summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--auth-options.c4
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog4
-rw-r--r--debian/patches/authorized-keys-man-symlink.patch2
-rw-r--r--debian/patches/debian-banner.patch8
-rw-r--r--debian/patches/debian-config.patch12
-rw-r--r--debian/patches/dnssec-sshfp.patch6
-rw-r--r--debian/patches/doc-hash-tab-completion.patch2
-rw-r--r--debian/patches/gnome-ssh-askpass2-icon.patch2
-rw-r--r--debian/patches/gssapi.patch108
-rw-r--r--debian/patches/keepalive-extensions.patch6
-rw-r--r--debian/patches/mention-ssh-keygen-on-keychange.patch2
-rw-r--r--debian/patches/no-openssl-version-status.patch4
-rw-r--r--debian/patches/openbsd-docs.patch10
-rw-r--r--debian/patches/package-versioning.patch6
-rw-r--r--debian/patches/restore-authorized_keys2.patch2
-rw-r--r--debian/patches/restore-tcp-wrappers.patch10
-rw-r--r--debian/patches/scp-quoting.patch2
-rw-r--r--debian/patches/seccomp-getuid-geteuid.patch2
-rw-r--r--debian/patches/seccomp-s390-flock-ipc.patch2
-rw-r--r--debian/patches/seccomp-s390-ioctl-ep11-crypto.patch2
-rw-r--r--debian/patches/selinux-role.patch30
-rw-r--r--debian/patches/series1
-rw-r--r--debian/patches/shell-path.patch2
-rw-r--r--debian/patches/ssh-agent-setgid.patch2
-rw-r--r--debian/patches/ssh-argv0.patch2
-rw-r--r--debian/patches/ssh-vulnkey-compat.patch4
-rw-r--r--debian/patches/syslog-level-silent.patch4
-rw-r--r--debian/patches/systemd-readiness.patch4
-rw-r--r--debian/patches/upstream-relax-checking-of-authorized_keys-environme.patch40
-rw-r--r--debian/patches/user-group-modes.patch16
31 files changed, 175 insertions, 130 deletions
diff --git a/auth-options.c b/auth-options.c
index b528c197a..ef57ebf43 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth-options.c,v 1.78 2018/03/14 05:35:40 djm Exp $ */ 1/* $OpenBSD: auth-options.c,v 1.79 2018/04/06 04:15:45 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2018 Damien Miller <djm@mindrot.org> 3 * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
4 * 4 *
@@ -394,7 +394,7 @@ sshauthopt_parse(const char *opts, const char **errstrp)
394 goto fail; 394 goto fail;
395 } 395 }
396 for (cp = opt; cp < tmp; cp++) { 396 for (cp = opt; cp < tmp; cp++) {
397 if (!isalnum((u_char)*cp)) { 397 if (!isalnum((u_char)*cp) && *cp != '_') {
398 free(opt); 398 free(opt);
399 errstr = "invalid environment string"; 399 errstr = "invalid environment string";
400 goto fail; 400 goto fail;
diff --git a/debian/.git-dpm b/debian/.git-dpm
index c57923b4d..0f4069a2f 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
2ea67bc97339c9a507343e4a1f5fb867f678fbe1d 260256f28189c3d0650a78e737eb0ca4753478a4b
3ea67bc97339c9a507343e4a1f5fb867f678fbe1d 360256f28189c3d0650a78e737eb0ca4753478a4b
4ed6ae9c1a014a08ff5db3d768f01f2e427eeb476 4ed6ae9c1a014a08ff5db3d768f01f2e427eeb476
5ed6ae9c1a014a08ff5db3d768f01f2e427eeb476 5ed6ae9c1a014a08ff5db3d768f01f2e427eeb476
6openssh_7.7p1.orig.tar.gz 6openssh_7.7p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 51269fe0d..3bd1146a6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,10 @@ openssh (1:7.7p1-3) UNRELEASED; urgency=medium
9 [ Juri Grabowski ] 9 [ Juri Grabowski ]
10 * Add rescue.target with ssh support. 10 * Add rescue.target with ssh support.
11 11
12 [ Christian Ehrhardt ]
13 * Fix unintentional restriction of authorized keys environment options
14 to be alphanumeric (LP: #1771011)
15
12 -- Colin Watson <cjwatson@debian.org> Sat, 16 Jun 2018 12:42:36 +0100 16 -- Colin Watson <cjwatson@debian.org> Sat, 16 Jun 2018 12:42:36 +0100
13 17
14openssh (1:7.7p1-2) unstable; urgency=medium 18openssh (1:7.7p1-2) unstable; urgency=medium
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 239c36f78..b5a1ea191 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -13,7 +13,7 @@ Patch-Name: authorized-keys-man-symlink.patch
13 1 file changed, 1 insertion(+) 13 1 file changed, 1 insertion(+)
14 14
15diff --git a/Makefile.in b/Makefile.in 15diff --git a/Makefile.in b/Makefile.in
16index 6f3f042b..1afb4f79 100644 16index 6f3f042b1..1afb4f798 100644
17--- a/Makefile.in 17--- a/Makefile.in
18+++ b/Makefile.in 18+++ b/Makefile.in
19@@ -352,6 +352,7 @@ install-files: 19@@ -352,6 +352,7 @@ install-files:
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index b1338d2c7..9062918f6 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -19,7 +19,7 @@ Patch-Name: debian-banner.patch
19 4 files changed, 18 insertions(+), 1 deletion(-) 19 4 files changed, 18 insertions(+), 1 deletion(-)
20 20
21diff --git a/servconf.c b/servconf.c 21diff --git a/servconf.c b/servconf.c
22index 3fff3d53..0a8f6fd6 100644 22index 3fff3d531..0a8f6fd62 100644
23--- a/servconf.c 23--- a/servconf.c
24+++ b/servconf.c 24+++ b/servconf.c
25@@ -177,6 +177,7 @@ initialize_server_options(ServerOptions *options) 25@@ -177,6 +177,7 @@ initialize_server_options(ServerOptions *options)
@@ -67,7 +67,7 @@ index 3fff3d53..0a8f6fd6 100644
67 case sIgnore: 67 case sIgnore:
68 case sUnsupported: 68 case sUnsupported:
69diff --git a/servconf.h b/servconf.h 69diff --git a/servconf.h b/servconf.h
70index 5dfc9bc0..b0fa7045 100644 70index 5dfc9bc02..b0fa70455 100644
71--- a/servconf.h 71--- a/servconf.h
72+++ b/servconf.h 72+++ b/servconf.h
