New upstream release (7.0p1).

36 files changed, 245 insertions, 644 deletions

diff --git a/debian/.git-dpm b/debian/.git-dpm
index 4e4b48bbf..77f37fc00 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-11ff24a98751edfc86ef0eed102f840eaa50d4e1
-11ff24a98751edfc86ef0eed102f840eaa50d4e1
-544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
-544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
-openssh_6.9p1.orig.tar.gz
-86ab57f00d0fd9bf302760f2f6deac1b6e9df265
-1487617
+6d0faf6dc76ac8cc73d6f8e478db7c97f7013a2d
+6d0faf6dc76ac8cc73d6f8e478db7c97f7013a2d
+58ddb8ad21f21f5358db0204c4ba9abf94a1ca11
+58ddb8ad21f21f5358db0204c4ba9abf94a1ca11
+openssh_7.0p1.orig.tar.gz
+d8337c9eab91d360d104f6dd805f8b32089c063c
+1493376
diff --git a/debian/changelog b/debian/changelog
index ccee48f9d..42450d4d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,51 @@
+openssh (1:7.0p1-1) UNRELEASED; urgency=medium
+
+  * New upstream release (http://www.openssh.com/txt/release-7.0, closes:
+    #785190):
+    - Support for the legacy SSH version 1 protocol is disabled by default
+      at compile time.
+    - Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is
+      disabled by default at run-time.  It may be re-enabled using the
+      instructions at http://www.openssh.com/legacy.html
+    - Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled by
+      default at run-time.  These may be re-enabled using the instructions
+      at http://www.openssh.com/legacy.html
+    - Support for the legacy v00 cert format has been removed.
+    - The default for the sshd_config(5) PermitRootLogin option has changed
+      from "yes" to "prohibit-password".
+    - PermitRootLogin=without-password/prohibit-password now bans all
+      interactive authentication methods, allowing only public-key,
+      hostbased and GSSAPI authentication (previously it permitted
+      keyboard-interactive and password-less authentication if those were
+      enabled).
+    - ssh_config(5): Add PubkeyAcceptedKeyTypes option to control which
+      public key types are available for user authentication.
+    - sshd_config(5): Add HostKeyAlgorithms option to control which public
+      key types are offered for host authentications.
+    - ssh(1), sshd(8): Extend Ciphers, MACs, KexAlgorithms,
+      HostKeyAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes
+      options to allow appending to the default set of algorithms instead of
+      replacing it.  Options may now be prefixed with a '+' to append to the
+      default, e.g. "HostKeyAlgorithms=+ssh-dss".
+    - sshd_config(5): PermitRootLogin now accepts an argument of
+      'prohibit-password' as a less-ambiguous synonym of 'without-
+      password'.
+    - ssh(1), sshd(8): Add compatability workarounds for Cisco and more
+      PuTTY versions.
+    - Fix some omissions and errors in the PROTOCOL and PROTOCOL.mux
+      documentation relating to Unix domain socket forwarding.
+    - ssh(1): Improve the ssh(1) manual page to include a better description
+      of Unix domain socket forwarding (closes: #779068).
+    - ssh(1), ssh-agent(1): Skip uninitialised PKCS#11 slots, fixing
+      failures to load keys when they are present.
+    - ssh(1), ssh-agent(1): Do not ignore PKCS#11 hosted keys that wth empty
+      CKA_ID.
+    - sshd(8): Clarify documentation for UseDNS option.
+    - Check realpath(3) behaviour matches what sftp-server requires and use
+      a replacement if necessary.
+
+ -- Colin Watson <cjwatson@debian.org>  Sun, 29 Nov 2015 17:32:44 +0000
+
 openssh (1:6.9p1-3) unstable; urgency=medium
 
   * ssh_config(5): Fix markup errors in description of GSSAPITrustDns
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index fa9542064..2ed4f2a4c 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
-From c38beb3f8dcdd55621ad9d8fd3bc204d19a0a741 Mon Sep 17 00:00:00 2001
+From 1b41ad6426301c5131aa93d0915f6c5e69cff645 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:02 +0000
 Subject: Quieten logs when multiple from= restrictions are used
@@ -16,7 +16,7 @@ Patch-Name: auth-log-verbosity.patch
  4 files changed, 32 insertions(+), 9 deletions(-)
 
