New upstream release (6.9p1).

31 files changed, 301 insertions, 298 deletions

diff --git a/debian/.git-dpm b/debian/.git-dpm
index c476ca7ec..cc2aee698 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-8698446b972003b63dfe5dcbdb86acfe986afb85
-8698446b972003b63dfe5dcbdb86acfe986afb85
-baccdb349b31c47cd76fb63211f754ed33a9707e
-baccdb349b31c47cd76fb63211f754ed33a9707e
-openssh_6.8p1.orig.tar.gz
-cdbc51e46a902b30d263b05fdc71340920e91c92
-1475953
+810eecd6b2e03770f21e46b5cb8ce8c7fcd46da8
+810eecd6b2e03770f21e46b5cb8ce8c7fcd46da8
+544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
+544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
+openssh_6.9p1.orig.tar.gz
+86ab57f00d0fd9bf302760f2f6deac1b6e9df265
+1487617
diff --git a/debian/changelog b/debian/changelog
index 60049cd71..06ec4ab09 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-openssh (1:6.8p1-1) UNRELEASED; urgency=medium
+openssh (1:6.9p1-1) UNRELEASED; urgency=medium
 
   * New upstream release (http://www.openssh.com/txt/release-6.8):
     - sshd(8): UseDNS now defaults to 'no'.  Configurations that match
@@ -63,6 +63,72 @@ openssh (1:6.8p1-1) UNRELEASED; urgency=medium
     - ssh-keygen(1): Fix broken private key conversion from non-OpenSSH
       formats.
     - ssh-keygen(1): Fix KRL generation bug when multiple CAs are in use.
+  * New upstream release (http://www.openssh.com/txt/release-6.9):
+    - SECURITY: ssh(1): When forwarding X11 connections with
+      ForwardX11Trusted=no, connections made after ForwardX11Timeout expired
+      could be permitted and no longer subject to XSECURITY restrictions
+      because of an ineffective timeout check in ssh(1) coupled with "fail
+      open" behaviour in the X11 server when clients attempted connections
+      with expired credentials.  This problem was reported by Jann Horn.
+    - SECURITY: ssh-agent(1): Fix weakness of agent locking (ssh-add -x) to
+      password guessing by implementing an increasing failure delay, storing
+      a salted hash of the password rather than the password itself and
+      using a timing-safe comparison function for verifying unlock attempts.
+      This problem was reported by Ryan Castellucci.
+    - sshd(8): Support admin-specified arguments to AuthorizedKeysCommand
+      (closes: #740494).
+    - sshd(8): Add AuthorizedPrincipalsCommand that allows retrieving
+      authorized principals information from a subprocess rather than a
+      file.
+    - ssh(1), ssh-add(1): Support PKCS#11 devices with external PIN entry
+      devices.
+    - ssh-keygen(1): Support "ssh-keygen -lF hostname" to search known_hosts
+      and print key hashes rather than full keys.
+    - ssh-agent(1): Add -D flag to leave ssh-agent in foreground without
+      enabling debug mode.
+    - ssh(1), sshd(8): Deprecate legacy SSH2_MSG_KEX_DH_GEX_REQUEST_OLD
+      message and do not try to use it against some 3rd-party SSH
+      implementations that use it (older PuTTY, WinSCP).
+    - ssh(1), sshd(8): Cap DH-GEX group size at 4Kbits for Cisco
+      implementations as some would fail when attempting to use group sizes
+      >4K (closes: #740307, LP: #1287222).
+    - ssh(1): Fix out-of-bound read in EscapeChar configuration option
+      parsing.
+    - sshd(8): Fix application of PermitTunnel, LoginGraceTime,
+      AuthenticationMethods and StreamLocalBindMask options in Match blocks.
+    - ssh(1), sshd(8): Improve disconnection message on TCP reset.
+    - ssh(1): Remove failed remote forwards established by multiplexing from
+      the list of active forwards.
+    - sshd(8): Make parsing of authorized_keys "environment=" options
+      independent of PermitUserEnv being enabled.
+    - sshd(8): Fix post-auth crash with permitopen=none (closes: #778807).
+    - ssh(1), ssh-add(1), ssh-keygen(1): Allow new-format private keys to be
+      encrypted with AEAD ciphers.
+    - ssh(1): Allow ListenAddress, Port and AddressFamily configuration
+      options to appear in any order.
+    - sshd(8): Check for and reject missing arguments for VersionAddendum
+      and ForceCommand.
+    - ssh(1), sshd(8): Don't treat unknown certificate extensions as fatal.
+    - ssh-keygen(1): Make stdout and stderr output consistent.
+    - ssh(1): Mention missing DISPLAY environment in debug log when X11
+      forwarding requested.
+    - sshd(8): Correctly record login when UseLogin is set.
+    - sshd(8): Add some missing options to sshd -T output and fix output of
+      VersionAddendum and HostCertificate.
+    - Document and improve consistency of options that accept a "none"
+      argument: TrustedUserCAKeys, RevokedKeys, AuthorizedPrincipalsFile.
+    - ssh(1): Include remote username in debug output.
+    - sshd(8): Avoid compatibility problem with some versions of Tera Term,
+      which would crash when they received the hostkeys notification message
+      (hostkeys-00@openssh.com).
+    - sshd(8): Mention ssh-keygen -E as useful when comparing legacy MD5
+      host key fingerprints.
+    - ssh(1): Clarify pseudo-terminal request behaviour and make manual
+      language consistent.
+    - ssh(1): Document that the TERM environment variable is not subject to
+      SendEnv and AcceptEnv; bz#2386
+    - sshd(8): Format UsePAM setting when using sshd -T (closes: #767648).
+    - moduli(5): Update DH-GEX moduli (closes: #787037).
   * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the
     GSSAPI key exchange patch.
 
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 491656be2..1b52fd4cc 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
-From c9c2ebb4680ea6872218b1e4519fe31a2043a27a Mon Sep 17 00:00:00 2001
+From ee78b163ac7fe57b819e8ddf84b32e67b6a950a3 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:02 +0000
 Subject: Quieten logs when multiple from= restrictions are used
@@ -16,7 +16,7 @@ Patch-Name: auth-log-verbosity.patch
  4 files changed, 32 insertions(+), 9 deletions(-)
 
 diff --git a/auth-options.c b/auth-options.c
-index 4f0da9c..3fa236e 100644
+index facfc02..9ab1880 100644
 --- a/auth-options.c
 +++ b/auth-options.c
 @@ -58,9 +58,20 @@ int forced_tun_device = -1;
@@ -40,7 +40,7 @@ index 4f0da9c..3fa236e 100644
  auth_clear_options(void)
  {
         no_agent_forwarding_flag = 0;
-@@ -288,10 +299,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
+@@ -293,10 +304,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                                 /* FALLTHROUGH */
                         case 0:
                                 free(patterns);
@@ -58,7 +58,7 @@ index 4f0da9c..3fa236e 100644
                                 auth_debug_add("Your host '%.200s' is not "
                                     "permitted to use this key for login.",
                                     remote_host);
-@@ -514,11 +528,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
+@@ -519,11 +533,14 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
                                         break;
                                 case 0:
                                         /* no match */
@@ -104,18 +104,18 @@ index cbd971b..4cf2163 100644
          * Go though the accepted keys, looking for the current key.  If
          * found, perform a challenge-response dialog to verify that the
 diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index d943efa..0bda5c9 100644
+index 5aa319c..1eee161 100644
 --- a/auth2-pubkey.c
 +++ b/auth2-pubkey.c
-@@ -282,6 +282,7 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert)
-                restore_uid();
-                return 0;
-        }
+@@ -561,6 +561,7 @@ process_principals(FILE *f, char *file, struct passwd *pw,
+        u_long linenum = 0;
+        u_int i;
+ 
 +       auth_start_parse_options();
         while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                 /* Skip leading whitespace. */
                 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-@@ -343,6 +344,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
+@@ -726,6 +727,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
         found_key = 0;
  
         found = NULL;
@@ -123,9 +123,9 @@ index d943efa..0bda5c9 100644
         while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
                 char *cp, *key_options = NULL;
                 if (found != NULL)
-@@ -482,6 +484,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
+@@ -872,6 +874,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
         if (key_cert_check_authority(key, 0, 1,
-            principals_file == NULL ? pw->pw_name : NULL, &reason) != 0)
+            use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
                 goto fail_reason;
 +       auth_start_parse_options();
         if (auth_cert_options(key, pw) != 0)
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index eb398f6a4..e2f08085e 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From 8a1a563ee326222155c74454e11e6ed62297c403 Mon Sep 17 00:00:00 2001
+From 4a7ce48c3db45ebb9cb76fe21fc9e8811a43d840 Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
index 0438b8f74..5ab47c0ca 100644
--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,4 +1,4 @@
-From 8b3111d597316954caaf8ddf2e7746491976c248 Mon Sep 17 00:00:00 2001
+From 1197fd975ab8fd11b1ac83557ef750129b16c0d8 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:57 +0000
 Subject: Add support for registering ConsoleKit sessions on login
@@ -37,10 +37,10 @@ index 3d2a328..c406aec 100644
  MANPAGES       = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
  MANPAGES_IN    = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
 diff --git a/configure.ac b/configure.ac
-index 5f606ea..f7ce777 100644
+index 4d55c46..cd6acaf 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4180,6 +4180,30 @@ AC_ARG_WITH([kerberos5],
+@@ -4188,6 +4188,30 @@ AC_ARG_WITH([kerberos5],
  AC_SUBST([GSSLIBS])
  AC_SUBST([K5LIBS])
  
