New upstream release (8.4p1)

author: Colin Watson <cjwatson@debian.org> 2020-10-20 14:12:31 +0100
committer: Colin Watson <cjwatson@debian.org> 2020-10-20 14:12:31 +0100
commit: e371906fbbbbc11b0dced8fd4e0d258eb489d7c1 (patch)
tree: 4d0d8d2afd52572deb7910e29ff5a334b2bcf702 /debian
parent: e429009cde648a41479cd1b60ce972760a2bdabc (diff)
parent: 3728919292c05983372954d27426f7d966813139 (diff)
31 files changed, 370 insertions, 292 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 0e68bd57c..3942a1891 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,12 +1,12 @@
 # see git-dpm(1) from git-dpm package
-877a000e9474ed5e32029f434dbec4de2fb1696f
+3728919292c05983372954d27426f7d966813139
-877a000e9474ed5e32029f434dbec4de2fb1696f
+3728919292c05983372954d27426f7d966813139
-202f5a676221c244cd450086c334c2b59f339e86
+2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb
-202f5a676221c244cd450086c334c2b59f339e86
+2b2c99658e3e8ed452e28f88f9cdbcdfb2a461cb
-openssh_8.3p1.orig.tar.gz
+openssh_8.4p1.orig.tar.gz
-04c7adb9986f16746588db8988b910530c589819
+69305059e10a60693ebe6f17731f962c9577535c
-1706358
+1742201
 debianTag="debian/%e%%%V"
 patchedTag="patched/%e%%%V"
 upstreamTag="upstream/%U"
-signature:e3fdeb7b96543bcc2854614c6163cfe860ba5ec8:683:openssh_8.3p1.orig.tar.gz.asc
+signature:323573568682eac265e1f69206bc98149a8e423e:683:openssh_8.4p1.orig.tar.gz.asc
diff --git a/debian/NEWS b/debian/NEWS
index 3bfafbda7..2d38891ea 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,19 @@
+openssh (1:8.4p1-1) unstable; urgency=medium
+  OpenSSH 8.4 includes a number of changes that may affect existing
+  configurations:
+   * ssh-keygen(1): the format of the attestation information optionally
+     recorded when a FIDO key is generated has changed. It now includes the
+     authenticator data needed to validate attestation signatures. 
+   * The API between OpenSSH and the FIDO token middleware has changed and
+     the SSH_SK_VERSION_MAJOR version has been incremented as a result.
+     Third-party middleware libraries must support the current API version
+     (7) to work with OpenSSH 8.4.
+ -- Colin Watson <cjwatson@debian.org>  Sun, 18 Oct 2020 12:07:48 +0100
 openssh (1:8.3p1-1) unstable; urgency=medium
  OpenSSH 8.3 includes a number of changes that may affect existing
diff --git a/debian/changelog b/debian/changelog
index 95c88c634..03d7a0af4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,133 @@
+openssh (1:8.4p1-1) UNRELEASED; urgency=medium
+  * New upstream release (https://www.openssh.com/txt/release-8.4):
+    - [SECURITY] ssh-agent(1): restrict ssh-agent from signing web
+      challenges for FIDO/U2F keys.
+    - [SECURITY] ssh-keygen(1): Enable FIDO 2.1 credProtect extension when
+      generating a FIDO resident key.
+    - ssh-keygen(1): the format of the attestation information optionally
+      recorded when a FIDO key is generated has changed. It now includes the
+      authenticator data needed to validate attestation signatures. 
+    - The API between OpenSSH and the FIDO token middleware has changed and
+      the SSH_SK_VERSION_MAJOR version has been incremented as a result.
+      Third-party middleware libraries must support the current API version
+      (7) to work with OpenSSH 8.4.
+    - ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
+      each use. These keys may be generated using ssh-keygen using a new
+      "verify-required" option. When a PIN-required key is used, the user
+      will be prompted for a PIN to complete the signature operation.
+    - sshd(8): authorized_keys now supports a new "verify-required" option
+      to require FIDO signatures assert that the token verified that the
+      user was present before making the signature. The FIDO protocol
+      supports multiple methods for user-verification, but currently OpenSSH
+      only supports PIN verification.
+    - sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
+      signatures. Webauthn is a standard for using FIDO keys in web
+      browsers. These signatures are a slightly different format to plain
+      FIDO signatures and thus require explicit support.
+    - ssh(1): allow some keywords to expand shell-style ${ENV} environment
+      variables. The supported keywords are CertificateFile, ControlPath,
+      IdentityAgent and IdentityFile, plus LocalForward and RemoteForward
+      when used for Unix domain socket paths.
+    - ssh(1), ssh-agent(1): allow some additional control over the use of
+      ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
+      including forcibly enabling and disabling its use (closes: #368657).
+    - ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
+      limit for keys in addition to its current flag options. Time-limited
+      keys will automatically be removed from ssh-agent after their expiry
+      time has passed.
+    - scp(1), sftp(1): allow the -A flag to explicitly enable agent
+      forwarding in scp and sftp. The default remains to not forward an
+      agent, even when ssh_config enables it.
+    - ssh(1): add a '%k' TOKEN that expands to the effective HostKey of the
+      destination. This allows, e.g., keeping host keys in individual files
+      using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k" (closes: #481250).
+    - ssh(1): add %-TOKEN, environment variable and tilde expansion to the
+      UserKnownHostsFile directive, allowing the path to be completed by the
+      configuration.
+    - ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted from
+      stdin.
+    - sshd(8): improve logging for MaxStartups connection throttling.  sshd
+      will now log when it starts and stops throttling and periodically
+      while in this state.
+    - ssh(1), ssh-keygen(1): better support for multiple attached FIDO
+      tokens. In cases where OpenSSH cannot unambiguously determine which
+      token to direct a request to, the user is now required to select a
+      token by touching it. In cases of operations that require a PIN to be
+      verified, this avoids sending the wrong PIN to the wrong token and
+      incrementing the token's PIN failure counter (tokens effectively erase
+      their keys after too many PIN failures).
+    - sshd(8): fix Include before Match in sshd_config (LP: #1885990).
+    - ssh(1): close stdin/out/error when forking after authentication
+      completes ("ssh -f ...").
+    - ssh(1), sshd(8): limit the amount of channel input data buffered,
+      avoiding peers that advertise large windows but are slow to read from
+      causing high memory consumption.
+    - ssh-agent(1): handle multiple requests sent in a single write() to the
+      agent.
+    - sshd(8): allow sshd_config longer than 256k.
+    - sshd(8): avoid spurious "Unable to load host key" message when sshd
+      load a private key but no public counterpart.
+    - ssh(1): prefer the default hostkey algorithm list whenever we have a
+      hostkey that matches its best-preference algorithm.
+    - sshd(1): when ordering the hostkey algorithms to request from a
+      server, prefer certificate types if the known_hosts files contain a
+      key marked as a @cert-authority.
+    - ssh(1): perform host key fingerprint comparisons for the "Are you sure
+      you want to continue connecting (yes/no/[fingerprint])?" prompt with
+      case sensitivity.
+    - sshd(8): ensure that address/masklen mismatches in sshd_config yield
+      fatal errors at daemon start time rather than later when they are
+      evaluated.
+    - ssh-keygen(1): ensure that certificate extensions are lexically
+      sorted. Previously if the user specified a custom extension then the
+      everything would be in order except the custom ones.
+    - ssh(1): also compare username when checking for JumpHost loops.
+    - ssh-keygen(1): preserve group/world read permission on known_hosts
+      files across runs of "ssh-keygen -Rf /path". The old behaviour was to
+      remove all rights for group/other.
+    - ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen manual
+      page and usage().
+    - sshd(8): explicitly construct path to ~/.ssh/rc rather than relying on
+      it being relative to the current directory, so that it can still be
+      found if the shell startup changes its directory.
+    - sshd(8): when redirecting sshd's log output to a file, undo this
+      redirection after the session child process is forked(). Fixes missing
+      log messages when using this feature under some circumstances.
+    - sshd(8): start ClientAliveInterval bookkeeping before first pass
+      through select() loop; fixed theoretical case where busy sshd may
+      ignore timeouts from client.
+    - ssh(1): only reset the ServerAliveInterval check when we receive
+      traffic from the server and ignore traffic from a port forwarding
+      client, preventing a client from keeping a connection alive when it
+      should be terminated.
+    - ssh-keygen(1): avoid spurious error message when ssh-keygen creates
+      files outside ~/.ssh.
+    - sftp-client(1): fix off-by-one error that caused sftp downloads to
+      make one more concurrent request that desired. This prevented using
+      sftp(1) in unpipelined request/response mode, which is useful when
+      debugging.
+    - ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect()
+      helpers.
+    - ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to
+      write to it so we don't leave an empty .ssh directory when it's not
+      needed.
+    - ssh(1), sshd(8): fix multiplier when parsing time specifications when
+      handling seconds after other units.
+    - sshd(8): always send any PAM account messages. If the PAM account
+      stack returns any messages, always send them to the user and not just
+      if the check succeeds.
+    - gnome-ssh-askpass3: ensure the "close" button is not focused by
+      default for SSH_ASKPASS_PROMPT=none prompts. Avoids space/enter
+      accidentally dismissing FIDO touch notifications.
+    - gnome-ssh-askpass3: allow some control over textarea colour via
+      $GNOME_SSH_ASKPASS_FG_COLOR and $GNOME_SSH_ASKPASS_BG_COLOR
+      environment variables.
+    - Detect the Frankenstein monster of Linux/X32 and allow the sandbox to
+      function there.
+ -- Colin Watson <cjwatson@debian.org>  Sun, 18 Oct 2020 12:07:48 +0100
 openssh (1:8.3p1-1) unstable; urgency=medium
  * New upstream release (https://www.openssh.com/txt/release-8.3):
diff --git a/debian/control b/debian/control
index 98ee0189a..14506c5c1 100644
--- a/debian/control
+++ b/debian/control
@@ -11,7 +11,7 @@ Build-Depends: autotools-dev,
               dpkg-dev (>= 1.16.1~),
               libaudit-dev [linux-any],
               libedit-dev,
-               libfido2-dev [linux-any],
+               libfido2-dev (>= 1.5.0) [linux-any],
               libgtk-3-dev <!pkg.openssh.nognome>,
               libkrb5-dev | heimdal-dev,
               libpam0g-dev | libpam-dev,
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 68f5029d5..2680fc739 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From eb51213d1bdc8d80cd7d0578737d8a7bfde992d2 Mon Sep 17 00:00:00 2001
+From 27ced5f6a3c5dec6e0a78ae138d3db56d49953bd Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
 1 file changed, 1 insertion(+)
 diff --git a/Makefile.in b/Makefile.in
-index bf1e1de47..3aa808a38 100644
+index 56759c388..73e56aaac 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -406,6 +406,7 @@ install-files:
+@@ -408,6 +408,7 @@ install-files:
        $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
        $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
        $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/avoid-extra-ports.patch b/debian/patches/avoid-extra-ports.patch
deleted file mode 100644
index d8df325ac..000000000
--- a/debian/patches/avoid-extra-ports.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 877a000e9474ed5e32029f434dbec4de2fb1696f Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Wed, 27 May 2020 21:59:11 +0000
-Subject: upstream: Do not call process_queued_listen_addrs() for every
-included file from sshd_config; patch from Jakub Jelen
-OpenBSD-Commit-ID: 0ff603d6f06a7fab4881f12503b53024799d0a49
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=0a9a611619b0a1fecd0195ec86a9885f5d681c84
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3169
-Bug-Debian: https://bugs.debian.org/962035
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1876320
-Last-Update: 2020-06-07
-Patch-Name: avoid-extra-ports.patch
---
- servconf.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-diff --git a/servconf.c b/servconf.c
-index c290e9786..5f3336365 100644
--- a/servconf.c
-+++ b/servconf.c
-@@ -1,5 +1,5 @@
- 
-/* $OpenBSD: servconf.c,v 1.363 2020/04/17 03:30:05 djm Exp $ */
-+/* $OpenBSD: servconf.c,v 1.364 2020/05/27 21:59:11 djm Exp $ */
- /*
-  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-  *                    All rights reserved
-@@ -75,8 +75,8 @@ static void add_listen_addr(ServerOptions *, const char *,
-     const char *, int);
- static void add_one_listen_addr(ServerOptions *, const char *,
-     const char *, int);
-void parse_server_config_depth(ServerOptions *options, const char *filename,
-    struct sshbuf *conf, struct include_list *includes,
-+static void parse_server_config_depth(ServerOptions *options,
-+    const char *filename, struct sshbuf *conf, struct include_list *includes,
-     struct connection_info *connectinfo, int flags, int *activep, int depth);
- 
- /* Use of privilege separation or not */
-@@ -2623,7 +2623,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
- #undef M_CP_STRARRAYOPT
- 
- #define SERVCONF_MAX_DEPTH     16
-void
-+static void
- parse_server_config_depth(ServerOptions *options, const char *filename,
-     struct sshbuf *conf, struct include_list *includes,
-     struct connection_info *connectinfo, int flags, int *activep, int depth)
-@@ -2649,7 +2649,6 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
-        if (bad_options > 0)
-                fatal("%s: terminating, %d bad configuration options",
-                    filename, bad_options);
-       process_queued_listen_addrs(options);
- }
- 
- void
-@@ -2660,6 +2659,7 @@ parse_server_config(ServerOptions *options, const char *filename,
-        int active = connectinfo ? 0 : 1;
-        parse_server_config_depth(options, filename, conf, includes,
-            connectinfo, 0, &active, 0);
-+       process_queued_listen_addrs(options);
- }
- 
- static const char *
diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch
index dfd1058b8..c7063cece 100644
--- a/debian/patches/conch-old-privkey-format.patch
+++ b/debian/patches/conch-old-privkey-format.patch
@@ -1,4 +1,4 @@
-From f2697f0c5ff23bc13dce1c90fb4c1c934c02070b Mon Sep 17 00:00:00 2001
+From a73fcc8bab768900ca16d3121303941511b28d45 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Thu, 30 Aug 2018 00:58:56 +0100
 Subject: Work around conch interoperability failure
@@ -18,10 +18,10 @@ Patch-Name: conch-old-privkey-format.patch
 3 files changed, 14 insertions(+), 2 deletions(-)
 diff --git a/regress/Makefile b/regress/Makefile
-index 62794d25f..53a50ffca 100644
+index 8b4ed9de3..f50d189bb 100644
 --- a/regress/Makefile
 +++ b/regress/Makefile
-@@ -121,7 +121,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
+@@ -122,7 +122,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
                rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
                scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
                sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 47a2fe372..82cc37c1b 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From 90c1c8771b61dd3ee0eacb4e1cfac404dc42f4b0 Mon Sep 17 00:00:00 2001
+From 6353ee79cc71ef33a0a34d2d769a5fe327f6260d Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
@@ -22,7 +22,7 @@ Patch-Name: debian-banner.patch
 7 files changed, 22 insertions(+), 5 deletions(-)
 diff --git a/kex.c b/kex.c
-index 0e64bf760..aa5acaac3 100644
+index ce7bb5b3b..763c45536 100644
 --- a/kex.c
 +++ b/kex.c
 @@ -1225,7 +1225,7 @@ send_error(struct ssh *ssh, char *msg)
@@ -58,10 +58,10 @@ index fe7141414..938dca03b 100644
 struct kex *kex_new(void);
 int     kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
 diff --git a/servconf.c b/servconf.c
-index ff5b9436c..cf4e52f3b 100644
+index 21abe41ac..f9eb778d6 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options)
+@@ -195,6 +195,7 @@ initialize_server_options(ServerOptions *options)
        options->fingerprint_hash = -1;
        options->disable_forwarding = -1;
        options->expose_userauth_info = -1;
@@ -69,7 +69,7 @@ index ff5b9436c..cf4e52f3b 100644
 }
 