 diff --git a/auth-options.c b/auth-options.c
-index facfc02..9ab1880 100644
+index e387697..f1e3ddf 100644
 --- a/auth-options.c
 +++ b/auth-options.c
 @@ -58,9 +58,20 @@ int forced_tun_device = -1;
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 6bcb877e9..6d2e5b544 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From 924de4a0afa1e2605c4dbc10dcdb5afc7a5d44ac Mon Sep 17 00:00:00 2001
+From 0eeaf623887ccabc08ba20150618daca817fcba5 Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
diff --git a/debian/patches/backport-do-not-resend-username-to-pam.patch b/debian/patches/backport-do-not-resend-username-to-pam.patch
deleted file mode 100644
index 865221b4f..000000000
--- a/debian/patches/backport-do-not-resend-username-to-pam.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 4e1468d9745c5e32d99cd85386dfc74e90a5cf14 Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Tue, 11 Aug 2015 13:33:24 +1000
-Subject: Don't resend username to PAM; it already has it.
-
-Pointed out by Moritz Jodeit; ok dtucker@
-
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
-Forwarded: not-needed
-Last-Update: 2015-08-19
-
-Patch-Name: backport-do-not-resend-username-to-pam.patch
----
- monitor.c      | 2 --
- monitor_wrap.c | 1 -
- 2 files changed, 3 deletions(-)
-
-diff --git a/monitor.c b/monitor.c
-index 3a3d2f0..3fc9253 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -1127,9 +1127,7 @@ extern KbdintDevice sshpam_device;
- int
- mm_answer_pam_init_ctx(int sock, Buffer *m)
- {
--
-        debug3("%s", __func__);
--       authctxt->user = buffer_get_string(m, NULL);
-        sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
-        sshpam_authok = NULL;
-        buffer_clear(m);
-diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 6ae72a0..6799911 100644
---- a/monitor_wrap.c
-+++ b/monitor_wrap.c
-@@ -632,7 +632,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
- 
-        debug3("%s", __func__);
-        buffer_init(&m);
--       buffer_put_cstring(&m, authctxt->user);
-        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
-        debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
-        mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
diff --git a/debian/patches/backport-fix-pty-permissions.patch b/debian/patches/backport-fix-pty-permissions.patch
deleted file mode 100644
index 1449014c0..000000000
--- a/debian/patches/backport-fix-pty-permissions.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From fe597b453a89c6d1dcbbd91cacef80adc3b52fc9 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Thu, 30 Jul 2015 23:09:15 +0000
-Subject: Fix pty permissions
-
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=6f941396b6835ad18018845f515b0c4fe20be21a
-Forwarded: not-needed
-Last-Update: 2015-08-19
-
-Patch-Name: backport-fix-pty-permissions.patch
----
- sshpty.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/sshpty.c b/sshpty.c
-index 0e32b39..e89efb7 100644
---- a/sshpty.c
-+++ b/sshpty.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
-+/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
- /*
-  * Author: Tatu Ylonen <ylo@cs.hut.fi>
-  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty, const char *role)
-        /* Determine the group to make the owner of the tty. */
-        grp = getgrnam("tty");
-        gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
--       mode = (grp != NULL) ? 0622 : 0600;
-+       mode = (grp != NULL) ? 0620 : 0600;
- 
-        /*
-         * Change owner and mode of the tty as required.
diff --git a/debian/patches/backport-kbdint-duplicates.patch b/debian/patches/backport-kbdint-duplicates.patch
deleted file mode 100644
index c73c36ce0..000000000
--- a/debian/patches/backport-kbdint-duplicates.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 0bcdac377a097516ed875bfa000598d6cca86c13 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Sat, 18 Jul 2015 07:57:14 +0000
-Subject: only query each keyboard-interactive device once per authentication
- request regardless of how many times it is listed
-
-ok markus@
-
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5b64f85bb811246c59ebab70aed331f26ba37b18
-Forwarded: not-needed
-Last-Update: 2015-08-19
-
-Patch-Name: backport-kbdint-duplicates.patch
----
- auth2-chall.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/auth2-chall.c b/auth2-chall.c
-index ddabe1a..4aff09d 100644
---- a/auth2-chall.c
-+++ b/auth2-chall.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: auth2-chall.c,v 1.42 2015/01/19 20:07:45 markus Exp $ */
-+/* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */
- /*
-  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
-  * Copyright (c) 2001 Per Allansson.  All rights reserved.
-@@ -83,6 +83,7 @@ struct KbdintAuthctxt
-        void *ctxt;
-        KbdintDevice *device;
-        u_int nreq;
-+       u_int devices_done;
- };
- 
- #ifdef USE_PAM
-@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
-                if (len == 0)
-                        break;
-                for (i = 0; devices[i]; i++) {
--                       if (!auth2_method_allowed(authctxt,
-+                       if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
-+                           !auth2_method_allowed(authctxt,
-                            "keyboard-interactive", devices[i]->name))
-                                continue;
--                       if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
-+                       if (strncmp(kbdintctxt->devices, devices[i]->name,
-+                           len) == 0) {
-                                kbdintctxt->device = devices[i];
-+                               kbdintctxt->devices_done |= 1 << i;
-+                       }
-                }
-                t = kbdintctxt->devices;
-                kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
diff --git a/debian/patches/backport-pam-use-after-free.patch b/debian/patches/backport-pam-use-after-free.patch
deleted file mode 100644
index 4baecfe1b..000000000
--- a/debian/patches/backport-pam-use-after-free.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From fddd7fcb2ccb2cfdd88328d1149c0c31fcf21447 Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Tue, 11 Aug 2015 13:34:12 +1000
-Subject: set sshpam_ctxt to NULL after free
-
-Avoids use-after-free in monitor when privsep child is compromised.
-Reported by Moritz Jodeit; ok dtucker@
-
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
-Forwarded: not-needed
-Last-Update: 2015-08-19
-
-Patch-Name: backport-pam-use-after-free.patch
----
- monitor.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/monitor.c b/monitor.c
-index 3fc9253..c063ad1 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -1209,14 +1209,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
- int
- mm_answer_pam_free_ctx(int sock, Buffer *m)
- {
-+       int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
- 
-        debug3("%s", __func__);
-        (sshpam_device.free_ctx)(sshpam_ctxt);
-+       sshpam_ctxt = sshpam_authok = NULL;
-        buffer_clear(m);
-        mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
-        auth_method = "keyboard-interactive";
-        auth_submethod = "pam";
--       return (sshpam_authok == sshpam_ctxt);
-+       return r;
- }
- #endif
- 
diff --git a/debian/patches/backport-regress-principals-command-noexec.patch b/debian/patches/backport-regress-principals-command-noexec.patch
deleted file mode 100644
index 6b6649638..000000000
--- a/debian/patches/backport-regress-principals-command-noexec.patch
+++ /dev/null
@@ -1,257 +0,0 @@
-From 11ff24a98751edfc86ef0eed102f840eaa50d4e1 Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Mon, 10 Aug 2015 11:13:44 +1000
-Subject: let principals-command.sh work for noexec /var/run
-
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=55b263fb7cfeacb81aaf1c2036e0394c881637da
-Forwarded: not-needed
-Last-Update: 2015-08-20
-
-Patch-Name: backport-regress-principals-command-noexec.patch
----
- regress/principals-command.sh | 222 +++++++++++++++++++++---------------------
- 1 file changed, 113 insertions(+), 109 deletions(-)
-
-diff --git a/regress/principals-command.sh b/regress/principals-command.sh
-index 9006437..b90a8cf 100644
---- a/regress/principals-command.sh
-+++ b/regress/principals-command.sh
-@@ -14,15 +14,15 @@ fi
- 
- # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
- # acceptable directory permissions.
--PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
--cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
-+PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
-+cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
- #!/bin/sh
- test "x\$1" != "x${LOGNAME}" && exit 1
- test -f "$OBJ/authorized_principals_${LOGNAME}" &&
-        exec cat "$OBJ/authorized_principals_${LOGNAME}"
- _EOF
- test $? -eq 0 || fatal "couldn't prepare principals command"
--$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
-+$SUDO chmod 0755 "$PRINCIPALS_CMD"
- 
- # Create a CA key and a user certificate.
- ${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
-@@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-     -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
-        fatal "couldn't sign cert_user_key"
- 
--# Test explicitly-specified principals
--for privsep in yes no ; do
--       _prefix="privsep $privsep"
--
--       # Setup for AuthorizedPrincipalsCommand
--       rm -f $OBJ/authorized_keys_$USER
--       (
--               cat $OBJ/sshd_proxy_bak
--               echo "UsePrivilegeSeparation $privsep"
--               echo "AuthorizedKeysFile none"
--               echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
--               echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
--               echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
--       ) > $OBJ/sshd_proxy
--
--       # XXX test missing command
--       # XXX test failing command
--
--       # Empty authorized_principals
--       verbose "$tid: ${_prefix} empty authorized_principals"
--       echo > $OBJ/authorized_principals_$USER
--       ${SSH} -2i $OBJ/cert_user_key \
--           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
--       if [ $? -eq 0 ]; then
--               fail "ssh cert connect succeeded unexpectedly"
--       fi
--
--       # Wrong authorized_principals
--       verbose "$tid: ${_prefix} wrong authorized_principals"
--       echo gregorsamsa > $OBJ/authorized_principals_$USER
--       ${SSH} -2i $OBJ/cert_user_key \
--           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
--       if [ $? -eq 0 ]; then
--               fail "ssh cert connect succeeded unexpectedly"
--       fi
--
--       # Correct authorized_principals
--       verbose "$tid: ${_prefix} correct authorized_principals"
--       echo mekmitasdigoat > $OBJ/authorized_principals_$USER
--       ${SSH} -2i $OBJ/cert_user_key \
--           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
--       if [ $? -ne 0 ]; then
--               fail "ssh cert connect failed"
--       fi
--
--       # authorized_principals with bad key option
--       verbose "$tid: ${_prefix} authorized_principals bad key opt"
--       echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
--       ${SSH} -2i $OBJ/cert_user_key \
--           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
--       if [ $? -eq 0 ]; then
--               fail "ssh cert connect succeeded unexpectedly"
--       fi
--
--       # authorized_principals with command=false
--       verbose "$tid: ${_prefix} authorized_principals command=false"
--       echo 'command="false" mekmitasdigoat' > \
--           $OBJ/authorized_principals_$USER
--       ${SSH} -2i $OBJ/cert_user_key \
--           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
--       if [ $? -eq 0 ]; then
--               fail "ssh cert connect succeeded unexpectedly"
--       fi
--
--
--       # authorized_principals with command=true
--       verbose "$tid: ${_prefix} authorized_principals command=true"
--       echo 'command="true" mekmitasdigoat' > \
--           $OBJ/authorized_principals_$USER
--       ${SSH} -2i $OBJ/cert_user_key \
--           -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
--       if [ $? -ne 0 ]; then
--               fail "ssh cert connect failed"
--       fi
--
--       # Setup for principals= key option
--       rm -f $OBJ/authorized_principals_$USER
--       (
--               cat $OBJ/sshd_proxy_bak
--               echo "UsePrivilegeSeparation $privsep"
--       ) > $OBJ/sshd_proxy
--
--       # Wrong principals list
--       verbose "$tid: ${_prefix} wrong principals key option"
--       (
--               printf 'cert-authority,principals="gregorsamsa" '
--               cat $OBJ/user_ca_key.pub
--       ) > $OBJ/authorized_keys_$USER
--       ${SSH} -2i $OBJ/cert_user_key \
--           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
--       if [ $? -eq 0 ]; then
--               fail "ssh cert connect succeeded unexpectedly"
--       fi
--
--       # Correct principals list
--       verbose "$tid: ${_prefix} correct principals key option"
--       (
--               printf 'cert-authority,principals="mekmitasdigoat" '
--               cat $OBJ/user_ca_key.pub
--       ) > $OBJ/authorized_keys_$USER
--       ${SSH} -2i $OBJ/cert_user_key \
--           -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
--       if [ $? -ne 0 ]; then
--               fail "ssh cert connect failed"
--       fi
--done
-+if [ -x $PRINCIPALS_CMD ]; then
-+       # Test explicitly-specified principals
-+       for privsep in yes no ; do
-+               _prefix="privsep $privsep"
-+
-+               # Setup for AuthorizedPrincipalsCommand
-+               rm -f $OBJ/authorized_keys_$USER
-+               (
-+                       cat $OBJ/sshd_proxy_bak
-+                       echo "UsePrivilegeSeparation $privsep"
-+                       echo "AuthorizedKeysFile none"
-+                       echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
-+                       echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
-+                       echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
-+               ) > $OBJ/sshd_proxy
-+
-+               # XXX test missing command
-+               # XXX test failing command
-+
-+               # Empty authorized_principals
-+               verbose "$tid: ${_prefix} empty authorized_principals"
-+               echo > $OBJ/authorized_principals_$USER
-+               ${SSH} -2i $OBJ/cert_user_key \
-+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-+               if [ $? -eq 0 ]; then
-+                       fail "ssh cert connect succeeded unexpectedly"
-+               fi
-+
-+               # Wrong authorized_principals
-+               verbose "$tid: ${_prefix} wrong authorized_principals"
-+               echo gregorsamsa > $OBJ/authorized_principals_$USER
-+               ${SSH} -2i $OBJ/cert_user_key \
-+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-+               if [ $? -eq 0 ]; then
-+                       fail "ssh cert connect succeeded unexpectedly"
-+               fi
-+
-+               # Correct authorized_principals
-+               verbose "$tid: ${_prefix} correct authorized_principals"
-+               echo mekmitasdigoat > $OBJ/authorized_principals_$USER
-+               ${SSH} -2i $OBJ/cert_user_key \
-+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-+               if [ $? -ne 0 ]; then
-+                       fail "ssh cert connect failed"
-+               fi
-+
-+               # authorized_principals with bad key option
-+               verbose "$tid: ${_prefix} authorized_principals bad key opt"
-+               echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
-+               ${SSH} -2i $OBJ/cert_user_key \
-+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-+               if [ $? -eq 0 ]; then
-+                       fail "ssh cert connect succeeded unexpectedly"
-+               fi
-+
-+               # authorized_principals with command=false
-+               verbose "$tid: ${_prefix} authorized_principals command=false"
-+               echo 'command="false" mekmitasdigoat' > \
-+                   $OBJ/authorized_principals_$USER
-+               ${SSH} -2i $OBJ/cert_user_key \
-+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-+               if [ $? -eq 0 ]; then
-+                       fail "ssh cert connect succeeded unexpectedly"
-+               fi
-+
-+               # authorized_principals with command=true
-+               verbose "$tid: ${_prefix} authorized_principals command=true"
-+               echo 'command="true" mekmitasdigoat' > \
-+                   $OBJ/authorized_principals_$USER
-+               ${SSH} -2i $OBJ/cert_user_key \
-+                   -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
-+               if [ $? -ne 0 ]; then
-+                       fail "ssh cert connect failed"
-+               fi
-+
-+               # Setup for principals= key option
-+               rm -f $OBJ/authorized_principals_$USER
-+               (
-+                       cat $OBJ/sshd_proxy_bak
-+                       echo "UsePrivilegeSeparation $privsep"
-+               ) > $OBJ/sshd_proxy
-+
-+               # Wrong principals list
-+               verbose "$tid: ${_prefix} wrong principals key option"
-+               (
-+                       printf 'cert-authority,principals="gregorsamsa" '
-+                       cat $OBJ/user_ca_key.pub
-+               ) > $OBJ/authorized_keys_$USER
-+               ${SSH} -2i $OBJ/cert_user_key \
-+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-+               if [ $? -eq 0 ]; then
-+                       fail "ssh cert connect succeeded unexpectedly"
-+               fi
-+
-+               # Correct principals list
-+               verbose "$tid: ${_prefix} correct principals key option"
-+               (
-+                       printf 'cert-authority,principals="mekmitasdigoat" '
-+                       cat $OBJ/user_ca_key.pub
-+               ) > $OBJ/authorized_keys_$USER
-+               ${SSH} -2i $OBJ/cert_user_key \
-+                   -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
-+               if [ $? -ne 0 ]; then
-+                       fail "ssh cert connect failed"
-+               fi
-+       done
-+else
-+       echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
-+           "(/var/run mounted noexec?)"
-+fi
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index cbbe6b790..35659cd33 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From 692e965f7be2a33a6fecc392a2cb8023977f9c31 Mon Sep 17 00:00:00 2001
+From bb18ca3880d333834c89f535032cdf12bc362fdf Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
@@ -8,7 +8,7 @@ initial protocol handshake, for those scared by package-versioning.patch.
 