@@ -71,7 +71,7 @@ index 5f606ea..f7ce777 100644
  # Looking for programs, paths and files
  
  PRIVSEP_PATH=/var/empty
-@@ -4981,6 +5005,7 @@ echo "              MD5 password support: $MD5_MSG"
+@@ -4989,6 +5013,7 @@ echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
  echo "           Solaris project support: $SP_MSG"
@@ -357,7 +357,7 @@ index 0000000..8ce3716
 +
 +#endif /* USE_CONSOLEKIT */
 diff --git a/monitor.c b/monitor.c
-index 6ff05e4..ce7ba07 100644
+index 3a3d2f0..12ed6fd 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -104,6 +104,9 @@
@@ -411,7 +411,7 @@ index 6ff05e4..ce7ba07 100644
  
         for (;;)
                 monitor_read(pmonitor, mon_dispatch, NULL);
-@@ -2187,3 +2203,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
+@@ -2191,3 +2207,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
  
  #endif /* GSSAPI */
  
@@ -455,10 +455,10 @@ index 2d82b8b..fd8d92c 100644
  
  struct mm_master;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 5aa9c47..a5f4e9d 100644
+index 6ae72a0..2a0fe9b 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -1150,3 +1150,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
+@@ -1151,3 +1151,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
  
  #endif /* GSSAPI */
  
@@ -493,7 +493,7 @@ index 5aa9c47..a5f4e9d 100644
 +}
 +#endif /* USE_CONSOLEKIT */
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 4d1e899..f99c31c 100644
+index 57e740f..6829392 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
 @@ -108,4 +108,8 @@ int mm_skey_respond(void *, u_int, char **);
@@ -506,7 +506,7 @@ index 4d1e899..f99c31c 100644
 +
  #endif /* _MM_WRAP_H_ */
 diff --git a/session.c b/session.c
-index d4b7725..785833f 100644
+index afac4a5..c6bd728 100644
 --- a/session.c
 +++ b/session.c
 @@ -94,6 +94,7 @@
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 5bc70a566..42fc5be76 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From 2c31a85436f1eac46e185382c2aa15406ae6c0ac Mon Sep 17 00:00:00 2001
+From 91729e3501d53d11fcc7a364b36994305c495945 Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
@@ -19,10 +19,10 @@ Patch-Name: debian-banner.patch
  4 files changed, 18 insertions(+), 1 deletion(-)
 
 diff --git a/servconf.c b/servconf.c
-index b3a2841..bec53e0 100644
+index 8a5bd7b..fe3e311 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -166,6 +166,7 @@ initialize_server_options(ServerOptions *options)
+@@ -169,6 +169,7 @@ initialize_server_options(ServerOptions *options)
         options->ip_qos_bulk = -1;
         options->version_addendum = NULL;
         options->fingerprint_hash = -1;
@@ -30,7 +30,7 @@ index b3a2841..bec53e0 100644
  }
  
  /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
-@@ -342,6 +343,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -347,6 +348,8 @@ fill_default_server_options(ServerOptions *options)
                 options->fwd_opts.streamlocal_bind_unlink = 0;
         if (options->fingerprint_hash == -1)
                 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@@ -39,7 +39,7 @@ index b3a2841..bec53e0 100644
         /* Turn privilege separation on by default */
         if (use_privsep == -1)
                 use_privsep = PRIVSEP_NOSANDBOX;
-@@ -412,6 +415,7 @@ typedef enum {
+@@ -419,6 +422,7 @@ typedef enum {
         sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
         sStreamLocalBindMask, sStreamLocalBindUnlink,
         sAllowStreamLocalForwarding, sFingerprintHash,
@@ -47,7 +47,7 @@ index b3a2841..bec53e0 100644
         sDeprecated, sUnsupported
  } ServerOpCodes;
  
-@@ -556,6 +560,7 @@ static struct {
+@@ -565,6 +569,7 @@ static struct {
         { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
         { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
         { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
@@ -55,7 +55,7 @@ index b3a2841..bec53e0 100644
         { NULL, sBadOption, 0 }
  };
  
-@@ -1777,6 +1782,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1850,6 +1855,10 @@ process_server_config_line(ServerOptions *options, char *line,
                         options->fingerprint_hash = value;
                 break;
  
@@ -67,10 +67,10 @@ index b3a2841..bec53e0 100644
                 logit("%s line %d: Deprecated option %s",
                     filename, linenum, arg);
 diff --git a/servconf.h b/servconf.h
-index d2ed4d7..ed0f171 100644
+index b99b270..ba7b739 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -192,6 +192,8 @@ typedef struct {
+@@ -196,6 +196,8 @@ typedef struct {
         char   *auth_methods[MAX_AUTH_METHODS];
  
         int     fingerprint_hash;
@@ -80,7 +80,7 @@ index d2ed4d7..ed0f171 100644
  
  /* Information about the incoming connection as used by Match */
 diff --git a/sshd.c b/sshd.c
-index c362209..5435968 100644
+index 96e75c6..7886d0e 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -442,7 +442,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
@@ -94,10 +94,10 @@ index c362209..5435968 100644
             options.version_addendum, newline);
  
 diff --git a/sshd_config.5 b/sshd_config.5
-index d14576e..ec58635 100644
+index 1269bbd..a5afbc3 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -476,6 +476,11 @@ or
+@@ -528,6 +528,11 @@ or
  .Dq no .
  The default is
  .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index a346ba678..4f5db8a91 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 8698446b972003b63dfe5dcbdb86acfe986afb85 Mon Sep 17 00:00:00 2001
+From 810eecd6b2e03770f21e46b5cb8ce8c7fcd46da8 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -29,12 +29,12 @@ Patch-Name: debian-config.patch
  readconf.c    |  2 +-
  ssh_config    |  7 ++++++-
  ssh_config.5  | 19 ++++++++++++++++++-
- sshd_config   |  1 +
+ sshd_config   |  3 ++-
  sshd_config.5 | 25 +++++++++++++++++++++++++
- 5 files changed, 51 insertions(+), 3 deletions(-)
+ 5 files changed, 52 insertions(+), 4 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index 2ef8d7b..66a62f2 100644
+index 5f6c37f..f0769b5 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -1748,7 +1748,7 @@ fill_default_options(Options * options)
@@ -71,7 +71,7 @@ index 228e5ab..c9386aa 100644
 +    GSSAPIAuthentication yes
 +    GSSAPIDelegateCredentials no
 diff --git a/ssh_config.5 b/ssh_config.5
-index 3bd80fd..da8e544 100644
+index acd581b..844d1a0 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
@@ -97,7 +97,7 @@ index 3bd80fd..da8e544 100644
  The configuration file has the following format:
  .Pp
  Empty lines and lines starting with
-@@ -715,7 +731,8 @@ token used for the session will be set to expire after 20 minutes.
+@@ -716,7 +732,8 @@ token used for the session will be set to expire after 20 minutes.
  Remote clients will be refused access after this time.
  .Pp
  The default is
@@ -108,19 +108,21 @@ index 3bd80fd..da8e544 100644
  See the X11 SECURITY extension specification for full details on
  the restrictions imposed on untrusted clients.
 diff --git a/sshd_config b/sshd_config
-index a71ad19..3391233 100644
+index 1dfd0f1..23a338f 100644
 --- a/sshd_config
 +++ b/sshd_config
-@@ -41,6 +41,7 @@
+@@ -41,7 +41,8 @@
  # Authentication:
  
