summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2017-04-02 01:26:17 +0100
committerColin Watson <cjwatson@debian.org>2017-04-02 01:54:08 +0100
commit20adc7e0fc13ff9c7d270db250aac1fa140e3851 (patch)
tree5d9f06b0ff195db88093037d9102f0cdcf3884c6 /debian
parentaf27669f905133925224acc753067dea710881dd (diff)
parentec338656a3d6b21bb87f3b6367b232d297f601e5 (diff)
New upstream release (7.5p1)
Diffstat (limited to 'debian')
-rw-r--r--debian/.git-dpm14
-rw-r--r--debian/NEWS23
-rw-r--r--debian/changelog81
-rw-r--r--debian/patches/auth-log-verbosity.patch14
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch6
-rw-r--r--debian/patches/debian-banner.patch16
-rw-r--r--debian/patches/debian-config.patch16
-rw-r--r--debian/patches/dnssec-sshfp.patch2
-rw-r--r--debian/patches/doc-hash-tab-completion.patch6
-rw-r--r--debian/patches/doc-upstart.patch4
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch118
-rw-r--r--debian/patches/keepalive-extensions.patch20
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch4
-rw-r--r--debian/patches/no-dsa-host-key-by-default.patch12
-rw-r--r--debian/patches/no-openssl-version-status.patch2
-rw-r--r--debian/patches/openbsd-docs.patch6
-rw-r--r--debian/patches/package-versioning.patch14
-rw-r--r--debian/patches/quieter-signals.patch4
-rw-r--r--debian/patches/regress-forwarding-race.patch115
-rw-r--r--debian/patches/regress-integrity-robust.patch27
-rw-r--r--debian/patches/regress-mktemp.patch167
-rw-r--r--debian/patches/restore-authorized_keys2.patch4
-rw-r--r--debian/patches/restore-tcp-wrappers.patch16
-rw-r--r--debian/patches/sandbox-x32-workaround.patch37
-rw-r--r--debian/patches/scp-quoting.patch2
-rw-r--r--debian/patches/selinux-role.patch22
-rw-r--r--debian/patches/series7
-rw-r--r--debian/patches/shell-path.patch4
-rw-r--r--debian/patches/sigstop.patch6
-rw-r--r--debian/patches/ssh-agent-setgid.patch2
-rw-r--r--debian/patches/ssh-argv0.patch2
-rw-r--r--debian/patches/ssh-keygen-hash-corruption.patch44
-rw-r--r--debian/patches/ssh-keygen-null-deref.patch31
-rw-r--r--debian/patches/ssh-keyscan-hash-port.patch48
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch20
-rw-r--r--debian/patches/syslog-level-silent.patch6
-rw-r--r--debian/patches/systemd-readiness.patch12
-rw-r--r--debian/patches/unbreak-unix-forwarding-for-root.patch80
-rw-r--r--debian/patches/user-group-modes.patch14
40 files changed, 294 insertions, 736 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 6c8df34b8..81a664a6f 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,8 +1,8 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
2904bc482ad87648a2c799c441dc6a8449f24e15a 2ec338656a3d6b21bb87f3b6367b232d297f601e5
3904bc482ad87648a2c799c441dc6a8449f24e15a 3ec338656a3d6b21bb87f3b6367b232d297f601e5
4971a7653746a6972b907dfe0ce139c06e4a6f482 46fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874
5971a7653746a6972b907dfe0ce139c06e4a6f482 56fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874
6openssh_7.4p1.orig.tar.gz 6openssh_7.5p1.orig.tar.gz
72330bbf82ed08cf3ac70e0acf00186ef3eeb97e0 75e8f185d00afb4f4f89801e9b0f8b9cee9d87ebd
81511780 81510857
diff --git a/debian/NEWS b/debian/NEWS
index 77c594c5a..51944d2df 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,26 @@
1openssh (1:7.5p1-1) UNRELEASED; urgency=medium
2
3 OpenSSH 7.5 includes a number of changes that may affect existing
4 configurations:
5
6 * This release deprecates the sshd_config UsePrivilegeSeparation option,
7 thereby making privilege separation mandatory.
8
9 * The format of several log messages emitted by the packet code has
10 changed to include additional information about the user and their
11 authentication state. Software that monitors ssh/sshd logs may need to
12 account for these changes. For example:
13
14 Connection closed by user x 1.1.1.1 port 1234 [preauth]
15 Connection closed by authenticating user x 10.1.1.1 port 1234 [preauth]
16 Connection closed by invalid user x 1.1.1.1 port 1234 [preauth]
17
18 Affected messages include connection closure, timeout, remote
19 disconnection, negotiation failure and some other fatal messages
20 generated by the packet code.
21
22 -- Colin Watson <cjwatson@debian.org> Sun, 02 Apr 2017 01:31:21 +0100
23
1openssh (1:7.4p1-7) unstable; urgency=medium 24openssh (1:7.4p1-7) unstable; urgency=medium
2 25
3 This version restores the default for AuthorizedKeysFile to search both 26 This version restores the default for AuthorizedKeysFile to search both
diff --git a/debian/changelog b/debian/changelog
index 7be0100c2..9202f5e3a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,84 @@
1openssh (1:7.5p1-1) UNRELEASED; urgency=medium
2
3 * New upstream release (https://www.openssh.com/txt/release-7.5):
4 - SECURITY: ssh(1), sshd(8): Fix weakness in CBC padding oracle
5 countermeasures that allowed a variant of the attack fixed in OpenSSH
6 7.3 to proceed. Note that the OpenSSH client disables CBC ciphers by
7 default, sshd offers them as lowest-preference options and will remove
8 them by default entirely in the next release.
9 - This release deprecates the sshd_config UsePrivilegeSeparation option,
10 thereby making privilege separation mandatory (closes: #407754).
11 - The format of several log messages emitted by the packet code has
12 changed to include additional information about the user and their
13 authentication state. Software that monitors ssh/sshd logs may need
14 to account for these changes.
15 - ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
16 algorithm lists, e.g. Ciphers=-*cbc.
17 - sshd(1): Fix NULL dereference crash when key exchange start messages
18 are sent out of sequence.
19 - ssh(1), sshd(8): Allow form-feed characters to appear in configuration
20 files.
21 - sshd(8): Fix regression in OpenSSH 7.4 support for the server-sig-algs
22 extension, where SHA2 RSA signature methods were not being correctly
23 advertised.
24 - ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
25 known_hosts processing.
26 - ssh(1): Allow ssh to use certificates accompanied by a private key
27 file but no corresponding plain *.pub public key.
28 - ssh(1): When updating hostkeys using the UpdateHostKeys option, accept
29 RSA keys if HostkeyAlgorithms contains any RSA keytype. Previously,
30 ssh could ignore RSA keys when only the ssh-rsa-sha2-* methods were
31 enabled in HostkeyAlgorithms and not the old ssh-rsa method.
32 - ssh(1): Detect and report excessively long configuration file lines.
33 - Merge a number of fixes found by Coverity and reported via Redhat and
34 FreeBSD. Includes fixes for some memory and file descriptor leaks in
35 error paths.
36 - ssh(1), sshd(8): When logging long messages to stderr, don't truncate
37 "\r\n" if the length of the message exceeds the buffer.
38 - ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
39 line; avoid confusion over IPv6 addresses and shells that treat square
40 bracket characters specially.
41 - Fix various fallout and sharp edges caused by removing SSH protocol 1
42 support from the server, including the server banner string being
43 incorrectly terminated with only \n (instead of \r\n), confusing error
44 messages from ssh-keyscan, and a segfault in sshd if protocol v.1 was
45 enabled for the client and sshd_config contained references to legacy
46 keys.
47 - ssh(1), sshd(8): Free fd_set on connection timeout.
48 - sftp(1): Fix division by zero crash in "df" output when server returns
49 zero total filesystem blocks/inodes.
50 - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
51 encountered during key loading to more meaningful error codes.
52 - ssh-keygen(1): Sanitise escape sequences in key comments sent to
53 printf but preserve valid UTF-8 when the locale supports it.
54 - ssh(1), sshd(8): Return reason for port forwarding failures where
55 feasible rather than always "administratively prohibited".
56 - sshd(8): Fix deadlock when AuthorizedKeysCommand or
57 AuthorizedPrincipalsCommand produces a lot of output and a key is
58 matched early.
59 - ssh(1): Fix typo in ~C error message for bad port forward
60 cancellation.
61 - ssh(1): Show a useful error message when included config files can't
62 be opened.
63 - sshd_config(5): Repair accidentally-deleted mention of %k token in
64 AuthorizedKeysCommand.
65 - sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM.
66 - ssh-agent(1): Relax PKCS#11 whitelist to include libexec and common
67 32-bit compatibility library directories.
68 - sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
69 response handling.
70 - ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted keys.
71 It was not possible to delete them except by specifying their full
72 physical path.
73 - sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA
74 crypto coprocessor.
75 - sshd(8): Fix non-exploitable weakness in seccomp-bpf sandbox arg
76 inspection.
77 - ssh-keygen(1), ssh(1), sftp(1): Fix output truncation for various that
78 contain non-printable characters where the codeset in use is ASCII.
79
80 -- Colin Watson <cjwatson@debian.org> Sun, 02 Apr 2017 01:31:21 +0100
81
1openssh (1:7.4p1-10) unstable; urgency=medium 82openssh (1:7.4p1-10) unstable; urgency=medium
2 83
3 * Move privilege separation directory and PID file from /var/run/ to /run/ 84 * Move privilege separation directory and PID file from /var/run/ to /run/
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index cf6febf31..6b5653ca7 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
1From b2b04daa38b264f346acd81e08d224dbf33bac5b Mon Sep 17 00:00:00 2001 1From e08f96cf1105a3ee9a23de7102d593443e031e0c Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:02 +0000 3Date: Sun, 9 Feb 2014 16:10:02 +0000
4Subject: Quieten logs when multiple from= restrictions are used 4Subject: Quieten logs when multiple from= restrictions are used
@@ -90,18 +90,18 @@ index 52cbb42a..82355276 100644
90 void auth_clear_options(void); 90 void auth_clear_options(void);
91 int auth_cert_options(struct sshkey *, struct passwd *, const char **); 91 int auth_cert_options(struct sshkey *, struct passwd *, const char **);
92diff --git a/auth2-pubkey.c b/auth2-pubkey.c 92diff --git a/auth2-pubkey.c b/auth2-pubkey.c
93index 20f3309e..add77136 100644 93index 3e5706f4..6dc5076e 100644
94--- a/auth2-pubkey.c 94--- a/auth2-pubkey.c
95+++ b/auth2-pubkey.c 95+++ b/auth2-pubkey.c
96@@ -566,6 +566,7 @@ process_principals(FILE *f, char *file, struct passwd *pw, 96@@ -566,6 +566,7 @@ process_principals(FILE *f, char *file, struct passwd *pw,
97 u_long linenum = 0; 97 u_long linenum = 0;
98 u_int i; 98 u_int i, found_principal = 0;
99 99
100+ auth_start_parse_options(); 100+ auth_start_parse_options();
101 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 101 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
102 /* Skip leading whitespace. */ 102 /* Always consume entire input */
103 for (cp = line; *cp == ' ' || *cp == '\t'; cp++) 103 if (found_principal)
104@@ -764,6 +765,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) 104@@ -771,6 +772,7 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
105 found_key = 0; 105 found_key = 0;
106 106
107 found = NULL; 107 found = NULL;
@@ -109,7 +109,7 @@ index 20f3309e..add77136 100644
109 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { 109 while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
110 char *cp, *key_options = NULL, *fp = NULL; 110 char *cp, *key_options = NULL, *fp = NULL;
111 const char *reason = NULL; 111 const char *reason = NULL;
112@@ -911,6 +913,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) 112@@ -921,6 +923,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
113 if (key_cert_check_authority(key, 0, 1, 113 if (key_cert_check_authority(key, 0, 1,
114 use_authorized_principals ? NULL : pw->pw_name, &reason) != 0) 114 use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
115 goto fail_reason; 115 goto fail_reason;
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index a3306e339..1875385e8 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
1From 7ad6dd01af3f4531ccc8e918bc857738e195fd3d Mon Sep 17 00:00:00 2001 1From 983412e0c80c406705e3c65402868b0d15d8695b Mon Sep 17 00:00:00 2001
2From: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000 3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8) 4Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch
13 1 file changed, 1 insertion(+) 13 1 file changed, 1 insertion(+)
14 14
15diff --git a/Makefile.in b/Makefile.in 15diff --git a/Makefile.in b/Makefile.in
16index 00a320e1..a6eb81ec 100644 16index 6b774c1a..0577a6c4 100644
17--- a/Makefile.in 17--- a/Makefile.in
18+++ b/Makefile.in 18+++ b/Makefile.in
19@@ -335,6 +335,7 @@ install-files: 19@@ -339,6 +339,7 @@ install-files:
20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 20 $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 21 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 22 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 874728b02..784cdf746 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
1From 2a1aeb898e4214f98acc210c992d33334e6710dd Mon Sep 17 00:00:00 2001 1From ddf05e4adc7feda2421bdf641bab79b76c1a918e Mon Sep 17 00:00:00 2001
2From: Kees Cook <kees@debian.org> 2From: Kees Cook <kees@debian.org>
3Date: Sun, 9 Feb 2014 16:10:06 +0000 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Subject: Add DebianBanner server configuration option 4Subject: Add DebianBanner server configuration option
@@ -19,7 +19,7 @@ Patch-Name: debian-banner.patch
19 4 files changed, 18 insertions(+), 1 deletion(-) 19 4 files changed, 18 insertions(+), 1 deletion(-)
20 20
21diff --git a/servconf.c b/servconf.c 21diff --git a/servconf.c b/servconf.c
22index 49d3bdc8..1cee3d6c 100644 22index ca73f7c5..a391cf4b 100644
23--- a/servconf.c 23--- a/servconf.c
24+++ b/servconf.c 24+++ b/servconf.c
25@@ -166,6 +166,7 @@ initialize_server_options(ServerOptions *options) 25@@ -166,6 +166,7 @@ initialize_server_options(ServerOptions *options)
@@ -55,7 +55,7 @@ index 49d3bdc8..1cee3d6c 100644
55 { NULL, sBadOption, 0 } 55 { NULL, sBadOption, 0 }
56 }; 56 };
57 57
58@@ -1860,6 +1865,10 @@ process_server_config_line(ServerOptions *options, char *line, 58@@ -1866,6 +1871,10 @@ process_server_config_line(ServerOptions *options, char *line,
59 options->fingerprint_hash = value; 59 options->fingerprint_hash = value;
60 break; 60 break;
61 61
@@ -80,24 +80,24 @@ index 90dfa4c2..913a21b3 100644
80 80
81 /* Information about the incoming connection as used by Match */ 81 /* Information about the incoming connection as used by Match */
82diff --git a/sshd.c b/sshd.c 82diff --git a/sshd.c b/sshd.c
83index 49f3a2e5..eebf1984 100644 83index 602f4740..f2f54b51 100644
84--- a/sshd.c 84--- a/sshd.c
85+++ b/sshd.c 85+++ b/sshd.c
86@@ -378,7 +378,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 86@@ -378,7 +378,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
87 char remote_version[256]; /* Must be at least as big as buf. */ 87 char remote_version[256]; /* Must be at least as big as buf. */
88 88
89 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 89 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
90- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, 90- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
91+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, 91+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
92+ options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, 92+ options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
93 *options.version_addendum == '\0' ? "" : " ", 93 *options.version_addendum == '\0' ? "" : " ",
94 options.version_addendum, newline); 94 options.version_addendum);
95 95
96diff --git a/sshd_config.5 b/sshd_config.5 96diff --git a/sshd_config.5 b/sshd_config.5
97index 283ba889..4ea0a9c3 100644 97index 41ec6688..5f316481 100644
98--- a/sshd_config.5 98--- a/sshd_config.5
99+++ b/sshd_config.5 99+++ b/sshd_config.5
100@@ -526,6 +526,11 @@ or 100@@ -530,6 +530,11 @@ or
101 .Cm no . 101 .Cm no .