 Bug-Debian: http://bugs.debian.org/562048
 Forwarded: not-needed
-Last-Update: 2015-08-19
+Last-Update: 2015-11-29
 
 Patch-Name: debian-banner.patch
 ---
@@ -19,10 +19,10 @@ Patch-Name: debian-banner.patch
  4 files changed, 18 insertions(+), 1 deletion(-)
 
 diff --git a/servconf.c b/servconf.c
-index 8a5bd7b..fe3e311 100644
+index ed3a88d..a778f44 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -169,6 +169,7 @@ initialize_server_options(ServerOptions *options)
+@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions *options)
         options->ip_qos_bulk = -1;
         options->version_addendum = NULL;
         options->fingerprint_hash = -1;
@@ -36,10 +36,10 @@ index 8a5bd7b..fe3e311 100644
                 options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
 +       if (options->debian_banner == -1)
 +               options->debian_banner = 1;
-        /* Turn privilege separation on by default */
-        if (use_privsep == -1)
-                use_privsep = PRIVSEP_NOSANDBOX;
-@@ -419,6 +422,7 @@ typedef enum {
+ 
+        if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 ||
+            kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
+@@ -430,6 +433,7 @@ typedef enum {
         sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
         sStreamLocalBindMask, sStreamLocalBindUnlink,
         sAllowStreamLocalForwarding, sFingerprintHash,
@@ -47,7 +47,7 @@ index 8a5bd7b..fe3e311 100644
         sDeprecated, sUnsupported
  } ServerOpCodes;
  
-@@ -565,6 +569,7 @@ static struct {
+@@ -577,6 +581,7 @@ static struct {
         { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
         { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
         { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
@@ -55,7 +55,7 @@ index 8a5bd7b..fe3e311 100644
         { NULL, sBadOption, 0 }
  };
  
-@@ -1850,6 +1855,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1867,6 +1872,10 @@ process_server_config_line(ServerOptions *options, char *line,
                         options->fingerprint_hash = value;
                 break;
  
@@ -67,10 +67,10 @@ index 8a5bd7b..fe3e311 100644
                 logit("%s line %d: Deprecated option %s",
                     filename, linenum, arg);
 diff --git a/servconf.h b/servconf.h
-index b99b270..ba7b739 100644
+index 778ba17..161fa37 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -196,6 +196,8 @@ typedef struct {
+@@ -197,6 +197,8 @@ typedef struct {
         char   *auth_methods[MAX_AUTH_METHODS];
  
         int     fingerprint_hash;
@@ -80,10 +80,10 @@ index b99b270..ba7b739 100644
  
  /* Information about the incoming connection as used by Match */
 diff --git a/sshd.c b/sshd.c
-index 96e75c6..7886d0e 100644
+index e3ac37b..d9f5199 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -442,7 +442,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
+@@ -443,7 +443,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
         }
  
         xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -94,10 +94,10 @@ index 96e75c6..7886d0e 100644
             options.version_addendum, newline);
  
 diff --git a/sshd_config.5 b/sshd_config.5
-index 1269bbd..a5afbc3 100644
+index 154e87e..641e1fa 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -528,6 +528,11 @@ or
+@@ -533,6 +533,11 @@ or
  .Dq no .
  The default is
  .Dq delayed .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index dd33c00a6..aae4e7d34 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 0cce5c4c1de33c4172ce8ebc0f93e717995779f8 Mon Sep 17 00:00:00 2001
+From 6d0faf6dc76ac8cc73d6f8e478db7c97f7013a2d Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -14,15 +14,12 @@ worms.
 ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by
 default.
 
-sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside
-PermitRootLogin default.
-
 Document all of this, along with several sshd defaults set in
 debian/openssh-server.postinst.
 
 Author: Russ Allbery <rra@debian.org>
 Forwarded: not-needed
-Last-Update: 2015-08-19
+Last-Update: 2015-11-29
 