  #LoginGraceTime 2m
+-#PermitRootLogin no
 +# See /usr/share/doc/openssh-server/README.Debian.gz.
- #PermitRootLogin yes
++#PermitRootLogin without-password
  #StrictModes yes
  #MaxAuthTries 6
+ #MaxSessions 10
 diff --git a/sshd_config.5 b/sshd_config.5
-index 453d741..db1f2fd 100644
+index 355b445..eb6bff8 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 97fe79aef..57bd567e4 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From 5cbcc7353649b84b5a7528e583458ee9473fd527 Mon Sep 17 00:00:00 2001
+From dbde51cd7abb931b2d8635230bd77c9ec3b75074 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 35d589353..b80cc4e25 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From b0146d5a8c1b9d87f4255cbee40b31c938fea2f8 Mon Sep 17 00:00:00 2001
+From 9e2f66b771364d835a5308218b777b08935596b8 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
  1 file changed, 3 insertions(+)
 
 diff --git a/ssh_config.5 b/ssh_config.5
-index 8abcf40..3bd80fd 100644
+index 1d0c52b..acd581b 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -801,6 +801,9 @@ Note that existing names and addresses in known hosts files
+@@ -802,6 +802,9 @@ Note that existing names and addresses in known hosts files
  will not be converted automatically,
  but may be manually hashed using
  .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index 8002929ab..151c57eb1 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
-From c679bacbff13edaa44255c4f4c32ef5bc0f4ccbc Mon Sep 17 00:00:00 2001
+From 64f36a889a1afd364636c1ded6b6a694675fca67 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:12 +0000
 Subject: Refer to ssh's Upstart job as well as its init script
@@ -12,7 +12,7 @@ Patch-Name: doc-upstart.patch
  1 file changed, 4 insertions(+), 1 deletion(-)
 
 diff --git a/sshd.8 b/sshd.8
-index 8dba6cf..e198017 100644
+index 2f4d4f3..42f1520 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -67,7 +67,10 @@ over an insecure network.
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 79efb8971..cdb3fc7f0 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 02662744e60e6bbe532ff22c7f563026a7424b6c Mon Sep 17 00:00:00 2001
+From f3e58419e41e29f5d03c2d91f4576febac922112 Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index b3c437194..3f616af7d 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 06879e71614170580ffa7568ec5c009f60a9d084 Mon Sep 17 00:00:00 2001
+From 5d3dc7ea4c96cab9483d5389a3b04163771fdee2 Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -31,7 +31,7 @@ Patch-Name: gssapi.patch
  configure.ac     |  24 ++++
  gss-genr.c       | 275 ++++++++++++++++++++++++++++++++++++++++++++-
  gss-serv-krb5.c  |  85 ++++++++++++--
- gss-serv.c       | 221 +++++++++++++++++++++++++++++++-----
+ gss-serv.c       | 185 +++++++++++++++++++++++++++---
  kex.c            |  16 +++
  kex.h            |  14 +++
  kexgssc.c        | 336 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
@@ -42,18 +42,18 @@ Patch-Name: gssapi.patch
  monitor_wrap.h   |   4 +-
  readconf.c       |  42 +++++++
  readconf.h       |   5 +
- servconf.c       |  38 ++++++-
- servconf.h       |   3 +
+ servconf.c       |  28 ++++-
+ servconf.h       |   2 +
  ssh-gss.h        |  41 ++++++-
  ssh_config       |   2 +
  ssh_config.5     |  34 +++++-
  sshconnect2.c    | 124 +++++++++++++++++++-
  sshd.c           | 110 ++++++++++++++++++
  sshd_config      |   2 +
- sshd_config.5    |  28 +++++
+ sshd_config.5    |  11 ++
  sshkey.c         |   3 +-
  sshkey.h         |   1 +
- 32 files changed, 2005 insertions(+), 60 deletions(-)
+ 32 files changed, 1955 insertions(+), 46 deletions(-)
  create mode 100644 ChangeLog.gssapi
  create mode 100644 kexgssc.c
  create mode 100644 kexgsss.c
@@ -359,7 +359,7 @@ index 7177962..3f49bdc 100644
  #endif
         &method_passwd,
 diff --git a/clientloop.c b/clientloop.c
-index a9c8a90..7df9413 100644
+index dc0e557..77d5498 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -114,6 +114,10 @@
@@ -373,7 +373,7 @@ index a9c8a90..7df9413 100644
  /* import options */
  extern Options options;
  
-@@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
+@@ -1609,6 +1613,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
                 /* Do channel operations unless rekeying in progress. */
                 if (!rekeying) {
                         channel_after_select(readset, writeset);
@@ -414,10 +414,10 @@ index 7e7e38e..6c7de98 100644
  #undef USE_SOLARIS_PROCESS_CONTRACTS
  
 diff --git a/configure.ac b/configure.ac
-index b4d6598..216a9fd 100644
+index bb0095f..df21693 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -620,6 +620,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+@@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
             [Use tunnel device compatibility to OpenBSD])
         AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
             [Prepend the address family to IP tunnel traffic])
@@ -449,7 +449,7 @@ index b4d6598..216a9fd 100644
         AC_CHECK_DECL([AU_IPv4], [], 
             AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
 diff --git a/gss-genr.c b/gss-genr.c
-index 60ac65f..5610f0b 100644
+index d617d60..b4eca3f 100644
 --- a/gss-genr.c
 +++ b/gss-genr.c
 @@ -1,7 +1,7 @@
@@ -461,7 +461,7 @@ index 60ac65f..5610f0b 100644
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
-@@ -40,12 +40,167 @@
+@@ -41,12 +41,167 @@
  #include "buffer.h"
  #include "log.h"
  #include "ssh2.h"
@@ -629,7 +629,7 @@ index 60ac65f..5610f0b 100644
  /* Check that the OID in a data stream matches that in the context */
  int
  ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
-@@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
+@@ -199,7 +354,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
         }
  
         ctx->major = gss_init_sec_context(&ctx->minor,
@@ -638,7 +638,7 @@ index 60ac65f..5610f0b 100644
             GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
             0, NULL, recv_tok, NULL, send_tok, flags, NULL);
  
-@@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
+@@ -229,8 +384,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
  }
  
  OM_uint32
@@ -681,7 +681,7 @@ index 60ac65f..5610f0b 100644
         if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
             GSS_C_QOP_DEFAULT, buffer, hash)))
                 ssh_gssapi_error(ctx);
-@@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
+@@ -238,6 +427,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
         return (ctx->major);
  }
  
@@ -701,7 +701,7 @@ index 60ac65f..5610f0b 100644
  void
  ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
      const char *context)
-@@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
+@@ -251,11 +453,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
  }
  
  int
@@ -719,7 +719,7 @@ index 60ac65f..5610f0b 100644
  
         /* RFC 4462 says we MUST NOT do SPNEGO */
         if (oid->length == spnego_oid.length && 
-@@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
+@@ -265,6 +472,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
         ssh_gssapi_build_ctx(ctx);
         ssh_gssapi_set_oid(*ctx, oid);
         major = ssh_gssapi_import_name(*ctx, host);
@@ -730,7 +730,7 @@ index 60ac65f..5610f0b 100644
         if (!GSS_ERROR(major)) {
                 major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
                     NULL);
-@@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
+@@ -274,10 +485,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
                             GSS_C_NO_BUFFER);
         }
  
@@ -925,11 +925,11 @@ index 795992d..fd8b371 100644
  
  #endif /* KRB5 */
 diff --git a/gss-serv.c b/gss-serv.c
-index e7b8c52..539862d 100644
+index 53993d6..2f6baf7 100644
 --- a/gss-serv.c
 +++ b/gss-serv.c
 @@ -1,7 +1,7 @@
- /* $OpenBSD: gss-serv.c,v 1.28 2015/01/20 23:14:00 deraadt Exp $ */
+ /* $OpenBSD: gss-serv.c,v 1.29 2015/05/22 03:50:02 djm Exp $ */
  
  /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -937,11 +937,10 @@ index e7b8c52..539862d 100644
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
-@@ -44,15 +44,21 @@
- #include "channels.h"
+@@ -45,17 +45,22 @@
  #include "session.h"
  #include "misc.h"
-+#include "servconf.h"
+ #include "servconf.h"
 +#include "uidswap.h"
  
  #include "ssh-gss.h"
@@ -949,6 +948,8 @@ index e7b8c52..539862d 100644
 +
 +extern ServerOptions options;
  
+ extern ServerOptions options;
+ 
  static ssh_gssapi_client gssapi_client =
      { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
 -    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
@@ -961,54 +962,7 @@ index e7b8c52..539862d 100644
  