73@@ -211,6 +211,8 @@ typedef struct { 73@@ -211,6 +211,8 @@ typedef struct {
@@ -80,7 +80,7 @@ index 5dfc9bc0..b0fa7045 100644
80 80
81 /* Information about the incoming connection as used by Match */ 81 /* Information about the incoming connection as used by Match */
82diff --git a/sshd.c b/sshd.c 82diff --git a/sshd.c b/sshd.c
83index 9a7f5495..1d645a17 100644 83index 9a7f5495c..1d645a170 100644
84--- a/sshd.c 84--- a/sshd.c
85+++ b/sshd.c 85+++ b/sshd.c
86@@ -384,7 +384,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 86@@ -384,7 +384,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
@@ -94,7 +94,7 @@ index 9a7f5495..1d645a17 100644
94 options.version_addendum); 94 options.version_addendum);
95 95
96diff --git a/sshd_config.5 b/sshd_config.5 96diff --git a/sshd_config.5 b/sshd_config.5
97index 1a1c6dd0..45044a70 100644 97index 1a1c6dd09..45044a70f 100644
98--- a/sshd_config.5 98--- a/sshd_config.5
99+++ b/sshd_config.5 99+++ b/sshd_config.5
100@@ -531,6 +531,11 @@ or 100@@ -531,6 +531,11 @@ or
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index ebf5d23bc..be6d7df30 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -39,7 +39,7 @@ Patch-Name: debian-config.patch
39 6 files changed, 77 insertions(+), 9 deletions(-) 39 6 files changed, 77 insertions(+), 9 deletions(-)
40 40
41diff --git a/readconf.c b/readconf.c 41diff --git a/readconf.c b/readconf.c
42index 50349e23..efcf2d62 100644 42index 50349e238..efcf2d628 100644
43--- a/readconf.c 43--- a/readconf.c
44+++ b/readconf.c 44+++ b/readconf.c
45@@ -1916,7 +1916,7 @@ fill_default_options(Options * options) 45@@ -1916,7 +1916,7 @@ fill_default_options(Options * options)
@@ -52,7 +52,7 @@ index 50349e23..efcf2d62 100644
52 options->forward_x11_timeout = 1200; 52 options->forward_x11_timeout = 1200;
53 /* 53 /*
54diff --git a/ssh.1 b/ssh.1 54diff --git a/ssh.1 b/ssh.1
55index f8fc26d2..8a03db95 100644 55index f8fc26d2a..8a03db952 100644
56--- a/ssh.1 56--- a/ssh.1
57+++ b/ssh.1 57+++ b/ssh.1
58@@ -768,6 +768,16 @@ directive in 58@@ -768,6 +768,16 @@ directive in
@@ -91,7 +91,7 @@ index f8fc26d2..8a03db95 100644
91 Send log information using the 91 Send log information using the
92 .Xr syslog 3 92 .Xr syslog 3
93diff --git a/ssh_config b/ssh_config 93diff --git a/ssh_config b/ssh_config
94index bcb9f153..1b676fb2 100644 94index bcb9f153d..1b676fb2c 100644
95--- a/ssh_config 95--- a/ssh_config
96+++ b/ssh_config 96+++ b/ssh_config
97@@ -17,9 +17,10 @@ 97@@ -17,9 +17,10 @@
@@ -114,7 +114,7 @@ index bcb9f153..1b676fb2 100644
114+ HashKnownHosts yes 114+ HashKnownHosts yes
115+ GSSAPIAuthentication yes 115+ GSSAPIAuthentication yes
116diff --git a/ssh_config.5 b/ssh_config.5 116diff --git a/ssh_config.5 b/ssh_config.5
117index ca052884..ed6e5d02 100644 117index ca0528842..ed6e5d026 100644
118--- a/ssh_config.5 118--- a/ssh_config.5
119+++ b/ssh_config.5 119+++ b/ssh_config.5
120@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more 120@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
@@ -155,7 +155,7 @@ index ca052884..ed6e5d02 100644
155 from stealing or tampering with data belonging to trusted X11 155 from stealing or tampering with data belonging to trusted X11
156 clients. 156 clients.
157diff --git a/sshd_config b/sshd_config 157diff --git a/sshd_config b/sshd_config
158index 86263d71..de9cc9fe 100644 158index 86263d713..de9cc9fe2 100644
159--- a/sshd_config 159--- a/sshd_config
160+++ b/sshd_config 160+++ b/sshd_config
161@@ -57,8 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys 161@@ -57,8 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys
@@ -204,7 +204,7 @@ index 86263d71..de9cc9fe 100644
204 # Example of overriding settings on a per-user basis 204 # Example of overriding settings on a per-user basis
205 #Match User anoncvs 205 #Match User anoncvs
206diff --git a/sshd_config.5 b/sshd_config.5 206diff --git a/sshd_config.5 b/sshd_config.5
207index 44b91846..4c7ee425 100644 207index 44b918463..4c7ee4254 100644
208--- a/sshd_config.5 208--- a/sshd_config.5
209+++ b/sshd_config.5 209+++ b/sshd_config.5
210@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes 210@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 0ba825f4e..6c2ebf173 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -18,7 +18,7 @@ Patch-Name: dnssec-sshfp.patch
18 3 files changed, 21 insertions(+), 6 deletions(-) 18 3 files changed, 21 insertions(+), 6 deletions(-)
19 19
20diff --git a/dns.c b/dns.c 20diff --git a/dns.c b/dns.c
21index ff1a2c41..82ec9719 100644 21index ff1a2c41c..82ec97199 100644
22--- a/dns.c 22--- a/dns.c
23+++ b/dns.c 23+++ b/dns.c
24@@ -211,6 +211,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, 24@@ -211,6 +211,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
@@ -51,7 +51,7 @@ index ff1a2c41..82ec9719 100644
51 verbose("DNS lookup error: %s", dns_result_totext(result)); 51 verbose("DNS lookup error: %s", dns_result_totext(result));
52 return -1; 52 return -1;
53diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c 53diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
54index dc6fe053..e061a290 100644 54index dc6fe0533..e061a290a 100644
55--- a/openbsd-compat/getrrsetbyname.c 55--- a/openbsd-compat/getrrsetbyname.c