102 The default is 102 The default is
103 .Cm yes . 103 .Cm yes .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index ff3f5f42d..b8483b4e9 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From 2b53482aec037f0747198f19e449f51d921acd30 Mon Sep 17 00:00:00 2001 1From 78fc8282e021b0236697caedb612cab78831755f Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
@@ -39,10 +39,10 @@ Patch-Name: debian-config.patch
39 6 files changed, 77 insertions(+), 9 deletions(-) 39 6 files changed, 77 insertions(+), 9 deletions(-)
40 40
41diff --git a/readconf.c b/readconf.c 41diff --git a/readconf.c b/readconf.c
42index c02cdf63..d1091cbd 100644 42index 70fac682..4d92d174 100644
43--- a/readconf.c 43--- a/readconf.c
44+++ b/readconf.c 44+++ b/readconf.c
45@@ -1927,7 +1927,7 @@ fill_default_options(Options * options) 45@@ -1950,7 +1950,7 @@ fill_default_options(Options * options)
46 if (options->forward_x11 == -1) 46 if (options->forward_x11 == -1)
47 options->forward_x11 = 0; 47 options->forward_x11 = 0;
48 if (options->forward_x11_trusted == -1) 48 if (options->forward_x11_trusted == -1)
@@ -114,7 +114,7 @@ index 4e879cd2..093c8366 100644
114+ HashKnownHosts yes 114+ HashKnownHosts yes
115+ GSSAPIAuthentication yes 115+ GSSAPIAuthentication yes
116diff --git a/ssh_config.5 b/ssh_config.5 116diff --git a/ssh_config.5 b/ssh_config.5
117index 8698c28e..26f983a3 100644 117index 093ea8a7..fc13fa51 100644
118--- a/ssh_config.5 118--- a/ssh_config.5
119+++ b/ssh_config.5 119+++ b/ssh_config.5
120@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more 120@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
@@ -140,7 +140,7 @@ index 8698c28e..26f983a3 100644
140 The file contains keyword-argument pairs, one per line. 140 The file contains keyword-argument pairs, one per line.
141 Lines starting with 141 Lines starting with
142 .Ql # 142 .Ql #
143@@ -711,11 +727,12 @@ elapsed. 143@@ -715,11 +731,12 @@ elapsed.
144 .It Cm ForwardX11Trusted 144 .It Cm ForwardX11Trusted
145 If this option is set to 145 If this option is set to
146 .Cm yes , 146 .Cm yes ,
@@ -155,7 +155,7 @@ index 8698c28e..26f983a3 100644
155 from stealing or tampering with data belonging to trusted X11 155 from stealing or tampering with data belonging to trusted X11
156 clients. 156 clients.
157diff --git a/sshd_config b/sshd_config 157diff --git a/sshd_config b/sshd_config
158index 00e5a728..13cbe2c6 100644 158index c01dd656..f68edf36 100644
159--- a/sshd_config 159--- a/sshd_config
160+++ b/sshd_config 160+++ b/sshd_config
161@@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys 161@@ -58,8 +58,9 @@ AuthorizedKeysFile .ssh/authorized_keys
@@ -190,7 +190,7 @@ index 00e5a728..13cbe2c6 100644
190 #PrintLastLog yes 190 #PrintLastLog yes
191 #TCPKeepAlive yes 191 #TCPKeepAlive yes
192 #UseLogin no 192 #UseLogin no
193@@ -110,8 +111,11 @@ AuthorizedKeysFile .ssh/authorized_keys 193@@ -109,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys
194 # no default banner path 194 # no default banner path
195 #Banner none 195 #Banner none
196 196
@@ -204,7 +204,7 @@ index 00e5a728..13cbe2c6 100644
204 # Example of overriding settings on a per-user basis 204 # Example of overriding settings on a per-user basis
205 #Match User anoncvs 205 #Match User anoncvs
206diff --git a/sshd_config.5 b/sshd_config.5 206diff --git a/sshd_config.5 b/sshd_config.5
207index e45a8937..703a9cdd 100644 207index 603c2ba7..cc5d9fb0 100644
208--- a/sshd_config.5 208--- a/sshd_config.5
209+++ b/sshd_config.5 209+++ b/sshd_config.5
210@@ -57,6 +57,28 @@ Arguments may optionally be enclosed in double quotes 210@@ -57,6 +57,28 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 2e2f9610d..8f1f9bada 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
1From c1248ea6dcbbf5702d65efc1750763f66a97ba19 Mon Sep 17 00:00:00 2001 1From 1e06dfb99d3a59ef0b0a804ed1c2a590b3fab71c Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000 3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 814d8ad7b..7af55869b 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
1From 87e480b4f405f3249d7f8a912849eb6263456353 Mon Sep 17 00:00:00 2001 1From 0d5ad9fa8d9270ddaaed964edac35b99e7eed067 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000 3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion 4Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
13 1 file changed, 3 insertions(+) 13 1 file changed, 3 insertions(+)
14 14
15diff --git a/ssh_config.5 b/ssh_config.5 15diff --git a/ssh_config.5 b/ssh_config.5
16index 0483a1ee..8698c28e 100644 16index a04e5757..093ea8a7 100644
17--- a/ssh_config.5 17--- a/ssh_config.5
18+++ b/ssh_config.5 18+++ b/ssh_config.5
19@@ -805,6 +805,9 @@ Note that existing names and addresses in known hosts files 19@@ -809,6 +809,9 @@ Note that existing names and addresses in known hosts files
20 will not be converted automatically, 20 will not be converted automatically,
21 but may be manually hashed using 21 but may be manually hashed using
22 .Xr ssh-keygen 1 . 22 .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index 14d6ff88d..37e9b09d6 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
1From 7ea8a3c1e0c2ff4998b3fe3caaaba8ff42e513ff Mon Sep 17 00:00:00 2001 1From d35329b23dd567076999470e346f49ef6e56f367 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:12 +0000 3Date: Sun, 9 Feb 2014 16:10:12 +0000
4Subject: Refer to ssh's Upstart job as well as its init script 4Subject: Refer to ssh's Upstart job as well as its init script
@@ -12,7 +12,7 @@ Patch-Name: doc-upstart.patch
12 1 file changed, 4 insertions(+), 1 deletion(-) 12 1 file changed, 4 insertions(+), 1 deletion(-)
13 13
14diff --git a/sshd.8 b/sshd.8 14diff --git a/sshd.8 b/sshd.8
15index e6915141..38a72540 100644 15index 6355178f..dd4b8fc3 100644
16--- a/sshd.8 16--- a/sshd.8
17+++ b/sshd.8 17+++ b/sshd.8
18@@ -65,7 +65,10 @@ over an insecure network. 18@@ -65,7 +65,10 @@ over an insecure network.
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 1558dbd8f..079169d5f 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
1From 0327e9b3a5f6d1e945f1f028e742e14cf5823962 Mon Sep 17 00:00:00 2001 1From abf7f03362e0cc4855355a7b7c9b76b6963a75cd Mon Sep 17 00:00:00 2001
2From: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000 3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon 4Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 7196d16b6..c74926dc6 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From 48fbb156bdc676fb6ba6817770e4e971fbf85b1f Mon Sep 17 00:00:00 2001 1From d51c7ac3328464dec21514fb398ab5c140a0664f Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -43,9 +43,9 @@ Patch-Name: gssapi.patch
43 monitor.h | 3 + 43 monitor.h | 3 +
44 monitor_wrap.c | 47 +++++++- 44 monitor_wrap.c | 47 +++++++-
45 monitor_wrap.h | 4 +- 45 monitor_wrap.h | 4 +-
46 readconf.c | 42 +++++++ 46 readconf.c | 43 +++++++
47 readconf.h | 5 + 47 readconf.h | 5 +
48 servconf.c | 28 ++++- 48 servconf.c | 26 +++++
49 servconf.h | 2 + 49 servconf.h | 2 +
50 ssh-gss.h | 41 ++++++- 50 ssh-gss.h | 41 ++++++-
51 ssh_config | 2 + 51 ssh_config | 2 +
@@ -56,7 +56,7 @@ Patch-Name: gssapi.patch
56 sshd_config.5 | 10 ++ 56 sshd_config.5 | 10 ++
57 sshkey.c | 3 +- 57 sshkey.c | 3 +-
58 sshkey.h | 1 + 58 sshkey.h | 1 +
59 35 files changed, 2062 insertions(+), 148 deletions(-) 59 35 files changed, 2062 insertions(+), 147 deletions(-)
60 create mode 100644 ChangeLog.gssapi 60 create mode 100644 ChangeLog.gssapi
61 create mode 100644 kexgssc.c 61 create mode 100644 kexgssc.c
62 create mode 100644 kexgsss.c 62 create mode 100644 kexgsss.c
@@ -181,7 +181,7 @@ index 00000000..f117a336
181+ (from jbasney AT ncsa.uiuc.edu) 181+ (from jbasney AT ncsa.uiuc.edu)
182+ <gssapi-with-mic support is Bugzilla #1008> 182+ <gssapi-with-mic support is Bugzilla #1008>
183diff --git a/Makefile.in b/Makefile.in 183diff --git a/Makefile.in b/Makefile.in
184index e10f3742..00a320e1 100644 184index 5870e9e6..6b774c1a 100644
185--- a/Makefile.in 185--- a/Makefile.in
186+++ b/Makefile.in 186+++ b/Makefile.in
187@@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ 187@@ -92,6 +92,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -454,7 +454,7 @@ index 1ca83577..3b5036df 100644
454 "gssapi-with-mic", 454 "gssapi-with-mic",
455 userauth_gssapi, 455 userauth_gssapi,
456diff --git a/auth2.c b/auth2.c 456diff --git a/auth2.c b/auth2.c
457index 9108b861..ce0d3760 100644 457index 97dd2ef0..946e9235 100644
458--- a/auth2.c 458--- a/auth2.c
459+++ b/auth2.c 459+++ b/auth2.c
460@@ -70,6 +70,7 @@ extern Authmethod method_passwd; 460@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
@@ -592,7 +592,7 @@ index 26d62855..0cadc9f1 100644
592 int get_peer_port(int); 592 int get_peer_port(int);
593 char *get_local_ipaddr(int); 593 char *get_local_ipaddr(int);
594diff --git a/clientloop.c b/clientloop.c 594diff --git a/clientloop.c b/clientloop.c
595index 4289a408..99c68b69 100644 595index 06481623..38b0330e 100644
596--- a/clientloop.c 596--- a/clientloop.c
597+++ b/clientloop.c 597+++ b/clientloop.c
598@@ -113,6 +113,10 @@ 598@@ -113,6 +113,10 @@
@@ -627,10 +627,10 @@ index 4289a408..99c68b69 100644
627 client_process_net_input(readset); 627 client_process_net_input(readset);
628 628
629diff --git a/config.h.in b/config.h.in 629diff --git a/config.h.in b/config.h.in
630index 75e02ab4..afe540e9 100644 630index b65420e4..fd8a73f1 100644
631--- a/config.h.in 631--- a/config.h.in
632+++ b/config.h.in 632+++ b/config.h.in
633@@ -1667,6 +1667,9 @@ 633@@ -1670,6 +1670,9 @@
634 /* Use btmp to log bad logins */ 634 /* Use btmp to log bad logins */
635 #undef USE_BTMP 635 #undef USE_BTMP
636 636
@@ -640,7 +640,7 @@ index 75e02ab4..afe540e9 100644
640 /* Use libedit for sftp */ 640 /* Use libedit for sftp */
641 #undef USE_LIBEDIT 641 #undef USE_LIBEDIT
642 642
643@@ -1682,6 +1685,9 @@ 643@@ -1685,6 +1688,9 @@
644 /* Use PIPES instead of a socketpair() */ 644 /* Use PIPES instead of a socketpair() */
645 #undef USE_PIPES 645 #undef USE_PIPES
646 646
@@ -651,7 +651,7 @@ index 75e02ab4..afe540e9 100644
651 #undef USE_SOLARIS_PRIVS 651 #undef USE_SOLARIS_PRIVS
652 652
653diff --git a/configure.ac b/configure.ac 653diff --git a/configure.ac b/configure.ac
654index eb9f45dc..5fdc696c 100644 654index c2878e3d..ead34acf 100644
655--- a/configure.ac 655--- a/configure.ac
656+++ b/configure.ac 656+++ b/configure.ac
657@@ -623,6 +623,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 657@@ -623,6 +623,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -1433,7 +1433,7 @@ index 53993d67..2e27cbf9 100644
1433 1433
1434 #endif 1434 #endif
1435diff --git a/kex.c b/kex.c 1435diff --git a/kex.c b/kex.c
1436index 6a94bc53..d8708684 100644 1436index cf4ac0dc..556a32e9 100644
1437--- a/kex.c 1437--- a/kex.c
1438+++ b/kex.c 1438+++ b/kex.c
1439@@ -54,6 +54,10 @@ 1439@@ -54,6 +54,10 @@
@@ -1473,7 +1473,7 @@ index 6a94bc53..d8708684 100644
1473 return NULL; 1473 return NULL;
1474 } 1474 }
1475 1475
1476@@ -597,6 +613,9 @@ kex_free(struct kex *kex) 1476@@ -605,6 +621,9 @@ kex_free(struct kex *kex)
1477 sshbuf_free(kex->peer); 1477 sshbuf_free(kex->peer);
1478 sshbuf_free(kex->my); 1478 sshbuf_free(kex->my);
1479 free(kex->session_id); 1479 free(kex->session_id);
@@ -2168,7 +2168,7 @@ index 00000000..38ca082b
2168+} 2168+}
2169+#endif /* GSSAPI */ 2169+#endif /* GSSAPI */
2170diff --git a/monitor.c b/monitor.c 2170diff --git a/monitor.c b/monitor.c
2171index 43f48470..76d9e346 100644 2171index 96d22b7e..506645c7 100644
2172--- a/monitor.c 2172--- a/monitor.c
2173+++ b/monitor.c 2173+++ b/monitor.c
2174@@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); 2174@@ -157,6 +157,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
@@ -2199,7 +2199,7 @@ index 43f48470..76d9e346 100644
2199 #ifdef WITH_OPENSSL 2199 #ifdef WITH_OPENSSL
2200 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2200 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2201 #endif 2201 #endif
2202@@ -301,6 +310,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) 2202@@ -302,6 +311,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
2203 /* Permit requests for moduli and signatures */ 2203 /* Permit requests for moduli and signatures */