  #ifdef KRB5
  extern ssh_gssapi_mech gssapi_kerberos_mech;
-@@ -99,25 +105,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
-        char lname[NI_MAXHOST];
-        gss_OID_set oidset;
- 
--       gss_create_empty_oid_set(&status, &oidset);
--       gss_add_oid_set_member(&status, ctx->oid, &oidset);
-+       if (options.gss_strict_acceptor) {
-+               gss_create_empty_oid_set(&status, &oidset);
-+               gss_add_oid_set_member(&status, ctx->oid, &oidset);
- 
--       if (gethostname(lname, sizeof(lname))) {
--               gss_release_oid_set(&status, &oidset);
--               return (-1);
--       }
-+               if (gethostname(lname, sizeof(lname))) {
-+                       gss_release_oid_set(&status, &oidset);
-+                       return (-1);
-+               }
-+
-+               if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-+                       gss_release_oid_set(&status, &oidset);
-+                       return (ctx->major);
-+               }
-+
-+               if ((ctx->major = gss_acquire_cred(&ctx->minor,
-+                   ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, 
-+                   NULL, NULL)))
-+                       ssh_gssapi_error(ctx);
- 
--       if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-                gss_release_oid_set(&status, &oidset);
-                return (ctx->major);
-+       } else {
-+               ctx->name = GSS_C_NO_NAME;
-+               ctx->creds = GSS_C_NO_CREDENTIAL;
-        }
--
--       if ((ctx->major = gss_acquire_cred(&ctx->minor,
--           ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
--               ssh_gssapi_error(ctx);
--
--       gss_release_oid_set(&status, &oidset);
--       return (ctx->major);
-+       return GSS_S_COMPLETE;
- }
- 
- /* Privileged */
-@@ -132,6 +145,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+@@ -142,6 +147,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
  }
  
  /* Unprivileged */
@@ -1038,7 +992,7 @@ index e7b8c52..539862d 100644
  void
  ssh_gssapi_supported_oids(gss_OID_set *oidset)
  {
-@@ -141,7 +177,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
+@@ -151,7 +179,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
         gss_OID_set supported;
  
         gss_create_empty_oid_set(&min_status, oidset);
@@ -1049,7 +1003,7 @@ index e7b8c52..539862d 100644
  
         while (supported_mechs[i]->name != NULL) {
                 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
-@@ -267,8 +305,48 @@ OM_uint32
+@@ -277,8 +307,48 @@ OM_uint32
  ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
  {
         int i = 0;
@@ -1074,8 +1028,7 @@ index e7b8c52..539862d 100644
 +
 +               ctx->major = gss_compare_name(&ctx->minor, client->name, 
 +                   new_name, &equal);
- 
--       gss_buffer_desc ename;
++
 +               if (GSS_ERROR(ctx->major)) {
 +                       ssh_gssapi_error(ctx);
 +                       return (ctx->major);
@@ -1085,7 +1038,8 @@ index e7b8c52..539862d 100644
 +                       debug("Rekeyed credentials have different name");
 +                       return GSS_S_COMPLETE;
 +               }
-+
+ 
+-       gss_buffer_desc ename;
 +               debug("Marking rekeyed credentials for export");
 +
 +               gss_release_name(&ctx->minor, &client->name);
@@ -1099,7 +1053,7 @@ index e7b8c52..539862d 100644
  
         client->mech = NULL;
  
-@@ -283,6 +361,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
+@@ -293,6 +363,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
         if (client->mech == NULL)
                 return GSS_S_FAILURE;
  
@@ -1113,7 +1067,7 @@ index e7b8c52..539862d 100644
         if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
             &client->displayname, NULL))) {
                 ssh_gssapi_error(ctx);
-@@ -300,6 +385,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
+@@ -310,6 +387,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
                 return (ctx->major);
         }
  
@@ -1122,7 +1076,7 @@ index e7b8c52..539862d 100644
         /* We can't copy this structure, so we just move the pointer to it */
         client->creds = ctx->client_creds;
         ctx->client_creds = GSS_C_NO_CREDENTIAL;
-@@ -347,7 +434,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
+@@ -357,7 +436,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
  
  /* Privileged */
  int
@@ -1131,7 +1085,7 @@ index e7b8c52..539862d 100644
  {
         OM_uint32 lmin;
  
-@@ -357,9 +444,11 @@ ssh_gssapi_userok(char *user)
+@@ -367,9 +446,11 @@ ssh_gssapi_userok(char *user)
                 return 0;
         }
         if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1145,7 +1099,7 @@ index e7b8c52..539862d 100644
                         /* Destroy delegated credentials if userok fails */
                         gss_release_buffer(&lmin, &gssapi_client.displayname);
                         gss_release_buffer(&lmin, &gssapi_client.exportedname);
-@@ -373,14 +462,90 @@ ssh_gssapi_userok(char *user)
+@@ -383,14 +464,90 @@ ssh_gssapi_userok(char *user)
         return (0);
  }
  
@@ -1243,7 +1197,7 @@ index e7b8c52..539862d 100644
  
  #endif
 diff --git a/kex.c b/kex.c
-index 8c2b001..be938ad 100644
+index dbc55ef..4d8e6f5 100644
 --- a/kex.c
 +++ b/kex.c
 @@ -55,6 +55,10 @@
@@ -1966,7 +1920,7 @@ index 0000000..0847469
 +}
 +#endif /* GSSAPI */
 diff --git a/monitor.c b/monitor.c
-index bab6ce8..a2027e5 100644
+index b410965..bdc2972 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
@@ -2019,7 +1973,7 @@ index bab6ce8..a2027e5 100644
         } else {
                 mon_dispatch = mon_dispatch_postauth15;
                 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1860,6 +1877,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
+@@ -1864,6 +1881,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
  # endif
  #endif /* WITH_OPENSSL */
                 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2033,7 +1987,7 @@ index bab6ce8..a2027e5 100644
                 kex->load_host_public_key=&get_hostkey_public_by_type;
                 kex->load_host_private_key=&get_hostkey_private_by_type;
                 kex->host_key_index=&get_hostkey_index;
-@@ -1959,6 +1983,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
+@@ -1963,6 +1987,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
         OM_uint32 major;
         u_int len;
  
@@ -2043,7 +1997,7 @@ index bab6ce8..a2027e5 100644
         goid.elements = buffer_get_string(m, &len);
         goid.length = len;
  
-@@ -1986,6 +2013,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -1990,6 +2017,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
         OM_uint32 flags = 0; /* GSI needs this */
         u_int len;
  
@@ -2053,7 +2007,7 @@ index bab6ce8..a2027e5 100644
         in.value = buffer_get_string(m, &len);
         in.length = len;
         major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2003,6 +2033,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -2007,6 +2037,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2061,7 +2015,7 @@ index bab6ce8..a2027e5 100644
         }
         return (0);
  }
-@@ -2014,6 +2045,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
+@@ -2018,6 +2049,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
         OM_uint32 ret;
         u_int len;
  
@@ -2071,7 +2025,7 @@ index bab6ce8..a2027e5 100644
         gssbuf.value = buffer_get_string(m, &len);
         gssbuf.length = len;
         mic.value = buffer_get_string(m, &len);
-@@ -2040,7 +2074,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2044,7 +2078,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
  {
         int authenticated;
  
@@ -2084,7 +2038,7 @@ index bab6ce8..a2027e5 100644
  
         buffer_clear(m);
         buffer_put_int(m, authenticated);
-@@ -2053,5 +2091,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2057,5 +2095,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
         /* Monitor loop will terminate if authenticated */
         return (authenticated);
  }
@@ -2173,10 +2127,10 @@ index 93b8b66..bc50ade 100644
  
  struct mm_master;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index b379f05..b667218 100644
+index e6217b3..71e7c08 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+@@ -1069,7 +1069,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
  }
  
  int
@@ -2185,7 +2139,7 @@ index b379f05..b667218 100644
  {
         Buffer m;
         int authenticated = 0;
-@@ -1085,5 +1085,50 @@ mm_ssh_gssapi_userok(char *user)
+@@ -1086,5 +1086,50 @@ mm_ssh_gssapi_userok(char *user)
         debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
         return (authenticated);
  }
@@ -2237,7 +2191,7 @@ index b379f05..b667218 100644
  #endif /* GSSAPI */
  
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index e18784a..0c770e8 100644
+index de4a08f..9758290 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
 @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
@@ -2253,7 +2207,7 @@ index e18784a..0c770e8 100644
  