56+++ b/openbsd-compat/getrrsetbyname.c 56+++ b/openbsd-compat/getrrsetbyname.c
57@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, 57@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
@@ -79,7 +79,7 @@ index dc6fe053..e061a290 100644
79 79
80 /* make query */ 80 /* make query */
81diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h 81diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
82index 1283f550..dbbc85a2 100644 82index 1283f5506..dbbc85a2a 100644
83--- a/openbsd-compat/getrrsetbyname.h 83--- a/openbsd-compat/getrrsetbyname.h
84+++ b/openbsd-compat/getrrsetbyname.h 84+++ b/openbsd-compat/getrrsetbyname.h
85@@ -72,6 +72,9 @@ 85@@ -72,6 +72,9 @@
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index 86f3a1fc4..599b8c0f6 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -13,7 +13,7 @@ Patch-Name: doc-hash-tab-completion.patch
13 1 file changed, 3 insertions(+) 13 1 file changed, 3 insertions(+)
14 14
15diff --git a/ssh_config.5 b/ssh_config.5 15diff --git a/ssh_config.5 b/ssh_config.5
16index 84dcd52c..ca052884 100644 16index 84dcd52cc..ca0528842 100644
17--- a/ssh_config.5 17--- a/ssh_config.5
18+++ b/ssh_config.5 18+++ b/ssh_config.5
19@@ -784,6 +784,9 @@ Note that existing names and addresses in known hosts files 19@@ -784,6 +784,9 @@ Note that existing names and addresses in known hosts files
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 2959854e4..3a4a5c896 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -12,7 +12,7 @@ Patch-Name: gnome-ssh-askpass2-icon.patch
12 1 file changed, 2 insertions(+) 12 1 file changed, 2 insertions(+)
13 13
14diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c 14diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
15index 535a6927..e37a1338 100644 15index 535a69274..e37a13382 100644
16--- a/contrib/gnome-ssh-askpass2.c 16--- a/contrib/gnome-ssh-askpass2.c
17+++ b/contrib/gnome-ssh-askpass2.c 17+++ b/contrib/gnome-ssh-askpass2.c
18@@ -211,6 +211,8 @@ main(int argc, char **argv) 18@@ -211,6 +211,8 @@ main(int argc, char **argv)
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index a67ebced0..d47b0a796 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -21,37 +21,37 @@ Last-Updated: 2017-10-04
21 21
22Patch-Name: gssapi.patch 22Patch-Name: gssapi.patch
23--- 23---
24 ChangeLog.gssapi | 113 +++++++++++++++++++ 24 ChangeLog.gssapi | 113 ++++++++++++++++
25 Makefile.in | 3 +- 25 Makefile.in | 3 +-
26 auth-krb5.c | 17 ++- 26 auth-krb5.c | 17 ++-
27 auth.c | 96 +--------------- 27 auth.c | 96 +-------------
28 auth2-gss.c | 49 +++++++- 28 auth2-gss.c | 49 ++++++-
29 auth2.c | 2 + 29 auth2.c | 2 +
30 canohost.c | 93 +++++++++++++++ 30 canohost.c | 93 +++++++++++++
31 canohost.h | 3 + 31 canohost.h | 3 +
32 clientloop.c | 15 ++- 32 clientloop.c | 15 ++-
33 config.h.in | 6 + 33 config.h.in | 6 +
34 configure.ac | 24 ++++ 34 configure.ac | 24 ++++
35 gss-genr.c | 275 +++++++++++++++++++++++++++++++++++++++++++- 35 gss-genr.c | 275 +++++++++++++++++++++++++++++++++++++-
36 gss-serv-krb5.c | 85 ++++++++++++-- 36 gss-serv-krb5.c | 85 +++++++++++-
37 gss-serv.c | 184 +++++++++++++++++++++++++++--- 37 gss-serv.c | 184 ++++++++++++++++++++++++--
38 kex.c | 19 ++++ 38 kex.c | 19 +++
39 kex.h | 14 +++ 39 kex.h | 14 ++
40 kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 40 kexgssc.c | 338 +++++++++++++++++++++++++++++++++++++++++++++++
41 kexgsss.c | 295 ++++++++++++++++++++++++++++++++++++++++++++++++ 41 kexgsss.c | 295 +++++++++++++++++++++++++++++++++++++++++
42 monitor.c | 115 +++++++++++++++++-- 42 monitor.c | 115 ++++++++++++++--
43 monitor.h | 3 + 43 monitor.h | 3 +
44 monitor_wrap.c | 47 +++++++- 44 monitor_wrap.c | 47 ++++++-
45 monitor_wrap.h | 4 +- 45 monitor_wrap.h | 4 +-
46 readconf.c | 43 +++++++ 46 readconf.c | 43 ++++++
47 readconf.h | 5 + 47 readconf.h | 5 +
48 servconf.c | 26 +++++ 48 servconf.c | 26 ++++
49 servconf.h | 2 + 49 servconf.h | 2 +
50 ssh-gss.h | 41 ++++++- 50 ssh-gss.h | 41 +++++-
51 ssh_config | 2 + 51 ssh_config | 2 +
52 ssh_config.5 | 32 ++++++ 52 ssh_config.5 | 32 +++++
53 sshconnect2.c | 131 ++++++++++++++++++++- 53 sshconnect2.c | 131 +++++++++++++++++-
54 sshd.c | 112 +++++++++++++++++- 54 sshd.c | 112 +++++++++++++++-
55 sshd_config | 2 + 55 sshd_config | 2 +
56 sshd_config.5 | 10 ++ 56 sshd_config.5 | 10 ++
57 sshkey.c | 3 +- 57 sshkey.c | 3 +-
@@ -63,7 +63,7 @@ Patch-Name: gssapi.patch
63 63
64diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi 64diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi
65new file mode 100644 65new file mode 100644
66index 00000000..f117a336 66index 000000000..f117a336a
67--- /dev/null 67--- /dev/null
68+++ b/ChangeLog.gssapi 68+++ b/ChangeLog.gssapi
69@@ -0,0 +1,113 @@ 69@@ -0,0 +1,113 @@
@@ -181,7 +181,7 @@ index 00000000..f117a336
181+ (from jbasney AT ncsa.uiuc.edu) 181+ (from jbasney AT ncsa.uiuc.edu)
182+ <gssapi-with-mic support is Bugzilla #1008> 182+ <gssapi-with-mic support is Bugzilla #1008>
183diff --git a/Makefile.in b/Makefile.in 183diff --git a/Makefile.in b/Makefile.in
184index 04e1c8e5..6f3f042b 100644 184index 04e1c8e53..6f3f042b1 100644
185--- a/Makefile.in 185--- a/Makefile.in
186+++ b/Makefile.in 186+++ b/Makefile.in