 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
-@@ -468,6 +469,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -469,6 +470,8 @@ fill_default_server_options(ServerOptions *options)
                options->expose_userauth_info = 0;
        if (options->sk_provider == NULL)
                options->sk_provider = xstrdup("internal");
@@ -78,7 +78,7 @@ index ff5b9436c..cf4e52f3b 100644
 
        assemble_algorithms(options);
 
-@@ -556,6 +559,7 @@ typedef enum {
+@@ -548,6 +551,7 @@ typedef enum {
        sStreamLocalBindMask, sStreamLocalBindUnlink,
        sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
        sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
@@ -86,7 +86,7 @@ index ff5b9436c..cf4e52f3b 100644
        sDeprecated, sIgnore, sUnsupported
 } ServerOpCodes;
 
-@@ -719,6 +723,7 @@ static struct {
+@@ -712,6 +716,7 @@ static struct {
        { "rdomain", sRDomain, SSHCFG_ALL },
        { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
        { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
@@ -94,7 +94,7 @@ index ff5b9436c..cf4e52f3b 100644
        { NULL, sBadOption, 0 }
 };
 
-@@ -2393,6 +2398,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -2402,6 +2407,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
                        *charptr = xstrdup(arg);
                break;
 
@@ -106,10 +106,10 @@ index ff5b9436c..cf4e52f3b 100644
        case sIgnore:
        case sUnsupported:
 diff --git a/servconf.h b/servconf.h
-index 253cad97e..5a2b60512 100644
+index f10908e5b..4afdf24d0 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -226,6 +226,8 @@ typedef struct {
+@@ -227,6 +227,8 @@ typedef struct {
        int     expose_userauth_info;
        u_int64_t timing_secret;
        char   *sk_provider;
@@ -119,10 +119,10 @@ index 253cad97e..5a2b60512 100644
 
 /* Information about the incoming connection as used by Match */
 diff --git a/sshconnect.c b/sshconnect.c
-index f20d3e792..1e5b8ea5a 100644
+index 3ae20b74e..bab3916d8 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -1293,7 +1293,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
+@@ -1296,7 +1296,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
        lowercase(host);
 
        /* Exchange protocol version identification strings with the server. */
@@ -132,10 +132,10 @@ index f20d3e792..1e5b8ea5a 100644
 
        /* Put the connection into non-blocking mode. */
 diff --git a/sshd.c b/sshd.c
-index e8b332ca4..baee13506 100644
+index 38d281ab4..50f2726bf 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -2181,7 +2181,7 @@ main(int ac, char **av)
+@@ -2232,7 +2232,7 @@ main(int ac, char **av)
        if (!debug_flag)
                alarm(options.login_grace_time);
 