 Patch-Name: debian-config.patch
 ---
@@ -30,15 +27,14 @@ Patch-Name: debian-config.patch
  ssh.1         | 21 +++++++++++++++++++++
  ssh_config    |  7 ++++++-
  ssh_config.5  | 19 ++++++++++++++++++-
- sshd_config   |  3 ++-
  sshd_config.5 | 25 +++++++++++++++++++++++++
- 6 files changed, 73 insertions(+), 4 deletions(-)
+ 5 files changed, 71 insertions(+), 3 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index 5f6c37f..f0769b5 100644
+index c0ba5a7..e4e1cba 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1748,7 +1748,7 @@ fill_default_options(Options * options)
+@@ -1749,7 +1749,7 @@ fill_default_options(Options * options)
         if (options->forward_x11 == -1)
                 options->forward_x11 = 0;
         if (options->forward_x11_trusted == -1)
@@ -48,14 +44,13 @@ index 5f6c37f..f0769b5 100644
                 options->forward_x11_timeout = 1200;
         if (options->exit_on_forward_failure == -1)
 diff --git a/ssh.1 b/ssh.1
-index 2178863..e2cce49 100644
+index 05b7f10..649d6c3 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -670,12 +670,33 @@ option and the
- directive in
+@@ -755,6 +755,16 @@ directive in
  .Xr ssh_config 5
  for more information.
-+.Pp
+ .Pp
 +(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
 +restrictions by default, because too many programs currently crash in this
 +mode.
@@ -65,13 +60,14 @@ index 2178863..e2cce49 100644
 +.Dq no
 +to restore the upstream behaviour.
 +This may change in future depending on client-side improvements.)
++.Pp
  .It Fl x
  Disables X11 forwarding.
- .It Fl Y
- Enables trusted X11 forwarding.
+ .Pp
+@@ -763,6 +773,17 @@ Enables trusted X11 forwarding.
  Trusted X11 forwardings are not subjected to the X11 SECURITY extension
  controls.
-+.Pp
+ .Pp
 +(Debian-specific: This option does nothing in the default configuration: it
 +is equivalent to
 +.Dq Cm ForwardX11Trusted No yes ,
@@ -82,6 +78,7 @@ index 2178863..e2cce49 100644
 +.Dq no
 +to restore the upstream behaviour.
 +This may change in future depending on client-side improvements.)
++.Pp
  .It Fl y
  Send log information using the
  .Xr syslog 3
@@ -110,7 +107,7 @@ index 228e5ab..c9386aa 100644
 +    GSSAPIAuthentication yes
 +    GSSAPIDelegateCredentials no
 diff --git a/ssh_config.5 b/ssh_config.5
-index f25cedd..9a103f2 100644
+index 5bc04b0..aaa435a 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
@@ -136,7 +133,7 @@ index f25cedd..9a103f2 100644
  The configuration file has the following format:
  .Pp
  Empty lines and lines starting with
-@@ -716,7 +732,8 @@ token used for the session will be set to expire after 20 minutes.
+@@ -721,7 +737,8 @@ token used for the session will be set to expire after 20 minutes.
  Remote clients will be refused access after this time.
  .Pp
  The default is
@@ -146,22 +143,8 @@ index f25cedd..9a103f2 100644
  .Pp
  See the X11 SECURITY extension specification for full details on
  the restrictions imposed on untrusted clients.
-diff --git a/sshd_config b/sshd_config
-index 1dfd0f1..23a338f 100644
---- a/sshd_config
-+++ b/sshd_config
-@@ -41,7 +41,8 @@
- # Authentication:
- 
- #LoginGraceTime 2m
--#PermitRootLogin no
-+# See /usr/share/doc/openssh-server/README.Debian.gz.
-+#PermitRootLogin without-password
- #StrictModes yes
- #MaxAuthTries 6
- #MaxSessions 10
 diff --git a/sshd_config.5 b/sshd_config.5
-index 355b445..eb6bff8 100644
+index 7e40a27..92c23bc 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 60a12c72f..922798aea 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From 840c980f0a68a101c3aa1e884724ceff37e8e147 Mon Sep 17 00:00:00 2001
+From 460260ae3681984ef9fbc0f19fb5d46668eede4e Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 259560a0d..b27e19f2b 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From e2a36dcb275a675203f22467863cce90829a64b7 Mon Sep 17 00:00:00 2001
+From def9d74686cb82e98686c1357babd9d24b8b7c54 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
  1 file changed, 3 insertions(+)
 
 diff --git a/ssh_config.5 b/ssh_config.5
-index 4e799cf..f25cedd 100644
+index b07e866..5bc04b0 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -804,6 +804,9 @@ Note that existing names and addresses in known hosts files
+@@ -809,6 +809,9 @@ Note that existing names and addresses in known hosts files
  will not be converted automatically,
  but may be manually hashed using
  .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index 96c76a651..c1fcbcd37 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
-From c239fee2fa5aae0a6e3086330562241bd9330bca Mon Sep 17 00:00:00 2001
+From 49f2be4bc5297798aa3cd54ba1417804c14f8d38 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:12 +0000
 Subject: Refer to ssh's Upstart job as well as its init script
@@ -12,7 +12,7 @@ Patch-Name: doc-upstart.patch
  1 file changed, 4 insertions(+), 1 deletion(-)
 
 diff --git a/sshd.8 b/sshd.8
-index 2f4d4f3..42f1520 100644
+index 42ba596..17b917c 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -67,7 +67,10 @@ over an insecure network.
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 609706831..91fb20bb3 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From 9a1c2558e40d504443830442c42f5a6e46f31ed0 Mon Sep 17 00:00:00 2001
+From 820ff9bbc530c4f736c883caf4a773fa397ffacc Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 29a689b0d..3d6dfac9a 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 70b18066d3921277861e98902c9cf41a10ac6898 Mon Sep 17 00:00:00 2001
+From 233e78235070e871b658c8f289e600bd52a99711 Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate
 security history.
 
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
-Last-Updated: 2015-09-17
+Last-Updated: 2015-11-29
 
 Patch-Name: gssapi.patch
 ---
@@ -359,10 +359,10 @@ index 7177962..3f49bdc 100644
  #endif
         &method_passwd,
 diff --git a/clientloop.c b/clientloop.c
-index dc0e557..77d5498 100644
+index 87ceb3d..fba1b54 100644
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -114,6 +114,10 @@
+@@ -115,6 +115,10 @@
  #include "ssherr.h"
  #include "hostfile.h"
  
@@ -373,7 +373,7 @@ index dc0e557..77d5498 100644
  /* import options */
  extern Options options;
  
-@@ -1609,6 +1613,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
+@@ -1610,6 +1614,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
                 /* Do channel operations unless rekeying in progress. */
                 if (!rekeying) {
                         channel_after_select(readset, writeset);
@@ -390,7 +390,7 @@ index dc0e557..77d5498 100644
                                 debug("need rekeying");
                                 active_state->kex->done = 0;
 diff --git a/config.h.in b/config.h.in
-index 7e7e38e..6c7de98 100644
+index 7500df5..97accd8 100644
 --- a/config.h.in
 +++ b/config.h.in
 @@ -1623,6 +1623,9 @@
@@ -414,7 +414,7 @@ index 7e7e38e..6c7de98 100644
  #undef USE_SOLARIS_PROCESS_CONTRACTS
  
 diff --git a/configure.ac b/configure.ac
-index bb0095f..df21693 100644
+index 9b05c30..7a25603 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -1197,7 +1197,7 @@ index 53993d6..2f6baf7 100644
  
  #endif
 diff --git a/kex.c b/kex.c
-index dbc55ef..4d8e6f5 100644
+index 5100c66..39a6f98 100644
 --- a/kex.c
 +++ b/kex.c
 @@ -55,6 +55,10 @@
@@ -1238,7 +1238,7 @@ index dbc55ef..4d8e6f5 100644
  }
  
 diff --git a/kex.h b/kex.h
-index f70b81f..7194b14 100644
+index d71b532..ee46815 100644
 --- a/kex.h
 +++ b/kex.h
 @@ -93,6 +93,9 @@ enum kex_exchange {
@@ -1263,8 +1263,8 @@ index f70b81f..7194b14 100644
 +#endif
         char    *client_version_string;
         char    *server_version_string;
-        int     (*verify_host_key)(struct sshkey *, struct ssh *);
-@@ -184,6 +193,11 @@ int         kexecdh_server(struct ssh *);
+        char    *failed_choice;
+@@ -187,6 +196,11 @@ int         kexecdh_server(struct ssh *);
  int     kexc25519_client(struct ssh *);
  int     kexc25519_server(struct ssh *);
  
@@ -1920,7 +1920,7 @@ index 0000000..0847469
 +}
 +#endif /* GSSAPI */
 diff --git a/monitor.c b/monitor.c
-index b410965..bdc2972 100644
+index a914209..2658aaa 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
@@ -2127,10 +2127,10 @@ index 93b8b66..bc50ade 100644
  
  struct mm_master;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index e6217b3..71e7c08 100644
+index eac421b..81ceddb 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -1069,7 +1069,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+@@ -1068,7 +1068,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
  }
  
  int
@@ -2139,7 +2139,7 @@ index e6217b3..71e7c08 100644
  {
         Buffer m;
         int authenticated = 0;
-@@ -1086,5 +1086,50 @@ mm_ssh_gssapi_userok(char *user)
+@@ -1085,5 +1085,50 @@ mm_ssh_gssapi_userok(char *user)
         debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
         return (authenticated);
  }
@@ -2207,7 +2207,7 @@ index de4a08f..9758290 100644
  
  #ifdef USE_PAM
 diff --git a/readconf.c b/readconf.c
-index db7d0bb..68dac76 100644
+index 1d03bdf..43b7570 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -147,6 +147,8 @@ typedef enum {
@@ -2219,7 +2219,7 @@ index db7d0bb..68dac76 100644
         oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
         oSendEnv, oControlPath, oControlMaster, oControlPersist,
         oHashKnownHosts,
-@@ -191,10 +193,19 @@ static struct {
+@@ -192,10 +194,19 @@ static struct {
         { "afstokenpassing", oUnsupported },
  #if defined(GSSAPI)
         { "gssapiauthentication", oGssAuthentication },
@@ -2239,7 +2239,7 @@ index db7d0bb..68dac76 100644
  #endif
         { "fallbacktorsh", oDeprecated },
         { "usersh", oDeprecated },
-@@ -892,10 +903,30 @@ parse_time:
+@@ -894,10 +905,30 @@ parse_time:
                 intptr = &options->gss_authentication;
                 goto parse_flag;
  