187@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ 187@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
@@ -202,7 +202,7 @@ index 04e1c8e5..6f3f042b 100644
202 sftp-server.o sftp-common.o \ 202 sftp-server.o sftp-common.o \
203 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ 203 sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
204diff --git a/auth-krb5.c b/auth-krb5.c 204diff --git a/auth-krb5.c b/auth-krb5.c
205index a5a81ed2..38e7fee2 100644 205index a5a81ed2e..38e7fee21 100644
206--- a/auth-krb5.c 206--- a/auth-krb5.c
207+++ b/auth-krb5.c 207+++ b/auth-krb5.c
208@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) 208@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
@@ -253,7 +253,7 @@ index a5a81ed2..38e7fee2 100644
253 return (krb5_cc_resolve(ctx, ccname, ccache)); 253 return (krb5_cc_resolve(ctx, ccname, ccache));
254 } 254 }
255diff --git a/auth.c b/auth.c 255diff --git a/auth.c b/auth.c
256index 63366768..76d586e3 100644 256index 63366768a..76d586e31 100644
257--- a/auth.c 257--- a/auth.c
258+++ b/auth.c 258+++ b/auth.c
259@@ -396,7 +396,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) 259@@ -396,7 +396,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
@@ -367,7 +367,7 @@ index 63366768..76d586e3 100644
367 * Return the canonical name of the host in the other side of the current 367 * Return the canonical name of the host in the other side of the current
368 * connection. The host name is cached, so it is efficient to call this 368 * connection. The host name is cached, so it is efficient to call this
369diff --git a/auth2-gss.c b/auth2-gss.c 369diff --git a/auth2-gss.c b/auth2-gss.c
370index 589283b7..fd411d3a 100644 370index 589283b72..fd411d3a7 100644
371--- a/auth2-gss.c 371--- a/auth2-gss.c
372+++ b/auth2-gss.c 372+++ b/auth2-gss.c
373@@ -1,7 +1,7 @@ 373@@ -1,7 +1,7 @@
@@ -455,7 +455,7 @@ index 589283b7..fd411d3a 100644
455 "gssapi-with-mic", 455 "gssapi-with-mic",
456 userauth_gssapi, 456 userauth_gssapi,
457diff --git a/auth2.c b/auth2.c 457diff --git a/auth2.c b/auth2.c
458index e0034229..c34f58c4 100644 458index e0034229a..c34f58c45 100644
459--- a/auth2.c 459--- a/auth2.c
460+++ b/auth2.c 460+++ b/auth2.c
461@@ -72,6 +72,7 @@ extern Authmethod method_passwd; 461@@ -72,6 +72,7 @@ extern Authmethod method_passwd;
@@ -475,7 +475,7 @@ index e0034229..c34f58c4 100644
475 #endif 475 #endif
476 &method_passwd, 476 &method_passwd,
477diff --git a/canohost.c b/canohost.c 477diff --git a/canohost.c b/canohost.c
478index f71a0856..404731d2 100644 478index f71a08568..404731d24 100644
479--- a/canohost.c 479--- a/canohost.c
480+++ b/canohost.c 480+++ b/canohost.c
481@@ -35,6 +35,99 @@ 481@@ -35,6 +35,99 @@
@@ -579,7 +579,7 @@ index f71a0856..404731d2 100644
579 ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) 579 ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
580 { 580 {
581diff --git a/canohost.h b/canohost.h 581diff --git a/canohost.h b/canohost.h
582index 26d62855..0cadc9f1 100644 582index 26d62855a..0cadc9f18 100644
583--- a/canohost.h 583--- a/canohost.h
584+++ b/canohost.h 584+++ b/canohost.h
585@@ -15,6 +15,9 @@ 585@@ -15,6 +15,9 @@
@@ -593,7 +593,7 @@ index 26d62855..0cadc9f1 100644
593 int get_peer_port(int); 593 int get_peer_port(int);
594 char *get_local_ipaddr(int); 594 char *get_local_ipaddr(int);
595diff --git a/clientloop.c b/clientloop.c 595diff --git a/clientloop.c b/clientloop.c
596index 7bcf22e3..ef803e98 100644 596index 7bcf22e38..ef803e985 100644
597--- a/clientloop.c 597--- a/clientloop.c
598+++ b/clientloop.c 598+++ b/clientloop.c
599@@ -112,6 +112,10 @@ 599@@ -112,6 +112,10 @@
@@ -628,7 +628,7 @@ index 7bcf22e3..ef803e98 100644
628 client_process_net_input(readset); 628 client_process_net_input(readset);
629 629
630diff --git a/config.h.in b/config.h.in 630diff --git a/config.h.in b/config.h.in
631index 57208740..4c9545c7 100644 631index 572087407..4c9545c78 100644
632--- a/config.h.in 632--- a/config.h.in
633+++ b/config.h.in 633+++ b/config.h.in
634@@ -1746,6 +1746,9 @@ 634@@ -1746,6 +1746,9 @@
@@ -652,7 +652,7 @@ index 57208740..4c9545c7 100644
652 #undef USE_SOLARIS_PRIVS 652 #undef USE_SOLARIS_PRIVS
653 653
654diff --git a/configure.ac b/configure.ac 654diff --git a/configure.ac b/configure.ac
655index 663062be..1cd5eab6 100644 655index 663062bef..1cd5eab6c 100644
656--- a/configure.ac 656--- a/configure.ac
657+++ b/configure.ac 657+++ b/configure.ac
658@@ -664,6 +664,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) 658@@ -664,6 +664,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -687,7 +687,7 @@ index 663062be..1cd5eab6 100644
687 AC_CHECK_DECL([AU_IPv4], [], 687 AC_CHECK_DECL([AU_IPv4], [],
688 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) 688 AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
689diff --git a/gss-genr.c b/gss-genr.c 689diff --git a/gss-genr.c b/gss-genr.c
690index 62559ed9..0b3ae073 100644 690index 62559ed9e..0b3ae073c 100644
691--- a/gss-genr.c 691--- a/gss-genr.c
692+++ b/gss-genr.c 692+++ b/gss-genr.c
693@@ -1,7 +1,7 @@ 693@@ -1,7 +1,7 @@
@@ -1038,7 +1038,7 @@ index 62559ed9..0b3ae073 100644
1038+ 1038+
1039 #endif /* GSSAPI */ 1039 #endif /* GSSAPI */
1040diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c 1040diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