@@ -145,7 +145,7 @@ index e8b332ca4..baee13506 100644
                sshpkt_fatal(ssh, r, "banner exchange");
 
 diff --git a/sshd_config.5 b/sshd_config.5
-index 9f093be1f..753ceda10 100644
+index 6457620bb..33dc0c675 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -540,6 +540,11 @@ or
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index d01331cc3..aa370e52f 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 08ca1225e6979fc6b5b6e7f85ce5cb0ac5cc7405 Mon Sep 17 00:00:00 2001
+From a0c9f82b05d33f3e2cf8e5442cee47c09d1a1dd8 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -30,7 +30,7 @@ Document all of this.
 Author: Russ Allbery <rra@debian.org>
 Forwarded: not-needed
-Last-Update: 2020-02-21
+Last-Update: 2020-10-18
 Patch-Name: debian-config.patch
 ---
@@ -43,10 +43,10 @@ Patch-Name: debian-config.patch
 6 files changed, 98 insertions(+), 9 deletions(-)
 diff --git a/readconf.c b/readconf.c
-index 5bf0afbb4..87b0dc62a 100644
+index f4f273c96..e676b6be6 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -2111,7 +2111,7 @@ fill_default_options(Options * options)
+@@ -2153,7 +2153,7 @@ fill_default_options(Options * options)
        if (options->forward_x11 == -1)
                options->forward_x11 = 0;
        if (options->forward_x11_trusted == -1)
@@ -56,7 +56,7 @@ index 5bf0afbb4..87b0dc62a 100644
                options->forward_x11_timeout = 1200;
        /*
 diff --git a/ssh.1 b/ssh.1
-index 5a31b5dde..035823da3 100644
+index 76ddd89b5..ad48fc8c8 100644
 --- a/ssh.1
 +++ b/ssh.1
 @@ -812,6 +812,16 @@ directive in
@@ -98,7 +98,7 @@ index 5a31b5dde..035823da3 100644
 Send log information using the
 .Xr syslog 3
 diff --git a/ssh_config b/ssh_config
-index 1ff999b68..8a55237b9 100644
+index 52aae8692..09a17cf18 100644
 --- a/ssh_config
 +++ b/ssh_config
 @@ -17,9 +17,12 @@
@@ -115,15 +115,15 @@ index 1ff999b68..8a55237b9 100644
 #   PasswordAuthentication yes
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
-@@ -45,3 +48,6 @@
+@@ -46,3 +49,6 @@
- #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
+ #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
 +    SendEnv LANG LC_*
 +    HashKnownHosts yes
 +    GSSAPIAuthentication yes
 diff --git a/ssh_config.5 b/ssh_config.5
-index dd8241df1..aac3fabb7 100644
+index 96ca7a5df..6d6c59521 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
@@ -156,7 +156,7 @@ index dd8241df1..aac3fabb7 100644
 The file contains keyword-argument pairs, one per line.
 Lines starting with
 .Ql #
-@@ -729,11 +752,12 @@ elapsed.
+@@ -742,11 +765,12 @@ elapsed.
 .It Cm ForwardX11Trusted
 If this option is set to
 .Cm yes ,
@@ -229,7 +229,7 @@ index 2c48105f8..459c1b230 100644
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 diff --git a/sshd_config.5 b/sshd_config.5
-index c27f99937..b38025dbf 100644
+index 32ae46476..472001dd1 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 3b9e8df3c..23ecc0d3d 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From ca39bb2ab1f56d8ecdeadc32d6bda1a8e73301ac Mon Sep 17 00:00:00 2001
+From 78a7702d88713e854550a05fa9b8670f219d9bf9 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index f58bbaeee..3e96f3b8e 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From 0402bdf307736b3afae8c80c84f04b0295990c45 Mon Sep 17 00:00:00 2001
+From 5fca8a730171f96a72007118c0d35cf4a09359f8 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
 1 file changed, 3 insertions(+)
 diff --git a/ssh_config.5 b/ssh_config.5
-index d814147d4..dd8241df1 100644
+index 190e1d927..96ca7a5df 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -848,6 +848,9 @@ Note that existing names and addresses in known hosts files
+@@ -861,6 +861,9 @@ Note that existing names and addresses in known hosts files
 will not be converted automatically,
 but may be manually hashed using
 .Xr ssh-keygen 1 .
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 7436be62d..d7d0bed64 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 9b1d6a32944943b6b18861b97868c463bf5a6e8c Mon Sep 17 00:00:00 2001
+From c26f6f9c7051b9ab2ac13d1d227e6d39527839cc Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
@@ -12,10 +12,10 @@ Patch-Name: gnome-ssh-askpass2-icon.patch
 1 file changed, 2 insertions(+)
 diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
-index bc83a2d67..88cdfaeff 100644
+index f7912727c..bf8c92c8f 100644
 --- a/contrib/gnome-ssh-askpass2.c
 +++ b/contrib/gnome-ssh-askpass2.c
-@@ -233,6 +233,8 @@ main(int argc, char **argv)
+@@ -322,6 +322,8 @@ main(int argc, char **argv)
 
        gtk_init(&argc, &argv);
 
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 685923e47..d779eacb6 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 79f9d21b406c172878896ef41cdc2502fc2f84a7 Mon Sep 17 00:00:00 2001
+From d1b7918f9bce6e997c7952ac795e18d09192b2a6 Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -68,10 +68,10 @@ Patch-Name: gssapi.patch
 create mode 100644 kexgsss.c
 diff --git a/Makefile.in b/Makefile.in
-index c9e4294d3..bf1e1de47 100644
+index acfb919da..56759c388 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+@@ -107,6 +107,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
        kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
        kexgexc.o kexgexs.o \
        sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
@@ -79,7 +79,7 @@ index c9e4294d3..bf1e1de47 100644
        sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
        sshbuf-io.o
 
-@@ -125,7 +126,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
+@@ -123,7 +124,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
        auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
        auth2-none.o auth2-passwd.o auth2-pubkey.o \
        monitor.o monitor_wrap.o auth-krb5.o \
@@ -130,7 +130,7 @@ index 28fb43d2a..5b73d24c0 100644
 
 [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
 diff --git a/auth.c b/auth.c
-index 086b8ebb1..687c57b42 100644
+index 9a5498b66..3d31ec860 100644
 --- a/auth.c
 +++ b/auth.c
 @@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
@@ -339,7 +339,7 @@ index 9351e0428..d6446c0cf 100644
        "gssapi-with-mic",
        userauth_gssapi,
 diff --git a/auth2.c b/auth2.c
-index 91aaf34a6..a4a5e0069 100644
+index 242a7adbe..9fa1404b3 100644
 --- a/auth2.c
 +++ b/auth2.c
 @@ -73,6 +73,7 @@ extern Authmethod method_passwd;
@@ -477,7 +477,7 @@ index 26d62855a..0cadc9f18 100644
 int             get_peer_port(int);
 char           *get_local_ipaddr(int);
 diff --git a/clientloop.c b/clientloop.c
-index da396c72a..42ace7789 100644
+index 60b46d161..2cebea29f 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -112,6 +112,10 @@
@@ -491,7 +491,7 @@ index da396c72a..42ace7789 100644
 /* import options */
 extern Options options;
 
-@@ -1361,9 +1365,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
+@@ -1368,9 +1372,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
                        break;
 
                /* Do channel operations unless rekeying in progress. */
@@ -512,10 +512,10 @@ index da396c72a..42ace7789 100644
                client_process_net_input(ssh, readset);
 
 diff --git a/configure.ac b/configure.ac
-index 460383757..d98e6f74a 100644
+index 7005a503e..c8a96deb4 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -676,6 +676,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+@@ -679,6 +679,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
            [Use tunnel device compatibility to OpenBSD])
        AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
            [Prepend the address family to IP tunnel traffic])
@@ -1330,7 +1330,7 @@ index b5d4bb2d1..55f4d4bda 100644
 
 /* Privileged */
 diff --git a/kex.c b/kex.c
-index 09c7258e0..144dee512 100644
+index aecb9394d..751cfc710 100644
 --- a/kex.c
 +++ b/kex.c
 @@ -57,11 +57,16 @@
@@ -1523,10 +1523,10 @@ index a5ae6ac05..fe7141414 100644
        __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
        __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
 diff --git a/kexdh.c b/kexdh.c
-index 67133e339..edaa46762 100644
+index 6e0159f9f..d024a8b9a 100644
 --- a/kexdh.c
 +++ b/kexdh.c
-@@ -48,13 +48,23 @@ kex_dh_keygen(struct kex *kex)
+@@ -49,13 +49,23 @@ kex_dh_keygen(struct kex *kex)
 {
        switch (kex->kex_type) {
        case KEX_DH_GRP1_SHA1:
@@ -2656,7 +2656,7 @@ index 000000000..60bc02deb
 +}
 +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
 diff --git a/monitor.c b/monitor.c
-index b6e855d5d..5347e900d 100644
+index 4cf79dfc9..11868952b 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -148,6 +148,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *);
@@ -2709,7 +2709,7 @@ index b6e855d5d..5347e900d 100644
 
        if (auth_opts->permit_pty_flag) {
                monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
-@@ -1712,6 +1729,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
+@@ -1725,6 +1742,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
 # ifdef OPENSSL_HAS_ECC
                kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
 # endif
@@ -2727,7 +2727,7 @@ index b6e855d5d..5347e900d 100644
 #endif /* WITH_OPENSSL */
                kex->kex[KEX_C25519_SHA256] = kex_gen_server;
                kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
-@@ -1805,8 +1833,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1818,8 +1846,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
        u_char *p;
        int r;
 
@@ -2738,7 +2738,7 @@ index b6e855d5d..5347e900d 100644
 
        if ((r = sshbuf_get_string(m, &p, &len)) != 0)
                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-@@ -1838,8 +1866,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1851,8 +1879,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
        OM_uint32 flags = 0; /* GSI needs this */
        int r;
 
@@ -2749,7 +2749,7 @@ index b6e855d5d..5347e900d 100644
 
        if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
                fatal("%s: buffer error: %s", __func__, ssh_err(r));
-@@ -1859,6 +1887,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1872,6 +1900,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2757,7 +2757,7 @@ index b6e855d5d..5347e900d 100644
        }
        return (0);
 }
-@@ -1870,8 +1899,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1883,8 +1912,8 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
        OM_uint32 ret;
        int r;
 