@@ -2283,7 +2283,7 @@ index db7d0bb..68dac76 100644
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->kbd_interactive_devices = NULL;
-@@ -1728,8 +1764,14 @@ fill_default_options(Options * options)
+@@ -1729,8 +1765,14 @@ fill_default_options(Options * options)
                 options->challenge_response_authentication = 1;
         if (options->gss_authentication == -1)
                 options->gss_authentication = 0;
@@ -2299,7 +2299,7 @@ index db7d0bb..68dac76 100644
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
 diff --git a/readconf.h b/readconf.h
-index 576b9e3..ef39c4c 100644
+index bb2d552..e7e80c3 100644
 --- a/readconf.h
 +++ b/readconf.h
 @@ -45,7 +45,12 @@ typedef struct {
@@ -2316,10 +2316,10 @@ index 576b9e3..ef39c4c 100644
                                                  * authentication. */
         int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 diff --git a/servconf.c b/servconf.c
-index df93fc4..2f7f41e 100644
+index 6c7a91e..cfe7029 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -115,8 +115,10 @@ initialize_server_options(ServerOptions *options)
+@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions *options)
         options->kerberos_ticket_cleanup = -1;
         options->kerberos_get_afs_token = -1;
         options->gss_authentication=-1;
@@ -2346,15 +2346,15 @@ index df93fc4..2f7f41e 100644
         if (options->password_authentication == -1)
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
-@@ -401,6 +407,7 @@ typedef enum {
-        sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
+@@ -412,6 +418,7 @@ typedef enum {
+        sHostKeyAlgorithms,
         sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
         sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
 +       sGssKeyEx, sGssStoreRekey,
         sAcceptEnv, sPermitTunnel,
         sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
         sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -473,12 +480,20 @@ static struct {
+@@ -485,12 +492,20 @@ static struct {
  #ifdef GSSAPI
         { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
         { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2375,7 +2375,7 @@ index df93fc4..2f7f41e 100644
         { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
         { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1214,6 +1229,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1231,6 +1246,10 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->gss_authentication;
                 goto parse_flag;
  
@@ -2386,7 +2386,7 @@ index df93fc4..2f7f41e 100644
         case sGssCleanupCreds:
                 intptr = &options->gss_cleanup_creds;
                 goto parse_flag;
-@@ -1222,6 +1241,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1239,6 +1258,10 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->gss_strict_acceptor;
                 goto parse_flag;
  
@@ -2397,7 +2397,7 @@ index df93fc4..2f7f41e 100644
         case sPasswordAuthentication:
                 intptr = &options->password_authentication;
                 goto parse_flag;
-@@ -2229,7 +2252,10 @@ dump_config(ServerOptions *o)
+@@ -2246,7 +2269,10 @@ dump_config(ServerOptions *o)
  #endif
  #ifdef GSSAPI
         dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2409,10 +2409,10 @@ index df93fc4..2f7f41e 100644
         dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
         dump_cfg_fmtint(sKbdInteractiveAuthentication,
 diff --git a/servconf.h b/servconf.h
-index 606d80c..b99b270 100644
+index f4137af..778ba17 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -117,8 +117,10 @@ typedef struct {
+@@ -118,8 +118,10 @@ typedef struct {
         int     kerberos_get_afs_token;         /* If true, try to get AFS token if
                                                  * authenticated with Kerberos. */
         int     gss_authentication;     /* If true, permit GSSAPI authentication */
@@ -2540,10 +2540,10 @@ index 03a228f..228e5ab 100644
  #   CheckHostIP yes
  #   AddressFamily any
 diff --git a/ssh_config.5 b/ssh_config.5
-index 268a627..59ce400 100644
+index 5b0975f..b2dc49b 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -744,11 +744,45 @@ Specifies whether user authentication based on GSSAPI is allowed.
+@@ -749,11 +749,45 @@ Specifies whether user authentication based on GSSAPI is allowed.
  The default is
  .Dq no .
  Note that this option applies to protocol version 2 only.
@@ -2591,7 +2591,7 @@ index 268a627..59ce400 100644
  Indicates that
  .Xr ssh 1
 diff --git a/sshconnect2.c b/sshconnect2.c
-index fcaed6b..44c89e6 100644
+index 7751031..e2ea826 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
 @@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -2626,12 +2626,12 @@ index fcaed6b..44c89e6 100644
 +       }
 +#endif
 +
-        if (options.ciphers == (char *)-1) {
-                logit("No valid ciphers for protocol version 2 given, using defaults.");
-                options.ciphers = NULL;
-@@ -200,6 +225,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
         myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-            myproposal[PROPOSAL_KEX_ALGS]);
+            options.kex_algorithms);
+        myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+@@ -193,6 +218,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+                    order_hostkeyalgs(host, hostaddr, port));
+        }
  
 +#ifdef GSSAPI
 +       /* If we've got GSSAPI algorithms, then we also support the
@@ -2647,7 +2647,7 @@ index fcaed6b..44c89e6 100644
         if (options.rekey_limit || options.rekey_interval)
                 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
                     (time_t)options.rekey_interval);
-@@ -218,10 +254,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -211,10 +247,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
  # endif
  #endif
         kex->kex[KEX_C25519_SHA256] = kexc25519_client;
@@ -2678,7 +2678,7 @@ index fcaed6b..44c89e6 100644
         dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
  
         if (options.use_roaming && !kex->roaming) {
-@@ -313,6 +369,7 @@ int input_gssapi_token(int type, u_int32_t, void *);
+@@ -306,6 +362,7 @@ int input_gssapi_token(int type, u_int32_t, void *);
  int    input_gssapi_hash(int type, u_int32_t, void *);
  int    input_gssapi_error(int, u_int32_t, void *);
  int    input_gssapi_errtok(int, u_int32_t, void *);
@@ -2686,7 +2686,7 @@ index fcaed6b..44c89e6 100644
  #endif
  
  void   userauth(Authctxt *, char *);
-@@ -328,6 +385,11 @@ static char *authmethods_get(void);
+@@ -321,6 +378,11 @@ static char *authmethods_get(void);
  
  Authmethod authmethods[] = {
  #ifdef GSSAPI
@@ -2698,7 +2698,7 @@ index fcaed6b..44c89e6 100644
         {"gssapi-with-mic",
                 userauth_gssapi,
                 NULL,
-@@ -634,19 +696,31 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt)
         static u_int mech = 0;
         OM_uint32 min;
         int ok = 0;
@@ -2732,7 +2732,7 @@ index fcaed6b..44c89e6 100644
                         ok = 1; /* Mechanism works */
                 } else {
                         mech++;
-@@ -743,8 +817,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
+@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
  {
         Authctxt *authctxt = ctxt;
         Gssctxt *gssctxt;
@@ -2743,7 +2743,7 @@ index fcaed6b..44c89e6 100644
  
         if (authctxt == NULL)
                 fatal("input_gssapi_response: no authentication context");
-@@ -857,6 +931,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
+@@ -850,6 +924,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
         free(lang);
         return 0;
  }
@@ -2793,10 +2793,10 @@ index fcaed6b..44c89e6 100644
  
  int
 diff --git a/sshd.c b/sshd.c
-index 6f8c6f2..6b85e6c 100644
+index c7dd8cb..32adb1f 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -125,6 +125,10 @@
+@@ -126,6 +126,10 @@
  #include "version.h"
  #include "ssherr.h"
  
@@ -2807,7 +2807,7 @@ index 6f8c6f2..6b85e6c 100644
  #ifndef O_NOCTTY
  #define O_NOCTTY       0
  #endif
-@@ -1823,10 +1827,13 @@ main(int ac, char **av)
+@@ -1827,10 +1831,13 @@ main(int ac, char **av)
                 logit("Disabling protocol version 1. Could not load host key");
                 options.protocol &= ~SSH_PROTO_1;
         }
@@ -2821,7 +2821,7 @@ index 6f8c6f2..6b85e6c 100644
         if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
                 logit("sshd: no hostkeys available -- exiting.");
                 exit(1);
-@@ -2141,6 +2148,60 @@ main(int ac, char **av)
+@@ -2145,6 +2152,60 @@ main(int ac, char **av)
             remote_ip, remote_port, laddr,  get_local_port());
         free(laddr);
  
@@ -2882,7 +2882,7 @@ index 6f8c6f2..6b85e6c 100644
         /*
          * We don't want to listen forever unless the other side
          * successfully authenticates itself.  So we set up an alarm which is
-@@ -2570,6 +2631,48 @@ do_ssh2_kex(void)
+@@ -2563,6 +2624,48 @@ do_ssh2_kex(void)
         myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
             list_hostkey_types());
  