1041index 795992d9..fd8b3718 100644 1041index 795992d9f..fd8b37183 100644
1042--- a/gss-serv-krb5.c 1042--- a/gss-serv-krb5.c
1043+++ b/gss-serv-krb5.c 1043+++ b/gss-serv-krb5.c
1044@@ -1,7 +1,7 @@ 1044@@ -1,7 +1,7 @@
@@ -1164,7 +1164,7 @@ index 795992d9..fd8b3718 100644
1164 1164
1165 #endif /* KRB5 */ 1165 #endif /* KRB5 */
1166diff --git a/gss-serv.c b/gss-serv.c 1166diff --git a/gss-serv.c b/gss-serv.c
1167index 6cae720e..967c6cfb 100644 1167index 6cae720e5..967c6cfbc 100644
1168--- a/gss-serv.c 1168--- a/gss-serv.c
1169+++ b/gss-serv.c 1169+++ b/gss-serv.c
1170@@ -1,7 +1,7 @@ 1170@@ -1,7 +1,7 @@
@@ -1435,7 +1435,7 @@ index 6cae720e..967c6cfb 100644
1435 1435
1436 /* Privileged */ 1436 /* Privileged */
1437diff --git a/kex.c b/kex.c 1437diff --git a/kex.c b/kex.c
1438index 15ea28b0..6cc2935f 100644 1438index 15ea28b07..6cc2935fe 100644
1439--- a/kex.c 1439--- a/kex.c
1440+++ b/kex.c 1440+++ b/kex.c
1441@@ -54,6 +54,10 @@ 1441@@ -54,6 +54,10 @@
@@ -1486,7 +1486,7 @@ index 15ea28b0..6cc2935f 100644
1486 free(kex->server_version_string); 1486 free(kex->server_version_string);
1487 free(kex->failed_choice); 1487 free(kex->failed_choice);
1488diff --git a/kex.h b/kex.h 1488diff --git a/kex.h b/kex.h
1489index 01bb3986..a708e486 100644 1489index 01bb3986a..a708e4868 100644
1490--- a/kex.h 1490--- a/kex.h
1491+++ b/kex.h 1491+++ b/kex.h
1492@@ -99,6 +99,9 @@ enum kex_exchange { 1492@@ -99,6 +99,9 @@ enum kex_exchange {
@@ -1526,7 +1526,7 @@ index 01bb3986..a708e486 100644
1526 const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); 1526 const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
1527diff --git a/kexgssc.c b/kexgssc.c 1527diff --git a/kexgssc.c b/kexgssc.c
1528new file mode 100644 1528new file mode 100644
1529index 00000000..10447f2b 1529index 000000000..10447f2b0
1530--- /dev/null 1530--- /dev/null
1531+++ b/kexgssc.c 1531+++ b/kexgssc.c
1532@@ -0,0 +1,338 @@ 1532@@ -0,0 +1,338 @@
@@ -1870,7 +1870,7 @@ index 00000000..10447f2b
1870+#endif /* GSSAPI */ 1870+#endif /* GSSAPI */
1871diff --git a/kexgsss.c b/kexgsss.c 1871diff --git a/kexgsss.c b/kexgsss.c
1872new file mode 100644 1872new file mode 100644
1873index 00000000..38ca082b 1873index 000000000..38ca082ba
1874--- /dev/null 1874--- /dev/null
1875+++ b/kexgsss.c 1875+++ b/kexgsss.c
1876@@ -0,0 +1,295 @@ 1876@@ -0,0 +1,295 @@
@@ -2170,7 +2170,7 @@ index 00000000..38ca082b
2170+} 2170+}
2171+#endif /* GSSAPI */ 2171+#endif /* GSSAPI */
2172diff --git a/monitor.c b/monitor.c 2172diff --git a/monitor.c b/monitor.c
2173index c68e1b0d..868fb0d2 100644 2173index c68e1b0d9..868fb0d2d 100644
2174--- a/monitor.c 2174--- a/monitor.c
2175+++ b/monitor.c 2175+++ b/monitor.c
2176@@ -158,6 +158,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); 2176@@ -158,6 +158,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
@@ -2371,7 +2371,7 @@ index c68e1b0d..868fb0d2 100644
2371 #endif /* GSSAPI */ 2371 #endif /* GSSAPI */
2372 2372
2373diff --git a/monitor.h b/monitor.h 2373diff --git a/monitor.h b/monitor.h
2374index d68f6745..ec41404c 100644 2374index d68f67458..ec41404c7 100644
2375--- a/monitor.h 2375--- a/monitor.h
2376+++ b/monitor.h 2376+++ b/monitor.h
2377@@ -65,6 +65,9 @@ enum monitor_reqtype { 2377@@ -65,6 +65,9 @@ enum monitor_reqtype {
@@ -2385,7 +2385,7 @@ index d68f6745..ec41404c 100644
2385 2385
2386 struct monitor { 2386 struct monitor {
2387diff --git a/monitor_wrap.c b/monitor_wrap.c 2387diff --git a/monitor_wrap.c b/monitor_wrap.c
2388index 9666bda4..e749efc1 100644 2388index 9666bda4b..e749efc18 100644
2389--- a/monitor_wrap.c 2389--- a/monitor_wrap.c
2390+++ b/monitor_wrap.c 2390+++ b/monitor_wrap.c
2391@@ -943,7 +943,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) 2391@@ -943,7 +943,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
@@ -2449,7 +2449,7 @@ index 9666bda4..e749efc1 100644
2449 #endif /* GSSAPI */ 2449 #endif /* GSSAPI */
2450 2450
2451diff --git a/monitor_wrap.h b/monitor_wrap.h 2451diff --git a/monitor_wrap.h b/monitor_wrap.h
2452index 76233270..0970d1f8 100644 2452index 762332704..0970d1f87 100644
2453--- a/monitor_wrap.h 2453--- a/monitor_wrap.h
2454+++ b/monitor_wrap.h 2454+++ b/monitor_wrap.h
2455@@ -60,8 +60,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, 2455@@ -60,8 +60,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
@@ -2465,7 +2465,7 @@ index 76233270..0970d1f8 100644
2465 2465
2466 #ifdef USE_PAM 2466 #ifdef USE_PAM
2467diff --git a/readconf.c b/readconf.c 2467diff --git a/readconf.c b/readconf.c
2468index 88051db5..c8e79299 100644 2468index 88051db57..c8e792991 100644
2469--- a/readconf.c 2469--- a/readconf.c
2470+++ b/readconf.c 2470+++ b/readconf.c
2471@@ -160,6 +160,8 @@ typedef enum { 2471@@ -160,6 +160,8 @@ typedef enum {
@@ -2558,7 +2558,7 @@ index 88051db5..c8e79299 100644
2558 options->password_authentication = 1; 2558 options->password_authentication = 1;
2559 if (options->kbd_interactive_authentication == -1) 2559 if (options->kbd_interactive_authentication == -1)
2560diff --git a/readconf.h b/readconf.h 2560diff --git a/readconf.h b/readconf.h
2561index f4d9e2b2..f469daaf 100644 2561index f4d9e2b26..f469daaff 100644
2562--- a/readconf.h 2562--- a/readconf.h