  #ifdef USE_PAM
 diff --git a/readconf.c b/readconf.c
-index 42a2961..254dbce 100644
+index db7d0bb..68dac76 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -147,6 +147,8 @@ typedef enum {
@@ -2362,21 +2316,21 @@ index 576b9e3..ef39c4c 100644
                                                  * authentication. */
         int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 diff --git a/servconf.c b/servconf.c
-index 3185462..f68c0d0 100644
+index df93fc4..2f7f41e 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -114,7 +114,10 @@ initialize_server_options(ServerOptions *options)
+@@ -115,8 +115,10 @@ initialize_server_options(ServerOptions *options)
         options->kerberos_ticket_cleanup = -1;
         options->kerberos_get_afs_token = -1;
         options->gss_authentication=-1;
 +       options->gss_keyex = -1;
         options->gss_cleanup_creds = -1;
-+       options->gss_strict_acceptor = -1;
+        options->gss_strict_acceptor = -1;
 +       options->gss_store_rekey = -1;
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->challenge_response_authentication = -1;
-@@ -269,8 +272,14 @@ fill_default_server_options(ServerOptions *options)
+@@ -275,10 +277,14 @@ fill_default_server_options(ServerOptions *options)
                 options->kerberos_get_afs_token = 0;
         if (options->gss_authentication == -1)
                 options->gss_authentication = 0;
@@ -2384,37 +2338,35 @@ index 3185462..f68c0d0 100644
 +               options->gss_keyex = 0;
         if (options->gss_cleanup_creds == -1)
                 options->gss_cleanup_creds = 1;
-+       if (options->gss_strict_acceptor == -1)
+        if (options->gss_strict_acceptor == -1)
+-               options->gss_strict_acceptor = 0;
 +               options->gss_strict_acceptor = 1;
 +       if (options->gss_store_rekey == -1)
 +               options->gss_store_rekey = 0;
         if (options->password_authentication == -1)
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
-@@ -391,7 +400,9 @@ typedef enum {
-        sBanner, sUseDNS, sHostbasedAuthentication,
+@@ -401,6 +407,7 @@ typedef enum {
         sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
         sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
--       sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-+       sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+        sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
 +       sGssKeyEx, sGssStoreRekey,
-+       sAcceptEnv, sPermitTunnel,
+        sAcceptEnv, sPermitTunnel,
         sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
         sUsePrivilegeSeparation, sAllowAgentForwarding,
-        sHostCertificate,
-@@ -462,10 +473,20 @@ static struct {
+@@ -473,12 +480,20 @@ static struct {
  #ifdef GSSAPI
         { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
         { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
 +       { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
-+       { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+        { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
 +       { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
 +       { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
  #else
         { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
         { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
 +       { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
-+       { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+        { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
 +       { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
 +       { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
  #endif
@@ -2423,7 +2375,7 @@ index 3185462..f68c0d0 100644
         { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
         { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1166,10 +1187,22 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1214,6 +1229,10 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->gss_authentication;
                 goto parse_flag;
  
@@ -2434,11 +2386,10 @@ index 3185462..f68c0d0 100644
         case sGssCleanupCreds:
                 intptr = &options->gss_cleanup_creds;
                 goto parse_flag;
+@@ -1222,6 +1241,10 @@ process_server_config_line(ServerOptions *options, char *line,
+                intptr = &options->gss_strict_acceptor;
+                goto parse_flag;
  
-+       case sGssStrictAcceptor:
-+               intptr = &options->gss_strict_acceptor;
-+               goto parse_flag;
-+
 +       case sGssStoreRekey:
 +               intptr = &options->gss_store_rekey;
 +               goto parse_flag;
@@ -2446,7 +2397,7 @@ index 3185462..f68c0d0 100644
         case sPasswordAuthentication:
                 intptr = &options->password_authentication;
                 goto parse_flag;
-@@ -2125,7 +2158,10 @@ dump_config(ServerOptions *o)
+@@ -2229,7 +2252,10 @@ dump_config(ServerOptions *o)
  #endif
  #ifdef GSSAPI
         dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2458,16 +2409,16 @@ index 3185462..f68c0d0 100644
         dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
         dump_cfg_fmtint(sKbdInteractiveAuthentication,
 diff --git a/servconf.h b/servconf.h
-index 9922f0c..d2ed4d7 100644
+index 606d80c..b99b270 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -115,7 +115,10 @@ typedef struct {
+@@ -117,8 +117,10 @@ typedef struct {
         int     kerberos_get_afs_token;         /* If true, try to get AFS token if
                                                  * authenticated with Kerberos. */
         int     gss_authentication;     /* If true, permit GSSAPI authentication */
 +       int     gss_keyex;              /* If true, permit GSSAPI key exchange */
         int     gss_cleanup_creds;      /* If true, destroy cred cache on logout */
-+       int     gss_strict_acceptor;    /* If true, restrict the GSSAPI acceptor name */
+        int     gss_strict_acceptor;    /* If true, restrict the GSSAPI acceptor name */
 +       int     gss_store_rekey;
         int     password_authentication;        /* If true, permit password
                                                  * authentication. */
@@ -2589,10 +2540,10 @@ index 03a228f..228e5ab 100644
  #   CheckHostIP yes
  #   AddressFamily any
 diff --git a/ssh_config.5 b/ssh_config.5
-index 140d0ba..4476171 100644
+index 268a627..b840261 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -743,11 +743,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
+@@ -744,11 +744,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
  The default is
  .Dq no .
  Note that this option applies to protocol version 2 only.
@@ -2638,7 +2589,7 @@ index 140d0ba..4476171 100644
  Indicates that
  .Xr ssh 1
 diff --git a/sshconnect2.c b/sshconnect2.c
-index ba56f64..faa8ec5 100644
+index fcaed6b..44c89e6 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
 @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -2840,7 +2791,7 @@ index ba56f64..faa8ec5 100644
  
  int
 diff --git a/sshd.c b/sshd.c
-index e1c767c..cf38bae 100644
+index 6f8c6f2..6b85e6c 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -125,6 +125,10 @@
@@ -2854,7 +2805,7 @@ index e1c767c..cf38bae 100644
  #ifndef O_NOCTTY
  #define O_NOCTTY       0
  #endif
-@@ -1815,10 +1819,13 @@ main(int ac, char **av)
+@@ -1823,10 +1827,13 @@ main(int ac, char **av)
                 logit("Disabling protocol version 1. Could not load host key");
                 options.protocol &= ~SSH_PROTO_1;
         }
@@ -2868,9 +2819,9 @@ index e1c767c..cf38bae 100644
         if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
                 logit("sshd: no hostkeys available -- exiting.");
                 exit(1);
-@@ -2132,6 +2139,60 @@ main(int ac, char **av)
-            remote_ip, remote_port,
-            get_local_ipaddr(sock_in), get_local_port());
+@@ -2141,6 +2148,60 @@ main(int ac, char **av)
+            remote_ip, remote_port, laddr,  get_local_port());
+        free(laddr);
  
 +#ifdef USE_SECURITY_SESSION_API
 +       /*
@@ -2929,7 +2880,7 @@ index e1c767c..cf38bae 100644
         /*
          * We don't want to listen forever unless the other side
          * successfully authenticates itself.  So we set up an alarm which is
-@@ -2561,6 +2622,48 @@ do_ssh2_kex(void)
+@@ -2570,6 +2631,48 @@ do_ssh2_kex(void)
         myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
             list_hostkey_types());
  