@@ -2768,7 +2768,7 @@ index b6e855d5d..5347e900d 100644
 
        if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
            (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
-@@ -1897,13 +1926,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1910,13 +1939,17 @@ mm_answer_gss_checkmic(struct ssh *ssh, int sock, struct sshbuf *m)
 int
 mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
 {
@@ -2790,7 +2790,7 @@ index b6e855d5d..5347e900d 100644
 
        sshbuf_reset(m);
        if ((r = sshbuf_put_u32(m, authenticated)) != 0)
-@@ -1912,7 +1945,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1925,7 +1958,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
        debug3("%s: sending result %d", __func__, authenticated);
        mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
 
@@ -2803,7 +2803,7 @@ index b6e855d5d..5347e900d 100644
 
        if ((displayname = ssh_gssapi_displayname()) != NULL)
                auth2_record_info(authctxt, "%s", displayname);
-@@ -1920,5 +1957,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1933,5 +1970,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
        /* Monitor loop will terminate if authenticated */
        return (authenticated);
 }
@@ -2903,7 +2903,7 @@ index 683e5e071..2b1a2d590 100644
 
 struct ssh;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 001a8fa1c..6edb509a3 100644
+index 5e38d83eb..0e78cd006 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
 @@ -993,13 +993,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
@@ -2982,10 +2982,10 @@ index 001a8fa1c..6edb509a3 100644
 +
 #endif /* GSSAPI */
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 23ab096aa..485590c18 100644
+index 0db38c206..75aef1c74 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
-@@ -64,8 +64,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
+@@ -65,8 +65,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -2998,7 +2998,7 @@ index 23ab096aa..485590c18 100644
 
 #ifdef USE_PAM
 diff --git a/readconf.c b/readconf.c
-index 2afcbaeca..fb585e248 100644
+index 554efd7c9..57dae55d1 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -67,6 +67,7 @@
@@ -3041,7 +3041,7 @@ index 2afcbaeca..fb585e248 100644
 #endif
 #ifdef ENABLE_PKCS11
        { "pkcs11provider", oPKCS11Provider },
-@@ -1053,10 +1068,42 @@ parse_time:
+@@ -1068,10 +1083,42 @@ parse_time:
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -3084,7 +3084,7 @@ index 2afcbaeca..fb585e248 100644
        case oBatchMode:
                intptr = &options->batch_mode;
                goto parse_flag;
-@@ -1935,7 +1982,13 @@ initialize_options(Options * options)
+@@ -1976,7 +2023,13 @@ initialize_options(Options * options)
        options->pubkey_authentication = -1;
        options->challenge_response_authentication = -1;
        options->gss_authentication = -1;
@@ -3098,7 +3098,7 @@ index 2afcbaeca..fb585e248 100644
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->kbd_interactive_devices = NULL;
-@@ -2083,8 +2136,18 @@ fill_default_options(Options * options)
+@@ -2125,8 +2178,18 @@ fill_default_options(Options * options)
                options->challenge_response_authentication = 1;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -3117,7 +3117,7 @@ index 2afcbaeca..fb585e248 100644
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
-@@ -2726,7 +2789,14 @@ dump_client_config(Options *o, const char *host)
+@@ -2776,7 +2839,14 @@ dump_client_config(Options *o, const char *host)
        dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
 #ifdef GSSAPI
        dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
@@ -3133,7 +3133,7 @@ index 2afcbaeca..fb585e248 100644
        dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
        dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
 diff --git a/readconf.h b/readconf.h
-index e143a1082..c405b837f 100644
+index d6a15550d..3803eeddf 100644
 --- a/readconf.h
 +++ b/readconf.h
 @@ -41,7 +41,13 @@ typedef struct {
@@ -3151,10 +3151,10 @@ index e143a1082..c405b837f 100644
                                                 * authentication. */
        int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 diff --git a/servconf.c b/servconf.c
-index ba0a92c7b..f38ba9e44 100644
+index f08e37477..ded8f4a87 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -69,6 +69,7 @@
+@@ -70,6 +70,7 @@
 #include "auth.h"
 #include "myproposal.h"
 #include "digest.h"
@@ -3162,7 +3162,7 @@ index ba0a92c7b..f38ba9e44 100644
 
 static void add_listen_addr(ServerOptions *, const char *,
     const char *, int);
-@@ -133,8 +134,11 @@ initialize_server_options(ServerOptions *options)
+@@ -134,8 +135,11 @@ initialize_server_options(ServerOptions *options)
        options->kerberos_ticket_cleanup = -1;
        options->kerberos_get_afs_token = -1;
        options->gss_authentication=-1;
@@ -3174,7 +3174,7 @@ index ba0a92c7b..f38ba9e44 100644
        options->password_authentication = -1;
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
-@@ -375,10 +379,18 @@ fill_default_server_options(ServerOptions *options)
+@@ -376,10 +380,18 @@ fill_default_server_options(ServerOptions *options)
                options->kerberos_get_afs_token = 0;
        if (options->gss_authentication == -1)
                options->gss_authentication = 0;
@@ -3193,7 +3193,7 @@ index ba0a92c7b..f38ba9e44 100644
        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
-@@ -531,6 +543,7 @@ typedef enum {
+@@ -523,6 +535,7 @@ typedef enum {
        sHostKeyAlgorithms,
        sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
        sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -3201,7 +3201,7 @@ index ba0a92c7b..f38ba9e44 100644
        sAcceptEnv, sSetEnv, sPermitTunnel,
        sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
        sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -607,12 +620,22 @@ static struct {
+@@ -600,12 +613,22 @@ static struct {
 #ifdef GSSAPI
        { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
        { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -3224,7 +3224,7 @@ index ba0a92c7b..f38ba9e44 100644
        { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
        { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
        { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1555,6 +1578,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1557,6 +1580,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
                intptr = &options->gss_authentication;
                goto parse_flag;
 
@@ -3235,7 +3235,7 @@ index ba0a92c7b..f38ba9e44 100644
        case sGssCleanupCreds:
                intptr = &options->gss_cleanup_creds;
                goto parse_flag;
-@@ -1563,6 +1590,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+@@ -1565,6 +1592,22 @@ process_server_config_line_depth(ServerOptions *options, char *line,
                intptr = &options->gss_strict_acceptor;
                goto parse_flag;
 
@@ -3258,7 +3258,7 @@ index ba0a92c7b..f38ba9e44 100644
        case sPasswordAuthentication:
                intptr = &options->password_authentication;
                goto parse_flag;
-@@ -2791,6 +2834,10 @@ dump_config(ServerOptions *o)
+@@ -2808,6 +2851,10 @@ dump_config(ServerOptions *o)
 #ifdef GSSAPI
        dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
        dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -3270,10 +3270,10 @@ index ba0a92c7b..f38ba9e44 100644
        dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
        dump_cfg_fmtint(sKbdInteractiveAuthentication,
 diff --git a/servconf.h b/servconf.h
-index a420f398d..253cad97e 100644
+index 1df8f3db8..f10908e5b 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -137,8 +137,11 @@ typedef struct {
+@@ -138,8 +138,11 @@ typedef struct {
        int     kerberos_get_afs_token;         /* If true, try to get AFS token if
                                                 * authenticated with Kerberos. */
        int     gss_authentication;     /* If true, permit GSSAPI authentication */
@@ -3286,10 +3286,10 @@ index a420f398d..253cad97e 100644
                                                 * authentication. */
        int     kbd_interactive_authentication; /* If true, permit */
 diff --git a/session.c b/session.c
-index 18cdfa8cf..f9c2c866e 100644
+index 27ca8a104..857f17b3c 100644
 --- a/session.c
 +++ b/session.c
-@@ -2678,13 +2678,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
+@@ -2685,13 +2685,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt)
 
 #ifdef KRB5
        if (options.kerberos_ticket_cleanup &&
@@ -3436,7 +3436,7 @@ index 36180d07a..50d80bbca 100644
 
 #endif /* _SSH_GSS_H */
 diff --git a/ssh.1 b/ssh.1
-index dce5f404b..7a3ba31ab 100644
+index 555317887..be8e964f0 100644
 --- a/ssh.1
 +++ b/ssh.1
 @@ -506,7 +506,13 @@ For full details of the options listed below, and their possible values, see
@@ -3463,10 +3463,10 @@ index dce5f404b..7a3ba31ab 100644
 (key types),
 .Ar key-cert
 diff --git a/ssh.c b/ssh.c
-index 98b6ce788..4a81ef810 100644
+index f34ca0d71..bb98a7e2d 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -773,6 +773,8 @@ main(int ac, char **av)
+@@ -801,6 +801,8 @@ main(int ac, char **av)
                        else if (strcmp(optarg, "kex") == 0 ||
                            strcasecmp(optarg, "KexAlgorithms") == 0)
                                cp = kex_alg_list('\n');
@@ -3475,7 +3475,7 @@ index 98b6ce788..4a81ef810 100644
                        else if (strcmp(optarg, "key") == 0)
                                cp = sshkey_alg_list(0, 0, 0, '\n');
                        else if (strcmp(optarg, "key-cert") == 0)
-@@ -798,8 +800,8 @@ main(int ac, char **av)
+@@ -826,8 +828,8 @@ main(int ac, char **av)
                        } else if (strcmp(optarg, "help") == 0) {
                                cp = xstrdup(
                                    "cipher\ncipher-auth\ncompression\nkex\n"
@@ -3487,7 +3487,7 @@ index 98b6ce788..4a81ef810 100644
                        if (cp == NULL)
                                fatal("Unsupported query \"%s\"", optarg);
 diff --git a/ssh_config b/ssh_config
-index 5e8ef548b..1ff999b68 100644
+index 842ea866c..52aae8692 100644
 --- a/ssh_config
 +++ b/ssh_config
 @@ -24,6 +24,8 @@
@@ -3500,10 +3500,10 @@ index 5e8ef548b..1ff999b68 100644
 #   CheckHostIP yes
 #   AddressFamily any
 diff --git a/ssh_config.5 b/ssh_config.5
-index dc010ccbd..e2a2359f9 100644
+index 6be1f1aa2..bd86d000c 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -766,10 +766,67 @@ The default is
+@@ -779,10 +779,67 @@ The default is
 Specifies whether user authentication based on GSSAPI is allowed.
 The default is
 .Cm no .
@@ -3572,7 +3572,7 @@ index dc010ccbd..e2a2359f9 100644
 Indicates that
 .Xr ssh 1
 diff --git a/sshconnect2.c b/sshconnect2.c
-index 1a6545edf..79a22e600 100644
+index f64aae66a..c47fc31a6 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
 @@ -80,8 +80,6 @@
@@ -3584,7 +3584,7 @@ index 1a6545edf..79a22e600 100644
 extern Options options;
 