2563+++ b/readconf.h 2563+++ b/readconf.h
2564@@ -42,7 +42,12 @@ typedef struct { 2564@@ -42,7 +42,12 @@ typedef struct {
@@ -2575,7 +2575,7 @@ index f4d9e2b2..f469daaf 100644
2575 * authentication. */ 2575 * authentication. */
2576 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 2576 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
2577diff --git a/servconf.c b/servconf.c 2577diff --git a/servconf.c b/servconf.c
2578index 0f0d0906..cbbea05b 100644 2578index 0f0d09068..cbbea05bf 100644
2579--- a/servconf.c 2579--- a/servconf.c
2580+++ b/servconf.c 2580+++ b/servconf.c
2581@@ -123,8 +123,10 @@ initialize_server_options(ServerOptions *options) 2581@@ -123,8 +123,10 @@ initialize_server_options(ServerOptions *options)
@@ -2667,7 +2667,7 @@ index 0f0d0906..cbbea05b 100644
2667 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); 2667 dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
2668 dump_cfg_fmtint(sKbdInteractiveAuthentication, 2668 dump_cfg_fmtint(sKbdInteractiveAuthentication,
2669diff --git a/servconf.h b/servconf.h 2669diff --git a/servconf.h b/servconf.h
2670index 37a0fb1a..5dfc9bc0 100644 2670index 37a0fb1a3..5dfc9bc02 100644
2671--- a/servconf.h 2671--- a/servconf.h
2672+++ b/servconf.h 2672+++ b/servconf.h
2673@@ -130,8 +130,10 @@ typedef struct { 2673@@ -130,8 +130,10 @@ typedef struct {
@@ -2682,7 +2682,7 @@ index 37a0fb1a..5dfc9bc0 100644
2682 * authentication. */ 2682 * authentication. */
2683 int kbd_interactive_authentication; /* If true, permit */ 2683 int kbd_interactive_authentication; /* If true, permit */
2684diff --git a/ssh-gss.h b/ssh-gss.h 2684diff --git a/ssh-gss.h b/ssh-gss.h
2685index 6593e422..919660a0 100644 2685index 6593e422d..919660a03 100644
2686--- a/ssh-gss.h 2686--- a/ssh-gss.h
2687+++ b/ssh-gss.h 2687+++ b/ssh-gss.h
2688@@ -1,6 +1,6 @@ 2688@@ -1,6 +1,6 @@
@@ -2786,7 +2786,7 @@ index 6593e422..919660a0 100644
2786 2786
2787 #endif /* _SSH_GSS_H */ 2787 #endif /* _SSH_GSS_H */
2788diff --git a/ssh_config b/ssh_config 2788diff --git a/ssh_config b/ssh_config
2789index c12f5ef5..bcb9f153 100644 2789index c12f5ef52..bcb9f153d 100644
2790--- a/ssh_config 2790--- a/ssh_config
2791+++ b/ssh_config 2791+++ b/ssh_config
2792@@ -24,6 +24,8 @@ 2792@@ -24,6 +24,8 @@
@@ -2799,7 +2799,7 @@ index c12f5ef5..bcb9f153 100644
2799 # CheckHostIP yes 2799 # CheckHostIP yes
2800 # AddressFamily any 2800 # AddressFamily any
2801diff --git a/ssh_config.5 b/ssh_config.5 2801diff --git a/ssh_config.5 b/ssh_config.5
2802index 71705cab..66826aa7 100644 2802index 71705cabd..66826aa70 100644
2803--- a/ssh_config.5 2803--- a/ssh_config.5
2804+++ b/ssh_config.5 2804+++ b/ssh_config.5
2805@@ -727,10 +727,42 @@ The default is 2805@@ -727,10 +727,42 @@ The default is
@@ -2846,7 +2846,7 @@ index 71705cab..66826aa7 100644
2846 Indicates that 2846 Indicates that
2847 .Xr ssh 1 2847 .Xr ssh 1
2848diff --git a/sshconnect2.c b/sshconnect2.c 2848diff --git a/sshconnect2.c b/sshconnect2.c
2849index 1f4a74cf..83562c68 100644 2849index 1f4a74cf4..83562c688 100644
2850--- a/sshconnect2.c 2850--- a/sshconnect2.c
2851+++ b/sshconnect2.c 2851+++ b/sshconnect2.c
2852@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) 2852@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
@@ -3063,7 +3063,7 @@ index 1f4a74cf..83562c68 100644
3063 3063
3064 int 3064 int
3065diff --git a/sshd.c b/sshd.c 3065diff --git a/sshd.c b/sshd.c
3066index fd95b681..e88185ef 100644 3066index fd95b681b..e88185efa 100644
3067--- a/sshd.c 3067--- a/sshd.c
3068+++ b/sshd.c 3068+++ b/sshd.c
3069@@ -123,6 +123,10 @@ 3069@@ -123,6 +123,10 @@
@@ -3225,7 +3225,7 @@ index fd95b681..e88185ef 100644
3225 kex->client_version_string=client_version_string; 3225 kex->client_version_string=client_version_string;
3226 kex->server_version_string=server_version_string; 3226 kex->server_version_string=server_version_string;
3227diff --git a/sshd_config b/sshd_config 3227diff --git a/sshd_config b/sshd_config
3228index 3109d5d7..86263d71 100644 3228index 3109d5d73..86263d713 100644
3229--- a/sshd_config 3229--- a/sshd_config
3230+++ b/sshd_config 3230+++ b/sshd_config
3231@@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys 3231@@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys
@@ -3238,7 +3238,7 @@ index 3109d5d7..86263d71 100644
3238 # Set this to 'yes' to enable PAM authentication, account processing, 3238 # Set this to 'yes' to enable PAM authentication, account processing,
3239 # and session processing. If this is enabled, PAM authentication will 3239 # and session processing. If this is enabled, PAM authentication will
3240diff --git a/sshd_config.5 b/sshd_config.5 3240diff --git a/sshd_config.5 b/sshd_config.5
3241index e3c7c393..c4a3f3cb 100644 3241index e3c7c3936..c4a3f3cb2 100644
3242--- a/sshd_config.5 3242--- a/sshd_config.5
3243+++ b/sshd_config.5 3243+++ b/sshd_config.5
3244@@ -636,6 +636,11 @@ The default is 3244@@ -636,6 +636,11 @@ The default is
@@ -3266,7 +3266,7 @@ index e3c7c393..c4a3f3cb 100644
3266 Specifies the key types that will be accepted for hostbased authentication 3266 Specifies the key types that will be accepted for hostbased authentication
3267 as a comma-separated pattern list. 3267 as a comma-separated pattern list.