2204 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2204 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2205 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2205 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2210,7 +2210,7 @@ index 43f48470..76d9e346 100644
2210 2210
2211 /* The first few requests do not require asynchronous access */ 2211 /* The first few requests do not require asynchronous access */
2212 while (!authenticated) { 2212 while (!authenticated) {
2213@@ -400,6 +413,10 @@ monitor_child_postauth(struct monitor *pmonitor) 2213@@ -402,6 +415,10 @@ monitor_child_postauth(struct monitor *pmonitor)
2214 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2214 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2215 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2215 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2216 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2216 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2221,7 +2221,7 @@ index 43f48470..76d9e346 100644
2221 2221
2222 if (!no_pty_flag) { 2222 if (!no_pty_flag) {
2223 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 2223 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
2224@@ -1601,6 +1618,13 @@ monitor_apply_keystate(struct monitor *pmonitor) 2224@@ -1606,6 +1623,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
2225 # endif 2225 # endif
2226 #endif /* WITH_OPENSSL */ 2226 #endif /* WITH_OPENSSL */
2227 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2227 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2235,7 +2235,7 @@ index 43f48470..76d9e346 100644
2235 kex->load_host_public_key=&get_hostkey_public_by_type; 2235 kex->load_host_public_key=&get_hostkey_public_by_type;
2236 kex->load_host_private_key=&get_hostkey_private_by_type; 2236 kex->load_host_private_key=&get_hostkey_private_by_type;
2237 kex->host_key_index=&get_hostkey_index; 2237 kex->host_key_index=&get_hostkey_index;
2238@@ -1680,8 +1704,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) 2238@@ -1685,8 +1709,8 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
2239 OM_uint32 major; 2239 OM_uint32 major;
2240 u_int len; 2240 u_int len;
2241 2241
@@ -2246,7 +2246,7 @@ index 43f48470..76d9e346 100644
2246 2246
2247 goid.elements = buffer_get_string(m, &len); 2247 goid.elements = buffer_get_string(m, &len);
2248 goid.length = len; 2248 goid.length = len;
2249@@ -1710,8 +1734,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2249@@ -1715,8 +1739,8 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2250 OM_uint32 flags = 0; /* GSI needs this */ 2250 OM_uint32 flags = 0; /* GSI needs this */
2251 u_int len; 2251 u_int len;
2252 2252
@@ -2257,7 +2257,7 @@ index 43f48470..76d9e346 100644
2257 2257
2258 in.value = buffer_get_string(m, &len); 2258 in.value = buffer_get_string(m, &len);
2259 in.length = len; 2259 in.length = len;
2260@@ -1730,6 +1754,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) 2260@@ -1735,6 +1759,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
2261 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2261 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2262 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2262 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2263 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2263 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2265,7 +2265,7 @@ index 43f48470..76d9e346 100644
2265 } 2265 }
2266 return (0); 2266 return (0);
2267 } 2267 }
2268@@ -1741,8 +1766,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m) 2268@@ -1746,8 +1771,8 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
2269 OM_uint32 ret; 2269 OM_uint32 ret;
2270 u_int len; 2270 u_int len;
2271 2271
@@ -2276,7 +2276,7 @@ index 43f48470..76d9e346 100644
2276 2276
2277 gssbuf.value = buffer_get_string(m, &len); 2277 gssbuf.value = buffer_get_string(m, &len);
2278 gssbuf.length = len; 2278 gssbuf.length = len;
2279@@ -1770,10 +1795,11 @@ mm_answer_gss_userok(int sock, Buffer *m) 2279@@ -1775,10 +1800,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
2280 { 2280 {
2281 int authenticated; 2281 int authenticated;
2282 2282
@@ -2291,7 +2291,7 @@ index 43f48470..76d9e346 100644
2291 2291
2292 buffer_clear(m); 2292 buffer_clear(m);
2293 buffer_put_int(m, authenticated); 2293 buffer_put_int(m, authenticated);
2294@@ -1786,5 +1812,76 @@ mm_answer_gss_userok(int sock, Buffer *m) 2294@@ -1791,5 +1817,76 @@ mm_answer_gss_userok(int sock, Buffer *m)
2295 /* Monitor loop will terminate if authenticated */ 2295 /* Monitor loop will terminate if authenticated */
2296 return (authenticated); 2296 return (authenticated);
2297 } 2297 }
@@ -2463,7 +2463,7 @@ index db5902f5..8f9dd896 100644
2463 2463
2464 #ifdef USE_PAM 2464 #ifdef USE_PAM
2465diff --git a/readconf.c b/readconf.c 2465diff --git a/readconf.c b/readconf.c
2466index fa3fab8f..7902ef26 100644 2466index 9d59493f..00d9cc30 100644
2467--- a/readconf.c 2467--- a/readconf.c
2468+++ b/readconf.c 2468+++ b/readconf.c
2469@@ -160,6 +160,8 @@ typedef enum { 2469@@ -160,6 +160,8 @@ typedef enum {
@@ -2475,8 +2475,8 @@ index fa3fab8f..7902ef26 100644
2475 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, 2475 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
2476 oSendEnv, oControlPath, oControlMaster, oControlPersist, 2476 oSendEnv, oControlPath, oControlMaster, oControlPersist,
2477 oHashKnownHosts, 2477 oHashKnownHosts,
2478@@ -205,10 +207,19 @@ static struct { 2478@@ -196,10 +198,20 @@ static struct {
2479 { "afstokenpassing", oUnsupported }, 2479 /* Sometimes-unsupported options */
2480 #if defined(GSSAPI) 2480 #if defined(GSSAPI)
2481 { "gssapiauthentication", oGssAuthentication }, 2481 { "gssapiauthentication", oGssAuthentication },
2482+ { "gssapikeyexchange", oGssKeyEx }, 2482+ { "gssapikeyexchange", oGssKeyEx },
@@ -2485,17 +2485,18 @@ index fa3fab8f..7902ef26 100644
2485+ { "gssapiclientidentity", oGssClientIdentity }, 2485+ { "gssapiclientidentity", oGssClientIdentity },
2486+ { "gssapiserveridentity", oGssServerIdentity }, 2486+ { "gssapiserveridentity", oGssServerIdentity },
2487+ { "gssapirenewalforcesrekey", oGssRenewalRekey }, 2487+ { "gssapirenewalforcesrekey", oGssRenewalRekey },
2488 #else 2488 # else
2489 { "gssapiauthentication", oUnsupported }, 2489 { "gssapiauthentication", oUnsupported },
2490+ { "gssapikeyexchange", oUnsupported }, 2490+ { "gssapikeyexchange", oUnsupported },
2491 { "gssapidelegatecredentials", oUnsupported }, 2491 { "gssapidelegatecredentials", oUnsupported },
2492+ { "gssapitrustdns", oUnsupported }, 2492+ { "gssapitrustdns", oUnsupported },
2493+ { "gssapiclientidentity", oUnsupported }, 2493+ { "gssapiclientidentity", oUnsupported },
2494+ { "gssapiserveridentity", oUnsupported },
2494+ { "gssapirenewalforcesrekey", oUnsupported }, 2495+ { "gssapirenewalforcesrekey", oUnsupported },
2495 #endif 2496 #endif
2496 { "fallbacktorsh", oDeprecated }, 2497 #ifdef ENABLE_PKCS11
2497 { "usersh", oDeprecated }, 2498 { "smartcarddevice", oPKCS11Provider },
2498@@ -961,10 +972,30 @@ parse_time: 2499@@ -973,10 +985,30 @@ parse_time:
2499 intptr = &options->gss_authentication; 2500 intptr = &options->gss_authentication;
2500 goto parse_flag; 2501 goto parse_flag;
2501 2502
@@ -2526,7 +2527,7 @@ index fa3fab8f..7902ef26 100644
2526 case oBatchMode: 2527 case oBatchMode:
2527 intptr = &options->batch_mode; 2528 intptr = &options->batch_mode;
2528 goto parse_flag; 2529 goto parse_flag;
2529@@ -1776,7 +1807,12 @@ initialize_options(Options * options) 2530@@ -1798,7 +1830,12 @@ initialize_options(Options * options)
2530 options->pubkey_authentication = -1; 2531 options->pubkey_authentication = -1;
2531 options->challenge_response_authentication = -1; 2532 options->challenge_response_authentication = -1;
2532 options->gss_authentication = -1; 2533 options->gss_authentication = -1;
@@ -2539,7 +2540,7 @@ index fa3fab8f..7902ef26 100644
2539 options->password_authentication = -1; 2540 options->password_authentication = -1;
2540 options->kbd_interactive_authentication = -1; 2541 options->kbd_interactive_authentication = -1;
2541 options->kbd_interactive_devices = NULL; 2542 options->kbd_interactive_devices = NULL;
2542@@ -1920,8 +1956,14 @@ fill_default_options(Options * options) 2543@@ -1942,8 +1979,14 @@ fill_default_options(Options * options)
2543 options->challenge_response_authentication = 1; 2544 options->challenge_response_authentication = 1;
2544 if (options->gss_authentication == -1) 2545 if (options->gss_authentication == -1)
2545 options->gss_authentication = 0; 2546 options->gss_authentication = 0;
@@ -2572,7 +2573,7 @@ index cef55f71..fd3d7c75 100644
2572 * authentication. */ 2573 * authentication. */
2573 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2574 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2574diff --git a/servconf.c b/servconf.c 2575diff --git a/servconf.c b/servconf.c
2575index 795ddbab..14c81fa9 100644 2576index 56b83165..d796b7c8 100644
2576--- a/servconf.c 2577--- a/servconf.c
2577+++ b/servconf.c 2578+++ b/servconf.c
2578@@ -113,8 +113,10 @@ initialize_server_options(ServerOptions *options) 2579@@ -113,8 +113,10 @@ initialize_server_options(ServerOptions *options)
@@ -2595,8 +2596,7 @@ index 795ddbab..14c81fa9 100644
2595 if (options->gss_cleanup_creds == -1) 2596 if (options->gss_cleanup_creds == -1)
2596 options->gss_cleanup_creds = 1; 2597 options->gss_cleanup_creds = 1;
2597 if (options->gss_strict_acceptor == -1) 2598 if (options->gss_strict_acceptor == -1)
2598- options->gss_strict_acceptor = 0; 2599 options->gss_strict_acceptor = 1;
2599+ options->gss_strict_acceptor = 1;
2600+ if (options->gss_store_rekey == -1) 2600+ if (options->gss_store_rekey == -1)
2601+ options->gss_store_rekey = 0; 2601+ options->gss_store_rekey = 0;
2602 if (options->password_authentication == -1) 2602 if (options->password_authentication == -1)
@@ -2631,7 +2631,7 @@ index 795ddbab..14c81fa9 100644
2631 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2631 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2632 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2632 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2633 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2633 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2634@@ -1207,6 +1222,10 @@ process_server_config_line(ServerOptions *options, char *line, 2634@@ -1217,6 +1232,10 @@ process_server_config_line(ServerOptions *options, char *line,
2635 intptr = &options->gss_authentication; 2635 intptr = &options->gss_authentication;
2636 goto parse_flag; 2636 goto parse_flag;
2637 2637
@@ -2642,7 +2642,7 @@ index 795ddbab..14c81fa9 100644
2642 case sGssCleanupCreds: 2642 case sGssCleanupCreds:
2643 intptr = &options->gss_cleanup_creds; 2643 intptr = &options->gss_cleanup_creds;
2644 goto parse_flag; 2644 goto parse_flag;
2645@@ -1215,6 +1234,10 @@ process_server_config_line(ServerOptions *options, char *line, 2645@@ -1225,6 +1244,10 @@ process_server_config_line(ServerOptions *options, char *line,
2646 intptr = &options->gss_strict_acceptor; 2646 intptr = &options->gss_strict_acceptor;
2647 goto parse_flag; 2647 goto parse_flag;
2648 2648
@@ -2653,7 +2653,7 @@ index 795ddbab..14c81fa9 100644
2653 case sPasswordAuthentication: 2653 case sPasswordAuthentication:
2654 intptr = &options->password_authentication; 2654 intptr = &options->password_authentication;
2655 goto parse_flag; 2655 goto parse_flag;
2656@@ -2248,7 +2271,10 @@ dump_config(ServerOptions *o) 2656@@ -2250,7 +2273,10 @@ dump_config(ServerOptions *o)
2657 #endif 2657 #endif
2658 #ifdef GSSAPI 2658 #ifdef GSSAPI
2659 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2659 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2796,10 +2796,10 @@ index 90fb63f0..4e879cd2 100644
2796 # CheckHostIP yes 2796 # CheckHostIP yes
2797 # AddressFamily any 2797 # AddressFamily any
2798diff --git a/ssh_config.5 b/ssh_config.5 2798diff --git a/ssh_config.5 b/ssh_config.5
2799index 591365f3..a7703fc7 100644 2799index 532745b2..ec60273e 100644
2800--- a/ssh_config.5 2800--- a/ssh_config.5
2801+++ b/ssh_config.5 2801+++ b/ssh_config.5
2802@@ -748,10 +748,42 @@ The default is 2802@@ -752,10 +752,42 @@ The default is
2803 Specifies whether user authentication based on GSSAPI is allowed. 2803 Specifies whether user authentication based on GSSAPI is allowed.