@@ -2978,7 +2929,7 @@ index e1c767c..cf38bae 100644
         /* start key exchange */
         if ((r = kex_setup(active_state, myproposal)) != 0)
                 fatal("kex_setup: %s", ssh_err(r));
-@@ -2575,6 +2678,13 @@ do_ssh2_kex(void)
+@@ -2584,6 +2687,13 @@ do_ssh2_kex(void)
  # endif
  #endif
         kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2993,7 +2944,7 @@ index e1c767c..cf38bae 100644
         kex->client_version_string=client_version_string;
         kex->server_version_string=server_version_string;
 diff --git a/sshd_config b/sshd_config
-index c9042ac..a71ad19 100644
+index cf7d8e1..1dfd0f1 100644
 --- a/sshd_config
 +++ b/sshd_config
 @@ -84,6 +84,8 @@ AuthorizedKeysFile    .ssh/authorized_keys
@@ -3006,10 +2957,10 @@ index c9042ac..a71ad19 100644
  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
 diff --git a/sshd_config.5 b/sshd_config.5
-index 6dce0c7..0331496 100644
+index 5ab4318..68424f1 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -564,12 +564,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
+@@ -616,6 +616,12 @@ Specifies whether user authentication based on GSSAPI is allowed.
  The default is
  .Dq no .
  Note that this option applies to protocol version 2 only.
@@ -3022,26 +2973,10 @@ index 6dce0c7..0331496 100644
  .It Cm GSSAPICleanupCredentials
  Specifies whether to automatically destroy the user's credentials cache
  on logout.
+@@ -637,6 +643,11 @@ machine's default store.
+ This facility is provided to assist with operation on multi homed machines.
  The default is
  .Dq yes .
- Note that this option applies to protocol version 2 only.
-+.It Cm GSSAPIStrictAcceptorCheck
-+Determines whether to be strict about the identity of the GSSAPI acceptor 
-+a client authenticates against. If
-+.Dq yes
-+then the client must authenticate against the
-+.Pa host
-+service on the current hostname. If 
-+.Dq no
-+then the client may authenticate against any service key stored in the 
-+machine's default store. This facility is provided to assist with operation 
-+on multi homed machines. 
-+The default is
-+.Dq yes .
-+Note that this option applies only to protocol version 2 GSSAPI connections,
-+and setting it to 
-+.Dq no
-+may only work with recent Kerberos GSSAPI libraries.
 +.It Cm GSSAPIStoreCredentialsOnRekey
 +Controls whether the user's GSSAPI credentials should be updated following a 
 +successful connection rekeying. This option can be used to accepted renewed 
@@ -3051,7 +2986,7 @@ index 6dce0c7..0331496 100644
  Specifies the key types that will be accepted for hostbased authentication
  as a comma-separated pattern list.
 diff --git a/sshkey.c b/sshkey.c
-index 4768790..cd5992e 100644
+index cfe5980..2c87d80 100644
 --- a/sshkey.c
 +++ b/sshkey.c
 @@ -116,6 +116,7 @@ static const struct keytype keytypes[] = {
@@ -3072,7 +3007,7 @@ index 4768790..cd5992e 100644
                 if ((certs_only && !kt->cert) || (plain_only && kt->cert))
                         continue;
 diff --git a/sshkey.h b/sshkey.h
-index 62c1c3e..9314e85 100644
+index cdac0e2..b010b8e 100644
 --- a/sshkey.h
 +++ b/sshkey.h
 @@ -64,6 +64,7 @@ enum sshkey_types {
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index 6ea643210..ac8630b4c 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
-From 9a440da8025dbc120803ee09c2a7ac8c638d31c2 Mon Sep 17 00:00:00 2001
+From 5496170cd67abb653e385277bd83b69f1b10905d Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:09:56 +0000
 Subject: Mention ~& when waiting for forwarded connections to terminate
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 0adfbd2b5..09c178db4 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From 7efad61f1e562f504a5ff3fb0ae90ac05a208e66 Mon Sep 17 00:00:00 2001
+From 02a61bcb045503a5f3f7e274ac1f4524e30f87c8 Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
  3 files changed, 34 insertions(+), 4 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index 278fe15..1d2d596 100644
+index 85eea48..5c5890c 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -159,6 +159,7 @@ typedef enum {
@@ -72,7 +72,7 @@ index 278fe15..1d2d596 100644
                 options->server_alive_count_max = 3;
         if (options->control_master == -1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index dd35dd8..250c0d1 100644
+index f7510b6..21d3e94 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -233,8 +233,12 @@ Valid arguments are
@@ -89,7 +89,7 @@ index dd35dd8..250c0d1 100644
  The argument must be
  .Dq yes
  or
-@@ -1420,8 +1424,15 @@ from the server,
+@@ -1425,8 +1429,15 @@ from the server,
  will send a message through the encrypted
  channel to request a response from the server.
  The default
@@ -106,7 +106,7 @@ index dd35dd8..250c0d1 100644
  .It Cm StreamLocalBindMask
  Sets the octal file creation mode mask
  .Pq umask
-@@ -1487,6 +1498,12 @@ Specifies whether the system should send TCP keepalive messages to the
+@@ -1492,6 +1503,12 @@ Specifies whether the system should send TCP keepalive messages to the
  other side.
  If they are sent, death of the connection or crash of one
  of the machines will be properly noticed.
@@ -120,10 +120,10 @@ index dd35dd8..250c0d1 100644
  connections will die if the route is down temporarily, and some people
  find it annoying.
 diff --git a/sshd_config.5 b/sshd_config.5
-index 0331496..d14576e 100644
+index 68424f1..1269bbd 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1392,6 +1392,9 @@ This avoids infinitely hanging sessions.
+@@ -1443,6 +1443,9 @@ This avoids infinitely hanging sessions.
  .Pp
  To disable TCP keepalive messages, the value should be set to
  .Dq no .
@@ -132,4 +132,4 @@ index 0331496..d14576e 100644
 +.Cm KeepAlive .
  .It Cm TrustedUserCAKeys
  Specifies a file containing public keys of certificate authorities that are
- trusted to sign user certificates for authentication.
+ trusted to sign user certificates for authentication, or
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 7aa035726..a285b4c69 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -1,4 +1,4 @@
-From 90fc009420a03c598d6f003df5466191ab4d12b2 Mon Sep 17 00:00:00 2001
+From 1237c8b43799156af8972c53c9ccc6b27140a284 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:08 +0000
 Subject: Fix picky lintian errors about slogin symlinks
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 127ed9f9e..84804481e 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From aedcf9cb37f512b929ce895ba1fccc9ca39166b0 Mon Sep 17 00:00:00 2001
+From f948cb2d089ebf70b70db3d483d09ad97a0cf371 Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -13,7 +13,7 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
  1 file changed, 6 insertions(+), 1 deletion(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 0073c6e..6065dff 100644
+index 8adc943..0c9fc6c 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
 @@ -1078,9 +1078,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index f4d8bca66..73b16a368 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From 6b85aa42144010401906754b98f9876651669163 Mon Sep 17 00:00:00 2001
+From d3777c50b834493fcfbc3549e1dfb465c10abeec Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <kurt@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index f5b96f4a1..97971707f 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From 96c2797aaa79d687e75dc56f40f7102131d87fb1 Mon Sep 17 00:00:00 2001
+From 3303a9d037ae9b62e5af01f467d8053cbd9c8410 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
@@ -88,7 +88,7 @@ index 9b93666..19bed1e 100644
  The file format is described in
  .Xr moduli 5 .
 diff --git a/ssh.1 b/ssh.1
-index 53c711a..04de6cf 100644
+index c84196f..c3e1266 100644
 --- a/ssh.1
 +++ b/ssh.1
 @@ -766,6 +766,10 @@ Protocol 1 is restricted to using only RSA keys,
@@ -103,7 +103,7 @@ index 53c711a..04de6cf 100644
  .Pp
  The file
 diff --git a/sshd.8 b/sshd.8
-index fc2154c..8dba6cf 100644
+index 5afd10f..2f4d4f3 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -67,7 +67,7 @@ over an insecure network.
@@ -115,7 +115,7 @@ index fc2154c..8dba6cf 100644
  It forks a new
  daemon for each incoming connection.
  The forked daemons handle
-@@ -862,7 +862,7 @@ This file is for host-based authentication (see
+@@ -864,7 +864,7 @@ This file is for host-based authentication (see
  .Xr ssh 1 ) .
  It should only be writable by root.
  .Pp
@@ -124,7 +124,7 @@ index fc2154c..8dba6cf 100644
  Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
  The file format is described in
  .Xr moduli 5 .
-@@ -961,7 +961,6 @@ The content of this file is not sensitive; it can be world-readable.
+@@ -963,7 +963,6 @@ The content of this file is not sensitive; it can be world-readable.
  .Xr ssh-keyscan 1 ,
  .Xr chroot 2 ,
  .Xr hosts_access 5 ,
@@ -133,10 +133,10 @@ index fc2154c..8dba6cf 100644
  .Xr sshd_config 5 ,
  .Xr inetd 8 ,
 diff --git a/sshd_config.5 b/sshd_config.5
-index ec58635..453d741 100644
+index a5afbc3..355b445 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -322,8 +322,7 @@ This option is only available for protocol version 2.
+@@ -374,8 +374,7 @@ This option is only available for protocol version 2.
  By default, no banner is displayed.
  .It Cm ChallengeResponseAuthentication
  Specifies whether challenge-response authentication is allowed (e.g. via
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 11674a915..6eb7b7243 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From 9f6aded97671ee8b9164f0524b3ac622d827dcde Mon Sep 17 00:00:00 2001
+From c3a4906692ddd85d8530d2fdb74822ae793f18db Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
@@ -19,7 +19,7 @@ Patch-Name: package-versioning.patch
  3 files changed, 9 insertions(+), 4 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 6065dff..a6c9e20 100644
+index 0c9fc6c..988f4ef 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
 @@ -524,10 +524,10 @@ send_client_banner(int connection_out, int minor1)
@@ -36,7 +36,7 @@ index 6065dff..a6c9e20 100644
         if (roaming_atomicio(vwrite, connection_out, client_version_string,
             strlen(client_version_string)) != strlen(client_version_string))
 diff --git a/sshd.c b/sshd.c
-index 3b4e97c..c362209 100644
+index 9ff9e8b..96e75c6 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
@@ -49,11 +49,11 @@ index 3b4e97c..c362209 100644
             options.version_addendum, newline);
  
 diff --git a/version.h b/version.h
-index dfe3ee9..94569ac 100644
+index b58fbe1..bff2b3b 100644
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_6.8"
+ #define SSH_VERSION    "OpenSSH_6.9"
  