3268diff --git a/sshkey.c b/sshkey.c 3268diff --git a/sshkey.c b/sshkey.c
3269index 7712fba2..08887286 100644 3269index 7712fba23..088872860 100644
3270--- a/sshkey.c 3270--- a/sshkey.c
3271+++ b/sshkey.c 3271+++ b/sshkey.c
3272@@ -122,6 +122,7 @@ static const struct keytype keytypes[] = { 3272@@ -122,6 +122,7 @@ static const struct keytype keytypes[] = {
@@ -3287,7 +3287,7 @@ index 7712fba2..08887286 100644
3287 if (!include_sigonly && kt->sigonly) 3287 if (!include_sigonly && kt->sigonly)
3288 continue; 3288 continue;
3289diff --git a/sshkey.h b/sshkey.h 3289diff --git a/sshkey.h b/sshkey.h
3290index 155cd45a..4e89049f 100644 3290index 155cd45ae..4e89049f1 100644
3291--- a/sshkey.h 3291--- a/sshkey.h
3292+++ b/sshkey.h 3292+++ b/sshkey.h
3293@@ -63,6 +63,7 @@ enum sshkey_types { 3293@@ -63,6 +63,7 @@ enum sshkey_types {
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 68fa28e5c..b75b82068 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch
26 3 files changed, 34 insertions(+), 4 deletions(-) 26 3 files changed, 34 insertions(+), 4 deletions(-)
27 27
28diff --git a/readconf.c b/readconf.c 28diff --git a/readconf.c b/readconf.c
29index 1f1be778..7f2b5c17 100644 29index 1f1be7789..7f2b5c172 100644
30--- a/readconf.c 30--- a/readconf.c
31+++ b/readconf.c 31+++ b/readconf.c
32@@ -174,6 +174,7 @@ typedef enum { 32@@ -174,6 +174,7 @@ typedef enum {
@@ -72,7 +72,7 @@ index 1f1be778..7f2b5c17 100644
72 options->server_alive_count_max = 3; 72 options->server_alive_count_max = 3;
73 if (options->control_master == -1) 73 if (options->control_master == -1)
74diff --git a/ssh_config.5 b/ssh_config.5 74diff --git a/ssh_config.5 b/ssh_config.5
75index 66826aa7..32c3632c 100644 75index 66826aa70..32c3632c7 100644
76--- a/ssh_config.5 76--- a/ssh_config.5
77+++ b/ssh_config.5 77+++ b/ssh_config.5
78@@ -247,8 +247,12 @@ Valid arguments are 78@@ -247,8 +247,12 @@ Valid arguments are
@@ -119,7 +119,7 @@ index 66826aa7..32c3632c 100644
119 connections will die if the route is down temporarily, and some people 119 connections will die if the route is down temporarily, and some people
120 find it annoying. 120 find it annoying.
121diff --git a/sshd_config.5 b/sshd_config.5 121diff --git a/sshd_config.5 b/sshd_config.5
122index c4a3f3cb..1a1c6dd0 100644 122index c4a3f3cb2..1a1c6dd09 100644
123--- a/sshd_config.5 123--- a/sshd_config.5
124+++ b/sshd_config.5 124+++ b/sshd_config.5
125@@ -1495,6 +1495,9 @@ This avoids infinitely hanging sessions. 125@@ -1495,6 +1495,9 @@ This avoids infinitely hanging sessions.
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index 542b42ae9..95c235b32 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -14,7 +14,7 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
14 1 file changed, 8 insertions(+), 1 deletion(-) 14 1 file changed, 8 insertions(+), 1 deletion(-)
15 15
16diff --git a/sshconnect.c b/sshconnect.c 16diff --git a/sshconnect.c b/sshconnect.c
17index 8ab01c0e..58f9eac8 100644 17index 8ab01c0ef..58f9eac8a 100644
18--- a/sshconnect.c 18--- a/sshconnect.c
19+++ b/sshconnect.c 19+++ b/sshconnect.c
20@@ -1141,9 +1141,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, 20@@ -1141,9 +1141,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch
index f6646ca20..c7b57a428 100644
--- a/debian/patches/no-openssl-version-status.patch
+++ b/debian/patches/no-openssl-version-status.patch
@@ -23,7 +23,7 @@ Patch-Name: no-openssl-version-status.patch
23 2 files changed, 4 insertions(+), 3 deletions(-) 23 2 files changed, 4 insertions(+), 3 deletions(-)
24 24
25diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c 25diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
26index 259fccbe..aaa953f2 100644 26index 259fccbec..aaa953f2d 100644
27--- a/openbsd-compat/openssl-compat.c 27--- a/openbsd-compat/openssl-compat.c
28+++ b/openbsd-compat/openssl-compat.c 28+++ b/openbsd-compat/openssl-compat.c
29@@ -34,7 +34,7 @@ 29@@ -34,7 +34,7 @@
@@ -49,7 +49,7 @@ index 259fccbe..aaa953f2 100644
49 lfix = (libver & 0x000ff000) >> 12; 49 lfix = (libver & 0x000ff000) >> 12;
50 if ( (headerver & mask) == (libver & mask) && lfix >= hfix) 50 if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
51diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c 51diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
52index 5d019b59..58474873 100644 52index 5d019b598..58474873d 100644
53--- a/openbsd-compat/regress/opensslvertest.c 53--- a/openbsd-compat/regress/opensslvertest.c
54+++ b/openbsd-compat/regress/opensslvertest.c 54+++ b/openbsd-compat/regress/opensslvertest.c
55@@ -35,6 +35,7 @@ struct version_test { 55@@ -35,6 +35,7 @@ struct version_test {
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index a9e8aac29..89bd0a3bd 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -22,7 +22,7 @@ Patch-Name: openbsd-docs.patch
22 5 files changed, 13 insertions(+), 15 deletions(-) 22 5 files changed, 13 insertions(+), 15 deletions(-)
23 23
24diff --git a/moduli.5 b/moduli.5 24diff --git a/moduli.5 b/moduli.5
25index ef0de085..149846c8 100644 25index ef0de0850..149846c8c 100644
26--- a/moduli.5 26--- a/moduli.5
27+++ b/moduli.5 27+++ b/moduli.5
28@@ -21,7 +21,7 @@ 28@@ -21,7 +21,7 @@
@@ -44,7 +44,7 @@ index ef0de085..149846c8 100644
44 .Sh SEE ALSO 44 .Sh SEE ALSO
45 .Xr ssh-keygen 1 , 45 .Xr ssh-keygen 1 ,
46diff --git a/ssh-keygen.1 b/ssh-keygen.1 46diff --git a/ssh-keygen.1 b/ssh-keygen.1
47index 3525d7d1..39767e62 100644 47index 3525d7d17..39767e621 100644
48--- a/ssh-keygen.1 48--- a/ssh-keygen.1
49+++ b/ssh-keygen.1 49+++ b/ssh-keygen.1
50@@ -176,9 +176,7 @@ key in 50@@ -176,9 +176,7 @@ key in
@@ -88,7 +88,7 @@ index 3525d7d1..39767e62 100644
88 The file format is described in 88 The file format is described in
89 .Xr moduli 5 . 89 .Xr moduli 5 .
90diff --git a/ssh.1 b/ssh.1 90diff --git a/ssh.1 b/ssh.1
91index 0ef7c170..54e21d88 100644 91index 0ef7c1709..54e21d88a 100644
92--- a/ssh.1 92--- a/ssh.1
93+++ b/ssh.1 93+++ b/ssh.1
94@@ -846,6 +846,10 @@ implements public key authentication protocol automatically, 94@@ -846,6 +846,10 @@ implements public key authentication protocol automatically,
@@ -103,7 +103,7 @@ index 0ef7c170..54e21d88 100644
103 .Pp 103 .Pp
104 The file 104 The file
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index c8299d5e..378aeb9f 100644 106index c8299d5e5..378aeb9f5 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -65,7 +65,7 @@ over an insecure network. 109@@ -65,7 +65,7 @@ over an insecure network.