@@ -2931,7 +2931,7 @@ index 6f8c6f2..6b85e6c 100644
         /* start key exchange */
         if ((r = kex_setup(active_state, myproposal)) != 0)
                 fatal("kex_setup: %s", ssh_err(r));
-@@ -2584,6 +2687,13 @@ do_ssh2_kex(void)
+@@ -2577,6 +2680,13 @@ do_ssh2_kex(void)
  # endif
  #endif
         kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2946,7 +2946,7 @@ index 6f8c6f2..6b85e6c 100644
         kex->client_version_string=client_version_string;
         kex->server_version_string=server_version_string;
 diff --git a/sshd_config b/sshd_config
-index cf7d8e1..1dfd0f1 100644
+index 4d77f05..64786c9 100644
 --- a/sshd_config
 +++ b/sshd_config
 @@ -84,6 +84,8 @@ AuthorizedKeysFile    .ssh/authorized_keys
@@ -2959,10 +2959,10 @@ index cf7d8e1..1dfd0f1 100644
  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
 diff --git a/sshd_config.5 b/sshd_config.5
-index 5ab4318..68424f1 100644
+index 58e277f..712f620 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -616,6 +616,12 @@ Specifies whether user authentication based on GSSAPI is allowed.
+@@ -621,6 +621,12 @@ Specifies whether user authentication based on GSSAPI is allowed.
  The default is
  .Dq no .
  Note that this option applies to protocol version 2 only.
@@ -2975,7 +2975,7 @@ index 5ab4318..68424f1 100644
  .It Cm GSSAPICleanupCredentials
  Specifies whether to automatically destroy the user's credentials cache
  on logout.
-@@ -637,6 +643,11 @@ machine's default store.
+@@ -642,6 +648,11 @@ machine's default store.
  This facility is provided to assist with operation on multi homed machines.
  The default is
  .Dq yes .
@@ -2988,18 +2988,18 @@ index 5ab4318..68424f1 100644
  Specifies the key types that will be accepted for hostbased authentication
  as a comma-separated pattern list.
 diff --git a/sshkey.c b/sshkey.c
-index cfe5980..2c87d80 100644
+index dbb16e2..14b6dc3 100644
 --- a/sshkey.c
 +++ b/sshkey.c
-@@ -116,6 +116,7 @@ static const struct keytype keytypes[] = {
-        { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
-            KEY_DSA_CERT_V00, 0, 1 },
+@@ -112,6 +112,7 @@ static const struct keytype keytypes[] = {
+ #  endif /* OPENSSL_HAS_NISTP521 */
+ # endif /* OPENSSL_HAS_ECC */
  #endif /* WITH_OPENSSL */
 +       { "null", "null", KEY_NULL, 0, 0 },
         { NULL, NULL, -1, -1, 0 }
  };
  
-@@ -204,7 +205,7 @@ key_alg_list(int certs_only, int plain_only)
+@@ -200,7 +201,7 @@ key_alg_list(int certs_only, int plain_only)
         const struct keytype *kt;
  
         for (kt = keytypes; kt->type != -1; kt++) {
@@ -3009,13 +3009,13 @@ index cfe5980..2c87d80 100644
                 if ((certs_only && !kt->cert) || (plain_only && kt->cert))
                         continue;
 diff --git a/sshkey.h b/sshkey.h
-index cdac0e2..b010b8e 100644
+index c8d3cdd..5cf4e5d 100644
 --- a/sshkey.h
 +++ b/sshkey.h
-@@ -64,6 +64,7 @@ enum sshkey_types {
+@@ -62,6 +62,7 @@ enum sshkey_types {
+        KEY_DSA_CERT,
+        KEY_ECDSA_CERT,
         KEY_ED25519_CERT,
-        KEY_RSA_CERT_V00,
-        KEY_DSA_CERT_V00,
 +       KEY_NULL,
         KEY_UNSPEC
  };
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index 6a7f17b2f..504abe68d 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
-From cc53919ec39bb8a84127b7ba1f23acf3809dc2a0 Mon Sep 17 00:00:00 2001
+From 9fb8297943f1b331129f26606867c5dec2d05317 Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:09:56 +0000
 Subject: Mention ~& when waiting for forwarded connections to terminate
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 3f425f225..9c6fdca0b 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From 302a74ce4e7eb60564410f482cb5778a3dec2e96 Mon Sep 17 00:00:00 2001
+From 25698ed1091d932244f94e7c802dce05c458749a Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
@@ -16,7 +16,7 @@ keepalives.
 Author: Ian Jackson <ian@chiark.greenend.org.uk>
 Author: Matthew Vernon <matthew@debian.org>
 Author: Colin Watson <cjwatson@debian.org>
-Last-Update: 2015-08-19
+Last-Update: 2015-11-29
 
 Patch-Name: keepalive-extensions.patch
 ---
@@ -26,27 +26,27 @@ Patch-Name: keepalive-extensions.patch
  3 files changed, 34 insertions(+), 4 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index 85eea48..5c5890c 100644
+index 522ad37..46c343f 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -159,6 +159,7 @@ typedef enum {
-        oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
+@@ -160,6 +160,7 @@ typedef enum {
         oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
         oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
+        oPubkeyAcceptedKeyTypes,
 +       oProtocolKeepAlives, oSetupTimeOut,
         oIgnoredUnknownOption, oDeprecated, oUnsupported
  } OpCodes;
  
-@@ -288,6 +289,8 @@ static struct {
-        { "updatehostkeys", oUpdateHostkeys },
+@@ -290,6 +291,8 @@ static struct {
         { "hostbasedkeytypes", oHostbasedKeyTypes },
+        { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
         { "ignoreunknown", oIgnoreUnknown },
 +       { "protocolkeepalives", oProtocolKeepAlives },
 +       { "setuptimeout", oSetupTimeOut },
  
         { NULL, oBadOption }
  };
-@@ -1299,6 +1302,8 @@ parse_int:
+@@ -1304,6 +1307,8 @@ parse_keytypes:
                 goto parse_flag;
  
         case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 85eea48..5c5890c 100644
                 intptr = &options->server_alive_interval;
                 goto parse_time;
  
-@@ -1858,8 +1863,13 @@ fill_default_options(Options * options)
+@@ -1856,8 +1861,13 @@ fill_default_options(Options * options)
                 options->rekey_interval = 0;
         if (options->verify_host_key_dns == -1)
                 options->verify_host_key_dns = 0;
@@ -72,7 +72,7 @@ index 85eea48..5c5890c 100644
                 options->server_alive_count_max = 3;
         if (options->control_master == -1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index e60a5b4..67e0dff 100644
+index 82dcf0c..f517159 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -233,8 +233,12 @@ Valid arguments are
@@ -89,7 +89,7 @@ index e60a5b4..67e0dff 100644
  The argument must be
  .Dq yes
  or
-@@ -1427,8 +1431,15 @@ from the server,
+@@ -1479,8 +1483,15 @@ from the server,
  will send a message through the encrypted
  channel to request a response from the server.
  The default
@@ -106,7 +106,7 @@ index e60a5b4..67e0dff 100644
  .It Cm StreamLocalBindMask
  Sets the octal file creation mode mask
  .Pq umask
-@@ -1494,6 +1505,12 @@ Specifies whether the system should send TCP keepalive messages to the
+@@ -1546,6 +1557,12 @@ Specifies whether the system should send TCP keepalive messages to the
  other side.
  If they are sent, death of the connection or crash of one
  of the machines will be properly noticed.
@@ -120,10 +120,10 @@ index e60a5b4..67e0dff 100644
  connections will die if the route is down temporarily, and some people
  find it annoying.
 diff --git a/sshd_config.5 b/sshd_config.5
-index 68424f1..1269bbd 100644
+index 712f620..154e87e 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1443,6 +1443,9 @@ This avoids infinitely hanging sessions.
+@@ -1510,6 +1510,9 @@ This avoids infinitely hanging sessions.
  .Pp
  To disable TCP keepalive messages, the value should be set to
  .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 3f14a6470..7c288b452 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -1,4 +1,4 @@
-From 506df046bb56e8d10d95d8cb3912f1462b7c4695 Mon Sep 17 00:00:00 2001
+From 2b5cab64ee1a2c917bf1b076fb81709cc0ea97d9 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:08 +0000
 Subject: Fix picky lintian errors about slogin symlinks
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index d3da72de0..418a5d1b2 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From 7fed650902de773980b1de83cec3c4cf6bb282da Mon Sep 17 00:00:00 2001
+From 20ba3686f33c1dbb34583b8731582fdc7181a831 Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index fd2686f65..6bc7618fd 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
-From 64a33173d97a03b4d53380206d166716df25591a Mon Sep 17 00:00:00 2001
+From 151c2cd6257c44a9ba51bf7af75bb7d2761cf492 Mon Sep 17 00:00:00 2001
 From: Kurt Roeckx <kurt@roeckx.be>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 8c681b9b0..389e8e73f 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From 96ecf95406b8599528e60ccfc5b32b543f74ddc4 Mon Sep 17 00:00:00 2001
+From d4a383b11e186c0db65b9a2779ad5f5889563ceb Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,7 +44,7 @@ index ef0de08..149846c 100644
  .Sh SEE ALSO
  .Xr ssh-keygen 1 ,
 diff --git a/ssh-keygen.1 b/ssh-keygen.1
-index 9b93666..19bed1e 100644
+index 8c3317b..1a8644e 100644
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
 @@ -174,9 +174,7 @@ key in
@@ -88,10 +88,10 @@ index 9b93666..19bed1e 100644
  The file format is described in
  .Xr moduli 5 .
 diff --git a/ssh.1 b/ssh.1
-index c84196f..c3e1266 100644
+index ff80022..4fba77f 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -766,6 +766,10 @@ Protocol 1 is restricted to using only RSA keys,
+@@ -853,6 +853,10 @@ Protocol 1 is restricted to using only RSA keys,
  but protocol 2 may use any.
  The HISTORY section of
  .Xr ssl 8
@@ -103,7 +103,7 @@ index c84196f..c3e1266 100644
  .Pp
  The file
 diff --git a/sshd.8 b/sshd.8
-index 5afd10f..2f4d4f3 100644
+index 2105979..42ba596 100644
 --- a/sshd.8
 +++ b/sshd.8
 @@ -67,7 +67,7 @@ over an insecure network.
@@ -115,7 +115,7 @@ index 5afd10f..2f4d4f3 100644
  It forks a new
  daemon for each incoming connection.
  The forked daemons handle
-@@ -864,7 +864,7 @@ This file is for host-based authentication (see
+@@ -861,7 +861,7 @@ This file is for host-based authentication (see
  .Xr ssh 1 ) .
  It should only be writable by root.
  .Pp
@@ -124,7 +124,7 @@ index 5afd10f..2f4d4f3 100644
  Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
  The file format is described in
  .Xr moduli 5 .
-@@ -963,7 +963,6 @@ The content of this file is not sensitive; it can be world-readable.
+@@ -960,7 +960,6 @@ The content of this file is not sensitive; it can be world-readable.
  .Xr ssh-keyscan 1 ,
  .Xr chroot 2 ,
  .Xr hosts_access 5 ,
@@ -133,7 +133,7 @@ index 5afd10f..2f4d4f3 100644
  .Xr sshd_config 5 ,
  .Xr inetd 8 ,
 diff --git a/sshd_config.5 b/sshd_config.5
-index a5afbc3..355b445 100644
+index 641e1fa..7e40a27 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -374,8 +374,7 @@ This option is only available for protocol version 2.
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index ddec0ec63..e2b40654c 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From 2c39fe957130704a00871229c53116db4a25e0c3 Mon Sep 17 00:00:00 2001
+From 4e80e6a84e57783718ca225021a597713c44c2a2 Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
@@ -36,10 +36,10 @@ index 4aff104..2999061 100644
         if (roaming_atomicio(vwrite, connection_out, client_version_string,
             strlen(client_version_string)) != strlen(client_version_string))
 diff --git a/sshd.c b/sshd.c
-index 9ff9e8b..96e75c6 100644
+index f60c9e0..e3ac37b 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
+@@ -443,7 +443,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
         }
  
         xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -49,11 +49,11 @@ index 9ff9e8b..96e75c6 100644
             options.version_addendum, newline);
  
 diff --git a/version.h b/version.h
-index b58fbe1..bff2b3b 100644
+index 7a5dbc8..f665356 100644
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_6.9"
+ #define SSH_VERSION    "OpenSSH_7.0"
  
  #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 95e0cd71c..b457610f4 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
-From dd148bdfe1da6fbce48c9d8ed5d74b3ad05de935 Mon Sep 17 00:00:00 2001
+From 5ddd42354edfbe0d5cc607d007f8c655ec351e2f Mon Sep 17 00:00:00 2001
 From: Peter Samuelson <peter@p12n.org>
 Date: Sun, 9 Feb 2014 16:09:55 +0000
 Subject: Reduce severity of "Killed by signal %d"
@@ -22,10 +22,10 @@ Patch-Name: quieter-signals.patch
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/clientloop.c b/clientloop.c
-index 964353d..65f90b8 100644
+index 9e45d24..5c2b721 100644
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -1720,8 +1720,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
+@@ -1721,8 +1721,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
                 exit_status = 0;
         }
  
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index d8d37e0d3..21c30a0ef 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
-From 1850a2c93f3dcfa3d682eaa85d1593c01d170429 Mon Sep 17 00:00:00 2001
+From 206272ccede7e6fac5d7fda30ea305349b8ad781 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Tue, 7 Oct 2014 13:22:41 +0100
 Subject: Restore TCP wrappers support
@@ -28,7 +28,7 @@ Patch-Name: restore-tcp-wrappers.patch
  3 files changed, 89 insertions(+)
 
 diff --git a/configure.ac b/configure.ac
-index df21693..4d55c46 100644
+index 7a25603..128889a 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
@@ -94,7 +94,7 @@ index df21693..4d55c46 100644
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -4928,6 +4984,7 @@ echo "                 KerberosV support: $KRB5_MSG"
+@@ -4953,6 +5009,7 @@ echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"
  echo "                 Smartcard support: $SCARD_MSG"
  echo "                     S/KEY support: $SKEY_MSG"
@@ -103,10 +103,10 @@ index df21693..4d55c46 100644
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
 diff --git a/sshd.8 b/sshd.8
-index dcf20f0..5afd10f 100644
+index 213b5fc..2105979 100644
 --- a/sshd.8
 +++ b/sshd.8
-@@ -853,6 +853,12 @@ the user's home directory becomes accessible.
+@@ -850,6 +850,12 @@ the user's home directory becomes accessible.
  This file should be writable only by the user, and need not be
  readable by anyone else.
  .Pp
@@ -119,7 +119,7 @@ index dcf20f0..5afd10f 100644
  .It Pa /etc/hosts.equiv
  This file is for host-based authentication (see
  .Xr ssh 1 ) .
-@@ -956,6 +962,7 @@ The content of this file is not sensitive; it can be world-readable.
+@@ -953,6 +959,7 @@ The content of this file is not sensitive; it can be world-readable.
  .Xr ssh-keygen 1 ,
  .Xr ssh-keyscan 1 ,
  .Xr chroot 2 ,
@@ -128,10 +128,10 @@ index dcf20f0..5afd10f 100644
  .Xr moduli 5 ,
  .Xr sshd_config 5 ,
 diff --git a/sshd.c b/sshd.c
-index 6b85e6c..186ad55 100644
+index 32adb1f..4d8a5e8 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -129,6 +129,13 @@
+@@ -130,6 +130,13 @@
  #include <Security/AuthSession.h>
  #endif
  
@@ -145,7 +145,7 @@ index 6b85e6c..186ad55 100644
  #ifndef O_NOCTTY
  #define O_NOCTTY       0
  #endif
-@@ -2141,6 +2148,24 @@ main(int ac, char **av)
+@@ -2145,6 +2152,24 @@ main(int ac, char **av)
  #ifdef SSH_AUDIT_EVENTS
         audit_connection_from(remote_ip, remote_port);
  #endif
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index 04ba23411..ec9c62e6b 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From 3ed0b40149ad6ae1bae649d64e69614b8520cd84 Mon Sep 17 00:00:00 2001
+From 39649ea621545db3692a0ecdb2e3e9bf1bec21d5 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 94496e34c..a8b214fb4 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From a12d63c53c0eb8926f64580eec2e4ccc57ee6f5c Mon Sep 17 00:00:00 2001
+From 10dec1266aa5cf1ad906b1bef6f67edc322c00cb Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -113,7 +113,7 @@ index 3f49bdc..6eb3cc7 100644
                 if (auth2_setup_methods_lists(authctxt) != 0)
                         packet_disconnect("no authentication methods enabled");
 diff --git a/monitor.c b/monitor.c
-index bdc2972..3a3d2f0 100644
+index 2658aaa..c063ad1 100644
 --- a/monitor.c
 +++ b/monitor.c
 @@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
@@ -203,7 +203,7 @@ index bc50ade..2d82b8b 100644
  
  struct mm_master;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 71e7c08..6ae72a0 100644
+index 81ceddb..6799911 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
 @@ -327,10 +327,10 @@ mm_auth2_read_banner(void)
@@ -265,7 +265,7 @@ index 9758290..57e740f 100644
  char *mm_auth2_read_banner(void);
  int mm_auth_password(struct Authctxt *, char *);
 diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
-index 4637a7a..de6ad3f 100644
+index f36999d..f9cdc15 100644
 --- a/openbsd-compat/port-linux.c
 +++ b/openbsd-compat/port-linux.c
 @@ -29,6 +29,12 @@
@@ -458,10 +458,10 @@ index 6a2f35e..ef6593c 100644
                        const char *value);
  
 diff --git a/sshd.c b/sshd.c
-index 186ad55..9ff9e8b 100644
+index 4d8a5e8..f60c9e0 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -781,7 +781,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -782,7 +782,7 @@ privsep_postauth(Authctxt *authctxt)
         explicit_bzero(rnd, sizeof(rnd));
  