2804 The default is 2804 The default is
2805 .Cm no . 2805 .Cm no .
@@ -2843,7 +2843,7 @@ index 591365f3..a7703fc7 100644
2843 Indicates that 2843 Indicates that
2844 .Xr ssh 1 2844 .Xr ssh 1
2845diff --git a/sshconnect2.c b/sshconnect2.c 2845diff --git a/sshconnect2.c b/sshconnect2.c
2846index 103a2b36..c35a0bd5 100644 2846index f8a54bee..5743c2c4 100644
2847--- a/sshconnect2.c 2847--- a/sshconnect2.c
2848+++ b/sshconnect2.c 2848+++ b/sshconnect2.c
2849@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2849@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -2892,8 +2892,8 @@ index 103a2b36..c35a0bd5 100644
2892+#endif 2892+#endif
2893+ 2893+
2894 if (options.rekey_limit || options.rekey_interval) 2894 if (options.rekey_limit || options.rekey_interval)
2895 packet_set_rekey_limits((u_int32_t)options.rekey_limit, 2895 packet_set_rekey_limits(options.rekey_limit,
2896 (time_t)options.rekey_interval); 2896 options.rekey_interval);
2897@@ -213,15 +247,41 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2897@@ -213,15 +247,41 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
2898 # endif 2898 # endif
2899 #endif 2899 #endif
@@ -3060,7 +3060,7 @@ index 103a2b36..c35a0bd5 100644
3060 3060
3061 int 3061 int
3062diff --git a/sshd.c b/sshd.c 3062diff --git a/sshd.c b/sshd.c
3063index 1dc4d182..0970f297 100644 3063index 010a2c38..20a7a5f3 100644
3064--- a/sshd.c 3064--- a/sshd.c
3065+++ b/sshd.c 3065+++ b/sshd.c
3066@@ -123,6 +123,10 @@ 3066@@ -123,6 +123,10 @@
@@ -3083,7 +3083,7 @@ index 1dc4d182..0970f297 100644
3083 ssh_gssapi_prepare_supported_oids(); 3083 ssh_gssapi_prepare_supported_oids();
3084 #endif 3084 #endif
3085 3085
3086@@ -1705,10 +1709,13 @@ main(int ac, char **av) 3086@@ -1719,10 +1723,13 @@ main(int ac, char **av)
3087 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp); 3087 key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
3088 free(fp); 3088 free(fp);
3089 } 3089 }
@@ -3097,7 +3097,7 @@ index 1dc4d182..0970f297 100644
3097 3097
3098 /* 3098 /*
3099 * Load certificates. They are stored in an array at identical 3099 * Load certificates. They are stored in an array at identical
3100@@ -1978,6 +1985,60 @@ main(int ac, char **av) 3100@@ -1992,6 +1999,60 @@ main(int ac, char **av)
3101 remote_ip, remote_port, laddr, ssh_local_port(ssh)); 3101 remote_ip, remote_port, laddr, ssh_local_port(ssh));
3102 free(laddr); 3102 free(laddr);
3103 3103
@@ -3158,7 +3158,7 @@ index 1dc4d182..0970f297 100644
3158 /* 3158 /*
3159 * We don't want to listen forever unless the other side 3159 * We don't want to listen forever unless the other side
3160 * successfully authenticates itself. So we set up an alarm which is 3160 * successfully authenticates itself. So we set up an alarm which is
3161@@ -2159,6 +2220,48 @@ do_ssh2_kex(void) 3161@@ -2173,6 +2234,48 @@ do_ssh2_kex(void)
3162 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 3162 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
3163 list_hostkey_types()); 3163 list_hostkey_types());
3164 3164
@@ -3207,7 +3207,7 @@ index 1dc4d182..0970f297 100644
3207 /* start key exchange */ 3207 /* start key exchange */
3208 if ((r = kex_setup(active_state, myproposal)) != 0) 3208 if ((r = kex_setup(active_state, myproposal)) != 0)
3209 fatal("kex_setup: %s", ssh_err(r)); 3209 fatal("kex_setup: %s", ssh_err(r));
3210@@ -2176,6 +2279,13 @@ do_ssh2_kex(void) 3210@@ -2190,6 +2293,13 @@ do_ssh2_kex(void)
3211 # endif 3211 # endif
3212 #endif 3212 #endif
3213 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 3213 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -3222,7 +3222,7 @@ index 1dc4d182..0970f297 100644
3222 kex->client_version_string=client_version_string; 3222 kex->client_version_string=client_version_string;
3223 kex->server_version_string=server_version_string; 3223 kex->server_version_string=server_version_string;
3224diff --git a/sshd_config b/sshd_config 3224diff --git a/sshd_config b/sshd_config
3225index 9f09e4a6..00e5a728 100644 3225index 4eb2e02e..c01dd656 100644
3226--- a/sshd_config 3226--- a/sshd_config
3227+++ b/sshd_config 3227+++ b/sshd_config
3228@@ -70,6 +70,8 @@ AuthorizedKeysFile .ssh/authorized_keys 3228@@ -70,6 +70,8 @@ AuthorizedKeysFile .ssh/authorized_keys
@@ -3235,10 +3235,10 @@ index 9f09e4a6..00e5a728 100644
3235 # Set this to 'yes' to enable PAM authentication, account processing, 3235 # Set this to 'yes' to enable PAM authentication, account processing,
3236 # and session processing. If this is enabled, PAM authentication will 3236 # and session processing. If this is enabled, PAM authentication will
3237diff --git a/sshd_config.5 b/sshd_config.5 3237diff --git a/sshd_config.5 b/sshd_config.5
3238index 32b29d24..dd765b39 100644 3238index ac6ccc79..3f819c76 100644
3239--- a/sshd_config.5 3239--- a/sshd_config.5
3240+++ b/sshd_config.5 3240+++ b/sshd_config.5
3241@@ -623,6 +623,11 @@ The default is 3241@@ -627,6 +627,11 @@ The default is
3242 Specifies whether user authentication based on GSSAPI is allowed. 3242 Specifies whether user authentication based on GSSAPI is allowed.
3243 The default is 3243 The default is
3244 .Cm no . 3244 .Cm no .
@@ -3250,7 +3250,7 @@ index 32b29d24..dd765b39 100644
3250 .It Cm GSSAPICleanupCredentials 3250 .It Cm GSSAPICleanupCredentials
3251 Specifies whether to automatically destroy the user's credentials cache 3251 Specifies whether to automatically destroy the user's credentials cache
3252 on logout. 3252 on logout.
3253@@ -642,6 +647,11 @@ machine's default store. 3253@@ -646,6 +651,11 @@ machine's default store.
3254 This facility is provided to assist with operation on multi homed machines. 3254 This facility is provided to assist with operation on multi homed machines.
3255 The default is 3255 The default is
3256 .Cm yes . 3256 .Cm yes .
@@ -3263,10 +3263,10 @@ index 32b29d24..dd765b39 100644
3263 Specifies the key types that will be accepted for hostbased authentication 3263 Specifies the key types that will be accepted for hostbased authentication
3264 as a comma-separated pattern list. 3264 as a comma-separated pattern list.
3265diff --git a/sshkey.c b/sshkey.c 3265diff --git a/sshkey.c b/sshkey.c
3266index c01da6c3..377d72fa 100644 3266index 53a7674b..54001989 100644
3267--- a/sshkey.c 3267--- a/sshkey.c
3268+++ b/sshkey.c 3268+++ b/sshkey.c
3269@@ -114,6 +114,7 @@ static const struct keytype keytypes[] = { 3269@@ -116,6 +116,7 @@ static const struct keytype keytypes[] = {
3270 # endif /* OPENSSL_HAS_NISTP521 */ 3270 # endif /* OPENSSL_HAS_NISTP521 */
3271 # endif /* OPENSSL_HAS_ECC */ 3271 # endif /* OPENSSL_HAS_ECC */
3272 #endif /* WITH_OPENSSL */ 3272 #endif /* WITH_OPENSSL */
@@ -3274,17 +3274,17 @@ index c01da6c3..377d72fa 100644
3274 { NULL, NULL, -1, -1, 0, 0 } 3274 { NULL, NULL, -1, -1, 0, 0 }
3275 }; 3275 };
3276 3276
3277@@ -202,7 +203,7 @@ sshkey_alg_list(int certs_only, int plain_only, char sep) 3277@@ -204,7 +205,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
3278 const struct keytype *kt; 3278 const struct keytype *kt;
3279 3279
3280 for (kt = keytypes; kt->type != -1; kt++) { 3280 for (kt = keytypes; kt->type != -1; kt++) {
3281- if (kt->name == NULL || kt->sigonly) 3281- if (kt->name == NULL)
3282+ if (kt->name == NULL || kt->sigonly || kt->type == KEY_NULL) 3282+ if (kt->name == NULL || kt->type == KEY_NULL)
3283 continue; 3283 continue;
3284 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 3284 if (!include_sigonly && kt->sigonly)
3285 continue; 3285 continue;
3286diff --git a/sshkey.h b/sshkey.h 3286diff --git a/sshkey.h b/sshkey.h
3287index f3936384..7eb2a139 100644 3287index 1b9e42f4..f91e4a08 100644
3288--- a/sshkey.h 3288--- a/sshkey.h
3289+++ b/sshkey.h 3289+++ b/sshkey.h
3290@@ -62,6 +62,7 @@ enum sshkey_types { 3290@@ -62,6 +62,7 @@ enum sshkey_types {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 59b39cd84..8748ac286 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From 9078d9722d24a42b8f86621d20a6a6b42ba18d37 Mon Sep 17 00:00:00 2001 1From 74415628b380db26961259a25dcc47c4f02e8703 Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index c1c3aae0..3efba242 100644 29index 32a72957..0b1370a8 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -173,6 +173,7 @@ typedef enum { 32@@ -173,6 +173,7 @@ typedef enum {
@@ -37,7 +37,7 @@ index c1c3aae0..3efba242 100644
37 oIgnoredUnknownOption, oDeprecated, oUnsupported 37 oIgnoredUnknownOption, oDeprecated, oUnsupported
38 } OpCodes; 38 } OpCodes;
39 39
40@@ -308,6 +309,8 @@ static struct { 40@@ -321,6 +322,8 @@ static struct {
41 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, 41 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
42 { "ignoreunknown", oIgnoreUnknown }, 42 { "ignoreunknown", oIgnoreUnknown },
43 { "proxyjump", oProxyJump }, 43 { "proxyjump", oProxyJump },
@@ -46,7 +46,7 @@ index c1c3aae0..3efba242 100644
46 46
47 { NULL, oBadOption } 47 { NULL, oBadOption }
48 }; 48 };
49@@ -1402,6 +1405,8 @@ parse_keytypes: 49@@ -1417,6 +1420,8 @@ parse_keytypes:
50 goto parse_flag; 50 goto parse_flag;
51 51
52 case oServerAliveInterval: 52 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index c1c3aae0..3efba242 100644
55 intptr = &options->server_alive_interval; 55 intptr = &options->server_alive_interval;
56 goto parse_time; 56 goto parse_time;
57 57
58@@ -2047,8 +2052,13 @@ fill_default_options(Options * options) 58@@ -2070,8 +2075,13 @@ fill_default_options(Options * options)
59 options->rekey_interval = 0; 59 options->rekey_interval = 0;
60 if (options->verify_host_key_dns == -1) 60 if (options->verify_host_key_dns == -1)
61 options->verify_host_key_dns = 0; 61 options->verify_host_key_dns = 0;
@@ -72,7 +72,7 @@ index c1c3aae0..3efba242 100644
72 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
73 if (options->control_master == -1) 73 if (options->control_master == -1)
74diff --git a/ssh_config.5 b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
75index a7703fc7..a0457314 100644 75index ec60273e..e4eaa5ae 100644
76--- a/ssh_config.5 76--- a/ssh_config.5
77+++ b/ssh_config.5 77+++ b/ssh_config.5
78@@ -250,8 +250,12 @@ Valid arguments are 78@@ -250,8 +250,12 @@ Valid arguments are
@@ -89,7 +89,7 @@ index a7703fc7..a0457314 100644
89 The argument must be 89 The argument must be
90 .Cm yes 90 .Cm yes
91 or 91 or
92@@ -1485,7 +1489,14 @@ from the server, 92@@ -1509,7 +1513,14 @@ from the server,
93 will send a message through the encrypted 93 will send a message through the encrypted
94 channel to request a response from the server. 94 channel to request a response from the server.
95 The default 95 The default
@@ -105,7 +105,7 @@ index a7703fc7..a0457314 100644
105 .It Cm StreamLocalBindMask 105 .It Cm StreamLocalBindMask
106 Sets the octal file creation mode mask 106 Sets the octal file creation mode mask
107 .Pq umask 107 .Pq umask
108@@ -1544,6 +1555,12 @@ Specifies whether the system should send TCP keepalive messages to the 108@@ -1568,6 +1579,12 @@ Specifies whether the system should send TCP keepalive messages to the
109 other side. 109 other side.
110 If they are sent, death of the connection or crash of one 110 If they are sent, death of the connection or crash of one
111 of the machines will be properly noticed. 111 of the machines will be properly noticed.
@@ -119,10 +119,10 @@ index a7703fc7..a0457314 100644
119 connections will die if the route is down temporarily, and some people 119 connections will die if the route is down temporarily, and some people
120 find it annoying. 120 find it annoying.