  #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index ff16b9850..ba16a9943 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
-From 34592a434851697537873eed1eb83ba0a640c5c8 Mon Sep 17 00:00:00 2001
+From 7c26c2f768c5d457c6645c1e1c077ba10a853626 Mon Sep 17 00:00:00 2001
 From: Peter Samuelson <peter@p12n.org>
 Date: Sun, 9 Feb 2014 16:09:55 +0000
 Subject: Reduce severity of "Killed by signal %d"
@@ -22,10 +22,10 @@ Patch-Name: quieter-signals.patch
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/clientloop.c b/clientloop.c
-index 156a196..45cef88 100644
+index 964353d..65f90b8 100644
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -1707,8 +1707,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
+@@ -1720,8 +1720,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
                 exit_status = 0;
         }
  
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index c9da26f7d..9e0435313 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From 7df209aed8ded9a6cab34e704576998786bdc890 Mon Sep 17 00:00:00 2001
+From ace4bfab52b31a2833636a243ba150fdf0f48293 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 7 Oct 2014 13:22:41 +0100
 Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
  3 files changed, 89 insertions(+)
 
 diff --git a/configure.ac b/configure.ac
-index 216a9fd..5f606ea 100644
+index df21693..4d55c46 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey],
+@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
         ]
  )
  
@@ -94,7 +94,7 @@ index 216a9fd..5f606ea 100644
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -4920,6 +4976,7 @@ echo "                 KerberosV support: $KRB5_MSG"
+@@ -4928,6 +4984,7 @@ echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
  echo "                 Smartcard support: $SCARD_MSG"
  echo "                     S/KEY support: $SKEY_MSG"
@@ -103,10 +103,10 @@ index 216a9fd..5f606ea 100644
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
 diff --git a/sshd.8 b/sshd.8
-index 3c53f7c..fc2154c 100644
+index dcf20f0..5afd10f 100644
 --- a/sshd.8
 +++ b/sshd.8
-@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
+@@ -853,6 +853,12 @@ the user's home directory becomes accessible.
  This file should be writable only by the user, and need not be
  readable by anyone else.
  .Pp
@@ -119,7 +119,7 @@ index 3c53f7c..fc2154c 100644
  .It Pa /etc/hosts.equiv
  This file is for host-based authentication (see
  .Xr ssh 1 ) .
-@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable.
+@@ -956,6 +962,7 @@ The content of this file is not sensitive; it can be world-readable.
  .Xr ssh-keygen 1 ,
  .Xr ssh-keyscan 1 ,
  .Xr chroot 2 ,
@@ -128,7 +128,7 @@ index 3c53f7c..fc2154c 100644
  .Xr moduli 5 ,
  .Xr sshd_config 5 ,
 diff --git a/sshd.c b/sshd.c
-index cf38bae..9cbe8c4 100644
+index 6b85e6c..186ad55 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -129,6 +129,13 @@
@@ -145,7 +145,7 @@ index cf38bae..9cbe8c4 100644
  #ifndef O_NOCTTY
  #define O_NOCTTY       0
  #endif
-@@ -2133,6 +2140,24 @@ main(int ac, char **av)
+@@ -2141,6 +2148,24 @@ main(int ac, char **av)
  #ifdef SSH_AUDIT_EVENTS
         audit_connection_from(remote_ip, remote_port);
  #endif
@@ -169,4 +169,4 @@ index cf38bae..9cbe8c4 100644
 +#endif /* LIBWRAP */
  
         /* Log the connection. */
-        verbose("Connection from %s port %d on %s port %d",
+        laddr = get_local_ipaddr(sock_in);
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 52e709112..fcf389dec 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From 4f55e60d2296feba17b473b2146a75debe29993a Mon Sep 17 00:00:00 2001
+From 9921536f50f50eb283dea50c77753eb0773d4258 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch
  1 file changed, 10 insertions(+), 2 deletions(-)
 
 diff --git a/scp.c b/scp.c
-index 887b014..afa4a2f 100644
+index 593fe89..e39294e 100644
 --- a/scp.c
 +++ b/scp.c
 @@ -190,8 +190,16 @@ do_local_cmd(arglist *a)
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index da53671e3..617aa3b11 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From b9e97e15e25e4c836cb550213e3ee59b19096f9d Mon Sep 17 00:00:00 2001
+From 8b3e4a6ddad01fef62d153ac3b033de61a02696e Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -32,7 +32,7 @@ Patch-Name: selinux-role.patch
  16 files changed, 104 insertions(+), 31 deletions(-)
 
 diff --git a/auth.h b/auth.h
-index db86037..4985cd8 100644
+index 8b27575..3c2222f 100644
 --- a/auth.h
 +++ b/auth.h
 @@ -62,6 +62,7 @@ struct Authctxt {
@@ -113,7 +113,7 @@ index 3f49bdc..6eb3cc7 100644
                 if (auth2_setup_methods_lists(authctxt) != 0)
                         packet_disconnect("no authentication methods enabled");
 diff --git a/monitor.c b/monitor.c
-index a2027e5..6ff05e4 100644
+index bdc2972..3a3d2f0 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
@@ -180,7 +180,7 @@ index a2027e5..6ff05e4 100644
         return (0);
  }
  
-@@ -1540,7 +1566,7 @@ mm_answer_pty(int sock, Buffer *m)
+@@ -1544,7 +1570,7 @@ mm_answer_pty(int sock, Buffer *m)
         res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
         if (res == 0)
                 goto error;
@@ -203,10 +203,10 @@ index bc50ade..2d82b8b 100644
  
  struct mm_master;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index b667218..5aa9c47 100644
+index 71e7c08..6ae72a0 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -329,10 +329,10 @@ mm_auth2_read_banner(void)
+@@ -327,10 +327,10 @@ mm_auth2_read_banner(void)
         return (banner);
  }
  
@@ -219,7 +219,7 @@ index b667218..5aa9c47 100644
  {
         Buffer m;
  
-@@ -341,12 +341,30 @@ mm_inform_authserv(char *service, char *style)
+@@ -339,12 +339,30 @@ mm_inform_authserv(char *service, char *style)
         buffer_init(&m);
         buffer_put_cstring(&m, service);
         buffer_put_cstring(&m, style ? style : "");
@@ -251,7 +251,7 @@ index b667218..5aa9c47 100644
  int
  mm_auth_password(Authctxt *authctxt, char *password)
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 0c770e8..4d1e899 100644
+index 9758290..57e740f 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
 @@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *);
@@ -396,7 +396,7 @@ index 1c7a45d..436ae7c 100644
  char *platform_krb5_get_principal_name(const char *);
  int platform_sys_dir_uid(uid_t);
 diff --git a/session.c b/session.c
-index 54bac36..d4b7725 100644
+index 5a64715..afac4a5 100644
 --- a/session.c
 +++ b/session.c
 @@ -1487,7 +1487,7 @@ safely_chroot(const char *path, uid_t uid)
@@ -458,7 +458,7 @@ index 6a2f35e..ef6593c 100644
                        const char *value);
  
 diff --git a/sshd.c b/sshd.c
-index 9cbe8c4..3b4e97c 100644
+index 186ad55..9ff9e8b 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -781,7 +781,7 @@ privsep_postauth(Authctxt *authctxt)
@@ -471,7 +471,7 @@ index 9cbe8c4..3b4e97c 100644
   skip:
         /* It is safe now to apply the key state */
 diff --git a/sshpty.c b/sshpty.c
-index d2ff8c1..f7b1f6d 100644
+index 7bb7641..0e32b39 100644
 --- a/sshpty.c
 +++ b/sshpty.c
 @@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 549ef38dd..c12d86132 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From 8a8bbc66b8eefd7c679d5769f087209188deafe7 Mon Sep 17 00:00:00 2001
+From 865180de0e7d4735170faac2d584603fbe0530b2 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,7 +16,7 @@ Patch-Name: shell-path.patch
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 9e51506..0073c6e 100644
+index f41960c..8adc943 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
 @@ -231,7 +231,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
@@ -28,7 +28,7 @@ index 9e51506..0073c6e 100644
                 perror(argv[0]);
                 exit(1);
         }
-@@ -1470,7 +1470,7 @@ ssh_local_cmd(const char *args)
+@@ -1471,7 +1471,7 @@ ssh_local_cmd(const char *args)
         if (pid == 0) {
                 signal(SIGPIPE, SIG_DFL);
                 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index 80e775dc1..ae65d8285 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
-From a8e779107942d044d281461c609ec29129dec51e Mon Sep 17 00:00:00 2001
+From b0b95d9689563856ac4992c90b65ed4fd8f3fae6 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:17 +0000
 Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -13,10 +13,10 @@ Patch-Name: sigstop.patch
  1 file changed, 10 insertions(+)
 
 diff --git a/sshd.c b/sshd.c
-index 5435968..f8db3ae 100644
+index 7886d0e..cc8ecaf 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -2030,6 +2030,16 @@ main(int ac, char **av)
+@@ -2038,6 +2038,16 @@ main(int ac, char **av)
                         }
                 }
  