 /*
-@@ -163,6 +161,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+@@ -210,6 +208,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
        char *s, *all_key;
        int r, use_known_hosts_order = 0;
 
@@ -3596,7 +3596,7 @@ index 1a6545edf..79a22e600 100644
        xxx_host = host;
        xxx_hostaddr = hostaddr;
 
-@@ -206,6 +209,41 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+@@ -253,6 +256,41 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
                    compat_pkalg_proposal(options.hostkeyalgorithms);
        }
 
@@ -3638,7 +3638,7 @@ index 1a6545edf..79a22e600 100644
        if (options.rekey_limit || options.rekey_interval)
                ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
                    options.rekey_interval);
-@@ -224,16 +262,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+@@ -271,16 +309,46 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
 # ifdef OPENSSL_HAS_ECC
        ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
 # endif
@@ -3686,7 +3686,7 @@ index 1a6545edf..79a22e600 100644
        if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
                fatal("kex_prop2buf: %s", ssh_err(r));
 
-@@ -330,6 +398,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
+@@ -377,6 +445,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
 static int input_gssapi_token(int type, u_int32_t, struct ssh *);
 static int input_gssapi_error(int, u_int32_t, struct ssh *);
 static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
@@ -3694,7 +3694,7 @@ index 1a6545edf..79a22e600 100644
 #endif
 
 void   userauth(struct ssh *, char *);
-@@ -346,6 +415,11 @@ static char *authmethods_get(void);
+@@ -393,6 +462,11 @@ static char *authmethods_get(void);
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
@@ -3706,7 +3706,7 @@ index 1a6545edf..79a22e600 100644
        {"gssapi-with-mic",
                userauth_gssapi,
                userauth_gssapi_cleanup,
-@@ -716,12 +790,31 @@ userauth_gssapi(struct ssh *ssh)
+@@ -763,12 +837,31 @@ userauth_gssapi(struct ssh *ssh)
        OM_uint32 min;
        int r, ok = 0;
        gss_OID mech = NULL;
@@ -3739,7 +3739,7 @@ index 1a6545edf..79a22e600 100644
 
        /* Check to see whether the mechanism is usable before we offer it */
        while (authctxt->mech_tried < authctxt->gss_supported_mechs->count &&
-@@ -730,13 +823,15 @@ userauth_gssapi(struct ssh *ssh)
+@@ -777,13 +870,15 @@ userauth_gssapi(struct ssh *ssh)
                    elements[authctxt->mech_tried];
                /* My DER encoding requires length<128 */
                if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
@@ -3756,7 +3756,7 @@ index 1a6545edf..79a22e600 100644
        if (!ok || mech == NULL)
                return 0;
 
-@@ -976,6 +1071,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
+@@ -1023,6 +1118,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
        free(lang);
        return r;
 }
@@ -3813,7 +3813,7 @@ index 1a6545edf..79a22e600 100644
 
 static int
 diff --git a/sshd.c b/sshd.c
-index 6f8f11a3b..02fca5c28 100644
+index 8aa7f3df6..8c5d5822e 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -816,8 +816,8 @@ notify_hostkeys(struct ssh *ssh)
@@ -3827,7 +3827,7 @@ index 6f8f11a3b..02fca5c28 100644
                sshpkt_fatal(ssh, r, "%s: send", __func__);
        sshbuf_free(buf);
 }
-@@ -1851,7 +1851,8 @@ main(int ac, char **av)
+@@ -1901,7 +1901,8 @@ main(int ac, char **av)
                free(fp);
        }
        accumulate_host_timing_secret(cfg, NULL);
@@ -3837,7 +3837,7 @@ index 6f8f11a3b..02fca5c28 100644
                logit("sshd: no hostkeys available -- exiting.");
                exit(1);
        }
-@@ -2342,6 +2343,48 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2393,6 +2394,48 @@ do_ssh2_kex(struct ssh *ssh)
        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
            list_hostkey_types());
 
@@ -3886,7 +3886,7 @@ index 6f8f11a3b..02fca5c28 100644
        /* start key exchange */
        if ((r = kex_setup(ssh, myproposal)) != 0)
                fatal("kex_setup: %s", ssh_err(r));
-@@ -2357,7 +2400,18 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2408,7 +2451,18 @@ do_ssh2_kex(struct ssh *ssh)
 # ifdef OPENSSL_HAS_ECC
        kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
 # endif
@@ -3920,7 +3920,7 @@ index 19b7c91a1..2c48105f8 100644
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 diff --git a/sshd_config.5 b/sshd_config.5
-index b294efc2d..360e5fb1a 100644
+index 6fa421cae..eabbe9e73 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -644,6 +644,11 @@ Specifies whether to automatically destroy the user's credentials cache
@@ -3968,10 +3968,10 @@ index b294efc2d..360e5fb1a 100644
 Specifies the key types that will be accepted for hostbased authentication
 as a list of comma-separated patterns.
 diff --git a/sshkey.c b/sshkey.c
-index 1571e3d93..1ac32a0ec 100644
+index ac451f1a8..b88282e19 100644
 --- a/sshkey.c
 +++ b/sshkey.c
-@@ -154,6 +154,7 @@ static const struct keytype keytypes[] = {
+@@ -156,6 +156,7 @@ static const struct keytype keytypes[] = {
            KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 },
 # endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
@@ -3979,7 +3979,7 @@ index 1571e3d93..1ac32a0ec 100644
        { NULL, NULL, NULL, -1, -1, 0, 0 }
 };
 
-@@ -255,7 +256,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
+@@ -257,7 +258,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
        const struct keytype *kt;
 
        for (kt = keytypes; kt->type != -1; kt++) {
@@ -3989,7 +3989,7 @@ index 1571e3d93..1ac32a0ec 100644
                if (!include_sigonly && kt->sigonly)
                        continue;
 diff --git a/sshkey.h b/sshkey.h
-index 9c1d4f637..f586e8967 100644
+index 2d8b62497..dc1c10597 100644
 --- a/sshkey.h
 +++ b/sshkey.h
 @@ -69,6 +69,7 @@ enum sshkey_types {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 4a26d9d31..c9bc83267 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From 24c9c811bfd227e467ab1ce00503f08dcc22c0f4 Mon Sep 17 00:00:00 2001
+From 164d1c9f11309d38273ac64e30eda2baa3733f78 Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
 3 files changed, 34 insertions(+), 4 deletions(-)
 diff --git a/readconf.c b/readconf.c
-index 2ccc48572..431243193 100644
+index b069333fa..3d0a812b3 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -176,6 +176,7 @@ typedef enum {
@@ -46,7 +46,7 @@ index 2ccc48572..431243193 100644
 
        { NULL, oBadOption }
 };
-@@ -1519,6 +1522,8 @@ parse_keytypes:
+@@ -1534,6 +1537,8 @@ parse_keytypes:
                goto parse_flag;
 
        case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 2ccc48572..431243193 100644
                intptr = &options->server_alive_interval;
                goto parse_time;
 