121diff --git a/sshd_config.5 b/sshd_config.5 121diff --git a/sshd_config.5 b/sshd_config.5
122index dd765b39..283ba889 100644 122index 3f819c76..41ec6688 100644
123--- a/sshd_config.5 123--- a/sshd_config.5
124+++ b/sshd_config.5 124+++ b/sshd_config.5
125@@ -1427,6 +1427,9 @@ This avoids infinitely hanging sessions. 125@@ -1447,6 +1447,9 @@ This avoids infinitely hanging sessions.
126 .Pp 126 .Pp
127 To disable TCP keepalive messages, the value should be set to 127 To disable TCP keepalive messages, the value should be set to
128 .Cm no . 128 .Cm no .
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 4d27c68ab..f2274cb7f 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From 360c4ebd14706887879f1c6d542cd092afffb07b Mon Sep 17 00:00:00 2001 1From 315c5a460b33d076edc27a41b0e790ea73cc3b9d Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -13,7 +13,7 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
13 1 file changed, 7 insertions(+), 1 deletion(-) 13 1 file changed, 7 insertions(+), 1 deletion(-)
14 14
15diff --git a/sshconnect.c b/sshconnect.c 15diff --git a/sshconnect.c b/sshconnect.c
16index 698a0711..1cc556e8 100644 16index 7f169a8f..66c495f4 100644
17--- a/sshconnect.c 17--- a/sshconnect.c
18+++ b/sshconnect.c 18+++ b/sshconnect.c
19@@ -1080,9 +1080,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 19@@ -1080,9 +1080,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
diff --git a/debian/patches/no-dsa-host-key-by-default.patch b/debian/patches/no-dsa-host-key-by-default.patch
index bfe6033b1..b20cb22d5 100644
--- a/debian/patches/no-dsa-host-key-by-default.patch
+++ b/debian/patches/no-dsa-host-key-by-default.patch
@@ -1,4 +1,4 @@
1From 3f1016b4535faf6e48aa71e21569aa714a25193f Mon Sep 17 00:00:00 2001 1From 417f561eac9f391661ad23a27f1d711f56566176 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Mon, 16 Jan 2017 13:53:04 +0000 3Date: Mon, 16 Jan 2017 13:53:04 +0000
4Subject: Remove ssh_host_dsa_key from HostKey default 4Subject: Remove ssh_host_dsa_key from HostKey default
@@ -19,7 +19,7 @@ Patch-Name: no-dsa-host-key-by-default.patch
19 4 files changed, 6 insertions(+), 11 deletions(-) 19 4 files changed, 6 insertions(+), 11 deletions(-)
20 20
21diff --git a/servconf.c b/servconf.c 21diff --git a/servconf.c b/servconf.c
22index 1cee3d6c..202c4506 100644 22index a391cf4b..1a7a5f18 100644
23--- a/servconf.c 23--- a/servconf.c
24+++ b/servconf.c 24+++ b/servconf.c
25@@ -204,8 +204,6 @@ fill_default_server_options(ServerOptions *options) 25@@ -204,8 +204,6 @@ fill_default_server_options(ServerOptions *options)
@@ -32,7 +32,7 @@ index 1cee3d6c..202c4506 100644
32 options->host_key_files[options->num_host_key_files++] = 32 options->host_key_files[options->num_host_key_files++] =
33 _PATH_HOST_ECDSA_KEY_FILE; 33 _PATH_HOST_ECDSA_KEY_FILE;
34diff --git a/sshd.8 b/sshd.8 34diff --git a/sshd.8 b/sshd.8
35index 38a72540..e8f1fde8 100644 35index dd4b8fc3..79a7e080 100644
36--- a/sshd.8 36--- a/sshd.8
37+++ b/sshd.8 37+++ b/sshd.8
38@@ -167,11 +167,10 @@ This option must be given if 38@@ -167,11 +167,10 @@ This option must be given if
@@ -51,7 +51,7 @@ index 38a72540..e8f1fde8 100644
51 the different host key algorithms. 51 the different host key algorithms.
52 .It Fl i 52 .It Fl i
53diff --git a/sshd_config b/sshd_config 53diff --git a/sshd_config b/sshd_config
54index 13cbe2c6..4aea6c72 100644 54index f68edf36..92822959 100644
55--- a/sshd_config 55--- a/sshd_config
56+++ b/sshd_config 56+++ b/sshd_config
57@@ -16,7 +16,6 @@ 57@@ -16,7 +16,6 @@
@@ -63,10 +63,10 @@ index 13cbe2c6..4aea6c72 100644
63 #HostKey /etc/ssh/ssh_host_ed25519_key 63 #HostKey /etc/ssh/ssh_host_ed25519_key
64 64
65diff --git a/sshd_config.5 b/sshd_config.5 65diff --git a/sshd_config.5 b/sshd_config.5
66index 703a9cdd..8f8fbb66 100644 66index cc5d9fb0..0747cc8b 100644
67--- a/sshd_config.5 67--- a/sshd_config.5
68+++ b/sshd_config.5 68+++ b/sshd_config.5
69@@ -733,11 +733,10 @@ is not to load any certificates. 69@@ -741,11 +741,10 @@ is not to load any certificates.
70 Specifies a file containing a private host key 70 Specifies a file containing a private host key
71 used by SSH. 71 used by SSH.
72 The defaults are 72 The defaults are
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index b1c045643..0c12e2acf 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
1From 48c127fe8f40037d0f33efa8da19cb32514b440e Mon Sep 17 00:00:00 2001 1From 3ccc29568299d597b2753a4a04ad082814b9c8e8 Mon Sep 17 00:00:00 2001
2From: Kurt Roeckx <kurt@roeckx.be> 2From: Kurt Roeckx <kurt@roeckx.be>
3Date: Sun, 9 Feb 2014 16:10:14 +0000 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Don't check the status field of the OpenSSL version 4Subject: Don't check the status field of the OpenSSL version
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index 9a7edf949..94574e321 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From 4badfe75ad62ee50394afa9aaac62b3465fd384e Mon Sep 17 00:00:00 2001 1From 22fa108c15a43eb80d5fa7114208ab813019954e Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
@@ -103,7 +103,7 @@ index feef81a5..b1f128c2 100644
103 .Pp 103 .Pp
104 The file 104 The file
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index c6784602..e6915141 100644 106index 989dd4bf..6355178f 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -65,7 +65,7 @@ over an insecure network. 109@@ -65,7 +65,7 @@ over an insecure network.
@@ -133,7 +133,7 @@ index c6784602..e6915141 100644
133 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
134 .Xr inetd 8 , 134 .Xr inetd 8 ,
135diff --git a/sshd_config.5 b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
136index 4ea0a9c3..e45a8937 100644 136index 5f316481..603c2ba7 100644
137--- a/sshd_config.5 137--- a/sshd_config.5
138+++ b/sshd_config.5 138+++ b/sshd_config.5
139@@ -372,8 +372,7 @@ then no banner is displayed. 139@@ -372,8 +372,7 @@ then no banner is displayed.
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index fcc231fc9..1a1036fa8 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From c89c88a0bcada4616262e3d7d9b165aca709927b Mon Sep 17 00:00:00 2001 1From 8f127a3c84d2eae8d1fb5529887c880c22c5cf75 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -19,7 +19,7 @@ Patch-Name: package-versioning.patch
19 3 files changed, 9 insertions(+), 4 deletions(-) 19 3 files changed, 9 insertions(+), 4 deletions(-)
20 20
21diff --git a/sshconnect.c b/sshconnect.c 21diff --git a/sshconnect.c b/sshconnect.c
22index 1cc556e8..c64c51bb 100644 22index 66c495f4..120f0945 100644
23--- a/sshconnect.c 23--- a/sshconnect.c
24+++ b/sshconnect.c 24+++ b/sshconnect.c
25@@ -526,10 +526,10 @@ send_client_banner(int connection_out, int minor1) 25@@ -526,10 +526,10 @@ send_client_banner(int connection_out, int minor1)
@@ -36,24 +36,24 @@ index 1cc556e8..c64c51bb 100644
36 if (atomicio(vwrite, connection_out, client_version_string, 36 if (atomicio(vwrite, connection_out, client_version_string,
37 strlen(client_version_string)) != strlen(client_version_string)) 37 strlen(client_version_string)) != strlen(client_version_string))
38diff --git a/sshd.c b/sshd.c 38diff --git a/sshd.c b/sshd.c
39index 9aab36c3..49f3a2e5 100644 39index 9221632e..602f4740 100644
40--- a/sshd.c 40--- a/sshd.c
41+++ b/sshd.c 41+++ b/sshd.c
42@@ -378,7 +378,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 42@@ -378,7 +378,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
43 char remote_version[256]; /* Must be at least as big as buf. */ 43 char remote_version[256]; /* Must be at least as big as buf. */
44 44
45 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", 45 xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
46- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, 46- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
47+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, 47+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
48 *options.version_addendum == '\0' ? "" : " ", 48 *options.version_addendum == '\0' ? "" : " ",
49 options.version_addendum, newline); 49 options.version_addendum);
50 50
51diff --git a/version.h b/version.h 51diff --git a/version.h b/version.h
52index 269ebcda..850a2f7d 100644 52index c86e2097..f4d8b13a 100644
53--- a/version.h 53--- a/version.h
54+++ b/version.h 54+++ b/version.h
55@@ -3,4 +3,9 @@ 55@@ -3,4 +3,9 @@
56 #define SSH_VERSION "OpenSSH_7.4" 56 #define SSH_VERSION "OpenSSH_7.5"
57 57
58 #define SSH_PORTABLE "p1" 58 #define SSH_PORTABLE "p1"
59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 59-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index c19fc46fe..55dd37fb9 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
1From 71809791262478c78d1db2ca1004604c39db8150 Mon Sep 17 00:00:00 2001 1From 980646a9f7f03b43b678272b2a56e30906c6ddec Mon Sep 17 00:00:00 2001
2From: Peter Samuelson <peter@p12n.org> 2From: Peter Samuelson <peter@p12n.org>
3Date: Sun, 9 Feb 2014 16:09:55 +0000 3Date: Sun, 9 Feb 2014 16:09:55 +0000
4Subject: Reduce severity of "Killed by signal %d" 4Subject: Reduce severity of "Killed by signal %d"
@@ -22,7 +22,7 @@ Patch-Name: quieter-signals.patch
22 1 file changed, 4 insertions(+), 2 deletions(-) 22 1 file changed, 4 insertions(+), 2 deletions(-)
23 23
24diff --git a/clientloop.c b/clientloop.c 24diff --git a/clientloop.c b/clientloop.c
25index 99c68b69..5876cc9a 100644 25index 38b0330e..06845280 100644
26--- a/clientloop.c 26--- a/clientloop.c
27+++ b/clientloop.c 27+++ b/clientloop.c
28@@ -1755,8 +1755,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) 28@@ -1755,8 +1755,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
diff --git a/debian/patches/regress-forwarding-race.patch b/debian/patches/regress-forwarding-race.patch
deleted file mode 100644
index f1a535fb2..000000000
--- a/debian/patches/regress-forwarding-race.patch
+++ /dev/null
@@ -1,115 +0,0 @@
1From 166f04046035ffca27c820649df360eaa5dd1b99 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org>
3Date: Mon, 2 Jan 2017 14:55:16 +0000
4Subject: Fix race conditions in forwarding tests
5
6The forwarding tests sometimes seem to fail in a way that suggests ports
7are in use even though they shouldn't be. Convert more of them to use a
8mux socket rather than relying on sleeps in the hope that that makes
9behaviour more consistent.
10
11Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2659
12Patch-Name: regress-forwarding-race.patch
13
14Last-Update: 2017-01-02
15---
16 regress/forwarding.sh | 32 +++++++++++++++++++-------------
17 1 file changed, 19 insertions(+), 13 deletions(-)
18
19diff --git a/regress/forwarding.sh b/regress/forwarding.sh
20index 2539db9b..a1a4b13f 100644
21--- a/regress/forwarding.sh
22+++ b/regress/forwarding.sh
23@@ -11,7 +11,6 @@ base=33
24 last=$PORT
25 fwd=""
26 CTL=$OBJ/ctl-sock
27-rm -f $CTL
28
29 for j in 0 1 2; do
30 for i in 0 1 2; do
31@@ -29,7 +28,8 @@ for p in ${SSH_PROTOCOLS}; do
32 q=$p
33 fi
34 trace "start forwarding, fork to background"
35- ${SSH} -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10
36+ rm -f $CTL
37+ ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10
38
39 trace "transfer over forwarded channels and check result"
40 ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
41@@ -37,7 +37,7 @@ for p in ${SSH_PROTOCOLS}; do
42 test -s ${COPY} || fail "failed copy of ${DATA}"
43 cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
44
45- sleep 10
46+ ${SSH} -S $CTL -O exit somehost
47 done
48
49 for p in ${SSH_PROTOCOLS}; do
50@@ -75,7 +75,8 @@ for p in ${SSH_PROTOCOLS}; do
51 ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
52
53 trace "clear local forward proto $p"
54- ${SSH} -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
55+ rm -f $CTL
56+ ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
57 -oClearAllForwardings=yes somehost sleep 10
58 if [ $? != 0 ]; then
59 fail "connection failed with cleared local forwarding"
60@@ -85,10 +86,11 @@ for p in ${SSH_PROTOCOLS}; do
61 >>$TEST_REGRESS_LOGFILE 2>&1 && \
62 fail "local forwarding not cleared"
63 fi
64- sleep 10
65+ ${SSH} -S $CTL -O exit somehost
66
67 trace "clear remote forward proto $p"
68- ${SSH} -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
69+ rm -f $CTL
70+ ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
71 -oClearAllForwardings=yes somehost sleep 10
72 if [ $? != 0 ]; then
73 fail "connection failed with cleared remote forwarding"
74@@ -98,7 +100,7 @@ for p in ${SSH_PROTOCOLS}; do
75 >>$TEST_REGRESS_LOGFILE 2>&1 && \
76 fail "remote forwarding not cleared"
77 fi
78- sleep 10
79+ ${SSH} -S $CTL -O exit somehost
80 done
81
82 for p in 2; do
83@@ -115,6 +117,7 @@ echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config
84 echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config
85 for p in ${SSH_PROTOCOLS}; do
86 trace "config file: start forwarding, fork to background"
87+ rm -f $CTL
88 ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f somehost sleep 10
89
90 trace "config file: transfer over forwarded channels and check result"
91@@ -129,15 +132,18 @@ done
92 for p in 2; do
93 trace "transfer over chained unix domain socket forwards and check result"
94 rm -f $OBJ/unix-[123].fwd
95- ${SSH} -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10
96- ${SSH} -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10
97- ${SSH} -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10
98- ${SSH} -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10
99+ rm -f $CTL $CTL.[123]
100+ ${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10
101+ ${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10
102+ ${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10
103+ ${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10
104 ${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \
105 somehost cat ${DATA} > ${COPY}
106 test -s ${COPY} || fail "failed copy ${DATA}"
107 cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
108
109- #wait
110- sleep 10
111+ ${SSH} -S $CTL -O exit somehost
112+ ${SSH} -S $CTL.1 -O exit somehost
113+ ${SSH} -S $CTL.2 -O exit somehost
114+ ${SSH} -S $CTL.3 -O exit somehost
115 done
diff --git a/debian/patches/regress-integrity-robust.patch b/debian/patches/regress-integrity-robust.patch
index 651a7a88e..2c515e317 100644
--- a/debian/patches/regress-integrity-robust.patch
+++ b/debian/patches/regress-integrity-robust.patch
@@ -1,4 +1,4 @@
1From 7ce93c802065cd926e7cbfd10e629f3a2d352301 Mon Sep 17 00:00:00 2001 1From c210daa1ae77904f57478315e75af3f82a5d69f2 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 1 Jan 2017 15:21:10 +0000 3Date: Sun, 1 Jan 2017 15:21:10 +0000
4Subject: Make integrity tests more robust against timeouts 4Subject: Make integrity tests more robust against timeouts
@@ -12,31 +12,14 @@ Patch-Name: regress-integrity-robust.patch
12 12
13Last-Update: 2017-01-01 13Last-Update: 2017-01-01
14--- 14---
15 regress/integrity.sh | 9 +++++---- 15 regress/integrity.sh | 6 ++++--
16 1 file changed, 5 insertions(+), 4 deletions(-) 16 1 file changed, 4 insertions(+), 2 deletions(-)
17 17
18diff --git a/regress/integrity.sh b/regress/integrity.sh 18diff --git a/regress/integrity.sh b/regress/integrity.sh
19index 39d310de..fd7d58bc 100644 19index 1df2924f..ed378337 100644
20--- a/regress/integrity.sh 20--- a/regress/integrity.sh
21+++ b/regress/integrity.sh 21+++ b/regress/integrity.sh
22@@ -5,8 +5,6 @@ tid="integrity" 22@@ -60,14 +60,16 @@ for m in $macs; do
23 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
24
25 # start at byte 2900 (i.e. after kex) and corrupt at different offsets
26-# XXX the test hangs if we modify the low bytes of the packet length
27-# XXX and ssh tries to read...