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index b382252a3..aa9fa7e4d 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From 101d1dd7f95d75f1862c541a5b8d4032d4623d53 Mon Sep 17 00:00:00 2001
+From 95d0369e741776a0d18cffb2e4526dee37ebdbd6 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
@@ -13,10 +13,10 @@ Patch-Name: ssh-agent-setgid.patch
  1 file changed, 15 insertions(+)
 
 diff --git a/ssh-agent.1 b/ssh-agent.1
-index 6759afe..25de326 100644
+index d0aa712..2a940d9 100644
 --- a/ssh-agent.1
 +++ b/ssh-agent.1
-@@ -181,6 +181,21 @@ environment variable holds the agent's process ID.
+@@ -186,6 +186,21 @@ environment variable holds the agent's process ID.
  .Pp
  The agent exits automatically when the command given on the command
  line terminates.
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 0fe3b6da4..fce893c91 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From fac628fd57d3d357b86d77987f896d6289240345 Mon Sep 17 00:00:00 2001
+From abc6170edaed77f07694dd001c87077376157eaa Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
  1 file changed, 1 insertion(+)
 
 diff --git a/ssh.1 b/ssh.1
-index 04de6cf..c8892fe 100644
+index c3e1266..2178863 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1471,6 +1471,7 @@ if an error occurred.
+@@ -1487,6 +1487,7 @@ if an error occurred.
  .Xr sftp 1 ,
  .Xr ssh-add 1 ,
  .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 28b98f527..7af91e955 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From d027dea6b4b659a7ad537e452db563763302eabd Mon Sep 17 00:00:00 2001
+From dd02db02d322c9db67d42fe491727854f951c828 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch
  2 files changed, 2 insertions(+)
 
 diff --git a/readconf.c b/readconf.c
-index 254dbce..278fe15 100644
+index 68dac76..85eea48 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -180,6 +180,7 @@ static struct {
@@ -29,10 +29,10 @@ index 254dbce..278fe15 100644
         { "pubkeyauthentication", oPubkeyAuthentication },
         { "dsaauthentication", oPubkeyAuthentication },             /* alias */
 diff --git a/servconf.c b/servconf.c
-index f68c0d0..b3a2841 100644
+index 2f7f41e..8a5bd7b 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -503,6 +503,7 @@ static struct {
+@@ -510,6 +510,7 @@ static struct {
         { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
         { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
         { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index e6bc72440..48308bcff 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,4 +1,4 @@
-From 396f7d932b391fc92ac7ccdf8813f49564e2bbab Mon Sep 17 00:00:00 2001
+From b3d7661669a0f5255ede81f82c25951aeba9576c Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:51 +0000
 Subject: Partial server keep-alive implementation for SSH1
@@ -13,10 +13,10 @@ Patch-Name: ssh1-keepalive.patch
  2 files changed, 19 insertions(+), 11 deletions(-)
 
 diff --git a/clientloop.c b/clientloop.c
-index 7df9413..156a196 100644
+index 77d5498..964353d 100644
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -564,16 +564,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
+@@ -577,16 +577,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
  static void
  server_alive_check(void)
  {
@@ -47,7 +47,7 @@ index 7df9413..156a196 100644
  }
  
  /*
-@@ -635,7 +640,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
+@@ -648,7 +653,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
          */
  
         timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */
@@ -57,10 +57,10 @@ index 7df9413..156a196 100644
                 server_alive_time = now + options.server_alive_interval;
         }
 diff --git a/ssh_config.5 b/ssh_config.5
-index 4476171..dd35dd8 100644
+index b840261..f7510b6 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1409,7 +1409,10 @@ If, for example,
+@@ -1414,7 +1414,10 @@ If, for example,
  .Cm ServerAliveCountMax
  is left at the default, if the server becomes unresponsive,
  ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index d760e6c19..e829e50fd 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From fbe5bd9e957ea90404158b3a3c11a6b91fe6f010 Mon Sep 17 00:00:00 2001
+From 9e6bb8525886d99876eb43a3b39c96bdf3032146 Mon Sep 17 00:00:00 2001
 From: Jonathan David Amery <jdamery@ysolde.ucam.org>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index 32e1d2e..53e7b65 100644
         { "FATAL",      SYSLOG_LEVEL_FATAL },
         { "ERROR",      SYSLOG_LEVEL_ERROR },
 diff --git a/ssh.c b/ssh.c
-index 0ad82f0..e8be6fe 100644
+index 3fd5a94..d99f7ef 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -1107,7 +1107,7 @@ main(int ac, char **av)
+@@ -1105,7 +1105,7 @@ main(int ac, char **av)
         /* Do not allocate a tty if stdin is not a tty. */
         if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
             options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 8ce3d1f71..9213c1f29 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From 39b2121148a0aa016a648446823c8f02c5fd95b3 Mon Sep 17 00:00:00 2001
+From 209c51110996719eab04236d72f776eed6bd8226 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
@@ -52,10 +52,10 @@ index ee9e827..2ff2cff 100644
                             pw->pw_name, buf);
                         auth_debug_add("Bad file modes for %.200s", buf);
 diff --git a/auth.c b/auth.c
-index f9b7673..41e3876 100644
+index e6c094d..a99c475 100644
 --- a/auth.c
 +++ b/auth.c
-@@ -423,8 +423,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
+@@ -422,8 +422,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
                 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
                 if (options.strict_modes &&
                     (stat(user_hostfile, &st) == 0) &&
@@ -65,7 +65,7 @@ index f9b7673..41e3876 100644
                         logit("Authentication refused for %.100s: "
                             "bad owner or modes for %.200s",
                             pw->pw_name, user_hostfile);
-@@ -486,8 +485,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
+@@ -485,8 +484,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
                 snprintf(err, errlen, "%s is not a regular file", buf);
                 return -1;
         }
@@ -75,7 +75,7 @@ index f9b7673..41e3876 100644
                 snprintf(err, errlen, "bad ownership or modes for file %s",
                     buf);
                 return -1;
-@@ -502,8 +500,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
+@@ -501,8 +499,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
                 strlcpy(buf, cp, sizeof(buf));
  
                 if (stat(buf, &st) < 0 ||
@@ -86,7 +86,7 @@ index f9b7673..41e3876 100644
                             "bad ownership or modes for directory %s", buf);
                         return -1;
 diff --git a/misc.c b/misc.c
-index 38af3df..d745480 100644
+index ddd2b2d..1c063ea 100644
 --- a/misc.c
 +++ b/misc.c
 @@ -50,8 +50,9 @@
@@ -216,7 +216,7 @@ index f35ec39..9a23e6e 100644
 -       return 0;
 -}
 diff --git a/readconf.c b/readconf.c
-index 1d2d596..2ef8d7b 100644
+index 5c5890c..5f6c37f 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -39,6 +39,8 @@
@@ -239,10 +239,10 @@ index 1d2d596..2ef8d7b 100644
         }
  
 diff --git a/ssh.1 b/ssh.1
-index da64b71..53c711a 100644
+index df7ac86..c84196f 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1355,6 +1355,8 @@ The file format and configuration options are described in
+@@ -1371,6 +1371,8 @@ The file format and configuration options are described in
  .Xr ssh_config 5 .
  Because of the potential for abuse, this file must have strict permissions:
  read/write for the user, and not writable by others.
@@ -252,10 +252,10 @@ index da64b71..53c711a 100644
  .It Pa ~/.ssh/environment
  Contains additional definitions for environment variables; see
 diff --git a/ssh_config.5 b/ssh_config.5
-index 250c0d1..8abcf40 100644
+index 21d3e94..1d0c52b 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1701,6 +1701,8 @@ The format of this file is described above.
+@@ -1706,6 +1706,8 @@ The format of this file is described above.
  This file is used by the SSH client.
  Because of the potential for abuse, this file must have strict permissions:
  read/write for the user, and not accessible by others.