         /* Drop privileges */
@@ -471,7 +471,7 @@ index 186ad55..9ff9e8b 100644
   skip:
         /* It is safe now to apply the key state */
 diff --git a/sshpty.c b/sshpty.c
-index 7bb7641..0e32b39 100644
+index 15da8c6..e89efb7 100644
 --- a/sshpty.c
 +++ b/sshpty.c
 @@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
diff --git a/debian/patches/series b/debian/patches/series
index b6538a45a..b37955563 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,8 +26,3 @@ no-openssl-version-status.patch
 gnome-ssh-askpass2-icon.patch
 sigstop.patch
 debian-config.patch
-backport-fix-pty-permissions.patch
-backport-do-not-resend-username-to-pam.patch
-backport-pam-use-after-free.patch
-backport-kbdint-duplicates.patch
-backport-regress-principals-command-noexec.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 2c8c17bca..d75268651 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From 120a9e949da169bd8672f58a66160730c2763db6 Mon Sep 17 00:00:00 2001
+From e6ac786efa1922c3a4846023b85b4425c3b27624 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index f568ebf3d..07cc502ea 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
-From 18a9869659a7e7f3bde44fa2d26599844baece2c Mon Sep 17 00:00:00 2001
+From 28b42c7cc08dd3dbdc149281912a41ae65594301 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:17 +0000
 Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -13,10 +13,10 @@ Patch-Name: sigstop.patch
  1 file changed, 10 insertions(+)
 
 diff --git a/sshd.c b/sshd.c
-index 7886d0e..cc8ecaf 100644
+index d9f5199..b345c9f 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -2038,6 +2038,16 @@ main(int ac, char **av)
+@@ -2042,6 +2042,16 @@ main(int ac, char **av)
                         }
                 }
  
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 4c5d39dc1..5cabd8ead 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From 751acd3741de0e2ae2dbd32cc5970981cb6382da Mon Sep 17 00:00:00 2001
+From ffd0bdfb5e16b792de4f98ca19f94d9e2fb8b281 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 174d321df..e2c977c72 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From eb8700714181bd9e84a110edfd5978a932622aa0 Mon Sep 17 00:00:00 2001
+From c243ac551b1f62aae59ee8ae29166fd410d4e9d4 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
  1 file changed, 1 insertion(+)
 
 diff --git a/ssh.1 b/ssh.1
-index c3e1266..2178863 100644
+index 4fba77f..05b7f10 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1487,6 +1487,7 @@ if an error occurred.
+@@ -1574,6 +1574,7 @@ if an error occurred.
  .Xr sftp 1 ,
  .Xr ssh-add 1 ,
  .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 07cdee7ce..8fb05d4c4 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From 654750762053d631bd1e1176c230eaeaad9b4250 Mon Sep 17 00:00:00 2001
+From 89dd60ab74e7ebfe4f234c4068fa941479535d8e Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch
  2 files changed, 2 insertions(+)
 
 diff --git a/readconf.c b/readconf.c
-index 68dac76..85eea48 100644
+index 43b7570..522ad37 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -180,6 +180,7 @@ static struct {
+@@ -181,6 +181,7 @@ static struct {
         { "passwordauthentication", oPasswordAuthentication },
         { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
         { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -29,10 +29,10 @@ index 68dac76..85eea48 100644
         { "pubkeyauthentication", oPubkeyAuthentication },
         { "dsaauthentication", oPubkeyAuthentication },             /* alias */
 diff --git a/servconf.c b/servconf.c
-index 2f7f41e..8a5bd7b 100644
+index cfe7029..ed3a88d 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -510,6 +510,7 @@ static struct {
+@@ -522,6 +522,7 @@ static struct {
         { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
         { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
         { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index 705004567..cf414d4d5 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,4 +1,4 @@
-From 634f3188e7f3c104cc7b13a078059f15f3f4a68a Mon Sep 17 00:00:00 2001
+From f1b6288dd90b72d4cad7e65f35d05148a5ba1874 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:51 +0000
 Subject: Partial server keep-alive implementation for SSH1
@@ -13,10 +13,10 @@ Patch-Name: ssh1-keepalive.patch
  2 files changed, 19 insertions(+), 11 deletions(-)
 
 diff --git a/clientloop.c b/clientloop.c
-index 77d5498..964353d 100644
+index fba1b54..9e45d24 100644
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -577,16 +577,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
+@@ -578,16 +578,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
  static void
  server_alive_check(void)
  {
@@ -47,7 +47,7 @@ index 77d5498..964353d 100644
  }
  
  /*
-@@ -648,7 +653,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
+@@ -649,7 +654,7 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
          */
  
         timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */
@@ -57,10 +57,10 @@ index 77d5498..964353d 100644
                 server_alive_time = now + options.server_alive_interval;
         }
 diff --git a/ssh_config.5 b/ssh_config.5
-index 59ce400..e60a5b4 100644
+index b2dc49b..82dcf0c 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1416,7 +1416,10 @@ If, for example,
+@@ -1468,7 +1468,10 @@ If, for example,
  .Cm ServerAliveCountMax
  is left at the default, if the server becomes unresponsive,
  ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index dd8fe6904..aca618985 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From ff5dffb6e1e7b0c5cd6cf8f47fa89bcef10e666d Mon Sep 17 00:00:00 2001
+From 19ab567e88d730a6862aab3fb33e399a9c3f67b2 Mon Sep 17 00:00:00 2001
 From: Jonathan David Amery <jdamery@ysolde.ucam.org>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
@@ -21,10 +21,10 @@ Patch-Name: syslog-level-silent.patch
  2 files changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/log.c b/log.c
-index 32e1d2e..53e7b65 100644
+index ad12930..e68b84a 100644
 --- a/log.c
 +++ b/log.c
-@@ -94,6 +94,7 @@ static struct {
+@@ -93,6 +93,7 @@ static struct {
         LogLevel val;
  } log_levels[] =
  {
@@ -33,10 +33,10 @@ index 32e1d2e..53e7b65 100644
         { "FATAL",      SYSLOG_LEVEL_FATAL },
         { "ERROR",      SYSLOG_LEVEL_ERROR },
 diff --git a/ssh.c b/ssh.c
-index 3fd5a94..d99f7ef 100644
+index 59c1f93..712ea0e 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -1105,7 +1105,7 @@ main(int ac, char **av)
+@@ -1106,7 +1106,7 @@ main(int ac, char **av)
         /* Do not allocate a tty if stdin is not a tty. */
         if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
             options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index b43b0c9bb..b147b45eb 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From 113450cad7a19b997e51945f012539836bba6f17 Mon Sep 17 00:00:00 2001
+From d0e69ff6f823231b121af1fe8bbe9442bfed4fe8 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
@@ -52,10 +52,10 @@ index ee9e827..2ff2cff 100644
                             pw->pw_name, buf);
                         auth_debug_add("Bad file modes for %.200s", buf);
 diff --git a/auth.c b/auth.c
-index e6c094d..a99c475 100644
+index fc32f6c..8255d22 100644
 --- a/auth.c
 +++ b/auth.c
-@@ -422,8 +422,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
+@@ -424,8 +424,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
                 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
                 if (options.strict_modes &&
                     (stat(user_hostfile, &st) == 0) &&
@@ -65,7 +65,7 @@ index e6c094d..a99c475 100644
                         logit("Authentication refused for %.100s: "
                             "bad owner or modes for %.200s",
                             pw->pw_name, user_hostfile);
-@@ -485,8 +484,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
+@@ -487,8 +486,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
                 snprintf(err, errlen, "%s is not a regular file", buf);
                 return -1;
         }
@@ -75,7 +75,7 @@ index e6c094d..a99c475 100644
                 snprintf(err, errlen, "bad ownership or modes for file %s",
                     buf);
                 return -1;
-@@ -501,8 +499,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
+@@ -503,8 +501,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
                 strlcpy(buf, cp, sizeof(buf));
  
                 if (stat(buf, &st) < 0 ||
@@ -216,7 +216,7 @@ index f35ec39..9a23e6e 100644
 -       return 0;
 -}
 diff --git a/readconf.c b/readconf.c
-index 5c5890c..5f6c37f 100644
+index 46c343f..c0ba5a7 100644
 --- a/readconf.c
 +++ b/readconf.c
 @@ -39,6 +39,8 @@
@@ -239,10 +239,10 @@ index 5c5890c..5f6c37f 100644
         }
  
 diff --git a/ssh.1 b/ssh.1
-index df7ac86..c84196f 100644
+index 2ea0a20..ff80022 100644
 --- a/ssh.1
 +++ b/ssh.1
-@@ -1371,6 +1371,8 @@ The file format and configuration options are described in
+@@ -1458,6 +1458,8 @@ The file format and configuration options are described in
  .Xr ssh_config 5 .
  Because of the potential for abuse, this file must have strict permissions:
  read/write for the user, and not writable by others.
@@ -252,10 +252,10 @@ index df7ac86..c84196f 100644
  .It Pa ~/.ssh/environment
  Contains additional definitions for environment variables; see
 diff --git a/ssh_config.5 b/ssh_config.5
-index 67e0dff..4e799cf 100644
+index f517159..b07e866 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1708,6 +1708,8 @@ The format of this file is described above.
+@@ -1760,6 +1760,8 @@ The format of this file is described above.
  This file is used by the SSH client.
  Because of the potential for abuse, this file must have strict permissions:
  read/write for the user, and not accessible by others.