28 tries=10
29 startoffset=2900
30 macs=`${SSH} -Q mac`
31@@ -27,6 +25,7 @@ for m in $macs; do
32 elen=0
33 epad=0
34 emac=0
35+ etmo=0
36 ecnt=0
37 skip=0
38 for off in `jot $tries $startoffset`; do
39@@ -61,14 +60,16 @@ for m in $macs; do
40 Corrupted?MAC* | *message?authentication?code?incorrect*) 23 Corrupted?MAC* | *message?authentication?code?incorrect*)
41 emac=`expr $emac + 1`; skip=0;; 24 emac=`expr $emac + 1`; skip=0;;
42 padding*) epad=`expr $epad + 1`; skip=0;; 25 padding*) epad=`expr $epad + 1`; skip=0;;
diff --git a/debian/patches/regress-mktemp.patch b/debian/patches/regress-mktemp.patch
deleted file mode 100644
index f5cfde1e8..000000000
--- a/debian/patches/regress-mktemp.patch
+++ /dev/null
@@ -1,167 +0,0 @@
1From 6ca09916439a58f0789deb79960ee5defc05a946 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 3 Jan 2017 12:09:42 +0000
4Subject: Create mux socket for regress in temp directory
5
6In some setups, creating the socket under OBJ may result in a path that
7is too long for a Unix domain socket. Add a helper to let us portably
8create a temporary directory instead.
9
10Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2660
11Last-Update: 2017-01-03
12
13Patch-Name: regress-mktemp.patch
14---
15 Makefile.in | 5 +++++
16 regress/forwarding.sh | 3 ++-
17 regress/mkdtemp.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++
18 regress/multiplex.sh | 3 ++-
19 regress/test-exec.sh | 11 ++++++++++
20 5 files changed, 79 insertions(+), 2 deletions(-)
21 create mode 100644 regress/mkdtemp.c
22
23diff --git a/Makefile.in b/Makefile.in
24index a6eb81ec..a00347e2 100644
25--- a/Makefile.in
26+++ b/Makefile.in
27@@ -459,6 +459,10 @@ regress/check-perm$(EXEEXT): $(srcdir)/regress/check-perm.c $(REGRESSLIBS)
28 $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/check-perm.c \
29 $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
30
31+regress/mkdtemp$(EXEEXT): $(srcdir)/regress/mkdtemp.c $(REGRESSLIBS)
32+ $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/mkdtemp.c \
33+ $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
34+
35 UNITTESTS_TEST_HELPER_OBJS=\
36 regress/unittests/test_helper/test_helper.o \
37 regress/unittests/test_helper/fuzz.o
38@@ -557,6 +561,7 @@ regress-binaries: regress/modpipe$(EXEEXT) \
39 regress/setuid-allowed$(EXEEXT) \
40 regress/netcat$(EXEEXT) \
41 regress/check-perm$(EXEEXT) \
42+ regress/mkdtemp$(EXEEXT) \
43 regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
44 regress/unittests/sshkey/test_sshkey$(EXEEXT) \
45 regress/unittests/bitmap/test_bitmap$(EXEEXT) \
46diff --git a/regress/forwarding.sh b/regress/forwarding.sh
47index a1a4b13f..592de7bc 100644
48--- a/regress/forwarding.sh
49+++ b/regress/forwarding.sh
50@@ -10,7 +10,8 @@ start_sshd
51 base=33
52 last=$PORT
53 fwd=""
54-CTL=$OBJ/ctl-sock
55+make_tmpdir
56+CTL=$TMP/ctl-sock
57
58 for j in 0 1 2; do
59 for i in 0 1 2; do
60diff --git a/regress/mkdtemp.c b/regress/mkdtemp.c
61new file mode 100644
62index 00000000..8c7d2e21
63--- /dev/null
64+++ b/regress/mkdtemp.c
65@@ -0,0 +1,59 @@
66+/*
67+ * Copyright (c) 2017 Colin Watson <cjwatson@debian.org>
68+ *
69+ * Permission to use, copy, modify, and distribute this software for any
70+ * purpose with or without fee is hereby granted, provided that the above
71+ * copyright notice and this permission notice appear in all copies.
72+ *
73+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
74+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
75+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
76+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
77+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
78+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
79+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
80+ */
81+
82+/* Roughly equivalent to "mktemp -d -t TEMPLATE", but portable. */
83+
84+#include "includes.h"
85+
86+#include <limits.h>
87+#include <stdio.h>
88+#include <stdlib.h>
89+
90+#include "log.h"
91+
92+static void
93+usage(void)
94+{
95+ fprintf(stderr, "mkdtemp template\n");
96+ exit(1);
97+}
98+
99+int
100+main(int argc, char **argv)
101+{
102+ const char *base;
103+ const char *tmpdir;
104+ char template[PATH_MAX];
105+ int r;
106+ char *dir;
107+
108+ if (argc != 2)
109+ usage();
110+ base = argv[1];
111+
112+ if ((tmpdir = getenv("TMPDIR")) == NULL)
113+ tmpdir = "/tmp";
114+ r = snprintf(template, sizeof(template), "%s/%s", tmpdir, base);
115+ if (r < 0 || (size_t)r >= sizeof(template))
116+ fatal("template string too long");
117+ dir = mkdtemp(template);
118+ if (dir == NULL) {
119+ perror("mkdtemp");
120+ exit(1);
121+ }
122+ puts(dir);
123+ return 0;
124+}
125diff --git a/regress/multiplex.sh b/regress/multiplex.sh
126index acb9234d..0ac4065e 100644
127--- a/regress/multiplex.sh
128+++ b/regress/multiplex.sh
129@@ -1,7 +1,8 @@
130 # $OpenBSD: multiplex.sh,v 1.27 2014/12/22 06:14:29 djm Exp $
131 # Placed in the Public Domain.
132
133-CTL=/tmp/openssh.regress.ctl-sock.$$
134+make_tmpdir
135+CTL=$TMP/ctl-sock
136
137 tid="connection multiplexing"
138
139diff --git a/regress/test-exec.sh b/regress/test-exec.sh
140index bfa48803..13a8e18f 100644
141--- a/regress/test-exec.sh
142+++ b/regress/test-exec.sh
143@@ -317,6 +317,14 @@ stop_sshd ()
144 fi
145 }
146
147+TMP=
148+
149+make_tmpdir ()
150+{
151+ TMP="$($OBJ/mkdtemp openssh-regress-XXXXXXXXXXXX)" || \
152+ fatal "failed to create temporary directory"
153+}
154+
155 # helper
156 cleanup ()
157 {
158@@ -327,6 +335,9 @@ cleanup ()
159 kill $SSH_PID
160 fi
161 fi
162+ if [ "x$TMP" != "x" ]; then
163+ rm -rf "$TMP"
164+ fi
165 stop_sshd
166 }
167
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index 86da09c7e..4aec2ddc9 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
1From e18d2ba71e6bf009c53e65509da84b712c300471 Mon Sep 17 00:00:00 2001 1From ec338656a3d6b21bb87f3b6367b232d297f601e5 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 5 Mar 2017 02:02:11 +0000 3Date: Sun, 5 Mar 2017 02:02:11 +0000
4Subject: Restore reading authorized_keys2 by default 4Subject: Restore reading authorized_keys2 by default
@@ -18,7 +18,7 @@ Patch-Name: restore-authorized_keys2.patch
18 1 file changed, 2 insertions(+), 3 deletions(-) 18 1 file changed, 2 insertions(+), 3 deletions(-)
19 19
20diff --git a/sshd_config b/sshd_config 20diff --git a/sshd_config b/sshd_config
21index 4aea6c72..bcf3ac17 100644 21index 92822959..a32dc1d4 100644
22--- a/sshd_config 22--- a/sshd_config
23+++ b/sshd_config 23+++ b/sshd_config
24@@ -36,9 +36,8 @@ 24@@ -36,9 +36,8 @@
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index ec958d3ab..67711c5f8 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
1From 5488e924267d7a845fb86a0b6b4db1e340799a5a Mon Sep 17 00:00:00 2001 1From 9d91ede3c03c99b6584038aa07d095d7c277ad3a Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 7 Oct 2014 13:22:41 +0100 3Date: Tue, 7 Oct 2014 13:22:41 +0100
4Subject: Restore TCP wrappers support 4Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
28 3 files changed, 89 insertions(+) 28 3 files changed, 89 insertions(+)
29 29
30diff --git a/configure.ac b/configure.ac 30diff --git a/configure.ac b/configure.ac
31index 5fdc696c..4747ce4a 100644 31index ead34acf..a92425db 100644
32--- a/configure.ac 32--- a/configure.ac
33+++ b/configure.ac 33+++ b/configure.ac
34@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey], 34@@ -1494,6 +1494,62 @@ AC_ARG_WITH([skey],
35 ] 35 ]
36 ) 36 )
37 37
@@ -94,16 +94,16 @@ index 5fdc696c..4747ce4a 100644
94 # Check whether user wants to use ldns 94 # Check whether user wants to use ldns
95 LDNS_MSG="no" 95 LDNS_MSG="no"
96 AC_ARG_WITH(ldns, 96 AC_ARG_WITH(ldns,
97@@ -5105,6 +5161,7 @@ echo " KerberosV support: $KRB5_MSG" 97@@ -5117,6 +5173,7 @@ echo " KerberosV support: $KRB5_MSG"
98 echo " SELinux support: $SELINUX_MSG" 98 echo " SELinux support: $SELINUX_MSG"
99 echo " Smartcard support: $SCARD_MSG" 99 echo " Smartcard support: $SCARD_MSG"
100 echo " S/KEY support: $SKEY_MSG" 100 echo " S/KEY support: $SKEY_MSG"
101+echo " TCP Wrappers support: $TCPW_MSG" 101+echo " TCP Wrappers support: $TCPW_MSG"
102 echo " MD5 password support: $MD5_MSG" 102 echo " MD5 password support: $MD5_MSG"
103 echo " libedit support: $LIBEDIT_MSG" 103 echo " libedit support: $LIBEDIT_MSG"
104 echo " Solaris process contract support: $SPC_MSG" 104 echo " libldns support: $LDNS_MSG"
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index 41fc5051..c6784602 100644 106index 7725a692..989dd4bf 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -825,6 +825,12 @@ the user's home directory becomes accessible. 109@@ -825,6 +825,12 @@ the user's home directory becomes accessible.
@@ -128,7 +128,7 @@ index 41fc5051..c6784602 100644
128 .Xr moduli 5 , 128 .Xr moduli 5 ,
129 .Xr sshd_config 5 , 129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c 130diff --git a/sshd.c b/sshd.c
131index 0970f297..72d85de1 100644 131index 20a7a5f3..38cf9b49 100644
132--- a/sshd.c 132--- a/sshd.c
133+++ b/sshd.c 133+++ b/sshd.c
134@@ -127,6 +127,13 @@ 134@@ -127,6 +127,13 @@
@@ -145,7 +145,7 @@ index 0970f297..72d85de1 100644
145 /* Re-exec fds */ 145 /* Re-exec fds */
146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
148@@ -1978,6 +1985,24 @@ main(int ac, char **av) 148@@ -1992,6 +1999,24 @@ main(int ac, char **av)
149 #ifdef SSH_AUDIT_EVENTS 149 #ifdef SSH_AUDIT_EVENTS
150 audit_connection_from(remote_ip, remote_port); 150 audit_connection_from(remote_ip, remote_port);
151 #endif 151 #endif
diff --git a/debian/patches/sandbox-x32-workaround.patch b/debian/patches/sandbox-x32-workaround.patch
deleted file mode 100644
index 340363de9..000000000
--- a/debian/patches/sandbox-x32-workaround.patch
+++ /dev/null
@@ -1,37 +0,0 @@
1From 8c1a0893f0e55a793071af9734d2fa2eb1f3a2a6 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 3 Jan 2017 14:01:56 +0000
4Subject: Work around clock_gettime kernel bug on Linux x32
5
6On Linux x32, the clock_gettime VDSO currently falls back to the x86-64
7syscall, so allow that as well as its x32 sibling.
