ (from jbasney AT ncsa.uiuc.edu)
180+ <gssapi-with-mic support is Bugzilla #1008> 180+ <gssapi-with-mic support is Bugzilla #1008>
181diff --git a/Makefile.in b/Makefile.in 181diff --git a/Makefile.in b/Makefile.in
182index 92c95a9..f979926 100644 182index a8aa127..35c6fd6 100644
183--- a/Makefile.in 183--- a/Makefile.in
184+++ b/Makefile.in 184+++ b/Makefile.in
185@@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ 185@@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
@@ -188,22 +188,22 @@ index 92c95a9..f979926 100644
188 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ 188 kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
189+ kexgssc.o \ 189+ kexgssc.o \
190 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ 190 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
191 jpake.o schnorr.o ssh-pkcs11.o krl.o 191 jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
192 192 kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
193@@ -88,7 +89,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ 193@@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
194 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ 194 auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
195 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ 195 monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
196 auth-krb5.o \ 196 kexc25519s.o auth-krb5.o \
197- auth2-gss.o gss-serv.o gss-serv-krb5.o \ 197- auth2-gss.o gss-serv.o gss-serv-krb5.o \
198+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ 198+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
199 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ 199 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
200 sftp-server.o sftp-common.o \ 200 sftp-server.o sftp-common.o \
201 roaming_common.o roaming_serv.o \ 201 roaming_common.o roaming_serv.o \
202diff --git a/auth-krb5.c b/auth-krb5.c 202diff --git a/auth-krb5.c b/auth-krb5.c
203index 7c83f59..5613b57 100644 203index 6c62bdf..69a1a53 100644
204--- a/auth-krb5.c 204--- a/auth-krb5.c
205+++ b/auth-krb5.c 205+++ b/auth-krb5.c
206@@ -181,8 +181,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) 206@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
207 207
208 len = strlen(authctxt->krb5_ticket_file) + 6; 208 len = strlen(authctxt->krb5_ticket_file) + 6;
209 authctxt->krb5_ccname = xmalloc(len); 209 authctxt->krb5_ccname = xmalloc(len);
@@ -217,7 +217,7 @@ index 7c83f59..5613b57 100644
217 217
218 #ifdef USE_PAM 218 #ifdef USE_PAM
219 if (options.use_pam) 219 if (options.use_pam)
220@@ -239,15 +244,22 @@ krb5_cleanup_proc(Authctxt *authctxt) 220@@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
221 #ifndef HEIMDAL 221 #ifndef HEIMDAL
222 krb5_error_code 222 krb5_error_code
223 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { 223 ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@@ -242,7 +242,7 @@ index 7c83f59..5613b57 100644
242 old_umask = umask(0177); 242 old_umask = umask(0177);
243 tmpfd = mkstemp(ccname + strlen("FILE:")); 243 tmpfd = mkstemp(ccname + strlen("FILE:"));
244 oerrno = errno; 244 oerrno = errno;
245@@ -264,6 +276,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { 245@@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
246 return oerrno; 246 return oerrno;
247 } 247 }
248 close(tmpfd); 248 close(tmpfd);
@@ -358,7 +358,7 @@ index f0cab8c..6ed8f04 100644
358 #endif 358 #endif
359 #ifdef JPAKE 359 #ifdef JPAKE
360diff --git a/clientloop.c b/clientloop.c 360diff --git a/clientloop.c b/clientloop.c
361index 23c2f23..311dc13 100644 361index f30c8b6..6d02b0b 100644
362--- a/clientloop.c 362--- a/clientloop.c
363+++ b/clientloop.c 363+++ b/clientloop.c
364@@ -111,6 +111,10 @@ 364@@ -111,6 +111,10 @@
@@ -389,10 +389,10 @@ index 23c2f23..311dc13 100644
389 debug("need rekeying"); 389 debug("need rekeying");
390 xxx_kex->done = 0; 390 xxx_kex->done = 0;
391diff --git a/config.h.in b/config.h.in 391diff --git a/config.h.in b/config.h.in
392index b75e501..34f1c9c 100644 392index 075c619..906e549 100644
393--- a/config.h.in 393--- a/config.h.in
394+++ b/config.h.in 394+++ b/config.h.in
395@@ -1546,6 +1546,9 @@ 395@@ -1616,6 +1616,9 @@
396 /* Use btmp to log bad logins */ 396 /* Use btmp to log bad logins */
397 #undef USE_BTMP 397 #undef USE_BTMP
398 398
@@ -402,7 +402,7 @@ index b75e501..34f1c9c 100644
402 /* Use libedit for sftp */ 402 /* Use libedit for sftp */
403 #undef USE_LIBEDIT 403 #undef USE_LIBEDIT
404 404
405@@ -1561,6 +1564,9 @@ 405@@ -1631,6 +1634,9 @@
406 /* Use PIPES instead of a socketpair() */ 406 /* Use PIPES instead of a socketpair() */
407 #undef USE_PIPES 407 #undef USE_PIPES
408 408
@@ -413,10 +413,10 @@ index b75e501..34f1c9c 100644
413 #undef USE_SOLARIS_PROCESS_CONTRACTS 413 #undef USE_SOLARIS_PROCESS_CONTRACTS
414 414
415diff --git a/configure b/configure 415diff --git a/configure b/configure
416index 0d6fad5..ceb1b5d 100755 416index 2d714ac..5a9db2d 100755
417--- a/configure 417--- a/configure
418+++ b/configure 418+++ b/configure
419@@ -6780,6 +6780,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h 419@@ -7170,6 +7170,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h
420 420
421 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h 421 $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h
422 422
@@ -481,10 +481,10 @@ index 0d6fad5..ceb1b5d 100755
481 ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" 481 ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default"
482 if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : 482 if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then :
483diff --git a/configure.ac b/configure.ac 483diff --git a/configure.ac b/configure.ac
484index 4a1b503..4c1a658 100644 484index dfd32cd..90eebf5 100644
485--- a/configure.ac 485--- a/configure.ac
486+++ b/configure.ac 486+++ b/configure.ac
487@@ -548,6 +548,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 487@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
488 [Use tunnel device compatibility to OpenBSD]) 488 [Use tunnel device compatibility to OpenBSD])
489 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 489 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
490 [Prepend the address family to IP tunnel traffic]) 490 [Prepend the address family to IP tunnel traffic])
@@ -867,7 +867,7 @@ index b39281b..b7d1b7d 100644
867+ 867+
868 #endif /* GSSAPI */ 868 #endif /* GSSAPI */
869diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c 869diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
870index 87f2683..c55446a 100644 870index 759fa10..959a77e 100644
871--- a/gss-serv-krb5.c 871--- a/gss-serv-krb5.c
872+++ b/gss-serv-krb5.c 872+++ b/gss-serv-krb5.c
873@@ -1,7 +1,7 @@ 873@@ -1,7 +1,7 @@
@@ -887,7 +887,7 @@ index 87f2683..c55446a 100644
887 887
888 if (client->creds == NULL) { 888 if (client->creds == NULL) {
889 debug("No credentials stored"); 889 debug("No credentials stored");
890@@ -174,11 +175,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) 890@@ -180,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
891 return; 891 return;
892 } 892 }
893 893
@@ -908,7 +908,7 @@ index 87f2683..c55446a 100644
908 908
909 #ifdef USE_PAM 909 #ifdef USE_PAM
910 if (options.use_pam) 910 if (options.use_pam)
911@@ -190,6 +196,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) 911@@ -196,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
912 return; 912 return;
913 } 913 }
914 914
@@ -980,7 +980,7 @@ index 87f2683..c55446a 100644
980 ssh_gssapi_mech gssapi_kerberos_mech = { 980 ssh_gssapi_mech gssapi_kerberos_mech = {
981 "toWM5Slw5Ew8Mqkay+al2g==", 981 "toWM5Slw5Ew8Mqkay+al2g==",
982 "Kerberos", 982 "Kerberos",
983@@ -197,7 +268,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { 983@@ -203,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
984 NULL, 984 NULL,
985 &ssh_gssapi_krb5_userok, 985 &ssh_gssapi_krb5_userok,
986 NULL, 986 NULL,
@@ -1309,12 +1309,12 @@ index 95348e2..97f366f 100644
1309 1309
1310 #endif 1310 #endif
1311diff --git a/kex.c b/kex.c 1311diff --git a/kex.c b/kex.c
1312index 54bd1a4..1ec2782 100644 1312index 616484b..49d0fc8 100644
1313--- a/kex.c 1313--- a/kex.c
1314+++ b/kex.c 1314+++ b/kex.c
1315@@ -50,6 +50,10 @@ 1315@@ -51,6 +51,10 @@
1316 #include "monitor.h"
1317 #include "roaming.h" 1316 #include "roaming.h"
1317 #include "digest.h"
1318 1318
1319+#ifdef GSSAPI 1319+#ifdef GSSAPI
1320+#include "ssh-gss.h" 1320+#include "ssh-gss.h"
@@ -1323,22 +1323,22 @@ index 54bd1a4..1ec2782 100644
1323 #if OPENSSL_VERSION_NUMBER >= 0x00907000L 1323 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1324 # if defined(HAVE_EVP_SHA256) 1324 # if defined(HAVE_EVP_SHA256)
1325 # define evp_ssh_sha256 EVP_sha256 1325 # define evp_ssh_sha256 EVP_sha256
1326@@ -82,6 +86,14 @@ static const struct kexalg kexalgs[] = { 1326@@ -92,6 +96,14 @@ static const struct kexalg kexalgs[] = {
1327 #endif 1327 #endif
1328 { NULL, -1, -1, NULL}, 1328 { NULL, -1, -1, -1},
1329 }; 1329 };
1330+static const struct kexalg kexalg_prefixes[] = { 1330+static const struct kexalg kexalg_prefixes[] = {
1331+#ifdef GSSAPI 1331+#ifdef GSSAPI
1332+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, EVP_sha1 }, 1332+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
1333+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, EVP_sha1 }, 1333+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
1334+ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, EVP_sha1 }, 1334+ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
1335+#endif 1335+#endif
1336+ { NULL, -1, -1, NULL }, 1336+ { NULL, -1, -1, -1 },
1337+}; 1337+};
1338 1338
1339 char * 1339 char *
1340 kex_alg_list(void) 1340 kex_alg_list(char sep)
1341@@ -110,6 +122,10 @@ kex_alg_by_name(const char *name) 1341@@ -120,6 +132,10 @@ kex_alg_by_name(const char *name)
1342 if (strcmp(k->name, name) == 0) 1342 if (strcmp(k->name, name) == 0)
1343 return k; 1343 return k;
1344 } 1344 }
@@ -1350,22 +1350,22 @@ index 54bd1a4..1ec2782 100644
1350 } 1350 }
1351 1351
1352diff --git a/kex.h b/kex.h 1352diff --git a/kex.h b/kex.h
1353index 9f1e1ad..d5046c6 100644 1353index 1aa3ec2..8fbcb2b 100644
1354--- a/kex.h 1354--- a/kex.h
1355+++ b/kex.h 1355+++ b/kex.h
1356@@ -74,6 +74,9 @@ enum kex_exchange { 1356@@ -76,6 +76,9 @@ enum kex_exchange {
1357 KEX_DH_GEX_SHA1,
1358 KEX_DH_GEX_SHA256, 1357 KEX_DH_GEX_SHA256,
1359 KEX_ECDH_SHA2, 1358 KEX_ECDH_SHA2,
1359 KEX_C25519_SHA256,
1360+ KEX_GSS_GRP1_SHA1, 1360+ KEX_GSS_GRP1_SHA1,
1361+ KEX_GSS_GRP14_SHA1, 1361+ KEX_GSS_GRP14_SHA1,
1362+ KEX_GSS_GEX_SHA1, 1362+ KEX_GSS_GEX_SHA1,
1363 KEX_MAX 1363 KEX_MAX
1364 }; 1364 };
1365 1365
1366@@ -133,6 +136,12 @@ struct Kex { 1366@@ -136,6 +139,12 @@ struct Kex {
1367 int flags; 1367 int flags;
1368 const EVP_MD *evp_md; 1368 int hash_alg;
1369 int ec_nid; 1369 int ec_nid;
1370+#ifdef GSSAPI 1370+#ifdef GSSAPI
1371+ int gss_deleg_creds; 1371+ int gss_deleg_creds;
@@ -1376,9 +1376,9 @@ index 9f1e1ad..d5046c6 100644
1376 char *client_version_string; 1376 char *client_version_string;
1377 char *server_version_string; 1377 char *server_version_string;
1378 int (*verify_host_key)(Key *); 1378 int (*verify_host_key)(Key *);
1379@@ -162,6 +171,11 @@ void kexgex_server(Kex *); 1379@@ -168,6 +177,11 @@ void kexecdh_server(Kex *);
1380 void kexecdh_client(Kex *); 1380 void kexc25519_client(Kex *);
1381 void kexecdh_server(Kex *); 1381 void kexc25519_server(Kex *);
1382 1382
1383+#ifdef GSSAPI 1383+#ifdef GSSAPI
1384+void kexgss_client(Kex *); 1384+void kexgss_client(Kex *);
@@ -1390,7 +1390,7 @@ index 9f1e1ad..d5046c6 100644
1390 BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); 1390 BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
1391diff --git a/kexgssc.c b/kexgssc.c 1391diff --git a/kexgssc.c b/kexgssc.c
1392new file mode 100644 1392new file mode 100644
1393index 0000000..616893c 1393index 0000000..14f5598
1394--- /dev/null 1394--- /dev/null
1395+++ b/kexgssc.c 1395+++ b/kexgssc.c
1396@@ -0,0 +1,333 @@ 1396@@ -0,0 +1,333 @@
@@ -1675,7 +1675,7 @@ index 0000000..616893c
1675+ break; 1675+ break;
1676+ case KEX_GSS_GEX_SHA1: 1676+ case KEX_GSS_GEX_SHA1:
1677+ kexgex_hash( 1677+ kexgex_hash(
1678+ kex->evp_md, 1678+ kex->hash_alg,
1679+ kex->client_version_string, 1679+ kex->client_version_string,
1680+ kex->server_version_string, 1680+ kex->server_version_string,
1681+ buffer_ptr(&kex->my), buffer_len(&kex->my), 1681+ buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -1721,7 +1721,7 @@ index 0000000..616893c
1721+ else 1721+ else
1722+ ssh_gssapi_delete_ctx(&ctxt); 1722+ ssh_gssapi_delete_ctx(&ctxt);
1723+ 1723+
1724+ kex_derive_keys(kex, hash, hashlen, shared_secret); 1724+ kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
1725+ BN_clear_free(shared_secret); 1725+ BN_clear_free(shared_secret);
1726+ kex_finish(kex); 1726+ kex_finish(kex);
1727+} 1727+}
@@ -1729,7 +1729,7 @@ index 0000000..616893c
1729+#endif /* GSSAPI */ 1729+#endif /* GSSAPI */
1730diff --git a/kexgsss.c b/kexgsss.c 1730diff --git a/kexgsss.c b/kexgsss.c
1731new file mode 100644 1731new file mode 100644
1732index 0000000..18b065b 1732index 0000000..8095259
1733--- /dev/null 1733--- /dev/null
1734+++ b/kexgsss.c 1734+++ b/kexgsss.c
1735@@ -0,0 +1,289 @@ 1735@@ -0,0 +1,289 @@
@@ -1959,7 +1959,7 @@ index 0000000..18b065b
1959+ break; 1959+ break;
1960+ case KEX_GSS_GEX_SHA1: 1960+ case KEX_GSS_GEX_SHA1:
1961+ kexgex_hash( 1961+ kexgex_hash(
1962+ kex->evp_md, 1962+ kex->hash_alg,
1963+ kex->client_version_string, kex->server_version_string, 1963+ kex->client_version_string, kex->server_version_string,
1964+ buffer_ptr(&kex->peer), buffer_len(&kex->peer), 1964+ buffer_ptr(&kex->peer), buffer_len(&kex->peer),
1965+ buffer_ptr(&kex->my), buffer_len(&kex->my), 1965+ buffer_ptr(&kex->my), buffer_len(&kex->my),
@@ -2012,7 +2012,7 @@ index 0000000..18b065b
2012+ 2012+
2013+ DH_free(dh); 2013+ DH_free(dh);
2014+ 2014+
2015+ kex_derive_keys(kex, hash, hashlen, shared_secret); 2015+ kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
2016+ BN_clear_free(shared_secret); 2016+ BN_clear_free(shared_secret);
2017+ kex_finish(kex); 2017+ kex_finish(kex);
2018+ 2018+
@@ -2023,23 +2023,23 @@ index 0000000..18b065b
2023+} 2023+}
2024+#endif /* GSSAPI */ 2024+#endif /* GSSAPI */
2025diff --git a/key.c b/key.c 2025diff --git a/key.c b/key.c
2026index 55ee789..2591635 100644 2026index 9142338..3867eb3 100644
2027--- a/key.c 2027--- a/key.c
2028+++ b/key.c 2028+++ b/key.c
2029@@ -933,6 +933,7 @@ static const struct keytype keytypes[] = { 2029@@ -985,6 +985,7 @@ static const struct keytype keytypes[] = {
2030 KEY_RSA_CERT_V00, 0, 1 },
2031 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
2032 KEY_DSA_CERT_V00, 0, 1 }, 2030 KEY_DSA_CERT_V00, 0, 1 },
2031 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
2032 KEY_ED25519_CERT, 0, 1 },
2033+ { "null", "null", KEY_NULL, 0, 0 }, 2033+ { "null", "null", KEY_NULL, 0, 0 },
2034 { NULL, NULL, -1, -1, 0 } 2034 { NULL, NULL, -1, -1, 0 }
2035 }; 2035 };
2036 2036
2037diff --git a/key.h b/key.h 2037diff --git a/key.h b/key.h
2038index 17358ae..b57d6a4 100644 2038index d8ad13d..c8aeba2 100644
2039--- a/key.h 2039--- a/key.h
2040+++ b/key.h 2040+++ b/key.h
2041@@ -44,6 +44,7 @@ enum types { 2041@@ -46,6 +46,7 @@ enum types {
2042 KEY_ECDSA_CERT, 2042 KEY_ED25519_CERT,
2043 KEY_RSA_CERT_V00, 2043 KEY_RSA_CERT_V00,
2044 KEY_DSA_CERT_V00, 2044 KEY_DSA_CERT_V00,
2045+ KEY_NULL, 2045+ KEY_NULL,
@@ -2047,7 +2047,7 @@ index 17358ae..b57d6a4 100644
2047 }; 2047 };
2048 enum fp_type { 2048 enum fp_type {
2049diff --git a/monitor.c b/monitor.c 2049diff --git a/monitor.c b/monitor.c
2050index 44dff98..9079c97 100644 2050index 03baf1e..a777c4c 100644
2051--- a/monitor.c 2051--- a/monitor.c
2052+++ b/monitor.c 2052+++ b/monitor.c
2053@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); 2053@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
@@ -2102,10 +2102,10 @@ index 44dff98..9079c97 100644
2102 } else { 2102 } else {
2103 mon_dispatch = mon_dispatch_postauth15; 2103 mon_dispatch = mon_dispatch_postauth15;
2104 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2104 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
2105@@ -1855,6 +1872,13 @@ mm_get_kex(Buffer *m) 2105@@ -1856,6 +1873,13 @@ mm_get_kex(Buffer *m)
2106 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
2107 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 2106 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
2108 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 2107 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
2108 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
2109+#ifdef GSSAPI 2109+#ifdef GSSAPI
2110+ if (options.gss_keyex) { 2110+ if (options.gss_keyex) {
2111+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; 2111+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -2116,7 +2116,7 @@ index 44dff98..9079c97 100644
2116 kex->server = 1; 2116 kex->server = 1;
2117 kex->hostkey_type = buffer_get_int(m); 2117 kex->hostkey_type = buffer_get_int(m);
2118 kex->kex_type = buffer_get_int(m); 2118 kex->kex_type = buffer_get_int(m);
2119@@ -2062,6 +2086,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) 2119@@ -2063,6 +2087,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2120 OM_uint32 major; 2120 OM_uint32 major;
2121 u_int len; 2121 u_int len;
2122 2122
@@ -2126,7 +2126,7 @@ index 44dff98..9079c97 100644
2126 goid.elements = buffer_get_string(m, &len); 2126 goid.elements = buffer_get_string(m, &len);
2127 goid.length = len; 2127 goid.length = len;
2128 2128
2129@@ -2089,6 +2116,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2129@@ -2090,6 +2117,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2130 OM_uint32 flags = 0; /* GSI needs this */ 2130 OM_uint32 flags = 0; /* GSI needs this */
2131 u_int len; 2131 u_int len;
2132 2132
@@ -2136,7 +2136,7 @@ index 44dff98..9079c97 100644
2136 in.value = buffer_get_string(m, &len); 2136 in.value = buffer_get_string(m, &len);
2137 in.length = len; 2137 in.length = len;
2138 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); 2138 major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
2139@@ -2106,6 +2136,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2139@@ -2107,6 +2137,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2140 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2140 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2141 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2141 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2142 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2142 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2144,7 +2144,7 @@ index 44dff98..9079c97 100644
2144 } 2144 }
2145 return (0); 2145 return (0);
2146 } 2146 }
2147@@ -2117,6 +2148,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) 2147@@ -2118,6 +2149,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2148 OM_uint32 ret; 2148 OM_uint32 ret;
2149 u_int len; 2149 u_int len;
2150 2150
@@ -2154,7 +2154,7 @@ index 44dff98..9079c97 100644
2154 gssbuf.value = buffer_get_string(m, &len); 2154 gssbuf.value = buffer_get_string(m, &len);
2155 gssbuf.length = len; 2155 gssbuf.length = len;
2156 mic.value = buffer_get_string(m, &len); 2156 mic.value = buffer_get_string(m, &len);
2157@@ -2143,7 +2177,11 @@ mm_answer_gss_userok(int sock, Buffer *m) 2157@@ -2144,7 +2178,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2158 { 2158 {
2159 int authenticated; 2159 int authenticated;
2160 2160
@@ -2167,7 +2167,7 @@ index 44dff98..9079c97 100644
2167 2167
2168 buffer_clear(m); 2168 buffer_clear(m);
2169 buffer_put_int(m, authenticated); 2169 buffer_put_int(m, authenticated);
2170@@ -2156,6 +2194,74 @@ mm_answer_gss_userok(int sock, Buffer *m) 2170@@ -2157,6 +2195,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
2171 /* Monitor loop will terminate if authenticated */ 2171 /* Monitor loop will terminate if authenticated */
2172 return (authenticated); 2172 return (authenticated);
2173 } 2173 }
@@ -2338,10 +2338,10 @@ index 0c7f2e3..ec9b9b1 100644
2338 2338
2339 #ifdef USE_PAM 2339 #ifdef USE_PAM
2340diff --git a/readconf.c b/readconf.c 2340diff --git a/readconf.c b/readconf.c
2341index 1464430..2695fd6 100644 2341index 9c7e73d..cb8bcb2 100644
2342--- a/readconf.c 2342--- a/readconf.c
2343+++ b/readconf.c 2343+++ b/readconf.c
2344@@ -132,6 +132,8 @@ typedef enum { 2344@@ -140,6 +140,8 @@ typedef enum {
2345 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 2345 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
2346 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 2346 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
2347 oAddressFamily, oGssAuthentication, oGssDelegateCreds, 2347 oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2350,7 +2350,7 @@ index 1464430..2695fd6 100644
2350 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2350 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2351 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2351 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2352 oHashKnownHosts, 2352 oHashKnownHosts,
2353@@ -172,10 +174,19 @@ static struct { 2353@@ -182,10 +184,19 @@ static struct {
2354 { "afstokenpassing", oUnsupported }, 2354 { "afstokenpassing", oUnsupported },
2355 #if defined(GSSAPI) 2355 #if defined(GSSAPI)
2356 { "gssapiauthentication", oGssAuthentication }, 2356 { "gssapiauthentication", oGssAuthentication },
@@ -2370,7 +2370,7 @@ index 1464430..2695fd6 100644
2370 #endif 2370 #endif
2371 { "fallbacktorsh", oDeprecated }, 2371 { "fallbacktorsh", oDeprecated },
2372 { "usersh", oDeprecated }, 2372 { "usersh", oDeprecated },
2373@@ -516,10 +527,30 @@ parse_flag: 2373@@ -839,10 +850,30 @@ parse_time:
2374 intptr = &options->gss_authentication; 2374 intptr = &options->gss_authentication;
2375 goto parse_flag; 2375 goto parse_flag;
2376 2376
@@ -2401,7 +2401,7 @@ index 1464430..2695fd6 100644
2401 case oBatchMode: 2401 case oBatchMode:
2402 intptr = &options->batch_mode; 2402 intptr = &options->batch_mode;
2403 goto parse_flag; 2403 goto parse_flag;
2404@@ -1168,7 +1199,12 @@ initialize_options(Options * options) 2404@@ -1488,7 +1519,12 @@ initialize_options(Options * options)
2405 options->pubkey_authentication = -1; 2405 options->pubkey_authentication = -1;
2406 options->challenge_response_authentication = -1; 2406 options->challenge_response_authentication = -1;
2407 options->gss_authentication = -1; 2407 options->gss_authentication = -1;
@@ -2414,7 +2414,7 @@ index 1464430..2695fd6 100644
2414 options->password_authentication = -1; 2414 options->password_authentication = -1;
2415 options->kbd_interactive_authentication = -1; 2415 options->kbd_interactive_authentication = -1;
2416 options->kbd_interactive_devices = NULL; 2416 options->kbd_interactive_devices = NULL;
2417@@ -1268,8 +1304,14 @@ fill_default_options(Options * options) 2417@@ -1594,8 +1630,14 @@ fill_default_options(Options * options)
2418 options->challenge_response_authentication = 1; 2418 options->challenge_response_authentication = 1;
2419 if (options->gss_authentication == -1) 2419 if (options->gss_authentication == -1)
2420 options->gss_authentication = 0; 2420 options->gss_authentication = 0;
@@ -2430,10 +2430,10 @@ index 1464430..2695fd6 100644
2430 options->password_authentication = 1; 2430 options->password_authentication = 1;
2431 if (options->kbd_interactive_authentication == -1) 2431 if (options->kbd_interactive_authentication == -1)
2432diff --git a/readconf.h b/readconf.h 2432diff --git a/readconf.h b/readconf.h
2433index 23fc500..675b35d 100644 2433index 2d7ea9f..826c676 100644
2434--- a/readconf.h 2434--- a/readconf.h
2435+++ b/readconf.h 2435+++ b/readconf.h
2436@@ -48,7 +48,12 @@ typedef struct { 2436@@ -54,7 +54,12 @@ typedef struct {
2437 int challenge_response_authentication; 2437 int challenge_response_authentication;
2438 /* Try S/Key or TIS, authentication. */ 2438 /* Try S/Key or TIS, authentication. */
2439 int gss_authentication; /* Try GSS authentication */ 2439 int gss_authentication; /* Try GSS authentication */
@@ -2447,10 +2447,10 @@ index 23fc500..675b35d 100644
2447 * authentication. */ 2447 * authentication. */
2448 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2448 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2449diff --git a/servconf.c b/servconf.c 2449diff --git a/servconf.c b/servconf.c
2450index 747edde..c938ae3 100644 2450index 9bcd05b..29209e4 100644
2451--- a/servconf.c 2451--- a/servconf.c
2452+++ b/servconf.c 2452+++ b/servconf.c
2453@@ -107,7 +107,10 @@ initialize_server_options(ServerOptions *options) 2453@@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options)
2454 options->kerberos_ticket_cleanup = -1; 2454 options->kerberos_ticket_cleanup = -1;
2455 options->kerberos_get_afs_token = -1; 2455 options->kerberos_get_afs_token = -1;
2456 options->gss_authentication=-1; 2456 options->gss_authentication=-1;
@@ -2461,7 +2461,7 @@ index 747edde..c938ae3 100644
2461 options->password_authentication = -1; 2461 options->password_authentication = -1;
2462 options->kbd_interactive_authentication = -1; 2462 options->kbd_interactive_authentication = -1;
2463 options->challenge_response_authentication = -1; 2463 options->challenge_response_authentication = -1;
2464@@ -240,8 +243,14 @@ fill_default_server_options(ServerOptions *options) 2464@@ -245,8 +248,14 @@ fill_default_server_options(ServerOptions *options)
2465 options->kerberos_get_afs_token = 0; 2465 options->kerberos_get_afs_token = 0;
2466 if (options->gss_authentication == -1) 2466 if (options->gss_authentication == -1)
2467 options->gss_authentication = 0; 2467 options->gss_authentication = 0;
@@ -2476,7 +2476,7 @@ index 747edde..c938ae3 100644
2476 if (options->password_authentication == -1) 2476 if (options->password_authentication == -1)
2477 options->password_authentication = 1; 2477 options->password_authentication = 1;
2478 if (options->kbd_interactive_authentication == -1) 2478 if (options->kbd_interactive_authentication == -1)
2479@@ -338,7 +347,9 @@ typedef enum { 2479@@ -343,7 +352,9 @@ typedef enum {
2480 sBanner, sUseDNS, sHostbasedAuthentication, 2480 sBanner, sUseDNS, sHostbasedAuthentication,
2481 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, 2481 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
2482 sClientAliveCountMax, sAuthorizedKeysFile, 2482 sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2487,7 +2487,7 @@ index 747edde..c938ae3 100644
2487 sMatch, sPermitOpen, sForceCommand, sChrootDirectory, 2487 sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
2488 sUsePrivilegeSeparation, sAllowAgentForwarding, 2488 sUsePrivilegeSeparation, sAllowAgentForwarding,
2489 sZeroKnowledgePasswordAuthentication, sHostCertificate, 2489 sZeroKnowledgePasswordAuthentication, sHostCertificate,
2490@@ -405,10 +416,20 @@ static struct { 2490@@ -410,10 +421,20 @@ static struct {
2491 #ifdef GSSAPI 2491 #ifdef GSSAPI
2492 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2492 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2493 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2493 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2508,7 +2508,7 @@ index 747edde..c938ae3 100644
2508 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2508 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2509 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2509 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2510 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2510 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2511@@ -1073,10 +1094,22 @@ process_server_config_line(ServerOptions *options, char *line, 2511@@ -1094,10 +1115,22 @@ process_server_config_line(ServerOptions *options, char *line,
2512 intptr = &options->gss_authentication; 2512 intptr = &options->gss_authentication;
2513 goto parse_flag; 2513 goto parse_flag;
2514 2514
@@ -2531,7 +2531,7 @@ index 747edde..c938ae3 100644
2531 case sPasswordAuthentication: 2531 case sPasswordAuthentication:
2532 intptr = &options->password_authentication; 2532 intptr = &options->password_authentication;
2533 goto parse_flag; 2533 goto parse_flag;
2534@@ -1983,7 +2016,10 @@ dump_config(ServerOptions *o) 2534@@ -2008,7 +2041,10 @@ dump_config(ServerOptions *o)
2535 #endif 2535 #endif
2536 #ifdef GSSAPI 2536 #ifdef GSSAPI
2537 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2537 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2543,10 +2543,10 @@ index 747edde..c938ae3 100644
2543 #ifdef JPAKE 2543 #ifdef JPAKE
2544 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication, 2544 dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
2545diff --git a/servconf.h b/servconf.h 2545diff --git a/servconf.h b/servconf.h
2546index 98aad8b..ab6e346 100644 2546index 8812c5a..eba76ee 100644
2547--- a/servconf.h 2547--- a/servconf.h
2548+++ b/servconf.h 2548+++ b/servconf.h
2549@@ -111,7 +111,10 @@ typedef struct { 2549@@ -112,7 +112,10 @@ typedef struct {
2550 int kerberos_get_afs_token; /* If true, try to get AFS token if 2550 int kerberos_get_afs_token; /* If true, try to get AFS token if
2551 * authenticated with Kerberos. */ 2551 * authenticated with Kerberos. */
2552 int gss_authentication; /* If true, permit GSSAPI authentication */ 2552 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2659,7 +2659,7 @@ index 077e13c..bc6e8f9 100644
2659 2659
2660 #endif /* _SSH_GSS_H */ 2660 #endif /* _SSH_GSS_H */
2661diff --git a/ssh_config b/ssh_config 2661diff --git a/ssh_config b/ssh_config
2662index bb40819..3234321 100644 2662index 03a228f..228e5ab 100644
2663--- a/ssh_config 2663--- a/ssh_config
2664+++ b/ssh_config 2664+++ b/ssh_config
2665@@ -26,6 +26,8 @@ 2665@@ -26,6 +26,8 @@
@@ -2672,10 +2672,10 @@ index bb40819..3234321 100644
2672 # CheckHostIP yes 2672 # CheckHostIP yes
2673 # AddressFamily any 2673 # AddressFamily any
2674diff --git a/ssh_config.5 b/ssh_config.5 2674diff --git a/ssh_config.5 b/ssh_config.5
2675index 5d76c6d..e72919a 100644 2675index 3cadcd7..49505ae 100644
2676--- a/ssh_config.5 2676--- a/ssh_config.5
2677+++ b/ssh_config.5 2677+++ b/ssh_config.5
2678@@ -529,11 +529,43 @@ Specifies whether user authentication based on GSSAPI is allowed. 2678@@ -676,11 +676,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
2679 The default is 2679 The default is
2680 .Dq no . 2680 .Dq no .
2681 Note that this option applies to protocol version 2 only. 2681 Note that this option applies to protocol version 2 only.
@@ -2721,7 +2721,7 @@ index 5d76c6d..e72919a 100644
2721 Indicates that 2721 Indicates that
2722 .Xr ssh 1 2722 .Xr ssh 1
2723diff --git a/sshconnect2.c b/sshconnect2.c 2723diff --git a/sshconnect2.c b/sshconnect2.c
2724index 70e3cd8..0b13530 100644 2724index 8acffc5..21a269d 100644
2725--- a/sshconnect2.c 2725--- a/sshconnect2.c
2726+++ b/sshconnect2.c 2726+++ b/sshconnect2.c
2727@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2727@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -2759,7 +2759,7 @@ index 70e3cd8..0b13530 100644
2759 if (options.ciphers == (char *)-1) { 2759 if (options.ciphers == (char *)-1) {
2760 logit("No valid ciphers for protocol version 2 given, using defaults."); 2760 logit("No valid ciphers for protocol version 2 given, using defaults.");
2761 options.ciphers = NULL; 2761 options.ciphers = NULL;
2762@@ -197,6 +222,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2762@@ -198,6 +223,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2763 if (options.kex_algorithms != NULL) 2763 if (options.kex_algorithms != NULL)
2764 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; 2764 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
2765 2765
@@ -2777,10 +2777,10 @@ index 70e3cd8..0b13530 100644
2777 if (options.rekey_limit || options.rekey_interval) 2777 if (options.rekey_limit || options.rekey_interval)
2778 packet_set_rekey_limits((u_int32_t)options.rekey_limit, 2778 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
2779 (time_t)options.rekey_interval); 2779 (time_t)options.rekey_interval);
2780@@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2780@@ -210,10 +246,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2781 kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
2782 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; 2781 kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
2783 kex->kex[KEX_ECDH_SHA2] = kexecdh_client; 2782 kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
2783 kex->kex[KEX_C25519_SHA256] = kexc25519_client;
2784+#ifdef GSSAPI 2784+#ifdef GSSAPI
2785+ if (options.gss_keyex) { 2785+ if (options.gss_keyex) {
2786+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; 2786+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
@@ -2808,7 +2808,7 @@ index 70e3cd8..0b13530 100644
2808 xxx_kex = kex; 2808 xxx_kex = kex;
2809 2809
2810 dispatch_run(DISPATCH_BLOCK, &kex->done, kex); 2810 dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
2811@@ -307,6 +363,7 @@ void input_gssapi_token(int type, u_int32_t, void *); 2811@@ -309,6 +365,7 @@ void input_gssapi_token(int type, u_int32_t, void *);
2812 void input_gssapi_hash(int type, u_int32_t, void *); 2812 void input_gssapi_hash(int type, u_int32_t, void *);
2813 void input_gssapi_error(int, u_int32_t, void *); 2813 void input_gssapi_error(int, u_int32_t, void *);
2814 void input_gssapi_errtok(int, u_int32_t, void *); 2814 void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2816,7 +2816,7 @@ index 70e3cd8..0b13530 100644
2816 #endif 2816 #endif
2817 2817
2818 void userauth(Authctxt *, char *); 2818 void userauth(Authctxt *, char *);
2819@@ -322,6 +379,11 @@ static char *authmethods_get(void); 2819@@ -324,6 +381,11 @@ static char *authmethods_get(void);
2820 2820
2821 Authmethod authmethods[] = { 2821 Authmethod authmethods[] = {
2822 #ifdef GSSAPI 2822 #ifdef GSSAPI
@@ -2828,7 +2828,7 @@ index 70e3cd8..0b13530 100644
2828 {"gssapi-with-mic", 2828 {"gssapi-with-mic",
2829 userauth_gssapi, 2829 userauth_gssapi,
2830 NULL, 2830 NULL,
2831@@ -625,19 +687,31 @@ userauth_gssapi(Authctxt *authctxt) 2831@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt)
2832 static u_int mech = 0; 2832 static u_int mech = 0;
2833 OM_uint32 min; 2833 OM_uint32 min;
2834 int ok = 0; 2834 int ok = 0;
@@ -2862,7 +2862,7 @@ index 70e3cd8..0b13530 100644
2862 ok = 1; /* Mechanism works */ 2862 ok = 1; /* Mechanism works */
2863 } else { 2863 } else {
2864 mech++; 2864 mech++;
2865@@ -734,8 +808,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) 2865@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
2866 { 2866 {
2867 Authctxt *authctxt = ctxt; 2867 Authctxt *authctxt = ctxt;
2868 Gssctxt *gssctxt; 2868 Gssctxt *gssctxt;
@@ -2873,7 +2873,7 @@ index 70e3cd8..0b13530 100644
2873 2873
2874 if (authctxt == NULL) 2874 if (authctxt == NULL)
2875 fatal("input_gssapi_response: no authentication context"); 2875 fatal("input_gssapi_response: no authentication context");
2876@@ -844,6 +918,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) 2876@@ -846,6 +920,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
2877 free(msg); 2877 free(msg);
2878 free(lang); 2878 free(lang);
2879 } 2879 }
@@ -2923,7 +2923,7 @@ index 70e3cd8..0b13530 100644
2923 2923
2924 int 2924 int
2925diff --git a/sshd.c b/sshd.c 2925diff --git a/sshd.c b/sshd.c
2926index 174cc7a..4eddeb8 100644 2926index 25380c9..fe65132 100644
2927--- a/sshd.c 2927--- a/sshd.c
2928+++ b/sshd.c 2928+++ b/sshd.c
2929@@ -122,6 +122,10 @@ 2929@@ -122,6 +122,10 @@
@@ -2937,7 +2937,7 @@ index 174cc7a..4eddeb8 100644
2937 #ifdef LIBWRAP 2937 #ifdef LIBWRAP
2938 #include <tcpd.h> 2938 #include <tcpd.h>
2939 #include <syslog.h> 2939 #include <syslog.h>
2940@@ -1703,10 +1707,13 @@ main(int ac, char **av) 2940@@ -1721,10 +1725,13 @@ main(int ac, char **av)
2941 logit("Disabling protocol version 1. Could not load host key"); 2941 logit("Disabling protocol version 1. Could not load host key");
2942 options.protocol &= ~SSH_PROTO_1; 2942 options.protocol &= ~SSH_PROTO_1;
2943 } 2943 }
@@ -2951,9 +2951,9 @@ index 174cc7a..4eddeb8 100644
2951 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { 2951 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
2952 logit("sshd: no hostkeys available -- exiting."); 2952 logit("sshd: no hostkeys available -- exiting.");
2953 exit(1); 2953 exit(1);
2954@@ -2035,6 +2042,60 @@ main(int ac, char **av) 2954@@ -2051,6 +2058,60 @@ main(int ac, char **av)
2955 /* Log the connection. */ 2955 remote_ip, remote_port,
2956 verbose("Connection from %.500s port %d", remote_ip, remote_port); 2956 get_local_ipaddr(sock_in), get_local_port());
2957 2957
2958+#ifdef USE_SECURITY_SESSION_API 2958+#ifdef USE_SECURITY_SESSION_API
2959+ /* 2959+ /*
@@ -3012,9 +3012,9 @@ index 174cc7a..4eddeb8 100644
3012 /* 3012 /*
3013 * We don't want to listen forever unless the other side 3013 * We don't want to listen forever unless the other side
3014 * successfully authenticates itself. So we set up an alarm which is 3014 * successfully authenticates itself. So we set up an alarm which is
3015@@ -2439,6 +2500,48 @@ do_ssh2_kex(void) 3015@@ -2456,6 +2517,48 @@ do_ssh2_kex(void)
3016 3016 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
3017 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); 3017 list_hostkey_types());
3018 3018
3019+#ifdef GSSAPI 3019+#ifdef GSSAPI
3020+ { 3020+ {
@@ -3061,10 +3061,10 @@ index 174cc7a..4eddeb8 100644
3061 /* start key exchange */ 3061 /* start key exchange */
3062 kex = kex_setup(myproposal); 3062 kex = kex_setup(myproposal);
3063 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; 3063 kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
3064@@ -2446,6 +2549,13 @@ do_ssh2_kex(void) 3064@@ -2464,6 +2567,13 @@ do_ssh2_kex(void)
3065 kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
3066 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 3065 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
3067 kex->kex[KEX_ECDH_SHA2] = kexecdh_server; 3066 kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
3067 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
3068+#ifdef GSSAPI 3068+#ifdef GSSAPI
3069+ if (options.gss_keyex) { 3069+ if (options.gss_keyex) {
3070+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; 3070+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -3076,23 +3076,23 @@ index 174cc7a..4eddeb8 100644
3076 kex->client_version_string=client_version_string; 3076 kex->client_version_string=client_version_string;
3077 kex->server_version_string=server_version_string; 3077 kex->server_version_string=server_version_string;
3078diff --git a/sshd_config b/sshd_config 3078diff --git a/sshd_config b/sshd_config
3079index b786361..9450141 100644 3079index e9045bc..d9b8594 100644
3080--- a/sshd_config 3080--- a/sshd_config
3081+++ b/sshd_config 3081+++ b/sshd_config
3082@@ -83,6 +83,8 @@ AuthorizedKeysFile .ssh/authorized_keys 3082@@ -84,6 +84,8 @@ AuthorizedKeysFile .ssh/authorized_keys
3083 # GSSAPI options 3083 # GSSAPI options
3084 #GSSAPIAuthentication no 3084 #GSSAPIAuthentication no
3085 #GSSAPICleanupCredentials yes 3085 #GSSAPICleanupCredentials yes
3086+#GSSAPIStrictAcceptorCheck yes 3086+#GSSAPIStrictAcceptorCheck yes
3087+#GSSAPIKeyExchange no 3087+#GSSAPIKeyExchange no
3088 3088
3089 # Set this to 'yes' to enable PAM authentication, account processing, 3089 # Set this to 'yes' to enable PAM authentication, account processing,
3090 # and session processing. If this is enabled, PAM authentication will 3090 # and session processing. If this is enabled, PAM authentication will
3091diff --git a/sshd_config.5 b/sshd_config.5 3091diff --git a/sshd_config.5 b/sshd_config.5
3092index 3abac6c..525d9c8 100644 3092index 3b21ea6..9aa9eba 100644
3093--- a/sshd_config.5 3093--- a/sshd_config.5
3094+++ b/sshd_config.5 3094+++ b/sshd_config.5
3095@@ -484,12 +484,40 @@ Specifies whether user authentication based on GSSAPI is allowed. 3095@@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
3096 The default is 3096 The default is
3097 .Dq no . 3097 .Dq no .
3098 Note that this option applies to protocol version 2 only. 3098 Note that this option applies to protocol version 2 only.
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index 23afe3be9..ca90ba124 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
1From 84589dc348c43ec22b50ede0c2946cf6afd0980d Mon Sep 17 00:00:00 2001 1From 71003a35537df521296408d9f6bd0a200ed2a854 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:09:56 +0000 3Date: Sun, 9 Feb 2014 16:09:56 +0000
4Subject: Mention ~& when waiting for forwarded connections to terminate 4Subject: Mention ~& when waiting for forwarded connections to terminate
@@ -12,10 +12,10 @@ Patch-Name: helpful-wait-terminate.patch
12 1 file changed, 1 insertion(+), 1 deletion(-) 12 1 file changed, 1 insertion(+), 1 deletion(-)
13 13
14diff --git a/serverloop.c b/serverloop.c 14diff --git a/serverloop.c b/serverloop.c
15index ccbad61..5f22df3 100644 15index 5b2f802..d3079d2 100644
16--- a/serverloop.c 16--- a/serverloop.c
17+++ b/serverloop.c 17+++ b/serverloop.c
18@@ -686,7 +686,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) 18@@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
19 if (!channel_still_open()) 19 if (!channel_still_open())
20 break; 20 break;
21 if (!waiting_termination) { 21 if (!waiting_termination) {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index e22410298..84da73ae0 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From bd3d91c378d549aed56246ad4535aea29db04150 Mon Sep 17 00:00:00 2001 1From 043f937820e1152df2c8416f37e6c8d923fc1811 Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
@@ -26,27 +26,27 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index 915a0f7..dab7963 100644 29index 2a1fe8e..e79e355 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -140,6 +140,7 @@ typedef enum { 32@@ -150,6 +150,7 @@ typedef enum {
33 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, 33 oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
34 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication, 34 oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
35 oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, 35 oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
36+ oProtocolKeepAlives, oSetupTimeOut, 36+ oProtocolKeepAlives, oSetupTimeOut,
37 oIgnoredUnknownOption, oDeprecated, oUnsupported 37 oIgnoredUnknownOption, oDeprecated, oUnsupported
38 } OpCodes; 38 } OpCodes;
39 39
40@@ -262,6 +263,8 @@ static struct { 40@@ -279,6 +280,8 @@ static struct {
41 { "ipqos", oIPQoS }, 41 { "canonicalizemaxdots", oCanonicalizeMaxDots },
42 { "requesttty", oRequestTTY }, 42 { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
43 { "ignoreunknown", oIgnoreUnknown }, 43 { "ignoreunknown", oIgnoreUnknown },
44+ { "protocolkeepalives", oProtocolKeepAlives }, 44+ { "protocolkeepalives", oProtocolKeepAlives },
45+ { "setuptimeout", oSetupTimeOut }, 45+ { "setuptimeout", oSetupTimeOut },
46 46
47 { NULL, oBadOption } 47 { NULL, oBadOption }
48 }; 48 };
49@@ -934,6 +937,8 @@ parse_int: 49@@ -1245,6 +1248,8 @@ parse_int:
50 goto parse_flag; 50 goto parse_flag;
51 51
52 case oServerAliveInterval: 52 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 915a0f7..dab7963 100644
55 intptr = &options->server_alive_interval; 55 intptr = &options->server_alive_interval;
56 goto parse_time; 56 goto parse_time;
57 57
58@@ -1396,8 +1401,13 @@ fill_default_options(Options * options) 58@@ -1724,8 +1729,13 @@ fill_default_options(Options * options)
59 options->rekey_interval = 0; 59 options->rekey_interval = 0;
60 if (options->verify_host_key_dns == -1) 60 if (options->verify_host_key_dns == -1)
61 options->verify_host_key_dns = 0; 61 options->verify_host_key_dns = 0;
@@ -72,10 +72,10 @@ index 915a0f7..dab7963 100644
72 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
73 if (options->control_master == -1) 73 if (options->control_master == -1)
74diff --git a/ssh_config.5 b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
75index 1fc0a6b..6948680 100644 75index 617a312..b3c5dc6 100644
76--- a/ssh_config.5 76--- a/ssh_config.5
77+++ b/ssh_config.5 77+++ b/ssh_config.5
78@@ -136,8 +136,12 @@ Valid arguments are 78@@ -205,8 +205,12 @@ Valid arguments are
79 If set to 79 If set to
80 .Dq yes , 80 .Dq yes ,
81 passphrase/password querying will be disabled. 81 passphrase/password querying will be disabled.
@@ -89,7 +89,7 @@ index 1fc0a6b..6948680 100644
89 The argument must be 89 The argument must be
90 .Dq yes 90 .Dq yes
91 or 91 or
92@@ -1141,8 +1145,15 @@ from the server, 92@@ -1299,8 +1303,15 @@ from the server,
93 will send a message through the encrypted 93 will send a message through the encrypted
94 channel to request a response from the server. 94 channel to request a response from the server.
95 The default 95 The default
@@ -106,7 +106,7 @@ index 1fc0a6b..6948680 100644
106 .It Cm StrictHostKeyChecking 106 .It Cm StrictHostKeyChecking
107 If this flag is set to 107 If this flag is set to
108 .Dq yes , 108 .Dq yes ,
109@@ -1181,6 +1192,12 @@ Specifies whether the system should send TCP keepalive messages to the 109@@ -1339,6 +1350,12 @@ Specifies whether the system should send TCP keepalive messages to the
110 other side. 110 other side.
111 If they are sent, death of the connection or crash of one 111 If they are sent, death of the connection or crash of one
112 of the machines will be properly noticed. 112 of the machines will be properly noticed.
@@ -120,10 +120,10 @@ index 1fc0a6b..6948680 100644
120 connections will die if the route is down temporarily, and some people 120 connections will die if the route is down temporarily, and some people
121 find it annoying. 121 find it annoying.
122diff --git a/sshd_config.5 b/sshd_config.5 122diff --git a/sshd_config.5 b/sshd_config.5
123index 525d9c8..e29604a 100644 123index 9aa9eba..39643de 100644
124--- a/sshd_config.5 124--- a/sshd_config.5
125+++ b/sshd_config.5 125+++ b/sshd_config.5
126@@ -1147,6 +1147,9 @@ This avoids infinitely hanging sessions. 126@@ -1168,6 +1168,9 @@ This avoids infinitely hanging sessions.
127 .Pp 127 .Pp
128 To disable TCP keepalive messages, the value should be set to 128 To disable TCP keepalive messages, the value should be set to
129 .Dq no . 129 .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index e1073e4ac..588834b5a 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -1,4 +1,4 @@
1From 9ffc99332ff1bac6be9f0af430268e7981bd3dd2 Mon Sep 17 00:00:00 2001 1From cf359c36be95e478071cb0dc4491aba88a5bae70 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:08 +0000 3Date: Sun, 9 Feb 2014 16:10:08 +0000
4Subject: Fix picky lintian errors about slogin symlinks 4Subject: Fix picky lintian errors about slogin symlinks
@@ -15,10 +15,10 @@ Patch-Name: lintian-symlink-pickiness.patch
15 1 file changed, 2 insertions(+), 2 deletions(-) 15 1 file changed, 2 insertions(+), 2 deletions(-)
16 16
17diff --git a/Makefile.in b/Makefile.in 17diff --git a/Makefile.in b/Makefile.in
18index 7849979..095f4ff 100644 18index 5cf8100..b7de26f 100644
19--- a/Makefile.in 19--- a/Makefile.in
20+++ b/Makefile.in 20+++ b/Makefile.in
21@@ -289,9 +289,9 @@ install-files: 21@@ -293,9 +293,9 @@ install-files:
22 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 22 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
23 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 23 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
24 -rm -f $(DESTDIR)$(bindir)/slogin 24 -rm -f $(DESTDIR)$(bindir)/slogin
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 08e1a2f3e..637d438b9 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From 6a137c3718ea1afab92b25a018e393cfede4d6a8 Mon Sep 17 00:00:00 2001 1From 9c6deb4e89ad1ac2c2046b1371f378a80b0b4dec Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -13,10 +13,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
13 1 file changed, 6 insertions(+), 1 deletion(-) 13 1 file changed, 6 insertions(+), 1 deletion(-)
14 14
15diff --git a/sshconnect.c b/sshconnect.c 15diff --git a/sshconnect.c b/sshconnect.c
16index 91fd59a..bda83b2 100644 16index ef4d9e0..4ff5c73 100644
17--- a/sshconnect.c 17--- a/sshconnect.c
18+++ b/sshconnect.c 18+++ b/sshconnect.c
19@@ -981,9 +981,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 19@@ -1062,9 +1062,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
20 error("%s. This could either mean that", key_msg); 20 error("%s. This could either mean that", key_msg);
21 error("DNS SPOOFING is happening or the IP address for the host"); 21 error("DNS SPOOFING is happening or the IP address for the host");
22 error("and its host key have changed at the same time."); 22 error("and its host key have changed at the same time.");
@@ -30,7 +30,7 @@ index 91fd59a..bda83b2 100644
30 } 30 }
31 /* The host key has changed. */ 31 /* The host key has changed. */
32 warn_changed_key(host_key); 32 warn_changed_key(host_key);
33@@ -991,6 +994,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 33@@ -1072,6 +1075,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
34 user_hostfiles[0]); 34 user_hostfiles[0]);
35 error("Offending %s key in %s:%lu", key_type(host_found->key), 35 error("Offending %s key in %s:%lu", key_type(host_found->key),
36 host_found->file, host_found->line); 36 host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-check.patch b/debian/patches/no-openssl-version-check.patch
index 6e41d2ed9..ca2a83473 100644
--- a/debian/patches/no-openssl-version-check.patch
+++ b/debian/patches/no-openssl-version-check.patch
@@ -1,4 +1,4 @@
1From 3e3f5462b563ab0f2b4ba67590e5a5735fa17bec Mon Sep 17 00:00:00 2001 1From db27c81d3de93a0df6cb0f01e9b8b6bf4bb17d06 Mon Sep 17 00:00:00 2001
2From: Philip Hands <phil@hands.com> 2From: Philip Hands <phil@hands.com>
3Date: Sun, 9 Feb 2014 16:10:14 +0000 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Disable OpenSSL version check 4Subject: Disable OpenSSL version check
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 670eea421..2dbfd31b7 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From d087ec8cf190df54fa8cb77c6ffd55a819dd1777 Mon Sep 17 00:00:00 2001 1From 1c4af29874fe7bd1cec92ee90fc613c3cf83f571 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,11 +44,11 @@ index ef0de08..149846c 100644
44 .Sh SEE ALSO 44 .Sh SEE ALSO
45 .Xr ssh-keygen 1 , 45 .Xr ssh-keygen 1 ,
46diff --git a/ssh-keygen.1 b/ssh-keygen.1 46diff --git a/ssh-keygen.1 b/ssh-keygen.1
47index 0d55854..151cab0 100644 47index 0e0ed98..299ccf8 100644
48--- a/ssh-keygen.1 48--- a/ssh-keygen.1
49+++ b/ssh-keygen.1 49+++ b/ssh-keygen.1
50@@ -171,9 +171,7 @@ key in 50@@ -172,9 +172,7 @@ key in
51 .Pa ~/.ssh/id_dsa 51 .Pa ~/.ssh/id_ed25519
52 or 52 or
53 .Pa ~/.ssh/id_rsa . 53 .Pa ~/.ssh/id_rsa .
54-Additionally, the system administrator may use this to generate host keys, 54-Additionally, the system administrator may use this to generate host keys,
@@ -58,18 +58,18 @@ index 0d55854..151cab0 100644
58 .Pp 58 .Pp
59 Normally this program generates the key and asks for a file in which 59 Normally this program generates the key and asks for a file in which
60 to store the private key. 60 to store the private key.
61@@ -219,9 +217,7 @@ The options are as follows: 61@@ -221,9 +219,7 @@ For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
62 For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys 62 for which host keys
63 do not exist, generate the host keys with the default key file path, 63 do not exist, generate the host keys with the default key file path,
64 an empty passphrase, default bits for the key type, and default comment. 64 an empty passphrase, default bits for the key type, and default comment.
65-This is used by 65-This is used by
66-.Pa /etc/rc 66-.Pa /etc/rc
67-to generate new host keys. 67-to generate new host keys.
68+This is used by system administration scripts to generate new host keys. 68+This is used by system administration scripts to generate new host keys.
69 .It Fl a Ar trials 69 .It Fl a Ar rounds
70 Specifies the number of primality tests to perform when screening DH-GEX 70 When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
71 candidates using the 71 2 key when the
72@@ -605,7 +601,7 @@ option. 72@@ -628,7 +624,7 @@ option.
73 Valid generator values are 2, 3, and 5. 73 Valid generator values are 2, 3, and 5.
74 .Pp 74 .Pp
75 Screened DH groups may be installed in 75 Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index 0d55854..151cab0 100644
78 It is important that this file contains moduli of a range of bit lengths and 78 It is important that this file contains moduli of a range of bit lengths and
79 that both ends of a connection share common moduli. 79 that both ends of a connection share common moduli.
80 .Sh CERTIFICATES 80 .Sh CERTIFICATES
81@@ -800,7 +796,7 @@ on all machines 81@@ -827,7 +823,7 @@ on all machines
82 where the user wishes to log in using public key authentication. 82 where the user wishes to log in using public key authentication.
83 There is no need to keep the contents of this file secret. 83 There is no need to keep the contents of this file secret.
84 .Pp 84 .Pp
@@ -88,10 +88,10 @@ index 0d55854..151cab0 100644
88 The file format is described in 88 The file format is described in
89 .Xr moduli 5 . 89 .Xr moduli 5 .
90diff --git a/ssh.1 b/ssh.1 90diff --git a/ssh.1 b/ssh.1
91index 05ae6ad..6e2e03b 100644 91index ff5e6ac..67b4f44 100644
92--- a/ssh.1 92--- a/ssh.1
93+++ b/ssh.1 93+++ b/ssh.1
94@@ -756,6 +756,10 @@ Protocol 1 is restricted to using only RSA keys, 94@@ -763,6 +763,10 @@ Protocol 1 is restricted to using only RSA keys,
95 but protocol 2 may use any. 95 but protocol 2 may use any.
96 The HISTORY section of 96 The HISTORY section of
97 .Xr ssl 8 97 .Xr ssl 8
@@ -103,7 +103,7 @@ index 05ae6ad..6e2e03b 100644
103 .Pp 103 .Pp
104 The file 104 The file
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index b0c7ab6..95c1845 100644 106index e6a900b..b016e90 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -70,7 +70,7 @@ over an insecure network. 109@@ -70,7 +70,7 @@ over an insecure network.
@@ -115,7 +115,7 @@ index b0c7ab6..95c1845 100644
115 It forks a new 115 It forks a new
116 daemon for each incoming connection. 116 daemon for each incoming connection.
117 The forked daemons handle 117 The forked daemons handle
118@@ -859,7 +859,7 @@ This file is for host-based authentication (see 118@@ -862,7 +862,7 @@ This file is for host-based authentication (see
119 .Xr ssh 1 ) . 119 .Xr ssh 1 ) .
120 It should only be writable by root. 120 It should only be writable by root.
121 .Pp 121 .Pp
@@ -124,7 +124,7 @@ index b0c7ab6..95c1845 100644
124 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". 124 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
125 The file format is described in 125 The file format is described in
126 .Xr moduli 5 . 126 .Xr moduli 5 .
127@@ -956,7 +956,6 @@ The content of this file is not sensitive; it can be world-readable. 127@@ -961,7 +961,6 @@ The content of this file is not sensitive; it can be world-readable.
128 .Xr ssh-keyscan 1 , 128 .Xr ssh-keyscan 1 ,
129 .Xr chroot 2 , 129 .Xr chroot 2 ,
130 .Xr hosts_access 5 , 130 .Xr hosts_access 5 ,
@@ -133,7 +133,7 @@ index b0c7ab6..95c1845 100644
133 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
134 .Xr inetd 8 , 134 .Xr inetd 8 ,
135diff --git a/sshd_config.5 b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
136index 50eec53..04b5f1a 100644 136index bdca797..9fa6086 100644
137--- a/sshd_config.5 137--- a/sshd_config.5
138+++ b/sshd_config.5 138+++ b/sshd_config.5
139@@ -283,8 +283,7 @@ This option is only available for protocol version 2. 139@@ -283,8 +283,7 @@ This option is only available for protocol version 2.
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index f6d793751..99a2167b3 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From 893bd5a6f70b58e1ed98d496c4f465d8c1df71a7 Mon Sep 17 00:00:00 2001 1From 03b1ae877da1db4c517747bee89f1a494cce8566 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -19,10 +19,10 @@ Patch-Name: package-versioning.patch
19 3 files changed, 9 insertions(+), 4 deletions(-) 19 3 files changed, 9 insertions(+), 4 deletions(-)
20 20
21diff --git a/sshconnect.c b/sshconnect.c 21diff --git a/sshconnect.c b/sshconnect.c
22index bda83b2..ad960fd 100644 22index 4ff5c73..a2fbf9e 100644
23--- a/sshconnect.c 23--- a/sshconnect.c
24+++ b/sshconnect.c 24+++ b/sshconnect.c
25@@ -442,10 +442,10 @@ send_client_banner(int connection_out, int minor1) 25@@ -517,10 +517,10 @@ send_client_banner(int connection_out, int minor1)
26 /* Send our own protocol version identification. */ 26 /* Send our own protocol version identification. */
27 if (compat20) { 27 if (compat20) {
28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", 28 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -36,7 +36,7 @@ index bda83b2..ad960fd 100644
36 if (roaming_atomicio(vwrite, connection_out, client_version_string, 36 if (roaming_atomicio(vwrite, connection_out, client_version_string,
37 strlen(client_version_string)) != strlen(client_version_string)) 37 strlen(client_version_string)) != strlen(client_version_string))
38diff --git a/sshd.c b/sshd.c 38diff --git a/sshd.c b/sshd.c
39index e5c9835..46ec1a7 100644 39index 0a30101..82168a1 100644
40--- a/sshd.c 40--- a/sshd.c
41+++ b/sshd.c 41+++ b/sshd.c
42@@ -440,7 +440,7 @@ sshd_exchange_identification(int sock_in, int sock_out) 42@@ -440,7 +440,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
@@ -49,11 +49,11 @@ index e5c9835..46ec1a7 100644
49 options.version_addendum, newline); 49 options.version_addendum, newline);
50 50
51diff --git a/version.h b/version.h 51diff --git a/version.h b/version.h
52index 39033ed..036277d 100644 52index 83d70c6..0c6ea0f 100644
53--- a/version.h 53--- a/version.h
54+++ b/version.h 54+++ b/version.h
55@@ -3,4 +3,9 @@ 55@@ -3,4 +3,9 @@
56 #define SSH_VERSION "OpenSSH_6.4" 56 #define SSH_VERSION "OpenSSH_6.5"
57 57
58 #define SSH_PORTABLE "p1" 58 #define SSH_PORTABLE "p1"
59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 664abf0ff..18489cabe 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
1From 360257b8a56798d507123ff770f2def408464f00 Mon Sep 17 00:00:00 2001 1From 32e3aad13edff8c03c524105e2c4d4194995573b Mon Sep 17 00:00:00 2001
2From: Peter Samuelson <peter@p12n.org> 2From: Peter Samuelson <peter@p12n.org>
3Date: Sun, 9 Feb 2014 16:09:55 +0000 3Date: Sun, 9 Feb 2014 16:09:55 +0000
4Subject: Reduce severity of "Killed by signal %d" 4Subject: Reduce severity of "Killed by signal %d"
@@ -22,7 +22,7 @@ Patch-Name: quieter-signals.patch
22 1 file changed, 4 insertions(+), 2 deletions(-) 22 1 file changed, 4 insertions(+), 2 deletions(-)
23 23
24diff --git a/clientloop.c b/clientloop.c 24diff --git a/clientloop.c b/clientloop.c
25index dc76d69..f2f474e 100644 25index 37b3a04..60c9e87 100644
26--- a/clientloop.c 26--- a/clientloop.c
27+++ b/clientloop.c 27+++ b/clientloop.c
28@@ -1717,8 +1717,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) 28@@ -1717,8 +1717,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 71dcecc9c..a2df78d10 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From bb3ea9f222f7f0fe9b449b75bfae93513f7ca3e2 Mon Sep 17 00:00:00 2001 1From 52d571e95114cd6d63b5dc4829f87fd55213c828 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch
17 1 file changed, 10 insertions(+), 2 deletions(-) 17 1 file changed, 10 insertions(+), 2 deletions(-)
18 18
19diff --git a/scp.c b/scp.c 19diff --git a/scp.c b/scp.c
20index 28ded5e..b7a17ab 100644 20index 18d3b1d..0669d02 100644
21--- a/scp.c 21--- a/scp.c
22+++ b/scp.c 22+++ b/scp.c
23@@ -189,8 +189,16 @@ do_local_cmd(arglist *a) 23@@ -189,8 +189,16 @@ do_local_cmd(arglist *a)
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 8aa8f614e..dc0ffa300 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From 07f2a771c490bd68cd5c5ea9c535705e93bd94f3 Mon Sep 17 00:00:00 2001 1From cc5ecb35ae6572d13ed523d143439a8559d1fee2 Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -113,7 +113,7 @@ index 6ed8f04..b55bbcd 100644
113 if (auth2_setup_methods_lists(authctxt) != 0) 113 if (auth2_setup_methods_lists(authctxt) != 0)
114 packet_disconnect("no authentication methods enabled"); 114 packet_disconnect("no authentication methods enabled");
115diff --git a/monitor.c b/monitor.c 115diff --git a/monitor.c b/monitor.c
116index 9079c97..e8d63eb 100644 116index a777c4c..88f472e 100644
117--- a/monitor.c 117--- a/monitor.c
118+++ b/monitor.c 118+++ b/monitor.c
119@@ -146,6 +146,7 @@ int mm_answer_sign(int, Buffer *); 119@@ -146,6 +146,7 @@ int mm_answer_sign(int, Buffer *);
@@ -361,10 +361,10 @@ index e3d1004..80ce13a 100644
361 void ssh_selinux_setfscreatecon(const char *); 361 void ssh_selinux_setfscreatecon(const char *);
362 #endif 362 #endif
363diff --git a/platform.c b/platform.c 363diff --git a/platform.c b/platform.c
364index 3262b24..a962f15 100644 364index 30fc609..4aab9a9 100644
365--- a/platform.c 365--- a/platform.c
366+++ b/platform.c 366+++ b/platform.c
367@@ -134,7 +134,7 @@ platform_setusercontext(struct passwd *pw) 367@@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw)
368 * called if sshd is running as root. 368 * called if sshd is running as root.
369 */ 369 */
370 void 370 void
@@ -373,7 +373,7 @@ index 3262b24..a962f15 100644
373 { 373 {
374 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) 374 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
375 /* 375 /*
376@@ -181,7 +181,7 @@ platform_setusercontext_post_groups(struct passwd *pw) 376@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
377 } 377 }
378 #endif /* HAVE_SETPCRED */ 378 #endif /* HAVE_SETPCRED */
379 #ifdef WITH_SELINUX 379 #ifdef WITH_SELINUX
@@ -383,10 +383,10 @@ index 3262b24..a962f15 100644
383 } 383 }
384 384
385diff --git a/platform.h b/platform.h 385diff --git a/platform.h b/platform.h
386index 19f6bfd..3188a3d 100644 386index 1c7a45d..436ae7c 100644
387--- a/platform.h 387--- a/platform.h
388+++ b/platform.h 388+++ b/platform.h
389@@ -26,7 +26,7 @@ void platform_post_fork_parent(pid_t child_pid); 389@@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid);
390 void platform_post_fork_child(void); 390 void platform_post_fork_child(void);
391 int platform_privileged_uidswap(void); 391 int platform_privileged_uidswap(void);
392 void platform_setusercontext(struct passwd *); 392 void platform_setusercontext(struct passwd *);
@@ -396,10 +396,10 @@ index 19f6bfd..3188a3d 100644
396 char *platform_krb5_get_principal_name(const char *); 396 char *platform_krb5_get_principal_name(const char *);
397 int platform_sys_dir_uid(uid_t); 397 int platform_sys_dir_uid(uid_t);
398diff --git a/session.c b/session.c 398diff --git a/session.c b/session.c
399index d4b57bd..b4d74d9 100644 399index 12dd9ab..5ddd82a 100644
400--- a/session.c 400--- a/session.c
401+++ b/session.c 401+++ b/session.c
402@@ -1474,7 +1474,7 @@ safely_chroot(const char *path, uid_t uid) 402@@ -1497,7 +1497,7 @@ safely_chroot(const char *path, uid_t uid)
403 403
404 /* Set login name, uid, gid, and groups. */ 404 /* Set login name, uid, gid, and groups. */
405 void 405 void
@@ -408,7 +408,7 @@ index d4b57bd..b4d74d9 100644
408 { 408 {
409 char *chroot_path, *tmp; 409 char *chroot_path, *tmp;
410 410
411@@ -1502,7 +1502,7 @@ do_setusercontext(struct passwd *pw) 411@@ -1525,7 +1525,7 @@ do_setusercontext(struct passwd *pw)
412 endgrent(); 412 endgrent();
413 #endif 413 #endif
414 414
@@ -417,7 +417,7 @@ index d4b57bd..b4d74d9 100644
417 417
418 if (options.chroot_directory != NULL && 418 if (options.chroot_directory != NULL &&
419 strcasecmp(options.chroot_directory, "none") != 0) { 419 strcasecmp(options.chroot_directory, "none") != 0) {
420@@ -1646,7 +1646,7 @@ do_child(Session *s, const char *command) 420@@ -1674,7 +1674,7 @@ do_child(Session *s, const char *command)
421 421
422 /* Force a password change */ 422 /* Force a password change */
423 if (s->authctxt->force_pwchange) { 423 if (s->authctxt->force_pwchange) {
@@ -426,7 +426,7 @@ index d4b57bd..b4d74d9 100644
426 child_close_fds(); 426 child_close_fds();
427 do_pwchange(s); 427 do_pwchange(s);
428 exit(1); 428 exit(1);
429@@ -1673,7 +1673,7 @@ do_child(Session *s, const char *command) 429@@ -1701,7 +1701,7 @@ do_child(Session *s, const char *command)
430 /* When PAM is enabled we rely on it to do the nologin check */ 430 /* When PAM is enabled we rely on it to do the nologin check */
431 if (!options.use_pam) 431 if (!options.use_pam)
432 do_nologin(pw); 432 do_nologin(pw);
@@ -435,7 +435,7 @@ index d4b57bd..b4d74d9 100644
435 /* 435 /*
436 * PAM session modules in do_setusercontext may have 436 * PAM session modules in do_setusercontext may have
437 * generated messages, so if this in an interactive 437 * generated messages, so if this in an interactive
438@@ -2084,7 +2084,7 @@ session_pty_req(Session *s) 438@@ -2112,7 +2112,7 @@ session_pty_req(Session *s)
439 tty_parse_modes(s->ttyfd, &n_bytes); 439 tty_parse_modes(s->ttyfd, &n_bytes);
440 440
441 if (!use_privsep) 441 if (!use_privsep)
@@ -445,10 +445,10 @@ index d4b57bd..b4d74d9 100644
445 /* Set window size from the packet. */ 445 /* Set window size from the packet. */
446 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); 446 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
447diff --git a/session.h b/session.h 447diff --git a/session.h b/session.h
448index cbb8e3a..cb4f196 100644 448index 6a2f35e..ef6593c 100644
449--- a/session.h 449--- a/session.h
450+++ b/session.h 450+++ b/session.h
451@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *); 451@@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *);
452 Session *session_new(void); 452 Session *session_new(void);
453 Session *session_by_tty(char *); 453 Session *session_by_tty(char *);
454 void session_close(Session *); 454 void session_close(Session *);
@@ -458,11 +458,11 @@ index cbb8e3a..cb4f196 100644
458 const char *value); 458 const char *value);
459 459
460diff --git a/sshd.c b/sshd.c 460diff --git a/sshd.c b/sshd.c
461index 4eddeb8..e5c9835 100644 461index fe65132..0a30101 100644
462--- a/sshd.c 462--- a/sshd.c
463+++ b/sshd.c 463+++ b/sshd.c
464@@ -753,7 +753,7 @@ privsep_postauth(Authctxt *authctxt) 464@@ -763,7 +763,7 @@ privsep_postauth(Authctxt *authctxt)
465 RAND_seed(rnd, sizeof(rnd)); 465 bzero(rnd, sizeof(rnd));
466 466
467 /* Drop privileges */ 467 /* Drop privileges */
468- do_setusercontext(authctxt->pw); 468- do_setusercontext(authctxt->pw);
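Review bot: In the sshd.c hunk of selinux-role.patch (privsep_postauth, inner patch line 465) the refreshed context now reads `bzero(rnd, sizeof(rnd));`, and a plain bzero of a buffer that is apparently not read again can be removed by the optimiser as a dead store, leaving the seed bytes in memory across the privilege drop that follows. That line is upstream context rather than something this Debian patch adds, so the fix belongs upstream; if the tree provides a wipe the compiler cannot elide, the line would become `explicit_bzero(rnd, sizeof(rnd));`. Which column is the new side is inferred from the side-by-side layout, and the body of privsep_postauth starts and ends outside the hunk, so confirm in the full file that `rnd` is not used afterwards.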
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index a7540eb34..8f716f8de 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From 7231af57ca3efb451ace1b8e056fa0e52c67654e Mon Sep 17 00:00:00 2001 1From 95e6f7afe0ca1c16c31845d6fa30453b45b73e0e Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
16 1 file changed, 2 insertions(+), 2 deletions(-) 16 1 file changed, 2 insertions(+), 2 deletions(-)
17 17
18diff --git a/sshconnect.c b/sshconnect.c 18diff --git a/sshconnect.c b/sshconnect.c
19index 483eb85..91fd59a 100644 19index d21781e..ef4d9e0 100644
20--- a/sshconnect.c 20--- a/sshconnect.c
21+++ b/sshconnect.c 21+++ b/sshconnect.c
22@@ -151,7 +151,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) 22@@ -227,7 +227,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
23 /* Execute the proxy command. Note that we gave up any 23 /* Execute the proxy command. Note that we gave up any
24 extra privileges above. */ 24 extra privileges above. */
25 signal(SIGPIPE, SIG_DFL); 25 signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index 483eb85..91fd59a 100644
28 perror(argv[0]); 28 perror(argv[0]);
29 exit(1); 29 exit(1);
30 } 30 }
31@@ -1298,7 +1298,7 @@ ssh_local_cmd(const char *args) 31@@ -1384,7 +1384,7 @@ ssh_local_cmd(const char *args)
32 if (pid == 0) { 32 if (pid == 0) {
33 signal(SIGPIPE, SIG_DFL); 33 signal(SIGPIPE, SIG_DFL);
34 debug3("Executing %s -c \"%s\"", shell, args); 34 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 7776b6d11..0abebb664 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
1From 727d51f30918f6635f06694f71f4318a6038296d Mon Sep 17 00:00:00 2001 1From 6b7aca6f112d216f321466cc7301b5183e772513 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:17 +0000 3Date: Sun, 9 Feb 2014 16:10:17 +0000
4Subject: Support synchronisation with service supervisor using SIGSTOP 4Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -12,10 +12,10 @@ Patch-Name: sigstop.patch
12 1 file changed, 4 insertions(+) 12 1 file changed, 4 insertions(+)
13 13
14diff --git a/sshd.c b/sshd.c 14diff --git a/sshd.c b/sshd.c
15index 63b9357..fd7f182 100644 15index c49a877..23e8c2d 100644
16--- a/sshd.c 16--- a/sshd.c
17+++ b/sshd.c 17+++ b/sshd.c
18@@ -1909,6 +1909,10 @@ main(int ac, char **av) 18@@ -1924,6 +1924,10 @@ main(int ac, char **av)
19 } 19 }
20 } 20 }
21 21
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 9ae105960..78047d30c 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
1From ad4f5086a0f0c47daf04be484ff310101551e48a Mon Sep 17 00:00:00 2001 1From 0b9347201e50bd518c09babde3e7650c2b2e9228 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
@@ -13,10 +13,10 @@ Patch-Name: ssh-agent-setgid.patch
13 1 file changed, 15 insertions(+) 13 1 file changed, 15 insertions(+)
14 14
15diff --git a/ssh-agent.1 b/ssh-agent.1 15diff --git a/ssh-agent.1 b/ssh-agent.1
16index bb801c9..d370531 100644 16index 281ecbd..38fd540 100644
17--- a/ssh-agent.1 17--- a/ssh-agent.1
18+++ b/ssh-agent.1 18+++ b/ssh-agent.1
19@@ -182,6 +182,21 @@ environment variable holds the agent's process ID. 19@@ -183,6 +183,21 @@ environment variable holds the agent's process ID.
20 .Pp 20 .Pp
21 The agent exits automatically when the command given on the command 21 The agent exits automatically when the command given on the command
22 line terminates. 22 line terminates.
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 138a3632a..53f7d6641 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From 901a9e09f92a72c4a627af9feffdd39fb805e95d Mon Sep 17 00:00:00 2001 1From 4e249feb183e35e32cbc0f68cfdfb6bbe09576a9 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
18 1 file changed, 1 insertion(+) 18 1 file changed, 1 insertion(+)
19 19
20diff --git a/ssh.1 b/ssh.1 20diff --git a/ssh.1 b/ssh.1
21index 6e2e03b..63b0573 100644 21index 67b4f44..9868025 100644
22--- a/ssh.1 22--- a/ssh.1
23+++ b/ssh.1 23+++ b/ssh.1
24@@ -1451,6 +1451,7 @@ if an error occurred. 24@@ -1468,6 +1468,7 @@ if an error occurred.
25 .Xr sftp 1 , 25 .Xr sftp 1 ,
26 .Xr ssh-add 1 , 26 .Xr ssh-add 1 ,
27 .Xr ssh-agent 1 , 27 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 50d500f6d..a14f7ae06 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From bdc94de85ed7dbafb949c239d7c3eff23ea4aa28 Mon Sep 17 00:00:00 2001 1From 889e217b88a7848e6c997f7f87d07b9d1a35fb49 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index 2695fd6..915a0f7 100644 20index cb8bcb2..2a1fe8e 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -161,6 +161,7 @@ static struct { 23@@ -171,6 +171,7 @@ static struct {
24 { "passwordauthentication", oPasswordAuthentication }, 24 { "passwordauthentication", oPasswordAuthentication },
25 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 25 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
26 { "kbdinteractivedevices", oKbdInteractiveDevices }, 26 { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -29,10 +29,10 @@ index 2695fd6..915a0f7 100644
29 { "pubkeyauthentication", oPubkeyAuthentication }, 29 { "pubkeyauthentication", oPubkeyAuthentication },
30 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 30 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
31diff --git a/servconf.c b/servconf.c 31diff --git a/servconf.c b/servconf.c
32index c938ae3..dcb8caf 100644 32index 29209e4..65f71ad 100644
33--- a/servconf.c 33--- a/servconf.c
34+++ b/servconf.c 34+++ b/servconf.c
35@@ -451,6 +451,7 @@ static struct { 35@@ -456,6 +456,7 @@ static struct {
36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index 1ab818a37..4eab486fe 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,4 +1,4 @@
1From 3d498ae4180b8338db5f960865882b3f781aec2a Mon Sep 17 00:00:00 2001 1From 9f42d3b964854aecfed2fff64ac375c0c4805fa5 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:51 +0000 3Date: Sun, 9 Feb 2014 16:09:51 +0000
4Subject: Partial server keep-alive implementation for SSH1 4Subject: Partial server keep-alive implementation for SSH1
@@ -13,7 +13,7 @@ Patch-Name: ssh1-keepalive.patch
13 2 files changed, 19 insertions(+), 11 deletions(-) 13 2 files changed, 19 insertions(+), 11 deletions(-)
14 14
15diff --git a/clientloop.c b/clientloop.c 15diff --git a/clientloop.c b/clientloop.c
16index 311dc13..dc76d69 100644 16index 6d02b0b..37b3a04 100644
17--- a/clientloop.c 17--- a/clientloop.c
18+++ b/clientloop.c 18+++ b/clientloop.c
19@@ -563,16 +563,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) 19@@ -563,16 +563,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
@@ -57,10 +57,10 @@ index 311dc13..dc76d69 100644
57 server_alive_time = now + options.server_alive_interval; 57 server_alive_time = now + options.server_alive_interval;
58 } 58 }
59diff --git a/ssh_config.5 b/ssh_config.5 59diff --git a/ssh_config.5 b/ssh_config.5
60index e72919a..1fc0a6b 100644 60index 49505ae..617a312 100644
61--- a/ssh_config.5 61--- a/ssh_config.5
62+++ b/ssh_config.5 62+++ b/ssh_config.5
63@@ -1130,7 +1130,10 @@ If, for example, 63@@ -1288,7 +1288,10 @@ If, for example,
64 .Cm ServerAliveCountMax 64 .Cm ServerAliveCountMax
65 is left at the default, if the server becomes unresponsive, 65 is left at the default, if the server becomes unresponsive,
66 ssh will disconnect after approximately 45 seconds. 66 ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 40b26d002..682ec3657 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From b8a355b5db58dc489fca181e333dacf5e14f4f1d Mon Sep 17 00:00:00 2001 1From 36c21f10bd09ee15eb7f5bd7448309bf9a5cd466 Mon Sep 17 00:00:00 2001
2From: Jonathan David Amery <jdamery@ysolde.ucam.org> 2From: Jonathan David Amery <jdamery@ysolde.ucam.org>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index 32e1d2e..53e7b65 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index 87233bc..5502889 100644 36index 5de8fcf..0cea713 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -740,7 +740,7 @@ main(int ac, char **av) 39@@ -889,7 +889,7 @@ main(int ac, char **av)
40 /* Do not allocate a tty if stdin is not a tty. */ 40 /* Do not allocate a tty if stdin is not a tty. */
41 if ((!isatty(fileno(stdin)) || stdin_null_flag) && 41 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
42 options.request_tty != REQUEST_TTY_FORCE) { 42 options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index cfc14523a..0bc245ab1 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
1From 2bb37315c1e077bc176e703fbf0028a1f6315d37 Mon Sep 17 00:00:00 2001 1From b63620615d5c8af09e350608233f69191ad6c275 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:58 +0000 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4Subject: Allow harmless group-writability 4Subject: Allow harmless group-writability
@@ -86,10 +86,10 @@ index 9a36f1d..0c45f09 100644
86 "bad ownership or modes for directory %s", buf); 86 "bad ownership or modes for directory %s", buf);
87 return -1; 87 return -1;
88diff --git a/misc.c b/misc.c 88diff --git a/misc.c b/misc.c
89index c3c8099..eb57bfc 100644 89index e4c8c32..4e756b0 100644
90--- a/misc.c 90--- a/misc.c
91+++ b/misc.c 91+++ b/misc.c
92@@ -48,8 +48,9 @@ 92@@ -49,8 +49,9 @@
93 #include <netdb.h> 93 #include <netdb.h>
94 #ifdef HAVE_PATHS_H 94 #ifdef HAVE_PATHS_H
95 # include <paths.h> 95 # include <paths.h>
@@ -100,7 +100,7 @@ index c3c8099..eb57bfc 100644
100 #ifdef SSH_TUN_OPENBSD 100 #ifdef SSH_TUN_OPENBSD
101 #include <net/if.h> 101 #include <net/if.h>
102 #endif 102 #endif
103@@ -58,6 +59,7 @@ 103@@ -59,6 +60,7 @@
104 #include "misc.h" 104 #include "misc.h"
105 #include "log.h" 105 #include "log.h"
106 #include "ssh.h" 106 #include "ssh.h"
@@ -108,7 +108,7 @@ index c3c8099..eb57bfc 100644
108 108
109 /* remove newline at end of string */ 109 /* remove newline at end of string */
110 char * 110 char *
111@@ -642,6 +644,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, 111@@ -643,6 +645,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
112 return -1; 112 return -1;
113 } 113 }
114 114
@@ -181,10 +181,10 @@ index c3c8099..eb57bfc 100644
181 tun_open(int tun, int mode) 181 tun_open(int tun, int mode)
182 { 182 {
183diff --git a/misc.h b/misc.h 183diff --git a/misc.h b/misc.h
184index fceb306..51ba182 100644 184index d4df619..ceb173b 100644
185--- a/misc.h 185--- a/misc.h
186+++ b/misc.h 186+++ b/misc.h
187@@ -104,4 +104,6 @@ char *read_passphrase(const char *, int); 187@@ -106,4 +106,6 @@ char *read_passphrase(const char *, int);
188 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 188 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
189 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); 189 int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
190 190
@@ -192,10 +192,10 @@ index fceb306..51ba182 100644
192+ 192+
193 #endif /* _MISC_H */ 193 #endif /* _MISC_H */
194diff --git a/platform.c b/platform.c 194diff --git a/platform.c b/platform.c
195index a962f15..0b3bee1 100644 195index 4aab9a9..f99de7f 100644
196--- a/platform.c 196--- a/platform.c
197+++ b/platform.c 197+++ b/platform.c
198@@ -194,19 +194,3 @@ platform_krb5_get_principal_name(const char *pw_name) 198@@ -196,19 +196,3 @@ platform_krb5_get_principal_name(const char *pw_name)
199 return NULL; 199 return NULL;
200 #endif 200 #endif
201 } 201 }
@@ -216,10 +216,10 @@ index a962f15..0b3bee1 100644
216- return 0; 216- return 0;
217-} 217-}
218diff --git a/readconf.c b/readconf.c 218diff --git a/readconf.c b/readconf.c
219index dab7963..c741934 100644 219index e79e355..273552d 100644
220--- a/readconf.c 220--- a/readconf.c
221+++ b/readconf.c 221+++ b/readconf.c
222@@ -30,6 +30,8 @@ 222@@ -36,6 +36,8 @@
223 #include <stdio.h> 223 #include <stdio.h>
224 #include <string.h> 224 #include <string.h>
225 #include <unistd.h> 225 #include <unistd.h>
@@ -228,7 +228,7 @@ index dab7963..c741934 100644
228 #ifdef HAVE_UTIL_H 228 #ifdef HAVE_UTIL_H
229 #include <util.h> 229 #include <util.h>
230 #endif 230 #endif
231@@ -1155,8 +1157,7 @@ read_config_file(const char *filename, const char *host, Options *options, 231@@ -1475,8 +1477,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host,
232 232
233 if (fstat(fileno(f), &sb) == -1) 233 if (fstat(fileno(f), &sb) == -1)
234 fatal("fstat %s: %s", filename, strerror(errno)); 234 fatal("fstat %s: %s", filename, strerror(errno));
@@ -239,10 +239,10 @@ index dab7963..c741934 100644
239 } 239 }
240 240
241diff --git a/ssh.1 b/ssh.1 241diff --git a/ssh.1 b/ssh.1
242index 62292cc..05ae6ad 100644 242index 27794e2..ff5e6ac 100644
243--- a/ssh.1 243--- a/ssh.1
244+++ b/ssh.1 244+++ b/ssh.1
245@@ -1338,6 +1338,8 @@ The file format and configuration options are described in 245@@ -1352,6 +1352,8 @@ The file format and configuration options are described in
246 .Xr ssh_config 5 . 246 .Xr ssh_config 5 .
247 Because of the potential for abuse, this file must have strict permissions: 247 Because of the potential for abuse, this file must have strict permissions:
248 read/write for the user, and not writable by others. 248 read/write for the user, and not writable by others.
@@ -252,10 +252,10 @@ index 62292cc..05ae6ad 100644
252 .It Pa ~/.ssh/environment 252 .It Pa ~/.ssh/environment
253 Contains additional definitions for environment variables; see 253 Contains additional definitions for environment variables; see
254diff --git a/ssh_config.5 b/ssh_config.5 254diff --git a/ssh_config.5 b/ssh_config.5
255index 6948680..a1e18d2 100644 255index b3c5dc6..3c6b9d4 100644
256--- a/ssh_config.5 256--- a/ssh_config.5
257+++ b/ssh_config.5 257+++ b/ssh_config.5
258@@ -1365,6 +1365,8 @@ The format of this file is described above. 258@@ -1523,6 +1523,8 @@ The format of this file is described above.
259 This file is used by the SSH client. 259 This file is used by the SSH client.
260 Because of the potential for abuse, this file must have strict permissions: 260 Because of the potential for abuse, this file must have strict permissions:
261 read/write for the user, and not accessible by others. 261 read/write for the user, and not accessible by others.