authorColin Watson <cjwatson@debian.org>2018-10-19 21:29:01 +0100
committerColin Watson <cjwatson@debian.org>2018-10-20 22:54:15 +0100
commitd80ebbf028196b2478beebf5a290b97f35e1eed9 (patch)
tree6666a5484923a26738675ff27a6186cfe15d4cad /debian
parent4f5bbf3f11efeec65bbd56464b20a19bd250e5cc (diff)
parent1d2a55436d4b556269f42ad5f7e16608b5a8ed74 (diff)
New upstream release (7.9p1)
Diffstat (limited to 'debian')
-rw-r--r--debian/.git-dpm14
-rw-r--r--debian/NEWS13
-rwxr-xr-xdebian/adjust-openssl-dependencies4
-rw-r--r--debian/changelog57
-rw-r--r--debian/control2
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch4
-rw-r--r--debian/patches/conch-old-privkey-format.patch2
-rw-r--r--debian/patches/debian-banner.patch28
-rw-r--r--debian/patches/debian-config.patch18
-rw-r--r--debian/patches/dnssec-sshfp.patch2
-rw-r--r--debian/patches/doc-hash-tab-completion.patch6
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch252
-rw-r--r--debian/patches/keepalive-extensions.patch24
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch8
-rw-r--r--debian/patches/no-openssl-version-status.patch4
-rw-r--r--debian/patches/openbsd-docs.patch16
-rw-r--r--debian/patches/package-versioning.patch10
-rw-r--r--debian/patches/restore-authorized_keys2.patch2
-rw-r--r--debian/patches/restore-tcp-wrappers.patch12
-rw-r--r--debian/patches/scp-quoting.patch2
-rw-r--r--debian/patches/seccomp-s390-flock-ipc.patch12
-rw-r--r--debian/patches/seccomp-s390-ioctl-ep11-crypto.patch6
-rw-r--r--debian/patches/selinux-role.patch50
-rw-r--r--debian/patches/shell-path.patch6
-rw-r--r--debian/patches/ssh-agent-setgid.patch2
-rw-r--r--debian/patches/ssh-argv0.patch6
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch8
-rw-r--r--debian/patches/syslog-level-silent.patch6
-rw-r--r--debian/patches/systemd-readiness.patch12
-rw-r--r--debian/patches/user-group-modes.patch32
31 files changed, 362 insertions, 260 deletions
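--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,11 +1,11 @@
 # see git-dpm(1) from git-dpm package
-38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0
-38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0
-e6547182a54f0f268ee36e7c99319eeddffbaff2
-e6547182a54f0f268ee36e7c99319eeddffbaff2
-openssh_7.8p1.orig.tar.gz
-27e267e370315561de96577fccae563bc2c37a60
-1548026
+1d2a55436d4b556269f42ad5f7e16608b5a8ed74
+1d2a55436d4b556269f42ad5f7e16608b5a8ed74
+3d246f10429fc9a37b98eabef94fe8dc7c61002b
+3d246f10429fc9a37b98eabef94fe8dc7c61002b
+openssh_7.9p1.orig.tar.gz
+993aceedea8ecabb1d0dd7293508a361891c4eaa
+1565384
 debianTag="debian/%e%%%V"
 patchedTag="patched/%e%%%V"
 upstreamTag="upstream/%U"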
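--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,16 @@
+openssh (1:7.9p1-1) UNRELEASED; urgency=medium
+
+ OpenSSH 7.9 includes a number of changes that may affect existing
+ configurations:
+
+ * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option
+ bans the use of DSA keys as certificate authorities.
+ * sshd(8): the authentication success/failure log message has changed
+ format slightly. It now includes the certificate fingerprint
+ (previously it included only key ID and CA key fingerprint).
+
+ -- Colin Watson <cjwatson@debian.org> Fri, 19 Oct 2018 21:34:47 +0100
+
 openssh (1:7.8p1-1) unstable; urgency=medium
 
  OpenSSH 7.8 includes a number of changes that may affect existing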
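--- a/debian/adjust-openssl-dependencies
+++ b/debian/adjust-openssl-dependencies
@@ -5,9 +5,9 @@
 client=debian/openssh-client.substvars
 server=debian/openssh-server.substvars
 
-libssl_version="$(dpkg-query -W libssl1.0-dev 2>/dev/null | cut -f2)"
+libssl_version="$(dpkg-query -W libssl-dev 2>/dev/null | cut -f2)"
 if [ -z "$libssl_version" ]; then
- libssl_version="$(dpkg-query -W libssl-dev 2>/dev/null | cut -f2)"
+ libssl_version="$(dpkg-query -W libssl1.0-dev 2>/dev/null | cut -f2)"
 fi
 if [ -z "$libssl_version" ]; then
  echo "Can't find libssl-dev version; leaving dependencies alone."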
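Review bot: Swapping the probe order at lines 8 and 10 is what makes this script follow the new Build-Depends preference for the openssl-1.1 API, but nothing in the script records that the order is deliberate, so a later edit could quietly re-swap it. A one-line comment above the first `dpkg-query` would pin it: `# Probe libssl-dev first to match the Build-Depends alternative order in debian/control; libssl1.0-dev is the fallback.` The version is derived from whichever -dev package is installed rather than from what configure actually linked against, which is only safe if the two packages cannot be co-installed — worth confirming. The code that consumes `$libssl_version` lies past the end of the hunk.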
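--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,60 @@
+openssh (1:7.9p1-1) UNRELEASED; urgency=medium
+
+ * New upstream release (https://www.openssh.com/txt/release-7.9):
+ - ssh(1), sshd(8): allow most port numbers to be specified using service
+ names from getservbyname(3) (typically /etc/services; closes:
+ #177406).
+ - ssh(1): allow the IdentityAgent configuration directive to accept
+ environment variable names. This supports the use of multiple agent
+ sockets without needing to use fixed paths.
+ - sshd(8): support signalling sessions via the SSH protocol. A limited
+ subset of signals is supported and only for login or command sessions
+ (i.e. not subsystems) that were not subject to a forced command via
+ authorized_keys or sshd_config.
+ - ssh(1): support "ssh -Q sig" to list supported signature options.
+ Also "ssh -Q help" to show the full set of supported queries.
+ - ssh(1), sshd(8): add a CASignatureAlgorithms option for the client and
+ server configs to allow control over which signature formats are
+ allowed for CAs to sign certificates. For example, this allows
+ banning CAs that sign certificates using the RSA-SHA1 signature
+ algorithm.
+ - sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to revoke
+ keys specified by SHA256 hash.
+ - ssh-keygen(1): allow creation of key revocation lists directly from
+ base64-encoded SHA256 fingerprints. This supports revoking keys using
+ only the information contained in sshd(8) authentication log messages.
+ - ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors when
+ attempting to load PEM private keys while using an incorrect
+ passphrase.
+ - sshd(8): when a channel closed message is received from a client,
+ close the stderr file descriptor at the same time stdout is closed.
+ This avoids stuck processes if they were waiting for stderr to close
+ and were insensitive to stdin/out closing (closes: #844494).
+ - ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11
+ forwarding timeout and support X11 forwarding indefinitely.
+ Previously the behaviour of ForwardX11Timeout=0 was undefined.
+ - sshd(8): when compiled with GSSAPI support, cache supported method
+ OIDs regardless of whether GSSAPI authentication is enabled in the
+ main section of sshd_config. This avoids sandbox violations if GSSAPI
+ authentication was later enabled in a Match block.
+ - sshd(8): do not fail closed when configured with a text key revocation
+ list that contains a too-short key.
+ - ssh(1): treat connections with ProxyJump specified the same as ones
+ with a ProxyCommand set with regards to hostname canonicalisation
+ (i.e. don't try to canonicalise the hostname unless
+ CanonicalizeHostname is set to 'always').
+ - ssh(1): fix regression in OpenSSH 7.8 that could prevent public-key
+ authentication using certificates hosted in a ssh-agent(1) or against
+ sshd(8) from OpenSSH <7.8 (LP: #1790963).
+ - All: support building against the openssl-1.1 API (releases 1.1.0g and
+ later). The openssl-1.0 API will remain supported at least until
+ OpenSSL terminates security patch support for that API version
+ (closes: #828475).
+ - sshd(8): allow the futex(2) syscall in the Linux seccomp sandbox;
+ apparently required by some glibc/OpenSSL combinations.
+
+ -- Colin Watson <cjwatson@debian.org> Fri, 19 Oct 2018 21:34:47 +0100
+
 openssh (1:7.8p1-1) unstable; urgency=medium
 
  * New upstream release (https://www.openssh.com/txt/release-7.8, closes: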
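--- a/debian/control
+++ b/debian/control
@@ -13,7 +13,7 @@ Build-Depends: autotools-dev,
  libkrb5-dev | heimdal-dev,
  libpam0g-dev | libpam-dev,
  libselinux1-dev [linux-any],
- libssl1.0-dev | libssl-dev (<< 1.1.0~),
+ libssl-dev (>= 1.1.0g) | libssl1.0-dev,
  libsystemd-dev [linux-any],
  libwrap0-dev | libwrap-dev,
  pkg-config,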
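Review bot: The new alternative `libssl-dev (>= 1.1.0g) | libssl1.0-dev` at line 16 means the openssl-1.0 fallback is, as far as I know, never selected by the archive autobuilders, which resolve only the first alternative of a Build-Depends, so the 1.0 build path the changelog says will remain supported is exercised only by manual or local builds. If that is intended, a comment in debian/control (or a line in the changelog entry) saying the libssl1.0-dev alternative is for local builds only would keep it from being read as a tested configuration; otherwise a periodic build against libssl1.0-dev is worth adding to the packaging checks. The new ordering does agree with debian/adjust-openssl-dependencies, which now probes libssl-dev first.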
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index ad2890400..c895e63db 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
1From 153278a21da639b5ad965632485f79ea4ac5e705 Mon Sep 17 00:00:00 2001 1From 67a6cbb29f77920718884e783238f4a00fe64001 Mon Sep 17 00:00:00 2001
2From: Tomas Pospisek <tpo_deb@sourcepole.ch> 2From: Tomas Pospisek <tpo_deb@sourcepole.ch>
3Date: Sun, 9 Feb 2014 16:10:07 +0000 3Date: Sun, 9 Feb 2014 16:10:07 +0000
4Subject: Install authorized_keys(5) as a symlink to sshd(8) 4Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,7 +13,7 @@ Patch-Name: authorized-keys-man-symlink.patch
13 1 file changed, 1 insertion(+) 13 1 file changed, 1 insertion(+)
14 14
15diff --git a/Makefile.in b/Makefile.in 15diff --git a/Makefile.in b/Makefile.in
16index 6175c6063..0ee0285f6 100644 16index 70050ffb6..ee166114d 100644
17--- a/Makefile.in 17--- a/Makefile.in
18+++ b/Makefile.in 18+++ b/Makefile.in
19@@ -356,6 +356,7 @@ install-files: 19@@ -356,6 +356,7 @@ install-files:
diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch
index ff5be43d8..90bb3e995 100644
--- a/debian/patches/conch-old-privkey-format.patch
+++ b/debian/patches/conch-old-privkey-format.patch
@@ -1,4 +1,4 @@
1From 38966b4afedee3bb57d3b1b0a7df4ff438fb9fd0 Mon Sep 17 00:00:00 2001 1From 1d2a55436d4b556269f42ad5f7e16608b5a8ed74 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Thu, 30 Aug 2018 00:58:56 +0100 3Date: Thu, 30 Aug 2018 00:58:56 +0100
4Subject: Work around conch interoperability failure 4Subject: Work around conch interoperability failure
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 98d97dce8..7963b03ed 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
1From 905ffae23105d59b013aac809da6195d231b0395 Mon Sep 17 00:00:00 2001 1From a18385c6866da4d69f46b64626ae5d60b4cf4a66 Mon Sep 17 00:00:00 2001
2From: Kees Cook <kees@debian.org> 2From: Kees Cook <kees@debian.org>
3Date: Sun, 9 Feb 2014 16:10:06 +0000 3Date: Sun, 9 Feb 2014 16:10:06 +0000
4Subject: Add DebianBanner server configuration option 4Subject: Add DebianBanner server configuration option
@@ -8,7 +8,7 @@ initial protocol handshake, for those scared by package-versioning.patch.
8 8
9Bug-Debian: http://bugs.debian.org/562048 9Bug-Debian: http://bugs.debian.org/562048
10Forwarded: not-needed 10Forwarded: not-needed
11Last-Update: 2018-08-24 11Last-Update: 2018-10-19
12 12
13Patch-Name: debian-banner.patch 13Patch-Name: debian-banner.patch
14--- 14---
@@ -19,10 +19,10 @@ Patch-Name: debian-banner.patch
19 4 files changed, 18 insertions(+), 1 deletion(-) 19 4 files changed, 18 insertions(+), 1 deletion(-)
20 20
21diff --git a/servconf.c b/servconf.c 21diff --git a/servconf.c b/servconf.c
22index e49984a81..bb43a649c 100644 22index 6caf1db38..c5dd617ef 100644
23--- a/servconf.c 23--- a/servconf.c
24+++ b/servconf.c 24+++ b/servconf.c
25@@ -181,6 +181,7 @@ initialize_server_options(ServerOptions *options) 25@@ -182,6 +182,7 @@ initialize_server_options(ServerOptions *options)
26 options->fingerprint_hash = -1; 26 options->fingerprint_hash = -1;
27 options->disable_forwarding = -1; 27 options->disable_forwarding = -1;
28 options->expose_userauth_info = -1; 28 options->expose_userauth_info = -1;
@@ -30,7 +30,7 @@ index e49984a81..bb43a649c 100644
30 } 30 }
31 31
32 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ 32 /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
33@@ -413,6 +414,8 @@ fill_default_server_options(ServerOptions *options) 33@@ -417,6 +418,8 @@ fill_default_server_options(ServerOptions *options)
34 options->disable_forwarding = 0; 34 options->disable_forwarding = 0;
35 if (options->expose_userauth_info == -1) 35 if (options->expose_userauth_info == -1)
36 options->expose_userauth_info = 0; 36 options->expose_userauth_info = 0;
@@ -39,7 +39,7 @@ index e49984a81..bb43a649c 100644
39 39
40 assemble_algorithms(options); 40 assemble_algorithms(options);
41 41
42@@ -500,6 +503,7 @@ typedef enum { 42@@ -504,6 +507,7 @@ typedef enum {
43 sStreamLocalBindMask, sStreamLocalBindUnlink, 43 sStreamLocalBindMask, sStreamLocalBindUnlink,
44 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, 44 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
45 sExposeAuthInfo, sRDomain, 45 sExposeAuthInfo, sRDomain,
@@ -47,15 +47,15 @@ index e49984a81..bb43a649c 100644
47 sDeprecated, sIgnore, sUnsupported 47 sDeprecated, sIgnore, sUnsupported
48 } ServerOpCodes; 48 } ServerOpCodes;
49 49
50@@ -656,6 +660,7 @@ static struct { 50@@ -661,6 +665,7 @@ static struct {
51 { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
52 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, 51 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
53 { "rdomain", sRDomain, SSHCFG_ALL }, 52 { "rdomain", sRDomain, SSHCFG_ALL },
53 { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
54+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, 54+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
55 { NULL, sBadOption, 0 } 55 { NULL, sBadOption, 0 }
56 }; 56 };
57 57
58@@ -2164,6 +2169,10 @@ process_server_config_line(ServerOptions *options, char *line, 58@@ -2173,6 +2178,10 @@ process_server_config_line(ServerOptions *options, char *line,
59 *charptr = xstrdup(arg); 59 *charptr = xstrdup(arg);
60 break; 60 break;
61 61
@@ -67,10 +67,10 @@ index e49984a81..bb43a649c 100644
67 case sIgnore: 67 case sIgnore:
68 case sUnsupported: 68 case sUnsupported:
69diff --git a/servconf.h b/servconf.h 69diff --git a/servconf.h b/servconf.h
70index 9b117fe27..76098119b 100644 70index 3b76da816..4e3c54042 100644
71--- a/servconf.h 71--- a/servconf.h
72+++ b/servconf.h 72+++ b/servconf.h
73@@ -211,6 +211,8 @@ typedef struct { 73@@ -212,6 +212,8 @@ typedef struct {
74 int fingerprint_hash; 74 int fingerprint_hash;
75 int expose_userauth_info; 75 int expose_userauth_info;
76 u_int64_t timing_secret; 76 u_int64_t timing_secret;
@@ -80,7 +80,7 @@ index 9b117fe27..76098119b 100644
80 80
81 /* Information about the incoming connection as used by Match */ 81 /* Information about the incoming connection as used by Match */
82diff --git a/sshd.c b/sshd.c 82diff --git a/sshd.c b/sshd.c
83index ffd3dad6a..698593605 100644 83index 9481272fc..d7e77d343 100644
84--- a/sshd.c 84--- a/sshd.c
85+++ b/sshd.c 85+++ b/sshd.c
86@@ -384,7 +384,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 86@@ -384,7 +384,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
@@ -94,10 +94,10 @@ index ffd3dad6a..698593605 100644
94 options.version_addendum); 94 options.version_addendum);
95 95
96diff --git a/sshd_config.5 b/sshd_config.5 96diff --git a/sshd_config.5 b/sshd_config.5
97index 0fbbccbde..96a69ab55 100644 97index e7e55dd71..37e6be38f 100644
98--- a/sshd_config.5 98--- a/sshd_config.5
99+++ b/sshd_config.5 99+++ b/sshd_config.5
100@@ -532,6 +532,11 @@ or 100@@ -543,6 +543,11 @@ or
101 .Cm no . 101 .Cm no .
102 The default is 102 The default is
103 .Cm yes . 103 .Cm yes .
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index fd86d5a4d..4866d52ad 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
1From 157278376c0eb6e4de3d47e8573684095a230685 Mon Sep 17 00:00:00 2001 1From a433d9baa031d7136a8cf3e3807ebff83a3a8634 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:18 +0000 3Date: Sun, 9 Feb 2014 16:10:18 +0000
4Subject: Various Debian-specific configuration changes 4Subject: Various Debian-specific configuration changes
@@ -39,10 +39,10 @@ Patch-Name: debian-config.patch
39 6 files changed, 77 insertions(+), 9 deletions(-) 39 6 files changed, 77 insertions(+), 9 deletions(-)
40 40
41diff --git a/readconf.c b/readconf.c 41diff --git a/readconf.c b/readconf.c
42index 3ed6dfb54..a3d42f2ae 100644 42index 6b01f20d2..661b8bf40 100644
43--- a/readconf.c 43--- a/readconf.c
44+++ b/readconf.c 44+++ b/readconf.c
45@@ -1974,7 +1974,7 @@ fill_default_options(Options * options) 45@@ -2000,7 +2000,7 @@ fill_default_options(Options * options)
46 if (options->forward_x11 == -1) 46 if (options->forward_x11 == -1)
47 options->forward_x11 = 0; 47 options->forward_x11 = 0;
48 if (options->forward_x11_trusted == -1) 48 if (options->forward_x11_trusted == -1)
@@ -52,10 +52,10 @@ index 3ed6dfb54..a3d42f2ae 100644
52 options->forward_x11_timeout = 1200; 52 options->forward_x11_timeout = 1200;
53 /* 53 /*
54diff --git a/ssh.1 b/ssh.1 54diff --git a/ssh.1 b/ssh.1
55index 0a8e63f51..ba55aa665 100644 55index ad1ed0f86..1bcc8edab 100644
56--- a/ssh.1 56--- a/ssh.1
57+++ b/ssh.1 57+++ b/ssh.1
58@@ -772,6 +772,16 @@ directive in 58@@ -782,6 +782,16 @@ directive in
59 .Xr ssh_config 5 59 .Xr ssh_config 5
60 for more information. 60 for more information.
61 .Pp 61 .Pp
@@ -72,7 +72,7 @@ index 0a8e63f51..ba55aa665 100644
72 .It Fl x 72 .It Fl x
73 Disables X11 forwarding. 73 Disables X11 forwarding.
74 .Pp 74 .Pp
75@@ -780,6 +790,17 @@ Enables trusted X11 forwarding. 75@@ -790,6 +800,17 @@ Enables trusted X11 forwarding.
76 Trusted X11 forwardings are not subjected to the X11 SECURITY extension 76 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
77 controls. 77 controls.
78 .Pp 78 .Pp
@@ -114,7 +114,7 @@ index bcb9f153d..1b676fb2c 100644
114+ HashKnownHosts yes 114+ HashKnownHosts yes
115+ GSSAPIAuthentication yes 115+ GSSAPIAuthentication yes
116diff --git a/ssh_config.5 b/ssh_config.5 116diff --git a/ssh_config.5 b/ssh_config.5
117index cb68f51a6..35c578c3b 100644 117index a91355726..1a8e24bd1 100644
118--- a/ssh_config.5 118--- a/ssh_config.5
119+++ b/ssh_config.5 119+++ b/ssh_config.5
120@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more 120@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
@@ -140,7 +140,7 @@ index cb68f51a6..35c578c3b 100644
140 The file contains keyword-argument pairs, one per line. 140 The file contains keyword-argument pairs, one per line.
141 Lines starting with 141 Lines starting with
142 .Ql # 142 .Ql #
143@@ -681,11 +697,12 @@ elapsed. 143@@ -699,11 +715,12 @@ elapsed.
144 .It Cm ForwardX11Trusted 144 .It Cm ForwardX11Trusted
145 If this option is set to 145 If this option is set to
146 .Cm yes , 146 .Cm yes ,
@@ -204,7 +204,7 @@ index 2c48105f8..ed8272f6d 100644
204 # Example of overriding settings on a per-user basis 204 # Example of overriding settings on a per-user basis
205 #Match User anoncvs 205 #Match User anoncvs
206diff --git a/sshd_config.5 b/sshd_config.5 206diff --git a/sshd_config.5 b/sshd_config.5
207index 9774831fe..15b82e84d 100644 207index 23f71fd1d..ba50a30f1 100644
208--- a/sshd_config.5 208--- a/sshd_config.5
209+++ b/sshd_config.5 209+++ b/sshd_config.5
210@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes 210@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 6e90d402c..e2acdf1a2 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
1From 298716354cedb77d8e3672a2157d63e15a778d64 Mon Sep 17 00:00:00 2001 1From 0ee33d93c5c7a5fbb8b027aa24e7c9668125fda9 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:01 +0000 3Date: Sun, 9 Feb 2014 16:10:01 +0000
4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf 4Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 2b7936a5d..c6bc43299 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
1From c1af61a47620c9f50efb53774139c308410f9296 Mon Sep 17 00:00:00 2001 1From 1d0c41a7e0b2426733ddb598248d0488c9c00a8b Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:11 +0000 3Date: Sun, 9 Feb 2014 16:10:11 +0000
4Subject: Document that HashKnownHosts may break tab-completion 4Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
13 1 file changed, 3 insertions(+) 13 1 file changed, 3 insertions(+)
14 14
15diff --git a/ssh_config.5 b/ssh_config.5 15diff --git a/ssh_config.5 b/ssh_config.5
16index 03341a229..cb68f51a6 100644 16index 7d55fa820..a91355726 100644
17--- a/ssh_config.5 17--- a/ssh_config.5
18+++ b/ssh_config.5 18+++ b/ssh_config.5
19@@ -775,6 +775,9 @@ Note that existing names and addresses in known hosts files 19@@ -793,6 +793,9 @@ Note that existing names and addresses in known hosts files
20 will not be converted automatically, 20 will not be converted automatically,
21 but may be manually hashed using 21 but may be manually hashed using
22 .Xr ssh-keygen 1 . 22 .Xr ssh-keygen 1 .
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index eb212da29..b6d4f1239 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
1From cae89cd0edc9d656661ea05b7ecca4c9a9ba4d77 Mon Sep 17 00:00:00 2001 1From df56506f727e37c13346259bdcd5975e257a259d Mon Sep 17 00:00:00 2001
2From: Vincent Untz <vuntz@ubuntu.com> 2From: Vincent Untz <vuntz@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:16 +0000 3Date: Sun, 9 Feb 2014 16:10:16 +0000
4Subject: Give the ssh-askpass-gnome window a default icon 4Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 25edd5cbe..f62bf6672 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
1From e6c7c11ac2576ac62334616bd4408bf64140bba7 Mon Sep 17 00:00:00 2001 1From 72b1d308e6400194ef6e4e7dd45bfa48fa39b5e6 Mon Sep 17 00:00:00 2001
2From: Simon Wilkinson <simon@sxw.org.uk> 2From: Simon Wilkinson <simon@sxw.org.uk>
3Date: Sun, 9 Feb 2014 16:09:48 +0000 3Date: Sun, 9 Feb 2014 16:09:48 +0000
4Subject: GSSAPI key exchange support 4Subject: GSSAPI key exchange support
@@ -17,14 +17,14 @@ have it merged into the main openssh package rather than having separate
17security history. 17security history.
18 18
19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 19Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
20Last-Updated: 2018-08-24 20Last-Updated: 2018-10-20
21 21
22Patch-Name: gssapi.patch 22Patch-Name: gssapi.patch
23--- 23---
24 ChangeLog.gssapi | 113 ++++++++++++++++ 24 ChangeLog.gssapi | 113 ++++++++++++++++
25 Makefile.in | 3 +- 25 Makefile.in | 3 +-
26 auth-krb5.c | 17 ++- 26 auth-krb5.c | 17 ++-
27 auth.c | 96 +------------- 27 auth.c | 96 +------------
28 auth2-gss.c | 54 +++++++- 28 auth2-gss.c | 54 +++++++-
29 auth2.c | 2 + 29 auth2.c | 2 +
30 canohost.c | 93 +++++++++++++ 30 canohost.c | 93 +++++++++++++
@@ -32,17 +32,19 @@ Patch-Name: gssapi.patch
32 clientloop.c | 15 ++- 32 clientloop.c | 15 ++-
33 config.h.in | 6 + 33 config.h.in | 6 +
34 configure.ac | 24 ++++ 34 configure.ac | 24 ++++
35 gss-genr.c | 277 +++++++++++++++++++++++++++++++++++++- 35 gss-genr.c | 280 +++++++++++++++++++++++++++++++++++++-
36 gss-serv-krb5.c | 85 +++++++++++- 36 gss-serv-krb5.c | 85 +++++++++++-
37 gss-serv.c | 184 ++++++++++++++++++++++++-- 37 gss-serv.c | 184 +++++++++++++++++++++++--
38 kex.c | 19 +++ 38 kex.c | 19 +++
39 kex.h | 14 ++ 39 kex.h | 14 ++
40 kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++ 40 kexgssc.c | 341 +++++++++++++++++++++++++++++++++++++++++++++++
41 kexgsss.c | 295 +++++++++++++++++++++++++++++++++++++++++ 41 kexgsss.c | 300 +++++++++++++++++++++++++++++++++++++++++
42 monitor.c | 122 +++++++++++++++-- 42 monitor.c | 122 +++++++++++++++--
43 monitor.h | 3 + 43 monitor.h | 3 +
44 monitor_wrap.c | 53 +++++++- 44 monitor_wrap.c | 53 +++++++-
45 monitor_wrap.h | 4 +- 45 monitor_wrap.h | 4 +-
46 opacket.c | 2 +-
47 opacket.h | 2 +-
46 readconf.c | 43 ++++++ 48 readconf.c | 43 ++++++
47 readconf.h | 5 + 49 readconf.h | 5 +
48 servconf.c | 26 ++++ 50 servconf.c | 26 ++++
@@ -50,13 +52,13 @@ Patch-Name: gssapi.patch
50 ssh-gss.h | 41 +++++- 52 ssh-gss.h | 41 +++++-
51 ssh_config | 2 + 53 ssh_config | 2 +
52 ssh_config.5 | 32 +++++ 54 ssh_config.5 | 32 +++++
53 sshconnect2.c | 133 ++++++++++++++++++- 55 sshconnect2.c | 133 +++++++++++++++++-
54 sshd.c | 112 +++++++++++++++- 56 sshd.c | 110 +++++++++++++++
55 sshd_config | 2 + 57 sshd_config | 2 +
56 sshd_config.5 | 10 ++ 58 sshd_config.5 | 10 ++
57 sshkey.c | 3 +- 59 sshkey.c | 3 +-
58 sshkey.h | 1 + 60 sshkey.h | 1 +
59 35 files changed, 2087 insertions(+), 145 deletions(-) 61 37 files changed, 2099 insertions(+), 146 deletions(-)
60 create mode 100644 ChangeLog.gssapi 62 create mode 100644 ChangeLog.gssapi
61 create mode 100644 kexgssc.c 63 create mode 100644 kexgssc.c
62 create mode 100644 kexgsss.c 64 create mode 100644 kexgsss.c
@@ -181,7 +183,7 @@ index 000000000..f117a336a
181+ (from jbasney AT ncsa.uiuc.edu) 183+ (from jbasney AT ncsa.uiuc.edu)
182+ <gssapi-with-mic support is Bugzilla #1008> 184+ <gssapi-with-mic support is Bugzilla #1008>
183diff --git a/Makefile.in b/Makefile.in 185diff --git a/Makefile.in b/Makefile.in
184index 2385c62a8..6175c6063 100644 186index 126b2c742..70050ffb6 100644
185--- a/Makefile.in 187--- a/Makefile.in
186+++ b/Makefile.in 188+++ b/Makefile.in
187@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ 189@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -253,10 +255,10 @@ index 3096f1c8e..204752e1b 100644
253 return (krb5_cc_resolve(ctx, ccname, ccache)); 255 return (krb5_cc_resolve(ctx, ccname, ccache));
254 } 256 }
255diff --git a/auth.c b/auth.c 257diff --git a/auth.c b/auth.c
256index 9a3bc96f1..80eb78c48 100644 258index 3ca3762cc..d8e6b4a3d 100644
257--- a/auth.c 259--- a/auth.c
258+++ b/auth.c 260+++ b/auth.c
259@@ -395,7 +395,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) 261@@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
260 case PERMIT_NO_PASSWD: 262 case PERMIT_NO_PASSWD:
261 if (strcmp(method, "publickey") == 0 || 263 if (strcmp(method, "publickey") == 0 ||
262 strcmp(method, "hostbased") == 0 || 264 strcmp(method, "hostbased") == 0 ||
@@ -266,7 +268,7 @@ index 9a3bc96f1..80eb78c48 100644
266 return 1; 268 return 1;
267 break; 269 break;
268 case PERMIT_FORCED_ONLY: 270 case PERMIT_FORCED_ONLY:
269@@ -733,99 +734,6 @@ fakepw(void) 271@@ -737,99 +738,6 @@ fakepw(void)
270 return (&fake); 272 return (&fake);
271 } 273 }
272 274
@@ -460,7 +462,7 @@ index 9351e0428..1f12bb113 100644
460 "gssapi-with-mic", 462 "gssapi-with-mic",
461 userauth_gssapi, 463 userauth_gssapi,
462diff --git a/auth2.c b/auth2.c 464diff --git a/auth2.c b/auth2.c
463index ab8795895..96efe164c 100644 465index 4d19957a6..a77742819 100644
464--- a/auth2.c 466--- a/auth2.c
465+++ b/auth2.c 467+++ b/auth2.c
466@@ -74,6 +74,7 @@ extern Authmethod method_passwd; 468@@ -74,6 +74,7 @@ extern Authmethod method_passwd;
@@ -598,7 +600,7 @@ index 26d62855a..0cadc9f18 100644
598 int get_peer_port(int); 600 int get_peer_port(int);
599 char *get_local_ipaddr(int); 601 char *get_local_ipaddr(int);
600diff --git a/clientloop.c b/clientloop.c 602diff --git a/clientloop.c b/clientloop.c
601index ad35cb7ba..e69c5141f 100644 603index 8d312cdaa..1464634b0 100644
602--- a/clientloop.c 604--- a/clientloop.c
603+++ b/clientloop.c 605+++ b/clientloop.c
604@@ -112,6 +112,10 @@ 606@@ -112,6 +112,10 @@
@@ -612,7 +614,7 @@ index ad35cb7ba..e69c5141f 100644
612 /* import options */ 614 /* import options */
613 extern Options options; 615 extern Options options;
614 616
615@@ -1357,9 +1361,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, 617@@ -1370,9 +1374,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
616 break; 618 break;
617 619
618 /* Do channel operations unless rekeying in progress. */ 620 /* Do channel operations unless rekeying in progress. */
@@ -633,10 +635,10 @@ index ad35cb7ba..e69c5141f 100644
633 client_process_net_input(readset); 635 client_process_net_input(readset);
634 636
635diff --git a/config.h.in b/config.h.in 637diff --git a/config.h.in b/config.h.in
636index 7940b4c86..93295da07 100644 638index 91b65db8f..209760c7c 100644
637--- a/config.h.in 639--- a/config.h.in
638+++ b/config.h.in 640+++ b/config.h.in
639@@ -1749,6 +1749,9 @@ 641@@ -1845,6 +1845,9 @@
640 /* Use btmp to log bad logins */ 642 /* Use btmp to log bad logins */
641 #undef USE_BTMP 643 #undef USE_BTMP
642 644
@@ -646,7 +648,7 @@ index 7940b4c86..93295da07 100644
646 /* Use libedit for sftp */ 648 /* Use libedit for sftp */
647 #undef USE_LIBEDIT 649 #undef USE_LIBEDIT
648 650
649@@ -1764,6 +1767,9 @@ 651@@ -1860,6 +1863,9 @@
650 /* Use PIPES instead of a socketpair() */ 652 /* Use PIPES instead of a socketpair() */
651 #undef USE_PIPES 653 #undef USE_PIPES
652 654
@@ -657,10 +659,10 @@ index 7940b4c86..93295da07 100644
657 #undef USE_SOLARIS_PRIVS 659 #undef USE_SOLARIS_PRIVS
658 660
659diff --git a/configure.ac b/configure.ac 661diff --git a/configure.ac b/configure.ac
660index 83e530750..82428b241 100644 662index 7379ab358..023e7cc55 100644
661--- a/configure.ac 663--- a/configure.ac
662+++ b/configure.ac 664+++ b/configure.ac
663@@ -673,6 +673,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 665@@ -664,6 +664,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
664 [Use tunnel device compatibility to OpenBSD]) 666 [Use tunnel device compatibility to OpenBSD])
665 AC_DEFINE([SSH_TUN_PREPEND_AF], [1], 667 AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
666 [Prepend the address family to IP tunnel traffic]) 668 [Prepend the address family to IP tunnel traffic])
@@ -692,7 +694,7 @@ index 83e530750..82428b241 100644
692 AC_CHECK_DECL([AU_IPv4], [], 694 AC_CHECK_DECL([AU_IPv4], [],
693 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) 695 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
694diff --git a/gss-genr.c b/gss-genr.c 696diff --git a/gss-genr.c b/gss-genr.c
695index d56257b4a..285fc29a5 100644 697index d56257b4a..491e62cee 100644
696--- a/gss-genr.c 698--- a/gss-genr.c
697+++ b/gss-genr.c 699+++ b/gss-genr.c
698@@ -1,7 +1,7 @@ 700@@ -1,7 +1,7 @@
@@ -704,13 +706,16 @@ index d56257b4a..285fc29a5 100644
704 * 706 *
705 * Redistribution and use in source and binary forms, with or without 707 * Redistribution and use in source and binary forms, with or without
706 * modification, are permitted provided that the following conditions 708 * modification, are permitted provided that the following conditions
707@@ -41,12 +41,34 @@ 709@@ -39,14 +39,37 @@
710 #include "xmalloc.h"
711 #include "ssherr.h"
708 #include "sshbuf.h" 712 #include "sshbuf.h"
713+#include "sshkey.h"
709 #include "log.h" 714 #include "log.h"
710 #include "ssh2.h" 715 #include "ssh2.h"
711+#include "cipher.h" 716+#include "cipher.h"
712+#include "kex.h" 717+#include "kex.h"
713+#include <openssl/evp.h> 718+#include "digest.h"
714 719
715 #include "ssh-gss.h" 720 #include "ssh-gss.h"
716 721
@@ -739,7 +744,7 @@ index d56257b4a..285fc29a5 100644
739 /* sshbuf_get for gss_buffer_desc */ 744 /* sshbuf_get for gss_buffer_desc */
740 int 745 int
741 ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) 746 ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
742@@ -62,6 +84,141 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) 747@@ -62,6 +85,143 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
743 return 0; 748 return 0;
744 } 749 }
745 750
@@ -769,10 +774,9 @@ index d56257b4a..285fc29a5 100644
769+ size_t i; 774+ size_t i;
770+ int r, oidpos, enclen; 775+ int r, oidpos, enclen;
771+ char *mechs, *encoded; 776+ char *mechs, *encoded;
772+ u_char digest[EVP_MAX_MD_SIZE]; 777+ u_char digest[SSH_DIGEST_MAX_LENGTH];
773+ char deroid[2]; 778+ char deroid[2];
774+ const EVP_MD *evp_md = EVP_md5(); 779+ struct ssh_digest_ctx *md;
775+ EVP_MD_CTX md;
776+ 780+
777+ if (gss_enc2oid != NULL) { 781+ if (gss_enc2oid != NULL) {
778+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++) 782+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
@@ -794,16 +798,19 @@ index d56257b4a..285fc29a5 100644
794+ deroid[0] = SSH_GSS_OIDTYPE; 798+ deroid[0] = SSH_GSS_OIDTYPE;
795+ deroid[1] = gss_supported->elements[i].length; 799+ deroid[1] = gss_supported->elements[i].length;
796+ 800+
797+ EVP_DigestInit(&md, evp_md); 801+ if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
798+ EVP_DigestUpdate(&md, deroid, 2); 802+ ssh_digest_update(md, deroid, 2) != 0 ||
799+ EVP_DigestUpdate(&md, 803+ ssh_digest_update(md,
800+ gss_supported->elements[i].elements, 804+ gss_supported->elements[i].elements,
801+ gss_supported->elements[i].length); 805+ gss_supported->elements[i].length) != 0 ||
802+ EVP_DigestFinal(&md, digest, NULL); 806+ ssh_digest_final(md, digest, sizeof(digest)) != 0)
807+ fatal("%s: digest failed", __func__);
803+ 808+
804+ encoded = xmalloc(EVP_MD_size(evp_md) * 2); 809+ encoded = xmalloc(ssh_digest_bytes(SSH_DIGEST_MD5)
805+ enclen = __b64_ntop(digest, EVP_MD_size(evp_md), 810+ * 2);
806+ encoded, EVP_MD_size(evp_md) * 2); 811+ enclen = __b64_ntop(digest,
812+ ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
813+ ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
807+ 814+
808+ if (oidpos != 0) { 815+ if (oidpos != 0) {
809+ if ((r = sshbuf_put_u8(buf, ',')) != 0) 816+ if ((r = sshbuf_put_u8(buf, ',')) != 0)
@@ -881,7 +888,7 @@ index d56257b4a..285fc29a5 100644
881 /* Check that the OID in a data stream matches that in the context */ 888 /* Check that the OID in a data stream matches that in the context */
882 int 889 int
883 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) 890 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
884@@ -218,7 +375,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, 891@@ -218,7 +378,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
885 } 892 }
886 893
887 ctx->major = gss_init_sec_context(&ctx->minor, 894 ctx->major = gss_init_sec_context(&ctx->minor,
@@ -890,7 +897,7 @@ index d56257b4a..285fc29a5 100644
890 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, 897 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
891 0, NULL, recv_tok, NULL, send_tok, flags, NULL); 898 0, NULL, recv_tok, NULL, send_tok, flags, NULL);
892 899
893@@ -247,9 +404,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) 900@@ -247,9 +407,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
894 return (ctx->major); 901 return (ctx->major);
895 } 902 }
896 903
@@ -934,7 +941,7 @@ index d56257b4a..285fc29a5 100644
934 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, 941 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
935 GSS_C_QOP_DEFAULT, buffer, hash))) 942 GSS_C_QOP_DEFAULT, buffer, hash)))
936 ssh_gssapi_error(ctx); 943 ssh_gssapi_error(ctx);
937@@ -257,6 +448,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) 944@@ -257,6 +451,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
938 return (ctx->major); 945 return (ctx->major);
939 } 946 }
940 947
@@ -954,7 +961,7 @@ index d56257b4a..285fc29a5 100644
954 void 961 void
955 ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, 962 ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
956 const char *context) 963 const char *context)
957@@ -273,11 +477,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, 964@@ -273,11 +480,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
958 } 965 }
959 966
960 int 967 int
@@ -972,7 +979,7 @@ index d56257b4a..285fc29a5 100644
972 979
973 /* RFC 4462 says we MUST NOT do SPNEGO */ 980 /* RFC 4462 says we MUST NOT do SPNEGO */
974 if (oid->length == spnego_oid.length && 981 if (oid->length == spnego_oid.length &&
975@@ -287,6 +496,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) 982@@ -287,6 +499,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
976 ssh_gssapi_build_ctx(ctx); 983 ssh_gssapi_build_ctx(ctx);
977 ssh_gssapi_set_oid(*ctx, oid); 984 ssh_gssapi_set_oid(*ctx, oid);
978 major = ssh_gssapi_import_name(*ctx, host); 985 major = ssh_gssapi_import_name(*ctx, host);
@@ -983,7 +990,7 @@ index d56257b4a..285fc29a5 100644
983 if (!GSS_ERROR(major)) { 990 if (!GSS_ERROR(major)) {
984 major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 991 major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
985 NULL); 992 NULL);
986@@ -296,10 +509,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) 993@@ -296,10 +512,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
987 GSS_C_NO_BUFFER); 994 GSS_C_NO_BUFFER);
988 } 995 }
989 996
@@ -1540,10 +1547,10 @@ index 593de1208..4e5ead839 100644
1540 const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); 1547 const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
1541diff --git a/kexgssc.c b/kexgssc.c 1548diff --git a/kexgssc.c b/kexgssc.c
1542new file mode 100644 1549new file mode 100644
1543index 000000000..953c0a248 1550index 000000000..3c8ae08dd
1544--- /dev/null 1551--- /dev/null
1545+++ b/kexgssc.c 1552+++ b/kexgssc.c
1546@@ -0,0 +1,338 @@ 1553@@ -0,0 +1,341 @@
1547+/* 1554+/*
1548+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1555+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
1549+ * 1556+ *
@@ -1602,6 +1609,7 @@ index 000000000..953c0a248
1602+ DH *dh; 1609+ DH *dh;
1603+ BIGNUM *dh_server_pub = NULL; 1610+ BIGNUM *dh_server_pub = NULL;
1604+ BIGNUM *shared_secret = NULL; 1611+ BIGNUM *shared_secret = NULL;
1612+ const BIGNUM *pub_key, *dh_p, *dh_g;
1605+ BIGNUM *p = NULL; 1613+ BIGNUM *p = NULL;
1606+ BIGNUM *g = NULL; 1614+ BIGNUM *g = NULL;
1607+ u_char *kbuf; 1615+ u_char *kbuf;
@@ -1666,6 +1674,8 @@ index 000000000..953c0a248
1666+ 1674+
1667+ /* Step 1 - e is dh->pub_key */ 1675+ /* Step 1 - e is dh->pub_key */
1668+ dh_gen_key(dh, ssh->kex->we_need * 8); 1676+ dh_gen_key(dh, ssh->kex->we_need * 8);
1677+ DH_get0_key(dh, &pub_key, NULL);
1678+ DH_get0_pqg(dh, &dh_p, NULL, &dh_g);
1669+ 1679+
1670+ /* This is f, we initialise it now to make life easier */ 1680+ /* This is f, we initialise it now to make life easier */
1671+ dh_server_pub = BN_new(); 1681+ dh_server_pub = BN_new();
@@ -1713,7 +1723,7 @@ index 000000000..953c0a248
1713+ packet_start(SSH2_MSG_KEXGSS_INIT); 1723+ packet_start(SSH2_MSG_KEXGSS_INIT);
1714+ packet_put_string(send_tok.value, 1724+ packet_put_string(send_tok.value,
1715+ send_tok.length); 1725+ send_tok.length);
1716+ packet_put_bignum2(dh->pub_key); 1726+ packet_put_bignum2(pub_key);
1717+ first = 0; 1727+ first = 0;
1718+ } else { 1728+ } else {
1719+ packet_start(SSH2_MSG_KEXGSS_CONTINUE); 1729+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
@@ -1822,7 +1832,7 @@ index 000000000..953c0a248
1822+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), 1832+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
1823+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), 1833+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
1824+ (serverhostkey ? serverhostkey : empty), slen, 1834+ (serverhostkey ? serverhostkey : empty), slen,
1825+ dh->pub_key, /* e */ 1835+ pub_key, /* e */
1826+ dh_server_pub, /* f */ 1836+ dh_server_pub, /* f */
1827+ shared_secret, /* K */ 1837+ shared_secret, /* K */
1828+ hash, &hashlen 1838+ hash, &hashlen
@@ -1837,8 +1847,8 @@ index 000000000..953c0a248
1837+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), 1847+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
1838+ (serverhostkey ? serverhostkey : empty), slen, 1848+ (serverhostkey ? serverhostkey : empty), slen,
1839+ min, nbits, max, 1849+ min, nbits, max,
1840+ dh->p, dh->g, 1850+ dh_p, dh_g,
1841+ dh->pub_key, 1851+ pub_key,
1842+ dh_server_pub, 1852+ dh_server_pub,
1843+ shared_secret, 1853+ shared_secret,
1844+ hash, &hashlen 1854+ hash, &hashlen
@@ -1884,10 +1894,10 @@ index 000000000..953c0a248
1884+#endif /* GSSAPI */ 1894+#endif /* GSSAPI */
1885diff --git a/kexgsss.c b/kexgsss.c 1895diff --git a/kexgsss.c b/kexgsss.c
1886new file mode 100644 1896new file mode 100644
1887index 000000000..31ec6a890 1897index 000000000..18070f1d7
1888--- /dev/null 1898--- /dev/null
1889+++ b/kexgsss.c 1899+++ b/kexgsss.c
1890@@ -0,0 +1,295 @@ 1900@@ -0,0 +1,300 @@
1891+/* 1901+/*
1892+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. 1902+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
1893+ * 1903+ *
@@ -1958,6 +1968,7 @@ index 000000000..31ec6a890
1958+ u_char *kbuf; 1968+ u_char *kbuf;
1959+ DH *dh; 1969+ DH *dh;
1960+ int min = -1, max = -1, nbits = -1; 1970+ int min = -1, max = -1, nbits = -1;
1971+ const BIGNUM *pub_key, *dh_p, *dh_g;
1961+ BIGNUM *shared_secret = NULL; 1972+ BIGNUM *shared_secret = NULL;
1962+ BIGNUM *dh_client_pub = NULL; 1973+ BIGNUM *dh_client_pub = NULL;
1963+ int type = 0; 1974+ int type = 0;
@@ -2008,10 +2019,11 @@ index 000000000..31ec6a890
2008+ nbits, MIN(DH_GRP_MAX, max))); 2019+ nbits, MIN(DH_GRP_MAX, max)));
2009+ if (dh == NULL) 2020+ if (dh == NULL)
2010+ packet_disconnect("Protocol error: no matching group found"); 2021+ packet_disconnect("Protocol error: no matching group found");
2022+ DH_get0_pqg(dh, &dh_p, NULL, &dh_g);
2011+ 2023+
2012+ packet_start(SSH2_MSG_KEXGSS_GROUP); 2024+ packet_start(SSH2_MSG_KEXGSS_GROUP);
2013+ packet_put_bignum2(dh->p); 2025+ packet_put_bignum2(dh_p);
2014+ packet_put_bignum2(dh->g); 2026+ packet_put_bignum2(dh_g);
2015+ packet_send(); 2027+ packet_send();
2016+ 2028+
2017+ packet_write_wait(); 2029+ packet_write_wait();
@@ -2103,6 +2115,9 @@ index 000000000..31ec6a890
2103+ memset(kbuf, 0, klen); 2115+ memset(kbuf, 0, klen);
2104+ free(kbuf); 2116+ free(kbuf);
2105+ 2117+
2118+ DH_get0_key(dh, &pub_key, NULL);
2119+ DH_get0_pqg(dh, &dh_p, NULL, &dh_g);
2120+
2106+ hashlen = sizeof(hash); 2121+ hashlen = sizeof(hash);
2107+ switch (ssh->kex->kex_type) { 2122+ switch (ssh->kex->kex_type) {
2108+ case KEX_GSS_GRP1_SHA1: 2123+ case KEX_GSS_GRP1_SHA1:
@@ -2113,7 +2128,7 @@ index 000000000..31ec6a890
2113+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), 2128+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
2114+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), 2129+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
2115+ NULL, 0, /* Change this if we start sending host keys */ 2130+ NULL, 0, /* Change this if we start sending host keys */
2116+ dh_client_pub, dh->pub_key, shared_secret, 2131+ dh_client_pub, pub_key, shared_secret,
2117+ hash, &hashlen 2132+ hash, &hashlen
2118+ ); 2133+ );
2119+ break; 2134+ break;
@@ -2125,9 +2140,9 @@ index 000000000..31ec6a890
2125+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), 2140+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
2126+ NULL, 0, 2141+ NULL, 0,
2127+ min, nbits, max, 2142+ min, nbits, max,
2128+ dh->p, dh->g, 2143+ dh_p, dh_g,
2129+ dh_client_pub, 2144+ dh_client_pub,
2130+ dh->pub_key, 2145+ pub_key,
2131+ shared_secret, 2146+ shared_secret,
2132+ hash, &hashlen 2147+ hash, &hashlen
2133+ ); 2148+ );
@@ -2151,7 +2166,7 @@ index 000000000..31ec6a890
2151+ fatal("Couldn't get MIC"); 2166+ fatal("Couldn't get MIC");
2152+ 2167+
2153+ packet_start(SSH2_MSG_KEXGSS_COMPLETE); 2168+ packet_start(SSH2_MSG_KEXGSS_COMPLETE);
2154+ packet_put_bignum2(dh->pub_key); 2169+ packet_put_bignum2(pub_key);
2155+ packet_put_string(msg_tok.value,msg_tok.length); 2170+ packet_put_string(msg_tok.value,msg_tok.length);
2156+ 2171+
2157+ if (send_tok.length != 0) { 2172+ if (send_tok.length != 0) {
@@ -2184,10 +2199,10 @@ index 000000000..31ec6a890
2184+} 2199+}
2185+#endif /* GSSAPI */ 2200+#endif /* GSSAPI */
2186diff --git a/monitor.c b/monitor.c 2201diff --git a/monitor.c b/monitor.c
2187index d4b4b0471..4e574a2ae 100644 2202index 531b2993a..eabc1e89b 100644
2188--- a/monitor.c 2203--- a/monitor.c
2189+++ b/monitor.c 2204+++ b/monitor.c
2190@@ -143,6 +143,8 @@ int mm_answer_gss_setup_ctx(int, struct sshbuf *); 2205@@ -145,6 +145,8 @@ int mm_answer_gss_setup_ctx(int, struct sshbuf *);
2191 int mm_answer_gss_accept_ctx(int, struct sshbuf *); 2206 int mm_answer_gss_accept_ctx(int, struct sshbuf *);
2192 int mm_answer_gss_userok(int, struct sshbuf *); 2207 int mm_answer_gss_userok(int, struct sshbuf *);
2193 int mm_answer_gss_checkmic(int, struct sshbuf *); 2208 int mm_answer_gss_checkmic(int, struct sshbuf *);
@@ -2196,7 +2211,7 @@ index d4b4b0471..4e574a2ae 100644
2196 #endif 2211 #endif
2197 2212
2198 #ifdef SSH_AUDIT_EVENTS 2213 #ifdef SSH_AUDIT_EVENTS
2199@@ -213,11 +215,18 @@ struct mon_table mon_dispatch_proto20[] = { 2214@@ -215,11 +217,18 @@ struct mon_table mon_dispatch_proto20[] = {
2200 {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, 2215 {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
2201 {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, 2216 {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
2202 {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, 2217 {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
@@ -2215,7 +2230,7 @@ index d4b4b0471..4e574a2ae 100644
2215 #ifdef WITH_OPENSSL 2230 #ifdef WITH_OPENSSL
2216 {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, 2231 {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
2217 #endif 2232 #endif
2218@@ -287,6 +296,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) 2233@@ -289,6 +298,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
2219 /* Permit requests for moduli and signatures */ 2234 /* Permit requests for moduli and signatures */
2220 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2235 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2221 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2236 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2226,7 +2241,7 @@ index d4b4b0471..4e574a2ae 100644
2226 2241
2227 /* The first few requests do not require asynchronous access */ 2242 /* The first few requests do not require asynchronous access */
2228 while (!authenticated) { 2243 while (!authenticated) {
2229@@ -399,6 +412,10 @@ monitor_child_postauth(struct monitor *pmonitor) 2244@@ -401,6 +414,10 @@ monitor_child_postauth(struct monitor *pmonitor)
2230 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); 2245 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
2231 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); 2246 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
2232 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); 2247 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2237,7 +2252,7 @@ index d4b4b0471..4e574a2ae 100644
2237 2252
2238 if (auth_opts->permit_pty_flag) { 2253 if (auth_opts->permit_pty_flag) {
2239 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 2254 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
2240@@ -1662,6 +1679,13 @@ monitor_apply_keystate(struct monitor *pmonitor) 2255@@ -1666,6 +1683,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
2241 # endif 2256 # endif
2242 #endif /* WITH_OPENSSL */ 2257 #endif /* WITH_OPENSSL */
2243 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 2258 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2251,7 +2266,7 @@ index d4b4b0471..4e574a2ae 100644
2251 kex->load_host_public_key=&get_hostkey_public_by_type; 2266 kex->load_host_public_key=&get_hostkey_public_by_type;
2252 kex->load_host_private_key=&get_hostkey_private_by_type; 2267 kex->load_host_private_key=&get_hostkey_private_by_type;
2253 kex->host_key_index=&get_hostkey_index; 2268 kex->host_key_index=&get_hostkey_index;
2254@@ -1752,8 +1776,8 @@ mm_answer_gss_setup_ctx(int sock, struct sshbuf *m) 2269@@ -1756,8 +1780,8 @@ mm_answer_gss_setup_ctx(int sock, struct sshbuf *m)
2255 u_char *p; 2270 u_char *p;
2256 int r; 2271 int r;
2257 2272
@@ -2262,7 +2277,7 @@ index d4b4b0471..4e574a2ae 100644
2262 2277
2263 if ((r = sshbuf_get_string(m, &p, &len)) != 0) 2278 if ((r = sshbuf_get_string(m, &p, &len)) != 0)
2264 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 2279 fatal("%s: buffer error: %s", __func__, ssh_err(r));
2265@@ -1785,8 +1809,8 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m) 2280@@ -1789,8 +1813,8 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m)
2266 OM_uint32 flags = 0; /* GSI needs this */ 2281 OM_uint32 flags = 0; /* GSI needs this */
2267 int r; 2282 int r;
2268 2283
@@ -2273,7 +2288,7 @@ index d4b4b0471..4e574a2ae 100644
2273 2288
2274 if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) 2289 if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
2275 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 2290 fatal("%s: buffer error: %s", __func__, ssh_err(r));
2276@@ -1806,6 +1830,7 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m) 2291@@ -1810,6 +1834,7 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m)
2277 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); 2292 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
2278 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); 2293 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
2279 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); 2294 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2281,7 +2296,7 @@ index d4b4b0471..4e574a2ae 100644
2281 } 2296 }
2282 return (0); 2297 return (0);
2283 } 2298 }
2284@@ -1817,8 +1842,8 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m) 2299@@ -1821,8 +1846,8 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m)
2285 OM_uint32 ret; 2300 OM_uint32 ret;
2286 int r; 2301 int r;
2287 2302
@@ -2292,7 +2307,7 @@ index d4b4b0471..4e574a2ae 100644
2292 2307
2293 if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || 2308 if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
2294 (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) 2309 (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
2295@@ -1847,10 +1872,11 @@ mm_answer_gss_userok(int sock, struct sshbuf *m) 2310@@ -1851,10 +1876,11 @@ mm_answer_gss_userok(int sock, struct sshbuf *m)
2296 int r, authenticated; 2311 int r, authenticated;
2297 const char *displayname; 2312 const char *displayname;
2298 2313
@@ -2307,7 +2322,7 @@ index d4b4b0471..4e574a2ae 100644
2307 2322
2308 sshbuf_reset(m); 2323 sshbuf_reset(m);
2309 if ((r = sshbuf_put_u32(m, authenticated)) != 0) 2324 if ((r = sshbuf_put_u32(m, authenticated)) != 0)
2310@@ -1867,5 +1893,83 @@ mm_answer_gss_userok(int sock, struct sshbuf *m) 2325@@ -1871,5 +1897,83 @@ mm_answer_gss_userok(int sock, struct sshbuf *m)
2311 /* Monitor loop will terminate if authenticated */ 2326 /* Monitor loop will terminate if authenticated */
2312 return (authenticated); 2327 return (authenticated);
2313 } 2328 }
@@ -2490,8 +2505,34 @@ index 644da081d..7f93144ff 100644
2490 #endif 2505 #endif
2491 2506
2492 #ifdef USE_PAM 2507 #ifdef USE_PAM
2508diff --git a/opacket.c b/opacket.c
2509index e637d7a71..7672c0b59 100644
2510--- a/opacket.c
2511+++ b/opacket.c
2512@@ -80,7 +80,7 @@ ssh_packet_put_raw(struct ssh *ssh, const void *buf, u_int len)
2513
2514 #ifdef WITH_OPENSSL
2515 void
2516-ssh_packet_put_bignum2(struct ssh *ssh, BIGNUM * value)
2517+ssh_packet_put_bignum2(struct ssh *ssh, const BIGNUM * value)
2518 {
2519 int r;
2520
2521diff --git a/opacket.h b/opacket.h
2522index f92fe586e..1cf66a2d3 100644
2523--- a/opacket.h
2524+++ b/opacket.h
2525@@ -7,7 +7,7 @@ void ssh_packet_start(struct ssh *, u_char);
2526 void ssh_packet_put_char(struct ssh *, int ch);
2527 void ssh_packet_put_int(struct ssh *, u_int value);
2528 void ssh_packet_put_int64(struct ssh *, u_int64_t value);
2529-void ssh_packet_put_bignum2(struct ssh *, BIGNUM * value);
2530+void ssh_packet_put_bignum2(struct ssh *, const BIGNUM * value);
2531 void ssh_packet_put_ecpoint(struct ssh *, const EC_GROUP *, const EC_POINT *);
2532 void ssh_packet_put_string(struct ssh *, const void *buf, u_int len);
2533 void ssh_packet_put_cstring(struct ssh *, const char *str);
2493diff --git a/readconf.c b/readconf.c 2534diff --git a/readconf.c b/readconf.c
2494index db5f2d547..4ad3c75fe 100644 2535index 433811521..36bc5e59a 100644
2495--- a/readconf.c 2536--- a/readconf.c
2496+++ b/readconf.c 2537+++ b/readconf.c
2497@@ -161,6 +161,8 @@ typedef enum { 2538@@ -161,6 +161,8 @@ typedef enum {
@@ -2524,7 +2565,7 @@ index db5f2d547..4ad3c75fe 100644
2524 #endif 2565 #endif
2525 #ifdef ENABLE_PKCS11 2566 #ifdef ENABLE_PKCS11
2526 { "smartcarddevice", oPKCS11Provider }, 2567 { "smartcarddevice", oPKCS11Provider },
2527@@ -973,10 +985,30 @@ parse_time: 2568@@ -974,10 +986,30 @@ parse_time:
2528 intptr = &options->gss_authentication; 2569 intptr = &options->gss_authentication;
2529 goto parse_flag; 2570 goto parse_flag;
2530 2571
@@ -2555,7 +2596,7 @@ index db5f2d547..4ad3c75fe 100644
2555 case oBatchMode: 2596 case oBatchMode:
2556 intptr = &options->batch_mode; 2597 intptr = &options->batch_mode;
2557 goto parse_flag; 2598 goto parse_flag;
2558@@ -1817,7 +1849,12 @@ initialize_options(Options * options) 2599@@ -1842,7 +1874,12 @@ initialize_options(Options * options)
2559 options->pubkey_authentication = -1; 2600 options->pubkey_authentication = -1;
2560 options->challenge_response_authentication = -1; 2601 options->challenge_response_authentication = -1;
2561 options->gss_authentication = -1; 2602 options->gss_authentication = -1;
@@ -2568,7 +2609,7 @@ index db5f2d547..4ad3c75fe 100644
2568 options->password_authentication = -1; 2609 options->password_authentication = -1;
2569 options->kbd_interactive_authentication = -1; 2610 options->kbd_interactive_authentication = -1;
2570 options->kbd_interactive_devices = NULL; 2611 options->kbd_interactive_devices = NULL;
2571@@ -1962,8 +1999,14 @@ fill_default_options(Options * options) 2612@@ -1988,8 +2025,14 @@ fill_default_options(Options * options)
2572 options->challenge_response_authentication = 1; 2613 options->challenge_response_authentication = 1;
2573 if (options->gss_authentication == -1) 2614 if (options->gss_authentication == -1)
2574 options->gss_authentication = 0; 2615 options->gss_authentication = 0;
@@ -2584,7 +2625,7 @@ index db5f2d547..4ad3c75fe 100644
2584 options->password_authentication = 1; 2625 options->password_authentication = 1;
2585 if (options->kbd_interactive_authentication == -1) 2626 if (options->kbd_interactive_authentication == -1)
2586diff --git a/readconf.h b/readconf.h 2627diff --git a/readconf.h b/readconf.h
2587index c56887816..5ea0c296b 100644 2628index fc7e38251..8e4900d01 100644
2588--- a/readconf.h 2629--- a/readconf.h
2589+++ b/readconf.h 2630+++ b/readconf.h
2590@@ -40,7 +40,12 @@ typedef struct { 2631@@ -40,7 +40,12 @@ typedef struct {
@@ -2601,7 +2642,7 @@ index c56887816..5ea0c296b 100644
2601 * authentication. */ 2642 * authentication. */
2602 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2643 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2603diff --git a/servconf.c b/servconf.c 2644diff --git a/servconf.c b/servconf.c
2604index c0f6af0be..e1ae07fb7 100644 2645index 932d363bb..4668b8a45 100644
2605--- a/servconf.c 2646--- a/servconf.c
2606+++ b/servconf.c 2647+++ b/servconf.c
2607@@ -124,8 +124,10 @@ initialize_server_options(ServerOptions *options) 2648@@ -124,8 +124,10 @@ initialize_server_options(ServerOptions *options)
@@ -2615,7 +2656,7 @@ index c0f6af0be..e1ae07fb7 100644
2615 options->password_authentication = -1; 2656 options->password_authentication = -1;
2616 options->kbd_interactive_authentication = -1; 2657 options->kbd_interactive_authentication = -1;
2617 options->challenge_response_authentication = -1; 2658 options->challenge_response_authentication = -1;
2618@@ -333,10 +335,14 @@ fill_default_server_options(ServerOptions *options) 2659@@ -337,10 +339,14 @@ fill_default_server_options(ServerOptions *options)
2619 options->kerberos_get_afs_token = 0; 2660 options->kerberos_get_afs_token = 0;
2620 if (options->gss_authentication == -1) 2661 if (options->gss_authentication == -1)
2621 options->gss_authentication = 0; 2662 options->gss_authentication = 0;
@@ -2630,7 +2671,7 @@ index c0f6af0be..e1ae07fb7 100644
2630 if (options->password_authentication == -1) 2671 if (options->password_authentication == -1)
2631 options->password_authentication = 1; 2672 options->password_authentication = 1;
2632 if (options->kbd_interactive_authentication == -1) 2673 if (options->kbd_interactive_authentication == -1)
2633@@ -481,6 +487,7 @@ typedef enum { 2674@@ -485,6 +491,7 @@ typedef enum {
2634 sHostKeyAlgorithms, 2675 sHostKeyAlgorithms,
2635 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, 2676 sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
2636 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, 2677 sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -2638,7 +2679,7 @@ index c0f6af0be..e1ae07fb7 100644
2638 sAcceptEnv, sSetEnv, sPermitTunnel, 2679 sAcceptEnv, sSetEnv, sPermitTunnel,
2639 sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, 2680 sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
2640 sUsePrivilegeSeparation, sAllowAgentForwarding, 2681 sUsePrivilegeSeparation, sAllowAgentForwarding,
2641@@ -555,12 +562,20 @@ static struct { 2682@@ -559,12 +566,20 @@ static struct {
2642 #ifdef GSSAPI 2683 #ifdef GSSAPI
2643 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, 2684 { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
2644 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, 2685 { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2659,7 +2700,7 @@ index c0f6af0be..e1ae07fb7 100644
2659 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, 2700 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
2660 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, 2701 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
2661 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, 2702 { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
2662@@ -1459,6 +1474,10 @@ process_server_config_line(ServerOptions *options, char *line, 2703@@ -1468,6 +1483,10 @@ process_server_config_line(ServerOptions *options, char *line,
2663 intptr = &options->gss_authentication; 2704 intptr = &options->gss_authentication;
2664 goto parse_flag; 2705 goto parse_flag;
2665 2706
@@ -2670,7 +2711,7 @@ index c0f6af0be..e1ae07fb7 100644
2670 case sGssCleanupCreds: 2711 case sGssCleanupCreds:
2671 intptr = &options->gss_cleanup_creds; 2712 intptr = &options->gss_cleanup_creds;
2672 goto parse_flag; 2713 goto parse_flag;
2673@@ -1467,6 +1486,10 @@ process_server_config_line(ServerOptions *options, char *line, 2714@@ -1476,6 +1495,10 @@ process_server_config_line(ServerOptions *options, char *line,
2674 intptr = &options->gss_strict_acceptor; 2715 intptr = &options->gss_strict_acceptor;
2675 goto parse_flag; 2716 goto parse_flag;
2676 2717
@@ -2681,7 +2722,7 @@ index c0f6af0be..e1ae07fb7 100644
2681 case sPasswordAuthentication: 2722 case sPasswordAuthentication:
2682 intptr = &options->password_authentication; 2723 intptr = &options->password_authentication;
2683 goto parse_flag; 2724 goto parse_flag;
2684@@ -2551,7 +2574,10 @@ dump_config(ServerOptions *o) 2725@@ -2560,7 +2583,10 @@ dump_config(ServerOptions *o)
2685 #endif 2726 #endif
2686 #ifdef GSSAPI 2727 #ifdef GSSAPI
2687 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); 2728 dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2693,10 +2734,10 @@ index c0f6af0be..e1ae07fb7 100644
2693 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 2734 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2694 dump_cfg_fmtint(sKbdInteractiveAuthentication, 2735 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2695diff --git a/servconf.h b/servconf.h 2736diff --git a/servconf.h b/servconf.h
2696index 557521d73..9b117fe27 100644 2737index 0175e00e8..3b76da816 100644
2697--- a/servconf.h 2738--- a/servconf.h
2698+++ b/servconf.h 2739+++ b/servconf.h
2699@@ -124,8 +124,10 @@ typedef struct { 2740@@ -125,8 +125,10 @@ typedef struct {
2700 int kerberos_get_afs_token; /* If true, try to get AFS token if 2741 int kerberos_get_afs_token; /* If true, try to get AFS token if
2701 * authenticated with Kerberos. */ 2742 * authenticated with Kerberos. */
2702 int gss_authentication; /* If true, permit GSSAPI authentication */ 2743 int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2825,10 +2866,10 @@ index c12f5ef52..bcb9f153d 100644
2825 # CheckHostIP yes 2866 # CheckHostIP yes
2826 # AddressFamily any 2867 # AddressFamily any
2827diff --git a/ssh_config.5 b/ssh_config.5 2868diff --git a/ssh_config.5 b/ssh_config.5
2828index f499396a3..5b99921b4 100644 2869index 4d5b01d3e..16c79368a 100644
2829--- a/ssh_config.5 2870--- a/ssh_config.5
2830+++ b/ssh_config.5 2871+++ b/ssh_config.5
2831@@ -718,10 +718,42 @@ The default is 2872@@ -736,10 +736,42 @@ The default is
2832 Specifies whether user authentication based on GSSAPI is allowed. 2873 Specifies whether user authentication based on GSSAPI is allowed.
2833 The default is 2874 The default is
2834 .Cm no . 2875 .Cm no .
@@ -2872,7 +2913,7 @@ index f499396a3..5b99921b4 100644
2872 Indicates that 2913 Indicates that
2873 .Xr ssh 1 2914 .Xr ssh 1
2874diff --git a/sshconnect2.c b/sshconnect2.c 2915diff --git a/sshconnect2.c b/sshconnect2.c
2875index 10e4f0a08..c6a1b1271 100644 2916index 1675f3935..8c872a4fb 100644
2876--- a/sshconnect2.c 2917--- a/sshconnect2.c
2877+++ b/sshconnect2.c 2918+++ b/sshconnect2.c
2878@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2919@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -2985,7 +3026,7 @@ index 10e4f0a08..c6a1b1271 100644
2985 {"gssapi-with-mic", 3026 {"gssapi-with-mic",
2986 userauth_gssapi, 3027 userauth_gssapi,
2987 NULL, 3028 NULL,
2988@@ -657,25 +723,40 @@ userauth_gssapi(Authctxt *authctxt) 3029@@ -686,25 +752,40 @@ userauth_gssapi(Authctxt *authctxt)
2989 static u_int mech = 0; 3030 static u_int mech = 0;
2990 OM_uint32 min; 3031 OM_uint32 min;
2991 int r, ok = 0; 3032 int r, ok = 0;
@@ -3028,7 +3069,7 @@ index 10e4f0a08..c6a1b1271 100644
3028 if (!ok) 3069 if (!ok)
3029 return 0; 3070 return 0;
3030 3071
3031@@ -906,6 +987,54 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) 3072@@ -935,6 +1016,54 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh)
3032 free(lang); 3073 free(lang);
3033 return r; 3074 return r;
3034 } 3075 }
@@ -3084,7 +3125,7 @@ index 10e4f0a08..c6a1b1271 100644
3084 3125
3085 int 3126 int
3086diff --git a/sshd.c b/sshd.c 3127diff --git a/sshd.c b/sshd.c
3087index a738c3ab6..2e453cdf8 100644 3128index ba26287ba..539a000fd 100644
3088--- a/sshd.c 3129--- a/sshd.c
3089+++ b/sshd.c 3130+++ b/sshd.c
3090@@ -123,6 +123,10 @@ 3131@@ -123,6 +123,10 @@
@@ -3098,16 +3139,7 @@ index a738c3ab6..2e453cdf8 100644
3098 /* Re-exec fds */ 3139 /* Re-exec fds */
3099 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 3140 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
3100 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 3141 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
3101@@ -536,7 +540,7 @@ privsep_preauth_child(void) 3142@@ -1810,10 +1814,13 @@ main(int ac, char **av)
3102
3103 #ifdef GSSAPI
3104 /* Cache supported mechanism OIDs for later use */
3105- if (options.gss_authentication)
3106+ if (options.gss_authentication || options.gss_keyex)
3107 ssh_gssapi_prepare_supported_oids();
3108 #endif
3109
3110@@ -1811,10 +1815,13 @@ main(int ac, char **av)
3111 free(fp); 3143 free(fp);
3112 } 3144 }
3113 accumulate_host_timing_secret(cfg, NULL); 3145 accumulate_host_timing_secret(cfg, NULL);
@@ -3121,7 +3153,7 @@ index a738c3ab6..2e453cdf8 100644
3121 3153
3122 /* 3154 /*
3123 * Load certificates. They are stored in an array at identical 3155 * Load certificates. They are stored in an array at identical
3124@@ -2105,6 +2112,60 @@ main(int ac, char **av) 3156@@ -2104,6 +2111,60 @@ main(int ac, char **av)
3125 rdomain == NULL ? "" : "\""); 3157 rdomain == NULL ? "" : "\"");
3126 free(laddr); 3158 free(laddr);
3127 3159
@@ -3182,7 +3214,7 @@ index a738c3ab6..2e453cdf8 100644
3182 /* 3214 /*
3183 * We don't want to listen forever unless the other side 3215 * We don't want to listen forever unless the other side
3184 * successfully authenticates itself. So we set up an alarm which is 3216 * successfully authenticates itself. So we set up an alarm which is
3185@@ -2288,6 +2349,48 @@ do_ssh2_kex(void) 3217@@ -2287,6 +2348,48 @@ do_ssh2_kex(void)
3186 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( 3218 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
3187 list_hostkey_types()); 3219 list_hostkey_types());
3188 3220
@@ -3231,7 +3263,7 @@ index a738c3ab6..2e453cdf8 100644
3231 /* start key exchange */ 3263 /* start key exchange */
3232 if ((r = kex_setup(active_state, myproposal)) != 0) 3264 if ((r = kex_setup(active_state, myproposal)) != 0)
3233 fatal("kex_setup: %s", ssh_err(r)); 3265 fatal("kex_setup: %s", ssh_err(r));
3234@@ -2305,6 +2408,13 @@ do_ssh2_kex(void) 3266@@ -2304,6 +2407,13 @@ do_ssh2_kex(void)
3235 # endif 3267 # endif
3236 #endif 3268 #endif
3237 kex->kex[KEX_C25519_SHA256] = kexc25519_server; 3269 kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -3259,10 +3291,10 @@ index 19b7c91a1..2c48105f8 100644
3259 # Set this to 'yes' to enable PAM authentication, account processing, 3291 # Set this to 'yes' to enable PAM authentication, account processing,
3260 # and session processing. If this is enabled, PAM authentication will 3292 # and session processing. If this is enabled, PAM authentication will
3261diff --git a/sshd_config.5 b/sshd_config.5 3293diff --git a/sshd_config.5 b/sshd_config.5
3262index e1b54ba20..a0ac717c7 100644 3294index c6484370b..985eef5a2 100644
3263--- a/sshd_config.5 3295--- a/sshd_config.5
3264+++ b/sshd_config.5 3296+++ b/sshd_config.5
3265@@ -637,6 +637,11 @@ The default is 3297@@ -648,6 +648,11 @@ The default is
3266 Specifies whether user authentication based on GSSAPI is allowed. 3298 Specifies whether user authentication based on GSSAPI is allowed.
3267 The default is 3299 The default is
3268 .Cm no . 3300 .Cm no .
@@ -3274,7 +3306,7 @@ index e1b54ba20..a0ac717c7 100644
3274 .It Cm GSSAPICleanupCredentials 3306 .It Cm GSSAPICleanupCredentials
3275 Specifies whether to automatically destroy the user's credentials cache 3307 Specifies whether to automatically destroy the user's credentials cache
3276 on logout. 3308 on logout.
3277@@ -656,6 +661,11 @@ machine's default store. 3309@@ -667,6 +672,11 @@ machine's default store.
3278 This facility is provided to assist with operation on multi homed machines. 3310 This facility is provided to assist with operation on multi homed machines.
3279 The default is 3311 The default is
3280 .Cm yes . 3312 .Cm yes .
@@ -3287,10 +3319,10 @@ index e1b54ba20..a0ac717c7 100644
3287 Specifies the key types that will be accepted for hostbased authentication 3319 Specifies the key types that will be accepted for hostbased authentication
3288 as a list of comma-separated patterns. 3320 as a list of comma-separated patterns.
3289diff --git a/sshkey.c b/sshkey.c 3321diff --git a/sshkey.c b/sshkey.c
3290index 72c08c7e0..91e99a262 100644 3322index 6555c5ef8..a85c185fc 100644
3291--- a/sshkey.c 3323--- a/sshkey.c
3292+++ b/sshkey.c 3324+++ b/sshkey.c
3293@@ -140,6 +140,7 @@ static const struct keytype keytypes[] = { 3325@@ -135,6 +135,7 @@ static const struct keytype keytypes[] = {
3294 # endif /* OPENSSL_HAS_NISTP521 */ 3326 # endif /* OPENSSL_HAS_NISTP521 */
3295 # endif /* OPENSSL_HAS_ECC */ 3327 # endif /* OPENSSL_HAS_ECC */
3296 #endif /* WITH_OPENSSL */ 3328 #endif /* WITH_OPENSSL */
@@ -3298,7 +3330,7 @@ index 72c08c7e0..91e99a262 100644
3298 { NULL, NULL, NULL, -1, -1, 0, 0 } 3330 { NULL, NULL, NULL, -1, -1, 0, 0 }
3299 }; 3331 };
3300 3332
3301@@ -228,7 +229,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 3333@@ -223,7 +224,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
3302 const struct keytype *kt; 3334 const struct keytype *kt;
3303 3335
3304 for (kt = keytypes; kt->type != -1; kt++) { 3336 for (kt = keytypes; kt->type != -1; kt++) {
@@ -3308,10 +3340,10 @@ index 72c08c7e0..91e99a262 100644
3308 if (!include_sigonly && kt->sigonly) 3340 if (!include_sigonly && kt->sigonly)
3309 continue; 3341 continue;
3310diff --git a/sshkey.h b/sshkey.h 3342diff --git a/sshkey.h b/sshkey.h
3311index 9060b2ecb..0cbdcfd74 100644 3343index f6a007fdf..f54deb0c0 100644
3312--- a/sshkey.h 3344--- a/sshkey.h
3313+++ b/sshkey.h 3345+++ b/sshkey.h
3314@@ -63,6 +63,7 @@ enum sshkey_types { 3346@@ -64,6 +64,7 @@ enum sshkey_types {
3315 KEY_ED25519_CERT, 3347 KEY_ED25519_CERT,
3316 KEY_XMSS, 3348 KEY_XMSS,
3317 KEY_XMSS_CERT, 3349 KEY_XMSS_CERT,
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index fc052ea73..4207302c3 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
1From 2c0a1fef2aaf16c5b97694139239797f0ea33d27 Mon Sep 17 00:00:00 2001 1From 7ba31c6ff505278fb9f33b695605ca3a093caba2 Mon Sep 17 00:00:00 2001
2From: Richard Kettlewell <rjk@greenend.org.uk> 2From: Richard Kettlewell <rjk@greenend.org.uk>
3Date: Sun, 9 Feb 2014 16:09:52 +0000 3Date: Sun, 9 Feb 2014 16:09:52 +0000
4Subject: Various keepalive extensions 4Subject: Various keepalive extensions
@@ -16,7 +16,7 @@ keepalives.
16Author: Ian Jackson <ian@chiark.greenend.org.uk> 16Author: Ian Jackson <ian@chiark.greenend.org.uk>
17Author: Matthew Vernon <matthew@debian.org> 17Author: Matthew Vernon <matthew@debian.org>
18Author: Colin Watson <cjwatson@debian.org> 18Author: Colin Watson <cjwatson@debian.org>
19Last-Update: 2018-08-24 19Last-Update: 2018-10-19
20 20
21Patch-Name: keepalive-extensions.patch 21Patch-Name: keepalive-extensions.patch
22--- 22---
@@ -26,18 +26,18 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index 6e26ba32d..3fd0fe7b7 100644 29index 5e655e924..052d4b1ac 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -175,6 +175,7 @@ typedef enum { 32@@ -175,6 +175,7 @@ typedef enum {
33 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, 33 oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
34 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, 34 oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
35 oPubkeyAcceptedKeyTypes, oProxyJump, 35 oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
36+ oProtocolKeepAlives, oSetupTimeOut, 36+ oProtocolKeepAlives, oSetupTimeOut,
37 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported 37 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
38 } OpCodes; 38 } OpCodes;
39 39
40@@ -321,6 +322,8 @@ static struct { 40@@ -322,6 +323,8 @@ static struct {
41 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, 41 { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
42 { "ignoreunknown", oIgnoreUnknown }, 42 { "ignoreunknown", oIgnoreUnknown },
43 { "proxyjump", oProxyJump }, 43 { "proxyjump", oProxyJump },
@@ -46,7 +46,7 @@ index 6e26ba32d..3fd0fe7b7 100644
46 46
47 { NULL, oBadOption } 47 { NULL, oBadOption }
48 }; 48 };
49@@ -1401,6 +1404,8 @@ parse_keytypes: 49@@ -1415,6 +1418,8 @@ parse_keytypes:
50 goto parse_flag; 50 goto parse_flag;
51 51
52 case oServerAliveInterval: 52 case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 6e26ba32d..3fd0fe7b7 100644
55 intptr = &options->server_alive_interval; 55 intptr = &options->server_alive_interval;
56 goto parse_time; 56 goto parse_time;
57 57
58@@ -2075,8 +2080,13 @@ fill_default_options(Options * options) 58@@ -2101,8 +2106,13 @@ fill_default_options(Options * options)
59 options->rekey_interval = 0; 59 options->rekey_interval = 0;
60 if (options->verify_host_key_dns == -1) 60 if (options->verify_host_key_dns == -1)
61 options->verify_host_key_dns = 0; 61 options->verify_host_key_dns = 0;
@@ -72,7 +72,7 @@ index 6e26ba32d..3fd0fe7b7 100644
72 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
73 if (options->control_master == -1) 73 if (options->control_master == -1)
74diff --git a/ssh_config.5 b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
75index 5b99921b4..86ada128e 100644 75index 16c79368a..54e143c93 100644
76--- a/ssh_config.5 76--- a/ssh_config.5
77+++ b/ssh_config.5 77+++ b/ssh_config.5
78@@ -247,8 +247,12 @@ Valid arguments are 78@@ -247,8 +247,12 @@ Valid arguments are
@@ -89,7 +89,7 @@ index 5b99921b4..86ada128e 100644
89 The argument must be 89 The argument must be
90 .Cm yes 90 .Cm yes
91 or 91 or
92@@ -1463,7 +1467,14 @@ from the server, 92@@ -1485,7 +1489,14 @@ from the server,
93 will send a message through the encrypted 93 will send a message through the encrypted
94 channel to request a response from the server. 94 channel to request a response from the server.
95 The default 95 The default
@@ -105,7 +105,7 @@ index 5b99921b4..86ada128e 100644
105 .It Cm SetEnv 105 .It Cm SetEnv
106 Directly specify one or more environment variables and their contents to 106 Directly specify one or more environment variables and their contents to
107 be sent to the server. 107 be sent to the server.
108@@ -1543,6 +1554,12 @@ Specifies whether the system should send TCP keepalive messages to the 108@@ -1565,6 +1576,12 @@ Specifies whether the system should send TCP keepalive messages to the
109 other side. 109 other side.
110 If they are sent, death of the connection or crash of one 110 If they are sent, death of the connection or crash of one
111 of the machines will be properly noticed. 111 of the machines will be properly noticed.
@@ -119,10 +119,10 @@ index 5b99921b4..86ada128e 100644
119 connections will die if the route is down temporarily, and some people 119 connections will die if the route is down temporarily, and some people
120 find it annoying. 120 find it annoying.
121diff --git a/sshd_config.5 b/sshd_config.5 121diff --git a/sshd_config.5 b/sshd_config.5
122index a0ac717c7..0fbbccbde 100644 122index 985eef5a2..e7e55dd71 100644
123--- a/sshd_config.5 123--- a/sshd_config.5
124+++ b/sshd_config.5 124+++ b/sshd_config.5
125@@ -1566,6 +1566,9 @@ This avoids infinitely hanging sessions. 125@@ -1577,6 +1577,9 @@ This avoids infinitely hanging sessions.
126 .Pp 126 .Pp
127 To disable TCP keepalive messages, the value should be set to 127 To disable TCP keepalive messages, the value should be set to
128 .Cm no . 128 .Cm no .
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 3f0d5fba3..75ed46db7 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
1From 0e0121b6dc0ffc2ec6a171328fea530378df2b3b Mon Sep 17 00:00:00 2001 1From bb8bb2621914ad600202e38d5b9b4f4544b191e5 Mon Sep 17 00:00:00 2001
2From: Scott Moser <smoser@ubuntu.com> 2From: Scott Moser <smoser@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:10:03 +0000 3Date: Sun, 9 Feb 2014 16:10:03 +0000
4Subject: Mention ssh-keygen in ssh fingerprint changed warning 4Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -14,10 +14,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
14 1 file changed, 8 insertions(+), 1 deletion(-) 14 1 file changed, 8 insertions(+), 1 deletion(-)
15 15
16diff --git a/sshconnect.c b/sshconnect.c 16diff --git a/sshconnect.c b/sshconnect.c
17index a2efe6d15..ab5966066 100644 17index 700ea6c3c..158e8146f 100644
18--- a/sshconnect.c 18--- a/sshconnect.c
19+++ b/sshconnect.c 19+++ b/sshconnect.c
20@@ -1112,9 +1112,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 20@@ -1121,9 +1121,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
21 error("%s. This could either mean that", key_msg); 21 error("%s. This could either mean that", key_msg);
22 error("DNS SPOOFING is happening or the IP address for the host"); 22 error("DNS SPOOFING is happening or the IP address for the host");
23 error("and its host key have changed at the same time."); 23 error("and its host key have changed at the same time.");
@@ -32,7 +32,7 @@ index a2efe6d15..ab5966066 100644
32 } 32 }
33 /* The host key has changed. */ 33 /* The host key has changed. */
34 warn_changed_key(host_key); 34 warn_changed_key(host_key);
35@@ -1123,6 +1127,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 35@@ -1132,6 +1136,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
36 error("Offending %s key in %s:%lu", 36 error("Offending %s key in %s:%lu",
37 sshkey_type(host_found->key), 37 sshkey_type(host_found->key),
38 host_found->file, host_found->line); 38 host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index 9c9c664d4..3b2e05e58 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -1,4 +1,4 @@
1From 4d75300bdb447824c974febd3d04331755dde3ca Mon Sep 17 00:00:00 2001 1From 690051b3aa4ff72af57e4a82d640858357eef820 Mon Sep 17 00:00:00 2001
2From: Kurt Roeckx <kurt@roeckx.be> 2From: Kurt Roeckx <kurt@roeckx.be>
3Date: Sun, 9 Feb 2014 16:10:14 +0000 3Date: Sun, 9 Feb 2014 16:10:14 +0000
4Subject: Don't check the status field of the OpenSSL version 4Subject: Don't check the status field of the OpenSSL version
@@ -23,7 +23,7 @@ Patch-Name: no-openssl-version-status.patch
23 2 files changed, 4 insertions(+), 3 deletions(-) 23 2 files changed, 4 insertions(+), 3 deletions(-)
24 24
25diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c 25diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
26index 259fccbec..aaa953f2d 100644 26index 8b4a36274..ea0b0c9fb 100644
27--- a/openbsd-compat/openssl-compat.c 27--- a/openbsd-compat/openssl-compat.c
28+++ b/openbsd-compat/openssl-compat.c 28+++ b/openbsd-compat/openssl-compat.c
29@@ -34,7 +34,7 @@ 29@@ -34,7 +34,7 @@
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index dacff74c3..cdb905b2e 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
1From f48c4fd12f8ecd275226e357454e45f10c20ac92 Mon Sep 17 00:00:00 2001 1From 96c85e746d4f94c7d2748a200e5817ad8a987918 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:09 +0000 3Date: Sun, 9 Feb 2014 16:10:09 +0000
4Subject: Adjust various OpenBSD-specific references in manual pages 4Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,7 +44,7 @@ index ef0de0850..149846c8c 100644
44 .Sh SEE ALSO 44 .Sh SEE ALSO
45 .Xr ssh-keygen 1 , 45 .Xr ssh-keygen 1 ,
46diff --git a/ssh-keygen.1 b/ssh-keygen.1 46diff --git a/ssh-keygen.1 b/ssh-keygen.1
47index dd6e7e5a8..33e0bbcc1 100644 47index bfa2eb5f3..da6b5ed76 100644
48--- a/ssh-keygen.1 48--- a/ssh-keygen.1
49+++ b/ssh-keygen.1 49+++ b/ssh-keygen.1
50@@ -176,9 +176,7 @@ key in 50@@ -176,9 +176,7 @@ key in
@@ -78,7 +78,7 @@ index dd6e7e5a8..33e0bbcc1 100644
78 It is important that this file contains moduli of a range of bit lengths and 78 It is important that this file contains moduli of a range of bit lengths and
79 that both ends of a connection share common moduli. 79 that both ends of a connection share common moduli.
80 .Sh CERTIFICATES 80 .Sh CERTIFICATES
81@@ -864,7 +860,7 @@ on all machines 81@@ -877,7 +873,7 @@ on all machines
82 where the user wishes to log in using public key authentication. 82 where the user wishes to log in using public key authentication.
83 There is no need to keep the contents of this file secret. 83 There is no need to keep the contents of this file secret.
84 .Pp 84 .Pp
@@ -88,10 +88,10 @@ index dd6e7e5a8..33e0bbcc1 100644
88 The file format is described in 88 The file format is described in
89 .Xr moduli 5 . 89 .Xr moduli 5 .
90diff --git a/ssh.1 b/ssh.1 90diff --git a/ssh.1 b/ssh.1
91index cb0fdd50e..d41426781 100644 91index 81f29af43..5dfad6daa 100644
92--- a/ssh.1 92--- a/ssh.1
93+++ b/ssh.1 93+++ b/ssh.1
94@@ -850,6 +850,10 @@ implements public key authentication protocol automatically, 94@@ -860,6 +860,10 @@ implements public key authentication protocol automatically,
95 using one of the DSA, ECDSA, Ed25519 or RSA algorithms. 95 using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
96 The HISTORY section of 96 The HISTORY section of
97 .Xr ssl 8 97 .Xr ssl 8
@@ -133,11 +133,11 @@ index 57a7fd66b..4abc01d66 100644
133 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
134 .Xr inetd 8 , 134 .Xr inetd 8 ,
135diff --git a/sshd_config.5 b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
136index 96a69ab55..9774831fe 100644 136index 37e6be38f..23f71fd1d 100644
137--- a/sshd_config.5 137--- a/sshd_config.5
138+++ b/sshd_config.5 138+++ b/sshd_config.5
139@@ -384,8 +384,7 @@ then no banner is displayed. 139@@ -395,8 +395,7 @@ Certificates signed using other algorithms will not be accepted for
140 By default, no banner is displayed. 140 public key or host-based authentication.
141 .It Cm ChallengeResponseAuthentication 141 .It Cm ChallengeResponseAuthentication
142 Specifies whether challenge-response authentication is allowed (e.g. via 142 Specifies whether challenge-response authentication is allowed (e.g. via
143-PAM or through authentication styles supported in 143-PAM or through authentication styles supported in
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 470d057b2..809c78846 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
1From 97c5d99b8d1957d5a29ca34157a9bfe2ed5c7003 Mon Sep 17 00:00:00 2001 1From b258a00bedcf29200b394c671c6deb1e53157f32 Mon Sep 17 00:00:00 2001
2From: Matthew Vernon <matthew@debian.org> 2From: Matthew Vernon <matthew@debian.org>
3Date: Sun, 9 Feb 2014 16:10:05 +0000 3Date: Sun, 9 Feb 2014 16:10:05 +0000
4Subject: Include the Debian version in our identification 4Subject: Include the Debian version in our identification
@@ -19,7 +19,7 @@ Patch-Name: package-versioning.patch
19 3 files changed, 8 insertions(+), 3 deletions(-) 19 3 files changed, 8 insertions(+), 3 deletions(-)
20 20
21diff --git a/sshconnect.c b/sshconnect.c 21diff --git a/sshconnect.c b/sshconnect.c
22index ab5966066..d3656e47a 100644 22index 158e8146f..b9418e277 100644
23--- a/sshconnect.c 23--- a/sshconnect.c
24+++ b/sshconnect.c 24+++ b/sshconnect.c
25@@ -609,7 +609,7 @@ send_client_banner(int connection_out, int minor1) 25@@ -609,7 +609,7 @@ send_client_banner(int connection_out, int minor1)
@@ -32,7 +32,7 @@ index ab5966066..d3656e47a 100644
32 strlen(client_version_string)) != strlen(client_version_string)) 32 strlen(client_version_string)) != strlen(client_version_string))
33 fatal("write: %.100s", strerror(errno)); 33 fatal("write: %.100s", strerror(errno));
34diff --git a/sshd.c b/sshd.c 34diff --git a/sshd.c b/sshd.c
35index 92d15c82d..ffd3dad6a 100644 35index 2bc6679e5..9481272fc 100644
36--- a/sshd.c 36--- a/sshd.c
37+++ b/sshd.c 37+++ b/sshd.c
38@@ -384,7 +384,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 38@@ -384,7 +384,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
@@ -45,11 +45,11 @@ index 92d15c82d..ffd3dad6a 100644
45 options.version_addendum); 45 options.version_addendum);
46 46
47diff --git a/version.h b/version.h 47diff --git a/version.h b/version.h
48index f1bbf00f3..e7df751e1 100644 48index 422dfbc3a..5e1ce0426 100644
49--- a/version.h 49--- a/version.h
50+++ b/version.h 50+++ b/version.h
51@@ -3,4 +3,9 @@ 51@@ -3,4 +3,9 @@
52 #define SSH_VERSION "OpenSSH_7.8" 52 #define SSH_VERSION "OpenSSH_7.9"
53 53
54 #define SSH_PORTABLE "p1" 54 #define SSH_PORTABLE "p1"
55-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE 55-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index 6f0abc35f..fcb1ac7e3 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
1From 2bc71f46ab96ec8af88a5b86786fb0835d9b65bc Mon Sep 17 00:00:00 2001 1From cebe4b82b280810172877a7f3d489c506c9a0691 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 5 Mar 2017 02:02:11 +0000 3Date: Sun, 5 Mar 2017 02:02:11 +0000
4Subject: Restore reading authorized_keys2 by default 4Subject: Restore reading authorized_keys2 by default
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 91f3377b1..fdc6cf18a 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -1,4 +1,4 @@
1From 84a7a1b1c767056c80add9f0e15c9f9ec23ec94d Mon Sep 17 00:00:00 2001 1From 389e16d0109d8c49a761cd7c267438b05c9ab984 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Tue, 7 Oct 2014 13:22:41 +0100 3Date: Tue, 7 Oct 2014 13:22:41 +0100
4Subject: Restore TCP wrappers support 4Subject: Restore TCP wrappers support
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch
28 3 files changed, 89 insertions(+) 28 3 files changed, 89 insertions(+)
29 29
30diff --git a/configure.ac b/configure.ac 30diff --git a/configure.ac b/configure.ac
31index 82428b241..ebc10f51e 100644 31index 023e7cc55..917300b43 100644
32--- a/configure.ac 32--- a/configure.ac
33+++ b/configure.ac 33+++ b/configure.ac
34@@ -1526,6 +1526,62 @@ else 34@@ -1517,6 +1517,62 @@ else
35 AC_MSG_RESULT([no]) 35 AC_MSG_RESULT([no])
36 fi 36 fi
37 37
@@ -94,7 +94,7 @@ index 82428b241..ebc10f51e 100644
94 # Check whether user wants to use ldns 94 # Check whether user wants to use ldns
95 LDNS_MSG="no" 95 LDNS_MSG="no"
96 AC_ARG_WITH(ldns, 96 AC_ARG_WITH(ldns,
97@@ -5201,6 +5257,7 @@ echo " PAM support: $PAM_MSG" 97@@ -5329,6 +5385,7 @@ echo " PAM support: $PAM_MSG"
98 echo " OSF SIA support: $SIA_MSG" 98 echo " OSF SIA support: $SIA_MSG"
99 echo " KerberosV support: $KRB5_MSG" 99 echo " KerberosV support: $KRB5_MSG"
100 echo " SELinux support: $SELINUX_MSG" 100 echo " SELinux support: $SELINUX_MSG"
@@ -128,7 +128,7 @@ index fb133c14b..57a7fd66b 100644
128 .Xr moduli 5 , 128 .Xr moduli 5 ,
129 .Xr sshd_config 5 , 129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c 130diff --git a/sshd.c b/sshd.c
131index 2e453cdf8..71c360da0 100644 131index 539a000fd..673db87f6 100644
132--- a/sshd.c 132--- a/sshd.c
133+++ b/sshd.c 133+++ b/sshd.c
134@@ -127,6 +127,13 @@ 134@@ -127,6 +127,13 @@
@@ -145,7 +145,7 @@ index 2e453cdf8..71c360da0 100644
145 /* Re-exec fds */ 145 /* Re-exec fds */
146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 146 #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) 147 #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
148@@ -2100,6 +2107,24 @@ main(int ac, char **av) 148@@ -2099,6 +2106,24 @@ main(int ac, char **av)
149 #ifdef SSH_AUDIT_EVENTS 149 #ifdef SSH_AUDIT_EVENTS
150 audit_connection_from(remote_ip, remote_port); 150 audit_connection_from(remote_ip, remote_port);
151 #endif 151 #endif
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index c52632134..d054b2a82 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
1From f14447b774639c6de52f452e5a0e012939832855 Mon Sep 17 00:00:00 2001 1From eefdc7046766b52e39f1b6eafcde22c1e013ce9f Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> 2From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:59 +0000 3Date: Sun, 9 Feb 2014 16:09:59 +0000
4Subject: Adjust scp quoting in verbose mode 4Subject: Adjust scp quoting in verbose mode
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch
index 2febc4e38..e864427bd 100644
--- a/debian/patches/seccomp-s390-flock-ipc.patch
+++ b/debian/patches/seccomp-s390-flock-ipc.patch
@@ -1,4 +1,4 @@
1From 04910479f7869c27065950b7deb0d69d85230927 Mon Sep 17 00:00:00 2001 1From 690939ba320d93e6f3ab5266bea94d8fb06c8bae Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 10:53:04 -0300 3Date: Tue, 9 May 2017 10:53:04 -0300
4Subject: Allow flock and ipc syscall for s390 architecture 4Subject: Allow flock and ipc syscall for s390 architecture
@@ -14,7 +14,7 @@ Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
14Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 14Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 15Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
16Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 16Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
17Last-Update: 2018-08-24 17Last-Update: 2018-10-19
18 18
19Patch-Name: seccomp-s390-flock-ipc.patch 19Patch-Name: seccomp-s390-flock-ipc.patch
20--- 20---
@@ -22,7 +22,7 @@ Patch-Name: seccomp-s390-flock-ipc.patch
22 1 file changed, 6 insertions(+) 22 1 file changed, 6 insertions(+)
23 23
24diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c 24diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
25index 12c4ee130..bcea77997 100644 25index 5edbc6946..d4bc20828 100644
26--- a/sandbox-seccomp-filter.c 26--- a/sandbox-seccomp-filter.c
27+++ b/sandbox-seccomp-filter.c 27+++ b/sandbox-seccomp-filter.c
28@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { 28@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
@@ -32,10 +32,10 @@ index 12c4ee130..bcea77997 100644
32+#if defined(__NR_flock) && defined(__s390__) 32+#if defined(__NR_flock) && defined(__s390__)
33+ SC_ALLOW(__NR_flock), 33+ SC_ALLOW(__NR_flock),
34+#endif 34+#endif
35 #ifdef __NR_geteuid 35 #ifdef __NR_futex
36 SC_ALLOW(__NR_geteuid), 36 SC_ALLOW(__NR_futex),
37 #endif 37 #endif
38@@ -190,6 +193,9 @@ static const struct sock_filter preauth_insns[] = { 38@@ -193,6 +196,9 @@ static const struct sock_filter preauth_insns[] = {
39 #ifdef __NR_getuid32 39 #ifdef __NR_getuid32
40 SC_ALLOW(__NR_getuid32), 40 SC_ALLOW(__NR_getuid32),
41 #endif 41 #endif
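Review bot: The refreshed first hunk of seccomp-s390-flock-ipc.patch is a context change, not just an offset bump: the s390 `SC_ALLOW(__NR_flock)` entry is now anchored before upstream's `#ifdef __NR_futex` / `SC_ALLOW(__NR_futex)` block instead of `__NR_geteuid`, so the rebase re-placed it within a reordered `preauth_insns[]` table. The outer diff does not show the inner patch's lines 29–31, where the companion ipc entry named in the patch subject presumably sits, so this section alone cannot confirm both s390 entries survived exactly once. Since every `SC_ALLOW` widens the pre-auth sandbox, a build on s390 plus a look at the regenerated hunk in full would settle it; the second inner hunk (`@@ -193,6 +196,9 @@`) is only re-offset. Adding a one-line note under `Last-Update` such as `Rebased against the 7.9p1 preauth_insns ordering (flock entry now precedes __NR_futex).` would record why the context moved.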
diff --git a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
index fc3af3e64..ecbe1d142 100644
--- a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
+++ b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
@@ -1,4 +1,4 @@
1From 16a47fc4b04977a14f44dd433c8da1499fa80671 Mon Sep 17 00:00:00 2001 1From 9ce189b9f22890421b7f8d3f49a39186d3ce3e14 Mon Sep 17 00:00:00 2001
2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
3Date: Tue, 9 May 2017 13:33:30 -0300 3Date: Tue, 9 May 2017 13:33:30 -0300
4Subject: Enable specific ioctl call for EP11 crypto card (s390) 4Subject: Enable specific ioctl call for EP11 crypto card (s390)
@@ -19,10 +19,10 @@ Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
19 1 file changed, 2 insertions(+) 19 1 file changed, 2 insertions(+)
20 20
21diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c 21diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
22index bcea77997..f216ba353 100644 22index d4bc20828..ef4de8c65 100644
23--- a/sandbox-seccomp-filter.c 23--- a/sandbox-seccomp-filter.c
24+++ b/sandbox-seccomp-filter.c 24+++ b/sandbox-seccomp-filter.c
25@@ -253,6 +253,8 @@ static const struct sock_filter preauth_insns[] = { 25@@ -256,6 +256,8 @@ static const struct sock_filter preauth_insns[] = {
26 SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK), 26 SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
27 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO), 27 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
28 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT), 28 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 95d582067..269a87c76 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From 03979f2e0768e146d179c66f2d2e33afe61c1be3 Mon Sep 17 00:00:00 2001 1From cf3f6ac19812e4d32874304b3854b055831c2124 Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -43,7 +43,7 @@ index 977562f0a..90802a5eb 100644
43 /* Method lists for multiple authentication */ 43 /* Method lists for multiple authentication */
44 char **auth_methods; /* modified from server config */ 44 char **auth_methods; /* modified from server config */
45diff --git a/auth2.c b/auth2.c 45diff --git a/auth2.c b/auth2.c
46index 96efe164c..90a247c1c 100644 46index a77742819..3035926ba 100644
47--- a/auth2.c 47--- a/auth2.c
48+++ b/auth2.c 48+++ b/auth2.c
49@@ -257,7 +257,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) 49@@ -257,7 +257,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
@@ -81,10 +81,10 @@ index 96efe164c..90a247c1c 100644
81 if (auth2_setup_methods_lists(authctxt) != 0) 81 if (auth2_setup_methods_lists(authctxt) != 0)
82 packet_disconnect("no authentication methods enabled"); 82 packet_disconnect("no authentication methods enabled");
83diff --git a/monitor.c b/monitor.c 83diff --git a/monitor.c b/monitor.c
84index 4e574a2ae..c1e7e9b80 100644 84index eabc1e89b..08fddabd7 100644
85--- a/monitor.c 85--- a/monitor.c
86+++ b/monitor.c 86+++ b/monitor.c
87@@ -115,6 +115,7 @@ int mm_answer_sign(int, struct sshbuf *); 87@@ -117,6 +117,7 @@ int mm_answer_sign(int, struct sshbuf *);
88 int mm_answer_pwnamallow(int, struct sshbuf *); 88 int mm_answer_pwnamallow(int, struct sshbuf *);
89 int mm_answer_auth2_read_banner(int, struct sshbuf *); 89 int mm_answer_auth2_read_banner(int, struct sshbuf *);
90 int mm_answer_authserv(int, struct sshbuf *); 90 int mm_answer_authserv(int, struct sshbuf *);
@@ -92,7 +92,7 @@ index 4e574a2ae..c1e7e9b80 100644
92 int mm_answer_authpassword(int, struct sshbuf *); 92 int mm_answer_authpassword(int, struct sshbuf *);
93 int mm_answer_bsdauthquery(int, struct sshbuf *); 93 int mm_answer_bsdauthquery(int, struct sshbuf *);
94 int mm_answer_bsdauthrespond(int, struct sshbuf *); 94 int mm_answer_bsdauthrespond(int, struct sshbuf *);
95@@ -191,6 +192,7 @@ struct mon_table mon_dispatch_proto20[] = { 95@@ -193,6 +194,7 @@ struct mon_table mon_dispatch_proto20[] = {
96 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 96 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
97 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 97 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
98 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 98 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -100,7 +100,7 @@ index 4e574a2ae..c1e7e9b80 100644
100 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 100 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
101 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 101 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
102 #ifdef USE_PAM 102 #ifdef USE_PAM
103@@ -813,6 +815,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m) 103@@ -817,6 +819,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m)
104 104
105 /* Allow service/style information on the auth context */ 105 /* Allow service/style information on the auth context */
106 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 106 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -108,7 +108,7 @@ index 4e574a2ae..c1e7e9b80 100644
108 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 108 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
109 109
110 #ifdef USE_PAM 110 #ifdef USE_PAM
111@@ -846,16 +849,42 @@ mm_answer_authserv(int sock, struct sshbuf *m) 111@@ -850,16 +853,42 @@ mm_answer_authserv(int sock, struct sshbuf *m)
112 monitor_permit_authentications(1); 112 monitor_permit_authentications(1);
113 113
114 if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 || 114 if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 ||
@@ -154,7 +154,7 @@ index 4e574a2ae..c1e7e9b80 100644
154 return (0); 154 return (0);
155 } 155 }
156 156
157@@ -1497,7 +1526,7 @@ mm_answer_pty(int sock, struct sshbuf *m) 157@@ -1501,7 +1530,7 @@ mm_answer_pty(int sock, struct sshbuf *m)
158 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 158 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
159 if (res == 0) 159 if (res == 0)
160 goto error; 160 goto error;
@@ -245,10 +245,10 @@ index 7f93144ff..79e78cc90 100644
245 char *mm_auth2_read_banner(void); 245 char *mm_auth2_read_banner(void);
246 int mm_auth_password(struct ssh *, char *); 246 int mm_auth_password(struct ssh *, char *);
247diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c 247diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
248index 8c5325cc3..9fdda664f 100644 248index 622988822..3e6e07670 100644
249--- a/openbsd-compat/port-linux.c 249--- a/openbsd-compat/port-linux.c
250+++ b/openbsd-compat/port-linux.c 250+++ b/openbsd-compat/port-linux.c
251@@ -55,7 +55,7 @@ ssh_selinux_enabled(void) 251@@ -56,7 +56,7 @@ ssh_selinux_enabled(void)
252 252
253 /* Return the default security context for the given username */ 253 /* Return the default security context for the given username */
254 static security_context_t 254 static security_context_t
@@ -257,7 +257,7 @@ index 8c5325cc3..9fdda664f 100644
257 { 257 {
258 security_context_t sc = NULL; 258 security_context_t sc = NULL;
259 char *sename = NULL, *lvl = NULL; 259 char *sename = NULL, *lvl = NULL;
260@@ -70,9 +70,16 @@ ssh_selinux_getctxbyname(char *pwname) 260@@ -71,9 +71,16 @@ ssh_selinux_getctxbyname(char *pwname)
261 #endif 261 #endif
262 262
263 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL 263 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@@ -276,7 +276,7 @@ index 8c5325cc3..9fdda664f 100644
276 #endif 276 #endif
277 277
278 if (r != 0) { 278 if (r != 0) {
279@@ -102,7 +109,7 @@ ssh_selinux_getctxbyname(char *pwname) 279@@ -103,7 +110,7 @@ ssh_selinux_getctxbyname(char *pwname)
280 280
281 /* Set the execution context to the default for the specified user */ 281 /* Set the execution context to the default for the specified user */
282 void 282 void
@@ -285,7 +285,7 @@ index 8c5325cc3..9fdda664f 100644
285 { 285 {
286 security_context_t user_ctx = NULL; 286 security_context_t user_ctx = NULL;
287 287
288@@ -111,7 +118,7 @@ ssh_selinux_setup_exec_context(char *pwname) 288@@ -112,7 +119,7 @@ ssh_selinux_setup_exec_context(char *pwname)
289 289
290 debug3("%s: setting execution context", __func__); 290 debug3("%s: setting execution context", __func__);
291 291
@@ -294,7 +294,7 @@ index 8c5325cc3..9fdda664f 100644
294 if (setexeccon(user_ctx) != 0) { 294 if (setexeccon(user_ctx) != 0) {
295 switch (security_getenforce()) { 295 switch (security_getenforce()) {
296 case -1: 296 case -1:
297@@ -133,7 +140,7 @@ ssh_selinux_setup_exec_context(char *pwname) 297@@ -134,7 +141,7 @@ ssh_selinux_setup_exec_context(char *pwname)
298 298
299 /* Set the TTY context for the specified user */ 299 /* Set the TTY context for the specified user */
300 void 300 void
@@ -303,7 +303,7 @@ index 8c5325cc3..9fdda664f 100644
303 { 303 {
304 security_context_t new_tty_ctx = NULL; 304 security_context_t new_tty_ctx = NULL;
305 security_context_t user_ctx = NULL; 305 security_context_t user_ctx = NULL;
306@@ -145,7 +152,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) 306@@ -146,7 +153,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
307 307
308 debug3("%s: setting TTY context on %s", __func__, tty); 308 debug3("%s: setting TTY context on %s", __func__, tty);
309 309
@@ -363,10 +363,10 @@ index ea4f9c584..60d72ffe7 100644
363 char *platform_krb5_get_principal_name(const char *); 363 char *platform_krb5_get_principal_name(const char *);
364 int platform_sys_dir_uid(uid_t); 364 int platform_sys_dir_uid(uid_t);
365diff --git a/session.c b/session.c 365diff --git a/session.c b/session.c
366index f2cf52006..d5d2e94b0 100644 366index 2d0958d11..19f38637e 100644
367--- a/session.c 367--- a/session.c
368+++ b/session.c 368+++ b/session.c
369@@ -1378,7 +1378,7 @@ safely_chroot(const char *path, uid_t uid) 369@@ -1380,7 +1380,7 @@ safely_chroot(const char *path, uid_t uid)
370 370
371 /* Set login name, uid, gid, and groups. */ 371 /* Set login name, uid, gid, and groups. */
372 void 372 void
@@ -375,7 +375,7 @@ index f2cf52006..d5d2e94b0 100644
375 { 375 {
376 char uidstr[32], *chroot_path, *tmp; 376 char uidstr[32], *chroot_path, *tmp;
377 377
378@@ -1406,7 +1406,7 @@ do_setusercontext(struct passwd *pw) 378@@ -1408,7 +1408,7 @@ do_setusercontext(struct passwd *pw)
379 endgrent(); 379 endgrent();
380 #endif 380 #endif
381 381
@@ -384,7 +384,7 @@ index f2cf52006..d5d2e94b0 100644
384 384
385 if (!in_chroot && options.chroot_directory != NULL && 385 if (!in_chroot && options.chroot_directory != NULL &&
386 strcasecmp(options.chroot_directory, "none") != 0) { 386 strcasecmp(options.chroot_directory, "none") != 0) {
387@@ -1545,7 +1545,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) 387@@ -1547,7 +1547,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
388 388
389 /* Force a password change */ 389 /* Force a password change */
390 if (s->authctxt->force_pwchange) { 390 if (s->authctxt->force_pwchange) {
@@ -393,7 +393,7 @@ index f2cf52006..d5d2e94b0 100644
393 child_close_fds(ssh); 393 child_close_fds(ssh);
394 do_pwchange(s); 394 do_pwchange(s);
395 exit(1); 395 exit(1);
396@@ -1563,7 +1563,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) 396@@ -1565,7 +1565,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
397 /* When PAM is enabled we rely on it to do the nologin check */ 397 /* When PAM is enabled we rely on it to do the nologin check */
398 if (!options.use_pam) 398 if (!options.use_pam)
399 do_nologin(pw); 399 do_nologin(pw);
@@ -402,7 +402,7 @@ index f2cf52006..d5d2e94b0 100644
402 /* 402 /*
403 * PAM session modules in do_setusercontext may have 403 * PAM session modules in do_setusercontext may have
404 * generated messages, so if this in an interactive 404 * generated messages, so if this in an interactive
405@@ -1953,7 +1953,7 @@ session_pty_req(struct ssh *ssh, Session *s) 405@@ -1955,7 +1955,7 @@ session_pty_req(struct ssh *ssh, Session *s)
406 ssh_tty_parse_modes(ssh, s->ttyfd); 406 ssh_tty_parse_modes(ssh, s->ttyfd);
407 407
408 if (!use_privsep) 408 if (!use_privsep)
@@ -412,10 +412,10 @@ index f2cf52006..d5d2e94b0 100644
412 /* Set window size from the packet. */ 412 /* Set window size from the packet. */
413 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); 413 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
414diff --git a/session.h b/session.h 414diff --git a/session.h b/session.h
415index 54dd1f0ca..8535ebcef 100644 415index ce59dabd9..675c91146 100644
416--- a/session.h 416--- a/session.h
417+++ b/session.h 417+++ b/session.h
418@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *); 418@@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *);
419 Session *session_new(void); 419 Session *session_new(void);
420 Session *session_by_tty(char *); 420 Session *session_by_tty(char *);
421 void session_close(struct ssh *, Session *); 421 void session_close(struct ssh *, Session *);
@@ -425,10 +425,10 @@ index 54dd1f0ca..8535ebcef 100644
425 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); 425 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
426 426
427diff --git a/sshd.c b/sshd.c 427diff --git a/sshd.c b/sshd.c
428index 71c360da0..92d15c82d 100644 428index 673db87f6..2bc6679e5 100644
429--- a/sshd.c 429--- a/sshd.c
430+++ b/sshd.c 430+++ b/sshd.c
431@@ -684,7 +684,7 @@ privsep_postauth(Authctxt *authctxt) 431@@ -683,7 +683,7 @@ privsep_postauth(Authctxt *authctxt)
432 reseed_prngs(); 432 reseed_prngs();
433 433
434 /* Drop privileges */ 434 /* Drop privileges */
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 7e91b9b14..ad574e829 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
1From 0e7d3495f758a4ecccc14eda31845ea0efc89251 Mon Sep 17 00:00:00 2001 1From cabad6b7182cd6eaa8b760718200a316e7f578ed Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:00 +0000 3Date: Sun, 9 Feb 2014 16:10:00 +0000
4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand 4Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,7 +16,7 @@ Patch-Name: shell-path.patch
16 1 file changed, 2 insertions(+), 2 deletions(-) 16 1 file changed, 2 insertions(+), 2 deletions(-)
17 17
18diff --git a/sshconnect.c b/sshconnect.c 18diff --git a/sshconnect.c b/sshconnect.c
19index 78813c164..a2efe6d15 100644 19index 6d819279e..700ea6c3c 100644
20--- a/sshconnect.c 20--- a/sshconnect.c
21+++ b/sshconnect.c 21+++ b/sshconnect.c
22@@ -229,7 +229,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port, 22@@ -229,7 +229,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port,
@@ -28,7 +28,7 @@ index 78813c164..a2efe6d15 100644
28 perror(argv[0]); 28 perror(argv[0]);
29 exit(1); 29 exit(1);
30 } 30 }
31@@ -1525,7 +1525,7 @@ ssh_local_cmd(const char *args) 31@@ -1534,7 +1534,7 @@ ssh_local_cmd(const char *args)
32 if (pid == 0) { 32 if (pid == 0) {
33 signal(SIGPIPE, SIG_DFL); 33 signal(SIGPIPE, SIG_DFL);
34 debug3("Executing %s -c \"%s\"", shell, args); 34 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index ae29c2afb..ed6ef3d46 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
1From 67414e1884f4ac0eb391988b932af2dd9b2ab5ae Mon Sep 17 00:00:00 2001 1From 6d4521d39a852dc5627187c045c933f4e1cb4601 Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:13 +0000 3Date: Sun, 9 Feb 2014 16:10:13 +0000
4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) 4Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 5f9e9bbc8..bb1e10973 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
1From 0d0221146dc61545ca1dba099f669d5d6a37504e Mon Sep 17 00:00:00 2001 1From d1064c2689df8d0894a68ac9671d14ab125bc91b Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:10:10 +0000 3Date: Sun, 9 Feb 2014 16:10:10 +0000
4Subject: ssh(1): Refer to ssh-argv0(1) 4Subject: ssh(1): Refer to ssh-argv0(1)
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch
18 1 file changed, 1 insertion(+) 18 1 file changed, 1 insertion(+)
19 19
20diff --git a/ssh.1 b/ssh.1 20diff --git a/ssh.1 b/ssh.1
21index d41426781..0a8e63f51 100644 21index 5dfad6daa..ad1ed0f86 100644
22--- a/ssh.1 22--- a/ssh.1
23+++ b/ssh.1 23+++ b/ssh.1
24@@ -1575,6 +1575,7 @@ if an error occurred. 24@@ -1585,6 +1585,7 @@ if an error occurred.
25 .Xr sftp 1 , 25 .Xr sftp 1 ,
26 .Xr ssh-add 1 , 26 .Xr ssh-add 1 ,
27 .Xr ssh-agent 1 , 27 .Xr ssh-agent 1 ,
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index da0f358d8..ca3e090bd 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
1From 80ef33d2e2559a2fcb71940f0ef0de18f426dab4 Mon Sep 17 00:00:00 2001 1From eccbd3637a2b8544fdcfdd5d1a00a9dfdac62aeb Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@ubuntu.com> 2From: Colin Watson <cjwatson@ubuntu.com>
3Date: Sun, 9 Feb 2014 16:09:50 +0000 3Date: Sun, 9 Feb 2014 16:09:50 +0000
4Subject: Accept obsolete ssh-vulnkey configuration options 4Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index 4ad3c75fe..6e26ba32d 100644 20index 36bc5e59a..5e655e924 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -190,6 +190,7 @@ static struct { 23@@ -190,6 +190,7 @@ static struct {
@@ -29,10 +29,10 @@ index 4ad3c75fe..6e26ba32d 100644
29 { "useroaming", oDeprecated }, 29 { "useroaming", oDeprecated },
30 { "usersh", oDeprecated }, 30 { "usersh", oDeprecated },
31diff --git a/servconf.c b/servconf.c 31diff --git a/servconf.c b/servconf.c
32index e1ae07fb7..e49984a81 100644 32index 4668b8a45..6caf1db38 100644
33--- a/servconf.c 33--- a/servconf.c
34+++ b/servconf.c 34+++ b/servconf.c
35@@ -596,6 +596,7 @@ static struct { 35@@ -600,6 +600,7 @@ static struct {
36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 36 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 37 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 38 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 1610d40d1..3093a41fb 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
1From d47fa6fefb418c6d8f5a6d3dd49fd9dc7fce0c74 Mon Sep 17 00:00:00 2001 1From e755ec70d62bfb9b02159123f4e870b00010be77 Mon Sep 17 00:00:00 2001
2From: Jonathan David Amery <jdamery@ysolde.ucam.org> 2From: Jonathan David Amery <jdamery@ysolde.ucam.org>
3Date: Sun, 9 Feb 2014 16:09:54 +0000 3Date: Sun, 9 Feb 2014 16:09:54 +0000
4Subject: "LogLevel SILENT" compatibility 4Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index d9c2d136c..1749af6d1 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index ce628848c..6ee0f8c68 100644 36index 0777c31e4..3140fed4c 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -1252,7 +1252,7 @@ main(int ac, char **av) 39@@ -1258,7 +1258,7 @@ main(int ac, char **av)
40 /* Do not allocate a tty if stdin is not a tty. */ 40 /* Do not allocate a tty if stdin is not a tty. */
41 if ((!isatty(fileno(stdin)) || stdin_null_flag) && 41 if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
42 options.request_tty != REQUEST_TTY_FORCE) { 42 options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 95753542e..c5dee41ad 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,4 +1,4 @@
1From ba2be368348f9f411377f494e209faedf53903de Mon Sep 17 00:00:00 2001 1From da34947128351bee9d2530574432190548f5be58 Mon Sep 17 00:00:00 2001
2From: Michael Biebl <biebl@debian.org> 2From: Michael Biebl <biebl@debian.org>
3Date: Mon, 21 Dec 2015 16:08:47 +0000 3Date: Mon, 21 Dec 2015 16:08:47 +0000
4Subject: Add systemd readiness notification support 4Subject: Add systemd readiness notification support
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch
14 2 files changed, 33 insertions(+) 14 2 files changed, 33 insertions(+)
15 15
16diff --git a/configure.ac b/configure.ac 16diff --git a/configure.ac b/configure.ac
17index ebc10f51e..dab138640 100644 17index 917300b43..8a5db4cb5 100644
18--- a/configure.ac 18--- a/configure.ac
19+++ b/configure.ac 19+++ b/configure.ac
20@@ -4458,6 +4458,29 @@ AC_ARG_WITH([kerberos5], 20@@ -4586,6 +4586,29 @@ AC_ARG_WITH([kerberos5],
21 AC_SUBST([GSSLIBS]) 21 AC_SUBST([GSSLIBS])
22 AC_SUBST([K5LIBS]) 22 AC_SUBST([K5LIBS])
23 23
@@ -47,7 +47,7 @@ index ebc10f51e..dab138640 100644
47 # Looking for programs, paths and files 47 # Looking for programs, paths and files
48 48
49 PRIVSEP_PATH=/var/empty 49 PRIVSEP_PATH=/var/empty
50@@ -5264,6 +5287,7 @@ echo " libldns support: $LDNS_MSG" 50@@ -5392,6 +5415,7 @@ echo " libldns support: $LDNS_MSG"
51 echo " Solaris process contract support: $SPC_MSG" 51 echo " Solaris process contract support: $SPC_MSG"
52 echo " Solaris project support: $SP_MSG" 52 echo " Solaris project support: $SP_MSG"
53 echo " Solaris privilege support: $SPP_MSG" 53 echo " Solaris privilege support: $SPP_MSG"
@@ -56,7 +56,7 @@ index ebc10f51e..dab138640 100644
56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
57 echo " BSD Auth support: $BSD_AUTH_MSG" 57 echo " BSD Auth support: $BSD_AUTH_MSG"
58diff --git a/sshd.c b/sshd.c 58diff --git a/sshd.c b/sshd.c
59index 698593605..7ff109175 100644 59index d7e77d343..a1c3970b3 100644
60--- a/sshd.c 60--- a/sshd.c
61+++ b/sshd.c 61+++ b/sshd.c
62@@ -85,6 +85,10 @@ 62@@ -85,6 +85,10 @@
@@ -70,7 +70,7 @@ index 698593605..7ff109175 100644
70 #include "xmalloc.h" 70 #include "xmalloc.h"
71 #include "ssh.h" 71 #include "ssh.h"
72 #include "ssh2.h" 72 #include "ssh2.h"
73@@ -1991,6 +1995,11 @@ main(int ac, char **av) 73@@ -1990,6 +1994,11 @@ main(int ac, char **av)
74 } 74 }
75 } 75 }
76 76
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index cc9cbacad..bc2390e06 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
1From 840f43066f9cdf5f6bb07992aca1c5f43be8eb80 Mon Sep 17 00:00:00 2001 1From 7b931d36ad36a93d2b1811858ca29408ec44ecae Mon Sep 17 00:00:00 2001
2From: Colin Watson <cjwatson@debian.org> 2From: Colin Watson <cjwatson@debian.org>
3Date: Sun, 9 Feb 2014 16:09:58 +0000 3Date: Sun, 9 Feb 2014 16:09:58 +0000
4Subject: Allow harmless group-writability 4Subject: Allow harmless group-writability
@@ -51,10 +51,10 @@ index 57296e1f6..546aa0495 100644
51 pw->pw_name, buf); 51 pw->pw_name, buf);
52 auth_debug_add("Bad file modes for %.200s", buf); 52 auth_debug_add("Bad file modes for %.200s", buf);
53diff --git a/auth.c b/auth.c 53diff --git a/auth.c b/auth.c
54index 80eb78c48..ad25631a5 100644 54index d8e6b4a3d..9d1d453f1 100644
55--- a/auth.c 55--- a/auth.c
56+++ b/auth.c 56+++ b/auth.c
57@@ -469,8 +469,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host, 57@@ -473,8 +473,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
58 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); 58 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
59 if (options.strict_modes && 59 if (options.strict_modes &&
60 (stat(user_hostfile, &st) == 0) && 60 (stat(user_hostfile, &st) == 0) &&
@@ -65,10 +65,10 @@ index 80eb78c48..ad25631a5 100644
65 "bad owner or modes for %.200s", 65 "bad owner or modes for %.200s",
66 pw->pw_name, user_hostfile); 66 pw->pw_name, user_hostfile);
67diff --git a/misc.c b/misc.c 67diff --git a/misc.c b/misc.c
68index ae4d29b84..2f3dbda0c 100644 68index bdc06fdb3..5159e6692 100644
69--- a/misc.c 69--- a/misc.c
70+++ b/misc.c 70+++ b/misc.c
71@@ -57,8 +57,9 @@ 71@@ -58,8 +58,9 @@
72 #include <netdb.h> 72 #include <netdb.h>
73 #ifdef HAVE_PATHS_H 73 #ifdef HAVE_PATHS_H
74 # include <paths.h> 74 # include <paths.h>
@@ -79,7 +79,7 @@ index ae4d29b84..2f3dbda0c 100644
79 #ifdef SSH_TUN_OPENBSD 79 #ifdef SSH_TUN_OPENBSD
80 #include <net/if.h> 80 #include <net/if.h>
81 #endif 81 #endif
82@@ -1024,6 +1025,55 @@ percent_expand(const char *string, ...) 82@@ -1028,6 +1029,55 @@ percent_expand(const char *string, ...)
83 #undef EXPAND_MAX_KEYS 83 #undef EXPAND_MAX_KEYS
84 } 84 }
85 85
@@ -135,7 +135,7 @@ index ae4d29b84..2f3dbda0c 100644
135 int 135 int
136 tun_open(int tun, int mode, char **ifname) 136 tun_open(int tun, int mode, char **ifname)
137 { 137 {
138@@ -1782,8 +1832,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, 138@@ -1786,8 +1836,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
139 snprintf(err, errlen, "%s is not a regular file", buf); 139 snprintf(err, errlen, "%s is not a regular file", buf);
140 return -1; 140 return -1;
141 } 141 }
@@ -145,7 +145,7 @@ index ae4d29b84..2f3dbda0c 100644
145 snprintf(err, errlen, "bad ownership or modes for file %s", 145 snprintf(err, errlen, "bad ownership or modes for file %s",
146 buf); 146 buf);
147 return -1; 147 return -1;
148@@ -1798,8 +1847,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, 148@@ -1802,8 +1851,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
149 strlcpy(buf, cp, sizeof(buf)); 149 strlcpy(buf, cp, sizeof(buf));
150 150
151 if (stat(buf, &st) < 0 || 151 if (stat(buf, &st) < 0 ||
@@ -156,10 +156,10 @@ index ae4d29b84..2f3dbda0c 100644
156 "bad ownership or modes for directory %s", buf); 156 "bad ownership or modes for directory %s", buf);
157 return -1; 157 return -1;
158diff --git a/misc.h b/misc.h 158diff --git a/misc.h b/misc.h
159index 6be289fd2..213c3abb7 100644 159index 31b207a8d..aaf966e65 100644
160--- a/misc.h 160--- a/misc.h
161+++ b/misc.h 161+++ b/misc.h
162@@ -167,6 +167,8 @@ int safe_path_fd(int, const char *, struct passwd *, 162@@ -168,6 +168,8 @@ int safe_path_fd(int, const char *, struct passwd *,
163 char *read_passphrase(const char *, int); 163 char *read_passphrase(const char *, int);
164 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); 164 int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
165 165
@@ -169,10 +169,10 @@ index 6be289fd2..213c3abb7 100644
169 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) 169 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
170 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) 170 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
171diff --git a/readconf.c b/readconf.c 171diff --git a/readconf.c b/readconf.c
172index 3fd0fe7b7..3ed6dfb54 100644 172index 052d4b1ac..6b01f20d2 100644
173--- a/readconf.c 173--- a/readconf.c
174+++ b/readconf.c 174+++ b/readconf.c
175@@ -1795,8 +1795,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, 175@@ -1820,8 +1820,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
176 176
177 if (fstat(fileno(f), &sb) == -1) 177 if (fstat(fileno(f), &sb) == -1)
178 fatal("fstat %s: %s", filename, strerror(errno)); 178 fatal("fstat %s: %s", filename, strerror(errno));
@@ -183,10 +183,10 @@ index 3fd0fe7b7..3ed6dfb54 100644
183 } 183 }
184 184
185diff --git a/ssh.1 b/ssh.1 185diff --git a/ssh.1 b/ssh.1
186index b20908a5e..cb0fdd50e 100644 186index 7760c3075..81f29af43 100644
187--- a/ssh.1 187--- a/ssh.1
188+++ b/ssh.1 188+++ b/ssh.1
189@@ -1475,6 +1475,8 @@ The file format and configuration options are described in 189@@ -1485,6 +1485,8 @@ The file format and configuration options are described in
190 .Xr ssh_config 5 . 190 .Xr ssh_config 5 .
191 Because of the potential for abuse, this file must have strict permissions: 191 Because of the potential for abuse, this file must have strict permissions:
192 read/write for the user, and not writable by others. 192 read/write for the user, and not writable by others.
@@ -196,10 +196,10 @@ index b20908a5e..cb0fdd50e 100644
196 .It Pa ~/.ssh/environment 196 .It Pa ~/.ssh/environment
197 Contains additional definitions for environment variables; see 197 Contains additional definitions for environment variables; see
198diff --git a/ssh_config.5 b/ssh_config.5 198diff --git a/ssh_config.5 b/ssh_config.5
199index 86ada128e..03341a229 100644 199index 54e143c93..7d55fa820 100644
200--- a/ssh_config.5 200--- a/ssh_config.5
201+++ b/ssh_config.5 201+++ b/ssh_config.5
202@@ -1813,6 +1813,8 @@ The format of this file is described above. 202@@ -1835,6 +1835,8 @@ The format of this file is described above.
203 This file is used by the SSH client. 203 This file is used by the SSH client.
204 Because of the potential for abuse, this file must have strict permissions: 204 Because of the potential for abuse, this file must have strict permissions:
205 read/write for the user, and not accessible by others. 205 read/write for the user, and not accessible by others.