8
9Bug-Debian: https://bugs.debian.org/849923
10Forwarded: no
11Last-Update: 2017-01-03
12
13Patch-Name: sandbox-x32-workaround.patch
14---
15 sandbox-seccomp-filter.c | 9 +++++++++
16 1 file changed, 9 insertions(+)
17
18diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
19index 2e1ed2c5..62c578d3 100644
20--- a/sandbox-seccomp-filter.c
21+++ b/sandbox-seccomp-filter.c
22@@ -137,6 +137,15 @@ static const struct sock_filter preauth_insns[] = {
23 #endif
24 #ifdef __NR_clock_gettime
25 SC_ALLOW(clock_gettime),
26+# if defined(__x86_64__) && defined(__ILP32__)
27+ /* On Linux x32, the clock_gettime VDSO currently falls back to the
28+ * x86-64 syscall (see https://bugs.debian.org/849923), so allow
29+ * that too.
30+ */
31+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K,
32+ __NR_clock_gettime & ~__X32_SYSCALL_BIT, 0, 1),
33+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
34+# endif
35 #endif
36 #ifdef __NR_close
37 SC_ALLOW(close),
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index f318c49fb..f48709864 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From cfc11fb9604f8049957a409ff0835f642a047496 Mon Sep 17 00:00:00 2001 1From 17d18d2f87eaa6c781356a78800ee17ccd12218b Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 98be50fad..ae83d23b0 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From a01822fe1c50668ef7918dfd28b1c7e88ff16254 Mon Sep 17 00:00:00 2001 1From e5d3ea2ca423a54b1d53d45252cb7173a15600eb Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -43,11 +43,11 @@ index 338a62da..8c658d16 100644
43 char *info; /* Extra info for next auth_log */ 43 char *info; /* Extra info for next auth_log */
44 #ifdef BSD_AUTH 44 #ifdef BSD_AUTH
45diff --git a/auth2.c b/auth2.c 45diff --git a/auth2.c b/auth2.c
46index ce0d3760..461311bd 100644 46index 946e9235..2f51be23 100644
47--- a/auth2.c 47--- a/auth2.c
48+++ b/auth2.c 48+++ b/auth2.c
49@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 49@@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
50 { 50 struct ssh *ssh = active_state; /* XXX */
51 Authctxt *authctxt = ctxt; 51 Authctxt *authctxt = ctxt;
52 Authmethod *m = NULL; 52 Authmethod *m = NULL;
53- char *user, *service, *method, *style = NULL; 53- char *user, *service, *method, *style = NULL;
@@ -55,7 +55,7 @@ index ce0d3760..461311bd 100644
55 int authenticated = 0; 55 int authenticated = 0;
56 56
57 if (authctxt == NULL) 57 if (authctxt == NULL)
58@@ -228,8 +228,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 58@@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
59 debug("userauth-request for user %s service %s method %s", user, service, method); 59 debug("userauth-request for user %s service %s method %s", user, service, method);
60 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 60 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
61 61
@@ -69,7 +69,7 @@ index ce0d3760..461311bd 100644
69 69
70 if (authctxt->attempt++ == 0) { 70 if (authctxt->attempt++ == 0) {
71 /* setup auth context */ 71 /* setup auth context */
72@@ -253,8 +258,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 72@@ -257,8 +262,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
73 use_privsep ? " [net]" : ""); 73 use_privsep ? " [net]" : "");
74 authctxt->service = xstrdup(service); 74 authctxt->service = xstrdup(service);
75 authctxt->style = style ? xstrdup(style) : NULL; 75 authctxt->style = style ? xstrdup(style) : NULL;
@@ -81,7 +81,7 @@ index ce0d3760..461311bd 100644
81 if (auth2_setup_methods_lists(authctxt) != 0) 81 if (auth2_setup_methods_lists(authctxt) != 0)
82 packet_disconnect("no authentication methods enabled"); 82 packet_disconnect("no authentication methods enabled");
83diff --git a/monitor.c b/monitor.c 83diff --git a/monitor.c b/monitor.c
84index 76d9e346..64286a12 100644 84index 506645c7..7452e20e 100644
85--- a/monitor.c 85--- a/monitor.c
86+++ b/monitor.c 86+++ b/monitor.c
87@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *); 87@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
@@ -100,7 +100,7 @@ index 76d9e346..64286a12 100644
100 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 100 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
101 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 101 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
102 #ifdef USE_PAM 102 #ifdef USE_PAM
103@@ -786,6 +788,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) 103@@ -791,6 +793,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
104 104
105 /* Allow service/style information on the auth context */ 105 /* Allow service/style information on the auth context */
106 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 106 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -108,7 +108,7 @@ index 76d9e346..64286a12 100644
108 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 108 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
109 109
110 #ifdef USE_PAM 110 #ifdef USE_PAM
111@@ -816,14 +819,37 @@ mm_answer_authserv(int sock, Buffer *m) 111@@ -821,14 +824,37 @@ mm_answer_authserv(int sock, Buffer *m)
112 112
113 authctxt->service = buffer_get_string(m, NULL); 113 authctxt->service = buffer_get_string(m, NULL);
114 authctxt->style = buffer_get_string(m, NULL); 114 authctxt->style = buffer_get_string(m, NULL);
@@ -148,7 +148,7 @@ index 76d9e346..64286a12 100644
148 return (0); 148 return (0);
149 } 149 }
150 150
151@@ -1458,7 +1484,7 @@ mm_answer_pty(int sock, Buffer *m) 151@@ -1463,7 +1489,7 @@ mm_answer_pty(int sock, Buffer *m)
152 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 152 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
153 if (res == 0) 153 if (res == 0)
154 goto error; 154 goto error;
@@ -426,7 +426,7 @@ index 98e1dafe..0a31dce4 100644
426 const char *value); 426 const char *value);
427 427
428diff --git a/sshd.c b/sshd.c 428diff --git a/sshd.c b/sshd.c
429index 72d85de1..9aab36c3 100644 429index 38cf9b49..9221632e 100644
430--- a/sshd.c 430--- a/sshd.c
431+++ b/sshd.c 431+++ b/sshd.c
432@@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt) 432@@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt)
diff --git a/debian/patches/series b/debian/patches/series
index c5fc81486..52a8f50b1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -25,12 +25,5 @@ sigstop.patch
25systemd-readiness.patch 25systemd-readiness.patch
26debian-config.patch 26debian-config.patch
27regress-integrity-robust.patch 27regress-integrity-robust.patch
28regress-forwarding-race.patch
29regress-mktemp.patch
30sandbox-x32-workaround.patch
31no-dsa-host-key-by-default.patch 28no-dsa-host-key-by-default.patch
32restore-authorized_keys2.patch 29restore-authorized_keys2.patch
33ssh-keygen-hash-corruption.patch
34ssh-keyscan-hash-port.patch
35ssh-keygen-null-deref.patch
36unbreak-unix-forwarding-for-root.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index c263dd7f1..1fecd756e 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From 5ec0d5f79166a7e2aeab5c7f13d64bb08c4621bd Mon Sep 17 00:00:00 2001 1From ce9a126fdaa8ef6488364107cc66d04ecabc8cc4 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,7 +16,7 @@ Patch-Name: shell-path.patch
16 1 file changed, 2 insertions(+), 2 deletions(-) 16 1 file changed, 2 insertions(+), 2 deletions(-)
17 17
18diff --git a/sshconnect.c b/sshconnect.c 18diff --git a/sshconnect.c b/sshconnect.c
19index 96b91ce1..698a0711 100644 19index 948b638a..7f169a8f 100644
20--- a/sshconnect.c 20--- a/sshconnect.c
21+++ b/sshconnect.c 21+++ b/sshconnect.c
22@@ -231,7 +231,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) 22@@ -231,7 +231,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index fa4d0a8cc..43d3937e5 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
1From 218ecbc433b69b8584000380626a9d9aa31c095b Mon Sep 17 00:00:00 2001 1From a91715df66fc2a0b7792e87a864c334f4cb15043 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:17 +0000 3Date: Sun, 9 Feb 2014 16:10:17 +0000
4Subject: Support synchronisation with service supervisor using SIGSTOP 4Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -13,10 +13,10 @@ Patch-Name: sigstop.patch
13 1 file changed, 10 insertions(+) 13 1 file changed, 10 insertions(+)
14 14
15diff --git a/sshd.c b/sshd.c 15diff --git a/sshd.c b/sshd.c
16index eebf1984..b6826c84 100644 16index f2f54b51..a2ca2d3e 100644
17--- a/sshd.c 17--- a/sshd.c
18+++ b/sshd.c 18+++ b/sshd.c
19@@ -1878,6 +1878,16 @@ main(int ac, char **av) 19@@ -1892,6 +1892,16 @@ main(int ac, char **av)
20 } 20 }
21 } 21 }
22 22
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index b14ec01d4..472eb2fa7 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
1From 0ae30d0171b789953318670ac8679127ddfb3cd1 Mon Sep 17 00:00:00 2001 1From 583919799c3946c5fa89f8907349c1443639b6bd Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 7fbaa25dd..b637b7bda 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From e39339d49d1b05e1db45c6420d7e6da29cf483dc Mon Sep 17 00:00:00 2001 1From dce48f6795b6f0b1d4c2e069f26a21419ba4d575 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
diff --git a/debian/patches/ssh-keygen-hash-corruption.patch b/debian/patches/ssh-keygen-hash-corruption.patch
deleted file mode 100644
index 7ef3c637c..000000000
--- a/debian/patches/ssh-keygen-hash-corruption.patch
+++ /dev/null
@@ -1,44 +0,0 @@
1From 78800aa252da1ebbfb55f7e593f43c337e694cc3 Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Fri, 3 Mar 2017 06:13:11 +0000
4Subject: upstream commit
5
6fix ssh-keygen -H accidentally corrupting known_hosts that
7contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by
8hostkeys_foreach() when hostname matching is in use, so we need to look for
9the hash marker explicitly.
10
11Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528
12
13Origin: https://anongit.mindrot.org/openssh.git/commit/?id=12d3767ba4c84c32150cbe6ff6494498780f12c9
14Bug-Debian: https://bugs.debian.org/851734
15Bug-Ubuntu: https://bugs.launchpad.net/bugs/1668093
16Last-Update: 2017-03-09
17
18Patch-Name: ssh-keygen-hash-corruption.patch
19---
20 ssh-keygen.c | 4 ++--
21 1 file changed, 2 insertions(+), 2 deletions(-)
22
23diff --git a/ssh-keygen.c b/ssh-keygen.c
24index 2a7939bf..0833ee61 100644
25--- a/ssh-keygen.c
26+++ b/ssh-keygen.c
27@@ -1082,6 +1082,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
28 struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
29 char *hashed, *cp, *hosts, *ohosts;
30 int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);
31+ int was_hashed = l->hosts[0] == HASH_DELIM;
32
33 switch (l->status) {
34 case HKF_STATUS_OK:
35@@ -1090,8 +1091,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
36 * Don't hash hosts already already hashed, with wildcard
37 * characters or a CA/revocation marker.