-@@ -2222,8 +2227,13 @@ fill_default_options(Options * options)
+@@ -2266,8 +2271,13 @@ fill_default_options(Options * options)
                options->rekey_interval = 0;
        if (options->verify_host_key_dns == -1)
                options->verify_host_key_dns = 0;
@@ -72,10 +72,10 @@ index 2ccc48572..431243193 100644
                options->server_alive_count_max = 3;
        if (options->control_master == -1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index e2a2359f9..85ab7447f 100644
+index bd86d000c..3ceb800ba 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -266,9 +266,13 @@ If set to
+@@ -275,9 +275,13 @@ If set to
 .Cm yes ,
 user interaction such as password prompts and host key confirmation requests
 will be disabled.
@@ -90,7 +90,7 @@ index e2a2359f9..85ab7447f 100644
 The argument must be
 .Cm yes
 or
-@@ -1604,7 +1608,14 @@ from the server,
+@@ -1624,7 +1628,14 @@ from the server,
 will send a message through the encrypted
 channel to request a response from the server.
 The default
@@ -106,7 +106,7 @@ index e2a2359f9..85ab7447f 100644
 .It Cm SetEnv
 Directly specify one or more environment variables and their contents to
 be sent to the server.
-@@ -1684,6 +1695,12 @@ Specifies whether the system should send TCP keepalive messages to the
+@@ -1704,6 +1715,12 @@ Specifies whether the system should send TCP keepalive messages to the
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
@@ -120,10 +120,10 @@ index e2a2359f9..85ab7447f 100644
 connections will die if the route is down temporarily, and some people
 find it annoying.
 diff --git a/sshd_config.5 b/sshd_config.5
-index 360e5fb1a..9f093be1f 100644
+index eabbe9e73..6457620bb 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1680,6 +1680,9 @@ This avoids infinitely hanging sessions.
+@@ -1691,6 +1691,9 @@ This avoids infinitely hanging sessions.
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Cm no .
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 50b51619c..cb227f839 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From 8ec2f85d03524a6b4954f0a29496b5a301f92080 Mon Sep 17 00:00:00 2001
+From c8da63c601b5d44fd233548385809c9c3a2fa0b8 Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -14,10 +14,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
 1 file changed, 8 insertions(+), 1 deletion(-)
 diff --git a/sshconnect.c b/sshconnect.c
-index bfbf80e92..f20d3e792 100644
+index 5f8c81b84..3ae20b74e 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -991,9 +991,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -994,9 +994,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                        error("%s. This could either mean that", key_msg);
                        error("DNS SPOOFING is happening or the IP address for the host");
                        error("and its host key have changed at the same time.");
@@ -32,7 +32,7 @@ index bfbf80e92..f20d3e792 100644
                }
                /* The host key has changed. */
                warn_changed_key(host_key);
-@@ -1002,6 +1006,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -1005,6 +1009,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                error("Offending %s key in %s:%lu",
                    sshkey_type(host_found->key),
                    host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index b91cbd4ea..e383375c6 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From a5d0b90bbd2c5a6bdec17b1abc5dca8166ae73f7 Mon Sep 17 00:00:00 2001
+From cf3ffd6a25d425bed33dd698f92e64953d9769eb Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <kurt@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 342487057..64405d578 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From 34bf12a8e8fcc7720168dac307ef9388af93b947 Mon Sep 17 00:00:00 2001
+From 6bcbfca92b58917dba48b696dd63529fa5dcbb82 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,10 +44,10 @@ index ef0de0850..149846c8c 100644
 .Sh SEE ALSO
 .Xr ssh-keygen 1 ,
 diff --git a/ssh-keygen.1 b/ssh-keygen.1
-index 059c1b034..45866f931 100644
+index 3ae596caa..836174fb6 100644
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
-@@ -197,9 +197,7 @@ key in
+@@ -202,9 +202,7 @@ key in
 .Pa ~/.ssh/id_ed25519_sk
 or
 .Pa ~/.ssh/id_rsa .
@@ -58,7 +58,7 @@ index 059c1b034..45866f931 100644
 .Pp
 Normally this program generates the key and asks for a file in which
 to store the private key.
-@@ -262,9 +260,7 @@ If
+@@ -269,9 +267,7 @@ If
 .Fl f
 has also been specified, its argument is used as a prefix to the
 default path for the resulting host key files.
@@ -69,7 +69,7 @@ index 059c1b034..45866f931 100644
 .It Fl a Ar rounds
 When saving a private key, this option specifies the number of KDF
 (key derivation function) rounds used.
-@@ -787,7 +783,7 @@ option.
+@@ -804,7 +800,7 @@ option.
 Valid generator values are 2, 3, and 5.
 .Pp
 Screened DH groups may be installed in
@@ -78,7 +78,7 @@ index 059c1b034..45866f931 100644
 It is important that this file contains moduli of a range of bit lengths and
 that both ends of a connection share common moduli.
 .Pp
-@@ -1158,7 +1154,7 @@ on all machines
+@@ -1185,7 +1181,7 @@ on all machines
 where the user wishes to log in using public key authentication.
 There is no need to keep the contents of this file secret.
 .Pp
@@ -88,7 +88,7 @@ index 059c1b034..45866f931 100644
 The file format is described in
 .Xr moduli 5 .
 diff --git a/ssh.1 b/ssh.1
-index a80be8efe..566fdba6b 100644
+index 5d613076c..1880c032d 100644
 --- a/ssh.1
 +++ b/ssh.1
 @@ -890,6 +890,10 @@ implements public key authentication protocol automatically,
@@ -103,7 +103,7 @@ index a80be8efe..566fdba6b 100644
 .Pp
 The file
 diff --git a/sshd.8 b/sshd.8
-index 730520231..5ce0ea4fa 100644
+index 97d547ffa..7895a6a94 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -65,7 +65,7 @@ over an insecure network.
@@ -115,7 +115,7 @@ index 730520231..5ce0ea4fa 100644
 It forks a new
 daemon for each incoming connection.
 The forked daemons handle
-@@ -904,7 +904,7 @@ This file is for host-based authentication (see
+@@ -911,7 +911,7 @@ This file is for host-based authentication (see
 .Xr ssh 1 ) .
 It should only be writable by root.
 .Pp
@@ -124,7 +124,7 @@ index 730520231..5ce0ea4fa 100644
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
 key exchange method.
 The file format is described in
-@@ -1002,7 +1002,6 @@ The content of this file is not sensitive; it can be world-readable.
+@@ -1009,7 +1009,6 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
 .Xr hosts_access 5 ,
@@ -133,7 +133,7 @@ index 730520231..5ce0ea4fa 100644
 .Xr sshd_config 5 ,
 .Xr inetd 8 ,
 diff --git a/sshd_config.5 b/sshd_config.5
-index 753ceda10..c27f99937 100644
+index 33dc0c675..32ae46476 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -385,8 +385,7 @@ Certificates signed using other algorithms will not be accepted for
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index a560ae940..daa1473db 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From d66c30698f807ab95aee7ea4a882c192884df047 Mon Sep 17 00:00:00 2001
+From 707144d399b9fc959a4f6be3fd8e239c208c88ff Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
@@ -18,7 +18,7 @@ Patch-Name: package-versioning.patch
 2 files changed, 7 insertions(+), 2 deletions(-)
 diff --git a/kex.c b/kex.c
-index 144dee512..0e64bf760 100644
+index 751cfc710..ce7bb5b3b 100644
 --- a/kex.c
 +++ b/kex.c
 @@ -1243,7 +1243,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
@@ -31,11 +31,11 @@ index 144dee512..0e64bf760 100644
            version_addendum == NULL ? "" : version_addendum)) != 0) {
                oerrno = errno;
 diff --git a/version.h b/version.h
-index a2eca3ec8..158eaee70 100644
+index c2f9c55bb..480cd59e1 100644
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_8.3"
+ #define SSH_VERSION    "OpenSSH_8.4"
 
 #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index e32c31717..a1f52056f 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
-From a31d1fdf19480d9a184a27a4d221655f408f74d7 Mon Sep 17 00:00:00 2001
+From 8dc9bb0d9cf53a35d6003623f1e7c91326d79875 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 5 Mar 2017 02:02:11 +0000
 Subject: Restore reading authorized_keys2 by default
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index e544e3874..7388fadff 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From 7e3de67f8447064d6963e8299653d8e01baaef1e Mon Sep 17 00:00:00 2001
+From 6806b85f30244d186206004386a9faddc16b8738 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 7 Oct 2014 13:22:41 +0100
 Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
 3 files changed, 89 insertions(+)
 diff --git a/configure.ac b/configure.ac
-index d98e6f74a..812b7218f 100644
+index c8a96deb4..bb435ec1f 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1558,6 +1558,62 @@ else
+@@ -1571,6 +1571,62 @@ else
        AC_MSG_RESULT([no])
 fi
 