38 */
39- if ((l->match & HKF_MATCH_HOST_HASHED) != 0 ||
40- has_wild || l->marker != MRK_NONE) {
41+ if (was_hashed || has_wild || l->marker != MRK_NONE) {
42 fprintf(ctx->out, "%s\n", l->line);
43 if (has_wild && !find_host) {
44 logit("%s:%ld: ignoring host name "
diff --git a/debian/patches/ssh-keygen-null-deref.patch b/debian/patches/ssh-keygen-null-deref.patch
deleted file mode 100644
index 0220d7c66..000000000
--- a/debian/patches/ssh-keygen-null-deref.patch
+++ /dev/null
@@ -1,31 +0,0 @@
1From 35b2ea77a74348b575d680061f35ec7992b26ec8 Mon Sep 17 00:00:00 2001
2From: "dtucker@openbsd.org" <dtucker@openbsd.org>
3Date: Mon, 6 Mar 2017 02:03:20 +0000
4Subject: upstream commit
5
6Check l->hosts before dereferencing; fixes potential null
7pointer deref. ok djm@
8
9Upstream-ID: 81c0327c6ec361da794b5c680601195cc23d1301
10
11Origin: https://anongit.mindrot.org/openssh.git/commit/?id=18501151cf272a15b5f2c5e777f2e0933633c513
12Last-Update: 2017-03-16
13
14Patch-Name: ssh-keygen-null-deref.patch
15---
16 ssh-keygen.c | 2 +-
17 1 file changed, 1 insertion(+), 1 deletion(-)
18
19diff --git a/ssh-keygen.c b/ssh-keygen.c
20index 0833ee61..a7c1e80b 100644
21--- a/ssh-keygen.c
22+++ b/ssh-keygen.c
23@@ -1082,7 +1082,7 @@ known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
24 struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
25 char *hashed, *cp, *hosts, *ohosts;
26 int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);
27- int was_hashed = l->hosts[0] == HASH_DELIM;
28+ int was_hashed = l->hosts && l->hosts[0] == HASH_DELIM;
29
30 switch (l->status) {
31 case HKF_STATUS_OK:
diff --git a/debian/patches/ssh-keyscan-hash-port.patch b/debian/patches/ssh-keyscan-hash-port.patch
deleted file mode 100644
index 32a2f6a01..000000000
--- a/debian/patches/ssh-keyscan-hash-port.patch
+++ /dev/null
@@ -1,48 +0,0 @@
1From a0f9daa9c3cc2b37b9707b228263eb717d201371 Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Fri, 10 Mar 2017 03:18:24 +0000
4Subject: upstream commit
5
6correctly hash hosts with a port number. Reported by Josh
7Powers in bz#2692; ok dtucker@
8
9Upstream-ID: 468e357ff143e00acc05bdd2803a696b3d4b6442
10
11Origin: https://anongit.mindrot.org/openssh.git/commit/?id=8a2834454c73dfc1eb96453c0e97690595f3f4c2
12Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2692
13Bug-Debian: https://bugs.debian.org/857736
14Bug-Ubuntu: https://bugs.launchpad.net/bugs/1670745
15Last-Update: 2017-03-14
16
17Patch-Name: ssh-keyscan-hash-port.patch
18---
19 ssh-keyscan.c | 11 ++++++-----
20 1 file changed, 6 insertions(+), 5 deletions(-)
21
22diff --git a/ssh-keyscan.c b/ssh-keyscan.c
23index c30d54e6..24b51ff1 100644
24--- a/ssh-keyscan.c
25+++ b/ssh-keyscan.c
26@@ -321,16 +321,17 @@ keygrab_ssh2(con *c)
27 }
28
29 static void
30-keyprint_one(char *host, struct sshkey *key)
31+keyprint_one(const char *host, struct sshkey *key)
32 {
33 char *hostport;
34-
35- if (hash_hosts && (host = host_hash(host, NULL, 0)) == NULL)
36- fatal("host_hash failed");
37+ const char *known_host, *hashed;
38
39 hostport = put_host_port(host, ssh_port);
40+ if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL)
41+ fatal("host_hash failed");
42+ known_host = hash_hosts ? hashed : hostport;
43 if (!get_cert)
44- fprintf(stdout, "%s ", hostport);
45+ fprintf(stdout, "%s ", known_host);
46 sshkey_write(key, stdout);
47 fputs("\n", stdout);
48 free(hostport);
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index fbe64336b..d8f4ec973 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From ffecece153b7caedf997dccf17747633675631fd Mon Sep 17 00:00:00 2001 1From fb7c3c37876359b7a110e1386a6b7887cd2c8ca2 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,19 +17,19 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index 7902ef26..c1c3aae0 100644 20index 00d9cc30..32a72957 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -194,6 +194,7 @@ static struct { 23@@ -186,6 +186,7 @@ static struct {
24 { "passwordauthentication", oPasswordAuthentication }, 24 { "fallbacktorsh", oDeprecated },
25 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 25 { "globalknownhostsfile2", oDeprecated },
26 { "kbdinteractivedevices", oKbdInteractiveDevices }, 26 { "rhostsauthentication", oDeprecated },
27+ { "useblacklistedkeys", oDeprecated }, 27+ { "useblacklistedkeys", oDeprecated },
28 { "rsaauthentication", oRSAAuthentication }, 28 { "userknownhostsfile2", oDeprecated },
29 { "pubkeyauthentication", oPubkeyAuthentication }, 29 { "useroaming", oDeprecated },
30 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 30 { "usersh", oDeprecated },
31diff --git a/servconf.c b/servconf.c 31diff --git a/servconf.c b/servconf.c
32index 14c81fa9..49d3bdc8 100644 32index d796b7c8..ca73f7c5 100644
33--- a/servconf.c 33--- a/servconf.c
34+++ b/servconf.c 34+++ b/servconf.c
35@@ -521,6 +521,7 @@ static struct { 35@@ -521,6 +521,7 @@ static struct {
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 7a4839c03..3f012c99c 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From f4d9efefeae948e1e00212bf9702245c3c51c8c5 Mon Sep 17 00:00:00 2001 1From b5695a565e466477305d2ae0059b09e94ae6f44e Mon Sep 17 00:00:00 2001
2From: Jonathan David Amery <jdamery@ysolde.ucam.org> 2From: Jonathan David Amery <jdamery@ysolde.ucam.org>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
@@ -21,7 +21,7 @@ Patch-Name: syslog-level-silent.patch
21 2 files changed, 2 insertions(+), 1 deletion(-) 21 2 files changed, 2 insertions(+), 1 deletion(-)
22 22
23diff --git a/log.c b/log.c 23diff --git a/log.c b/log.c
24index 2b59c427..ffc8ffbb 100644 24index d0f86cf6..0e515e26 100644
25--- a/log.c 25--- a/log.c
26+++ b/log.c 26+++ b/log.c
27@@ -93,6 +93,7 @@ static struct { 27@@ -93,6 +93,7 @@ static struct {
@@ -33,7 +33,7 @@ index 2b59c427..ffc8ffbb 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index ee0b16dc..39609e79 100644 36index 32b27bbc..b65f35ac 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -1167,7 +1167,7 @@ main(int ac, char **av) 39@@ -1167,7 +1167,7 @@ main(int ac, char **av)
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 6c8cf9b6d..1d7a14168 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
1From 0fd4134a3ef467e1e69db5b19b7903cf306ec64b Mon Sep 17 00:00:00 2001 1From bd5c1cc302550e4caf8c3a6942f48a784f347b58 Mon Sep 17 00:00:00 2001
2From: Michael Biebl <biebl@debian.org> 2From: Michael Biebl <biebl@debian.org>
3Date: Mon, 21 Dec 2015 16:08:47 +0000 3Date: Mon, 21 Dec 2015 16:08:47 +0000
4Subject: Add systemd readiness notification support 4Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
14 2 files changed, 33 insertions(+) 14 2 files changed, 33 insertions(+)
15 15
16diff --git a/configure.ac b/configure.ac 16diff --git a/configure.ac b/configure.ac
17index 4747ce4a..9f59794b 100644 17index a92425db..9d89bc35 100644
18--- a/configure.ac 18--- a/configure.ac
19+++ b/configure.ac 19+++ b/configure.ac
20@@ -4364,6 +4364,29 @@ AC_ARG_WITH([kerberos5], 20@@ -4376,6 +4376,29 @@ AC_ARG_WITH([kerberos5],
21 AC_SUBST([GSSLIBS]) 21 AC_SUBST([GSSLIBS])
22 AC_SUBST([K5LIBS]) 22 AC_SUBST([K5LIBS])
23 23
@@ -47,7 +47,7 @@ index 4747ce4a..9f59794b 100644
47 # Looking for programs, paths and files 47 # Looking for programs, paths and files
48 48
49 PRIVSEP_PATH=/var/empty 49 PRIVSEP_PATH=/var/empty
50@@ -5167,6 +5190,7 @@ echo " libedit support: $LIBEDIT_MSG" 50@@ -5180,6 +5203,7 @@ echo " libldns support: $LDNS_MSG"
51 echo " Solaris process contract support: $SPC_MSG" 51 echo " Solaris process contract support: $SPC_MSG"
52 echo " Solaris project support: $SP_MSG" 52 echo " Solaris project support: $SP_MSG"
53 echo " Solaris privilege support: $SPP_MSG" 53 echo " Solaris privilege support: $SPP_MSG"
@@ -56,7 +56,7 @@ index 4747ce4a..9f59794b 100644
56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
57 echo " BSD Auth support: $BSD_AUTH_MSG" 57 echo " BSD Auth support: $BSD_AUTH_MSG"
58diff --git a/sshd.c b/sshd.c 58diff --git a/sshd.c b/sshd.c
59index b6826c84..027daa9d 100644 59index a2ca2d3e..8996e0e8 100644
60--- a/sshd.c 60--- a/sshd.c
61+++ b/sshd.c 61+++ b/sshd.c
62@@ -85,6 +85,10 @@ 62@@ -85,6 +85,10 @@
@@ -70,7 +70,7 @@ index b6826c84..027daa9d 100644
70 #include "xmalloc.h" 70 #include "xmalloc.h"
71 #include "ssh.h" 71 #include "ssh.h"
72 #include "ssh2.h" 72 #include "ssh2.h"
73@@ -1888,6 +1892,11 @@ main(int ac, char **av) 73@@ -1902,6 +1906,11 @@ main(int ac, char **av)
74 unsetenv("SSH_SIGSTOP"); 74 unsetenv("SSH_SIGSTOP");
75 } 75 }
76 76
diff --git a/debian/patches/unbreak-unix-forwarding-for-root.patch b/debian/patches/unbreak-unix-forwarding-for-root.patch
deleted file mode 100644
index 8408a118a..000000000
--- a/debian/patches/unbreak-unix-forwarding-for-root.patch
+++ /dev/null
@@ -1,80 +0,0 @@
1From 904bc482ad87648a2c799c441dc6a8449f24e15a Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Wed, 4 Jan 2017 05:37:40 +0000
4Subject: upstream commit
5
6unbreak Unix domain socket forwarding for root; ok
7markus@
8
9Upstream-ID: 6649c76eb7a3fa15409373295ca71badf56920a2
10
11Origin: https://anongit.mindrot.org/openssh.git/commit/?id=51045869fa084cdd016fdd721ea760417c0a3bf3
12Bug-Debian: https://bugs.debian.org/858252
13Last-Update: 2017-03-30
14
15Patch-Name: unbreak-unix-forwarding-for-root.patch
16---
17 serverloop.c | 19 ++++++++++++-------
18 1 file changed, 12 insertions(+), 7 deletions(-)
19
20diff --git a/serverloop.c b/serverloop.c
21index c4e4699d..c55d203b 100644
22--- a/serverloop.c
23+++ b/serverloop.c
24@@ -468,6 +468,10 @@ server_request_direct_streamlocal(void)
25 Channel *c = NULL;
26 char *target, *originator;
27 u_short originator_port;
28+ struct passwd *pw = the_authctxt->pw;
29+
30+ if (pw == NULL || !the_authctxt->valid)
31+ fatal("server_input_global_request: no/invalid user");
32
33 target = packet_get_string(NULL);
34 originator = packet_get_string(NULL);
35@@ -480,7 +484,7 @@ server_request_direct_streamlocal(void)
36 /* XXX fine grained permissions */
37 if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
38 !no_port_forwarding_flag && !options.disable_forwarding &&
39- use_privsep) {
40+ (pw->pw_uid == 0 || use_privsep)) {
41 c = channel_connect_to_path(target,
42 "direct-streamlocal@openssh.com", "direct-streamlocal");
43 } else {
44@@ -702,6 +706,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
45 int want_reply;
46 int r, success = 0, allocated_listen_port = 0;
47 struct sshbuf *resp = NULL;
48+ struct passwd *pw = the_authctxt->pw;
49+
50+ if (pw == NULL || !the_authctxt->valid)
51+ fatal("server_input_global_request: no/invalid user");
52
53 rtype = packet_get_string(NULL);
54 want_reply = packet_get_char();
55@@ -709,12 +717,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
56
57 /* -R style forwarding */
58 if (strcmp(rtype, "tcpip-forward") == 0) {
59- struct passwd *pw;
60 struct Forward fwd;
61
62- pw = the_authctxt->pw;
63- if (pw == NULL || !the_authctxt->valid)
64- fatal("server_input_global_request: no/invalid user");
65 memset(&fwd, 0, sizeof(fwd));
66 fwd.listen_host = packet_get_string(NULL);
67 fwd.listen_port = (u_short)packet_get_int();
68@@ -762,9 +766,10 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
69 /* check permissions */
70 if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
71 || no_port_forwarding_flag || options.disable_forwarding ||
72- !use_privsep) {
73+ (pw->pw_uid != 0 && !use_privsep)) {
74 success = 0;
75- packet_send_debug("Server has disabled port forwarding.");
76+ packet_send_debug("Server has disabled "
77+ "streamlocal forwarding.");
78 } else {
79 /* Start listening on the socket */
80 success = channel_setup_remote_fwd_listener(
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 2e32f9d76..17e7126ca 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
1From c20ad02ad58a523c6f4974e1ca124e71b7b801b1 Mon Sep 17 00:00:00 2001 1From 0b9c0482cbff9ce16384e4247d955676d4d77df3 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:58 +0000 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4Subject: Allow harmless group-writability 4Subject: Allow harmless group-writability
@@ -86,7 +86,7 @@ index c6390687..90390724 100644
86 "bad ownership or modes for directory %s", buf); 86 "bad ownership or modes for directory %s", buf);
87 return -1; 87 return -1;
88diff --git a/misc.c b/misc.c 88diff --git a/misc.c b/misc.c
89index 65c9222a..bf9153a6 100644 89index cfd32729..6e972f56 100644
90--- a/misc.c 90--- a/misc.c
91+++ b/misc.c 91+++ b/misc.c
92@@ -51,8 +51,9 @@ 92@@ -51,8 +51,9 @@
@@ -108,7 +108,7 @@ index 65c9222a..bf9153a6 100644
108 108
109 /* remove newline at end of string */ 109 /* remove newline at end of string */
110 char * 110 char *
111@@ -708,6 +710,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, 111@@ -713,6 +715,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
112 return -1; 112 return -1;
113 } 113 }
114 114
@@ -218,10 +218,10 @@ index cd7bf566..380ee3a4 100644
218- return 0; 218- return 0;
219-} 219-}
220diff --git a/readconf.c b/readconf.c 220diff --git a/readconf.c b/readconf.c
221index 3efba242..c02cdf63 100644 221index 0b1370a8..70fac682 100644
222--- a/readconf.c 222--- a/readconf.c
223+++ b/readconf.c 223+++ b/readconf.c
224@@ -1752,8 +1752,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, 224@@ -1773,8 +1773,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
225 225
226 if (fstat(fileno(f), &sb) == -1) 226 if (fstat(fileno(f), &sb) == -1)
227 fatal("fstat %s: %s", filename, strerror(errno)); 227 fatal("fstat %s: %s", filename, strerror(errno));
@@ -245,10 +245,10 @@ index 4011c65a..feef81a5 100644
245 .It Pa ~/.ssh/environment 245 .It Pa ~/.ssh/environment
246 Contains additional definitions for environment variables; see 246 Contains additional definitions for environment variables; see
247diff --git a/ssh_config.5 b/ssh_config.5 247diff --git a/ssh_config.5 b/ssh_config.5
248index a0457314..0483a1ee 100644 248index e4eaa5ae..a04e5757 100644
249--- a/ssh_config.5 249--- a/ssh_config.5
250+++ b/ssh_config.5 250+++ b/ssh_config.5
251@@ -1803,6 +1803,8 @@ The format of this file is described above. 251@@ -1827,6 +1827,8 @@ The format of this file is described above.
252 This file is used by the SSH client. 252 This file is used by the SSH client.
253 Because of the potential for abuse, this file must have strict permissions: 253 Because of the potential for abuse, this file must have strict permissions:
254 read/write for the user, and not accessible by others. 254 read/write for the user, and not accessible by others.