@@ -94,7 +94,7 @@ index d98e6f74a..812b7218f 100644
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
-@@ -5479,6 +5535,7 @@ echo "                       PAM support: $PAM_MSG"
+@@ -5536,6 +5592,7 @@ echo "                       PAM support: $PAM_MSG"
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
@@ -103,10 +103,10 @@ index d98e6f74a..812b7218f 100644
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "                   libldns support: $LDNS_MSG"
 diff --git a/sshd.8 b/sshd.8
-index c5f8987d2..730520231 100644
+index b2fad56d3..97d547ffa 100644
 --- a/sshd.8
 +++ b/sshd.8
-@@ -893,6 +893,12 @@ the user's home directory becomes accessible.
+@@ -900,6 +900,12 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
@@ -119,7 +119,7 @@ index c5f8987d2..730520231 100644
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
-@@ -995,6 +1001,7 @@ The content of this file is not sensitive; it can be world-readable.
+@@ -1002,6 +1008,7 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
@@ -128,7 +128,7 @@ index c5f8987d2..730520231 100644
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
 diff --git a/sshd.c b/sshd.c
-index 02fca5c28..e96d90809 100644
+index 8c5d5822e..a50ec3584 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -124,6 +124,13 @@
@@ -145,7 +145,7 @@ index 02fca5c28..e96d90809 100644
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD   (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD         (STDERR_FILENO + 2)
-@@ -2132,6 +2139,24 @@ main(int ac, char **av)
+@@ -2183,6 +2190,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch
index 0ec75419a..b84cef134 100644
--- a/debian/patches/revert-ipqos-defaults.patch
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -1,4 +1,4 @@
-From 39b8d128ef980a410bb1ea0ee80e95ac9fff59c3 Mon Sep 17 00:00:00 2001
+From 3728919292c05983372954d27426f7d966813139 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Mon, 8 Apr 2019 10:46:29 +0100
 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
@@ -24,10 +24,10 @@ Patch-Name: revert-ipqos-defaults.patch
 4 files changed, 8 insertions(+), 12 deletions(-)
 diff --git a/readconf.c b/readconf.c
-index 87b0dc62a..9a646dcaa 100644
+index e676b6be6..c60df5602 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -2254,9 +2254,9 @@ fill_default_options(Options * options)
+@@ -2298,9 +2298,9 @@ fill_default_options(Options * options)
        if (options->visual_host_key == -1)
                options->visual_host_key = 0;
        if (options->ip_qos_interactive == -1)
@@ -40,10 +40,10 @@ index 87b0dc62a..9a646dcaa 100644
                options->request_tty = REQUEST_TTY_AUTO;
        if (options->proxy_use_fdpass == -1)
 diff --git a/servconf.c b/servconf.c
-index cf4e52f3b..c290e9786 100644
+index f9eb778d6..98afcfcec 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -452,9 +452,9 @@ fill_default_server_options(ServerOptions *options)
+@@ -453,9 +453,9 @@ fill_default_server_options(ServerOptions *options)
        if (options->permit_tun == -1)
                options->permit_tun = SSH_TUNMODE_NO;
        if (options->ip_qos_interactive == -1)
@@ -56,10 +56,10 @@ index cf4e52f3b..c290e9786 100644
                options->version_addendum = xstrdup("");
        if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index aac3fabb7..2574b1004 100644
+index 6d6c59521..080d289a7 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1140,11 +1140,9 @@ If one argument is specified, it is used as the packet class unconditionally.
+@@ -1156,11 +1156,9 @@ If one argument is specified, it is used as the packet class unconditionally.
 If two values are specified, the first is automatically selected for
 interactive sessions and the second for non-interactive sessions.
 The default is
@@ -74,7 +74,7 @@ index aac3fabb7..2574b1004 100644
 .It Cm KbdInteractiveAuthentication
 Specifies whether to use keyboard-interactive authentication.
 diff --git a/sshd_config.5 b/sshd_config.5
-index b38025dbf..88db4db07 100644
+index 472001dd1..a555e7ec3 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -925,11 +925,9 @@ If one argument is specified, it is used as the packet class unconditionally.
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 0166c914a..604e831b3 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From 2520672d1ccfd88744c93bac102f461f9b1e0cf3 Mon Sep 17 00:00:00 2001
+From 94f06f8888f2e11267120eeebdb931d95bbfb7fd Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch
 1 file changed, 10 insertions(+), 2 deletions(-)
 diff --git a/scp.c b/scp.c
-index b4492a062..66b4af8e8 100644
+index 6ae17061d..2d1b8e9b9 100644
 --- a/scp.c
 +++ b/scp.c
 @@ -201,8 +201,16 @@ do_local_cmd(arglist *a)
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index b0088c104..3161999a9 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From 8641a3f57e67e087b4500beb9916e06c4d0ba94c Mon Sep 17 00:00:00 2001
+From c574865182e2c5dfa183b577f49ac602d16df5c0 Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -9,7 +9,7 @@ SELinux maintainer, so we'll keep it until we have something better.
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
 Bug-Debian: http://bugs.debian.org/394795
-Last-Update: 2020-02-21
+Last-Update: 2020-10-18
 Patch-Name: selinux-role.patch
 ---
@@ -43,7 +43,7 @@ index becc672b5..5da9fe75f 100644
        /* Method lists for multiple authentication */
        char            **auth_methods; /* modified from server config */
 diff --git a/auth2.c b/auth2.c
-index a4a5e0069..05d6c2447 100644
+index 9fa1404b3..d8363bdba 100644
 --- a/auth2.c
 +++ b/auth2.c
 @@ -265,7 +265,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
@@ -81,7 +81,7 @@ index a4a5e0069..05d6c2447 100644
                if (auth2_setup_methods_lists(authctxt) != 0)
                        ssh_packet_disconnect(ssh,
 diff --git a/monitor.c b/monitor.c
-index 5347e900d..8002aca86 100644
+index 11868952b..98362948f 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -118,6 +118,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
@@ -154,7 +154,7 @@ index 5347e900d..8002aca86 100644
        return (0);
 }
 
-@@ -1553,7 +1582,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1566,7 +1595,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
        if (res == 0)
                goto error;
@@ -177,7 +177,7 @@ index 2b1a2d590..4d87284aa 100644
 
 struct ssh;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 6edb509a3..b49c268d3 100644
+index 0e78cd006..d41d3949d 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
 @@ -364,10 +364,10 @@ mm_auth2_read_banner(void)
@@ -231,13 +231,13 @@ index 6edb509a3..b49c268d3 100644
 int
 mm_auth_password(struct ssh *ssh, char *password)
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 485590c18..370b08e17 100644
+index 75aef1c74..c39e5dd8b 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
-@@ -47,7 +47,8 @@ DH *mm_choose_dh(int, int, int);
+@@ -48,7 +48,8 @@ DH *mm_choose_dh(int, int, int);
- #endif
 int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
-     const u_char *, size_t, const char *, const char *, u_int compat);
+     const u_char *, size_t, const char *, const char *,
+     const char *, u_int compat);
 -void mm_inform_authserv(char *, char *);
 +void mm_inform_authserv(char *, char *, char *);
 +void mm_inform_authrole(char *);
@@ -363,10 +363,10 @@ index ea4f9c584..60d72ffe7 100644
 char *platform_krb5_get_principal_name(const char *);
 int platform_sys_dir_uid(uid_t);
 diff --git a/session.c b/session.c
-index f9c2c866e..837a8bacf 100644
+index 857f17b3c..b1796a803 100644
 --- a/session.c
 +++ b/session.c
-@@ -1360,7 +1360,7 @@ safely_chroot(const char *path, uid_t uid)
+@@ -1364,7 +1364,7 @@ safely_chroot(const char *path, uid_t uid)
 
 /* Set login name, uid, gid, and groups. */
 void
@@ -375,7 +375,7 @@ index f9c2c866e..837a8bacf 100644
 {
        char uidstr[32], *chroot_path, *tmp;
 
-@@ -1388,7 +1388,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1392,7 +1392,7 @@ do_setusercontext(struct passwd *pw)
                endgrent();
 #endif
 
@@ -384,7 +384,7 @@ index f9c2c866e..837a8bacf 100644
 
                if (!in_chroot && options.chroot_directory != NULL &&
                    strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1529,7 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
+@@ -1536,7 +1536,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 
        /* Force a password change */
        if (s->authctxt->force_pwchange) {
@@ -393,7 +393,7 @@ index f9c2c866e..837a8bacf 100644
                child_close_fds(ssh);
                do_pwchange(s);
                exit(1);
-@@ -1547,7 +1547,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
+@@ -1554,7 +1554,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
        /* When PAM is enabled we rely on it to do the nologin check */
        if (!options.use_pam)
                do_nologin(pw);
@@ -402,7 +402,7 @@ index f9c2c866e..837a8bacf 100644
        /*
         * PAM session modules in do_setusercontext may have
         * generated messages, so if this in an interactive
-@@ -1946,7 +1946,7 @@ session_pty_req(struct ssh *ssh, Session *s)
+@@ -1953,7 +1953,7 @@ session_pty_req(struct ssh *ssh, Session *s)
                sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
 
        if (!use_privsep)
@@ -425,7 +425,7 @@ index ce59dabd9..675c91146 100644
 const char     *session_get_remote_name_or_ip(struct ssh *, u_int, int);
 
 diff --git a/sshd.c b/sshd.c
-index e96d90809..e8b332ca4 100644
+index a50ec3584..38d281ab4 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -594,7 +594,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
diff --git a/debian/patches/series b/debian/patches/series
index 9abd84350..8c1046a74 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,4 +23,3 @@ debian-config.patch
 restore-authorized_keys2.patch
 conch-old-privkey-format.patch
 revert-ipqos-defaults.patch
-avoid-extra-ports.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 4752e2a71..503b08dda 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From b78e6371a98460f5d12683406674e117d64b35f2 Mon Sep 17 00:00:00 2001
+From a7d2f23b7b86f97749856482233cdc9dd970d1d3 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/sshconnect.c b/sshconnect.c
-index af08be415..bfbf80e92 100644
+index 9ec0618a9..5f8c81b84 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -260,7 +260,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg,
+@@ -263,7 +263,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg,
                /* Execute the proxy command.  Note that we gave up any
                   extra privileges above. */
                ssh_signal(SIGPIPE, SIG_DFL);
@@ -28,7 +28,7 @@ index af08be415..bfbf80e92 100644
                perror(argv[0]);
                exit(1);
        }
-@@ -1389,7 +1389,7 @@ ssh_local_cmd(const char *args)
+@@ -1392,7 +1392,7 @@ ssh_local_cmd(const char *args)
        if (pid == 0) {
                ssh_signal(SIGPIPE, SIG_DFL);
                debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index ed23334d9..5d7a6c0fb 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From 303cbd5533df863d518bc61d837ce56a93166b11 Mon Sep 17 00:00:00 2001
+From 7a305ed4a0cba43d0d1bc6ebf5737521a0854a9d Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
@@ -13,10 +13,10 @@ Patch-Name: ssh-agent-setgid.patch
 1 file changed, 15 insertions(+)
 diff --git a/ssh-agent.1 b/ssh-agent.1
-index fff0db6bc..99e4f6d2e 100644
+index 2cf46160b..272da79b3 100644
 --- a/ssh-agent.1
 +++ b/ssh-agent.1
-@@ -201,6 +201,21 @@ socket and stores its pathname in this variable.
+@@ -206,6 +206,21 @@ socket and stores its pathname in this variable.
 It is accessible only to the current user,
 but is easily abused by root or another instance of the same user.
 .El
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 52e5bf70b..12f8c1b90 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From 81723f749647928d918de21057d9dbfbebaa8e53 Mon Sep 17 00:00:00 2001
+From 0e71b467fd84b0972c6aa2762d93af1c3defc0dc Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
 1 file changed, 1 insertion(+)
 diff --git a/ssh.1 b/ssh.1
-index 566fdba6b..5a31b5dde 100644
+index 1880c032d..76ddd89b5 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1613,6 +1613,7 @@ if an error occurred.
+@@ -1632,6 +1632,7 @@ if an error occurred.
 .Xr sftp 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index cc2656bda..f4bedfd7b 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From 6ed578a01fd61f9c930ef46cfefc467203ddd6c0 Mon Sep 17 00:00:00 2001
+From 61b4d4c07d19cd0816ab5d48da81a75f7adbdf24 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch
 2 files changed, 2 insertions(+)
 diff --git a/readconf.c b/readconf.c
-index fb585e248..2ccc48572 100644
+index 57dae55d1..b069333fa 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -191,6 +191,7 @@ static struct {
@@ -29,10 +29,10 @@ index fb585e248..2ccc48572 100644
        { "useroaming", oDeprecated },
        { "usersh", oDeprecated },
 diff --git a/servconf.c b/servconf.c
-index f38ba9e44..ff5b9436c 100644
+index ded8f4a87..21abe41ac 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -656,6 +656,7 @@ static struct {
+@@ -649,6 +649,7 @@ static struct {
        { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
        { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
        { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 273f8069f..d6215dea6 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From f2c3eb379d31f24de20dc9a2e0089ed84f52055b Mon Sep 17 00:00:00 2001
+From 33a5f7aadea15899586710c615408045eaaecebd Mon Sep 17 00:00:00 2001
 From: Natalie Amery <nmamery@chiark.greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
@@ -21,7 +21,7 @@ Patch-Name: syslog-level-silent.patch
 2 files changed, 2 insertions(+), 1 deletion(-)
 diff --git a/log.c b/log.c
-index d9c2d136c..1749af6d1 100644
+index 6b1a7a314..5ebae1480 100644
 --- a/log.c
 +++ b/log.c
 @@ -93,6 +93,7 @@ static struct {
@@ -33,10 +33,10 @@ index d9c2d136c..1749af6d1 100644
        { "FATAL",      SYSLOG_LEVEL_FATAL },
        { "ERROR",      SYSLOG_LEVEL_ERROR },
 diff --git a/ssh.c b/ssh.c
-index 4a81ef810..7879d4f4d 100644
+index bb98a7e2d..aa15b8a1f 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -1339,7 +1339,7 @@ main(int ac, char **av)
+@@ -1373,7 +1373,7 @@ main(int ac, char **av)
        /* Do not allocate a tty if stdin is not a tty. */
        if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
            options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index a85ed6732..37e98c1dc 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
-From fe8c9983321154a61f4f06be602f925f1fd24ee7 Mon Sep 17 00:00:00 2001
+From e8453621b2a26f8d6afec405ff60201749b01e5e Mon Sep 17 00:00:00 2001
 From: Michael Biebl <biebl@debian.org>
 Date: Mon, 21 Dec 2015 16:08:47 +0000
 Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
 2 files changed, 33 insertions(+)
 diff --git a/configure.ac b/configure.ac
-index 812b7218f..7e0584d2c 100644
+index bb435ec1f..5944299fa 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4730,6 +4730,29 @@ AC_ARG_WITH([kerberos5],
+@@ -4785,6 +4785,29 @@ AC_ARG_WITH([kerberos5],
 AC_SUBST([GSSLIBS])
 AC_SUBST([K5LIBS])
 
@@ -47,7 +47,7 @@ index 812b7218f..7e0584d2c 100644
 # Looking for programs, paths and files
 
 PRIVSEP_PATH=/var/empty
-@@ -5542,6 +5565,7 @@ echo "                   libldns support: $LDNS_MSG"
+@@ -5599,6 +5622,7 @@ echo "                   libldns support: $LDNS_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 echo "           Solaris project support: $SP_MSG"
 echo "         Solaris privilege support: $SPP_MSG"
@@ -56,7 +56,7 @@ index 812b7218f..7e0584d2c 100644
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 diff --git a/sshd.c b/sshd.c
-index baee13506..d2d1877d4 100644
+index 50f2726bf..fb9b7b7fb 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -85,6 +85,10 @@
@@ -70,7 +70,7 @@ index baee13506..d2d1877d4 100644
 #include "xmalloc.h"
 #include "ssh.h"
 #include "ssh2.h"
-@@ -2026,6 +2030,11 @@ main(int ac, char **av)
+@@ -2076,6 +2080,11 @@ main(int ac, char **av)
                        }
                }
 
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 19c1809d9..8f5a8a383 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From cb72edd9757c469f3b5dc9cde374715ae8b54509 Mon Sep 17 00:00:00 2001
+From d08cd2b0cfbedf3ccd2ec3adaef850b8d9a87e85 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
@@ -51,7 +51,7 @@ index e81321b49..3bcc73766 100644
                            pw->pw_name, buf);
                        auth_debug_add("Bad file modes for %.200s", buf);
 diff --git a/auth.c b/auth.c
-index 687c57b42..aed3c13ac 100644
+index 3d31ec860..4152d9c44 100644
 --- a/auth.c
 +++ b/auth.c
 @@ -474,8 +474,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
@@ -65,10 +65,10 @@ index 687c57b42..aed3c13ac 100644
                            "bad owner or modes for %.200s",
                            pw->pw_name, user_hostfile);
 diff --git a/misc.c b/misc.c
-index 554ceb0b1..75fe4dfea 100644
+index 4623b5755..c75a795c2 100644
 --- a/misc.c
 +++ b/misc.c
-@@ -61,8 +61,9 @@
+@@ -55,8 +55,9 @@
 #include <netdb.h>
 #ifdef HAVE_PATHS_H
 # include <paths.h>
@@ -79,8 +79,8 @@ index 554ceb0b1..75fe4dfea 100644
 #ifdef SSH_TUN_OPENBSD
 #include <net/if.h>
 #endif
-@@ -1124,6 +1125,55 @@ percent_expand(const char *string, ...)
+@@ -1271,6 +1272,55 @@ percent_dollar_expand(const char *string, ...)
- #undef EXPAND_MAX_KEYS
+        return ret;
 }
 
 +int
@@ -135,7 +135,7 @@ index 554ceb0b1..75fe4dfea 100644
 int
 tun_open(int tun, int mode, char **ifname)
 {
-@@ -1909,8 +1959,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
+@@ -2056,8 +2106,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
                snprintf(err, errlen, "%s is not a regular file", buf);
                return -1;
        }
@@ -145,7 +145,7 @@ index 554ceb0b1..75fe4dfea 100644
                snprintf(err, errlen, "bad ownership or modes for file %s",
                    buf);
                return -1;
-@@ -1925,8 +1974,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
+@@ -2072,8 +2121,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
                strlcpy(buf, cp, sizeof(buf));
 
                if (stat(buf, &st) == -1 ||
@@ -156,10 +156,10 @@ index 554ceb0b1..75fe4dfea 100644
                            "bad ownership or modes for directory %s", buf);
                        return -1;
 diff --git a/misc.h b/misc.h
-index 4a05db2da..5db594b91 100644
+index ab94a79c0..b34c798e7 100644
 --- a/misc.h
 +++ b/misc.h
-@@ -188,6 +188,8 @@ struct notifier_ctx *notify_start(int, const char *, ...)
+@@ -192,6 +192,8 @@ struct notifier_ctx *notify_start(int, const char *, ...)
        __attribute__((format(printf, 2, 3)));
 void   notify_complete(struct notifier_ctx *);
 
@@ -169,10 +169,10 @@ index 4a05db2da..5db594b91 100644
 #define MAXIMUM(a, b)  (((a) > (b)) ? (a) : (b))
 #define ROUNDUP(x, y)   ((((x)+((y)-1))/(y))*(y))
 diff --git a/readconf.c b/readconf.c
-index 431243193..5bf0afbb4 100644
+index 3d0a812b3..f4f273c96 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1926,8 +1926,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
+@@ -1967,8 +1967,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
 
                if (fstat(fileno(f), &sb) == -1)
                        fatal("fstat %s: %s", filename, strerror(errno));
@@ -183,10 +183,10 @@ index 431243193..5bf0afbb4 100644
        }
 
 diff --git a/ssh.1 b/ssh.1
-index 7a3ba31ab..a80be8efe 100644
+index be8e964f0..5d613076c 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1509,6 +1509,8 @@ The file format and configuration options are described in
+@@ -1528,6 +1528,8 @@ The file format and configuration options are described in
 .Xr ssh_config 5 .
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not writable by others.
@@ -196,10 +196,10 @@ index 7a3ba31ab..a80be8efe 100644
 .It Pa ~/.ssh/environment
 Contains additional definitions for environment variables; see
 diff --git a/ssh_config.5 b/ssh_config.5
-index 85ab7447f..d814147d4 100644
+index 3ceb800ba..190e1d927 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1957,6 +1957,8 @@ The format of this file is described above.
+@@ -2010,6 +2010,8 @@ The format of this file is described above.
 This file is used by the SSH client.
 Because of the potential for abuse, this file must have strict permissions:
 read/write for the user, and not writable by others.
author	Colin Watson <cjwatson@debian.org>	2020-10-20 14:12:31 +0100
committer	Colin Watson <cjwatson@debian.org>	2020-10-20 14:12:31 +0100
commit	e371906fbbbbc11b0dced8fd4e0d258eb489d7c1 (patch)
tree	4d0d8d2afd52572deb7910e29ff5a334b2bcf702 /debian
parent	e429009cde648a41479cd1b60ce972760a2bdabc (diff)
parent	3728919292c05983372954d27426f7d966813139 (diff)