@@ -133,7 +133,7 @@ index c8299d5e..378aeb9f 100644
133 .Xr sshd_config 5 , 133 .Xr sshd_config 5 ,
134 .Xr inetd 8 , 134 .Xr inetd 8 ,
135diff --git a/sshd_config.5 b/sshd_config.5 135diff --git a/sshd_config.5 b/sshd_config.5
136index 45044a70..44b91846 100644 136index 45044a70f..44b918463 100644
137--- a/sshd_config.5 137--- a/sshd_config.5
138+++ b/sshd_config.5 138+++ b/sshd_config.5
139@@ -383,8 +383,7 @@ then no banner is displayed. 139@@ -383,8 +383,7 @@ then no banner is displayed.
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index db144f505..c95f06568 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -19,7 +19,7 @@ Patch-Name: package-versioning.patch
19 3 files changed, 8 insertions(+), 3 deletions(-) 19 3 files changed, 8 insertions(+), 3 deletions(-)
20 20
21diff --git a/sshconnect.c b/sshconnect.c 21diff --git a/sshconnect.c b/sshconnect.c
22index 58f9eac8..15d8b807 100644 22index 58f9eac8a..15d8b807e 100644
23--- a/sshconnect.c 23--- a/sshconnect.c
24+++ b/sshconnect.c 24+++ b/sshconnect.c
25@@ -638,7 +638,7 @@ send_client_banner(int connection_out, int minor1) 25@@ -638,7 +638,7 @@ send_client_banner(int connection_out, int minor1)
@@ -32,7 +32,7 @@ index 58f9eac8..15d8b807 100644
32 strlen(client_version_string)) != strlen(client_version_string)) 32 strlen(client_version_string)) != strlen(client_version_string))
33 fatal("write: %.100s", strerror(errno)); 33 fatal("write: %.100s", strerror(errno));
34diff --git a/sshd.c b/sshd.c 34diff --git a/sshd.c b/sshd.c
35index 6d911c19..9a7f5495 100644 35index 6d911c19a..9a7f5495c 100644
36--- a/sshd.c 36--- a/sshd.c
37+++ b/sshd.c 37+++ b/sshd.c
38@@ -384,7 +384,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) 38@@ -384,7 +384,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
@@ -45,7 +45,7 @@ index 6d911c19..9a7f5495 100644
45 options.version_addendum); 45 options.version_addendum);
46 46
47diff --git a/version.h b/version.h 47diff --git a/version.h b/version.h
48index ea52b26f..a3fa6e0b 100644 48index ea52b26f5..a3fa6e0b9 100644
49--- a/version.h 49--- a/version.h
50+++ b/version.h 50+++ b/version.h
51@@ -3,4 +3,9 @@ 51@@ -3,4 +3,9 @@
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index 2e680f5ce..366c41655 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -18,7 +18,7 @@ Patch-Name: restore-authorized_keys2.patch
18 1 file changed, 2 insertions(+), 3 deletions(-) 18 1 file changed, 2 insertions(+), 3 deletions(-)
19 19
20diff --git a/sshd_config b/sshd_config 20diff --git a/sshd_config b/sshd_config
21index de9cc9fe..31e14a4f 100644 21index de9cc9fe2..31e14a4f0 100644
22--- a/sshd_config 22--- a/sshd_config
23+++ b/sshd_config 23+++ b/sshd_config
24@@ -36,9 +36,8 @@ 24@@ -36,9 +36,8 @@
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
index 4132937da..fccd130b8 100644
--- a/debian/patches/restore-tcp-wrappers.patch
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -22,13 +22,13 @@ Last-Update: 2014-10-07
22 22
23Patch-Name: restore-tcp-wrappers.patch 23Patch-Name: restore-tcp-wrappers.patch
24--- 24---
25 configure.ac | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 25 configure.ac | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++
26 sshd.8 | 7 +++++++ 26 sshd.8 | 7 +++++++
27 sshd.c | 25 +++++++++++++++++++++++++ 27 sshd.c | 25 +++++++++++++++++++++++
28 3 files changed, 89 insertions(+) 28 3 files changed, 89 insertions(+)
29 29
30diff --git a/configure.ac b/configure.ac 30diff --git a/configure.ac b/configure.ac
31index 1cd5eab6..3e23e60d 100644 31index 1cd5eab6c..3e23e60d6 100644
32--- a/configure.ac 32--- a/configure.ac
33+++ b/configure.ac 33+++ b/configure.ac
34@@ -1566,6 +1566,62 @@ AC_ARG_WITH([skey], 34@@ -1566,6 +1566,62 @@ AC_ARG_WITH([skey],
@@ -103,7 +103,7 @@ index 1cd5eab6..3e23e60d 100644
103 echo " libedit support: $LIBEDIT_MSG" 103 echo " libedit support: $LIBEDIT_MSG"
104 echo " libldns support: $LDNS_MSG" 104 echo " libldns support: $LDNS_MSG"
105diff --git a/sshd.8 b/sshd.8 105diff --git a/sshd.8 b/sshd.8
106index 968ba66b..c8299d5e 100644 106index 968ba66bb..c8299d5e5 100644
107--- a/sshd.8 107--- a/sshd.8
108+++ b/sshd.8 108+++ b/sshd.8
109@@ -845,6 +845,12 @@ the user's home directory becomes accessible. 109@@ -845,6 +845,12 @@ the user's home directory becomes accessible.
@@ -128,7 +128,7 @@ index 968ba66b..c8299d5e 100644
128 .Xr moduli 5 , 128 .Xr moduli 5 ,
129 .Xr sshd_config 5 , 129 .Xr sshd_config 5 ,
130diff --git a/sshd.c b/sshd.c 130diff --git a/sshd.c b/sshd.c
131index e88185ef..4ed0364f 100644 131index e88185efa..4ed0364f2 100644
132--- a/sshd.c 132--- a/sshd.c
133+++ b/sshd.c 133+++ b/sshd.c
134@@ -127,6 +127,13 @@ 134@@ -127,6 +127,13 @@
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index d969d5e8e..18c7155e4 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch
17 1 file changed, 10 insertions(+), 2 deletions(-) 17 1 file changed, 10 insertions(+), 2 deletions(-)
18 18
19diff --git a/scp.c b/scp.c 19diff --git a/scp.c b/scp.c
20index 31e6709f..2bbf6938 100644 20index 31e6709fb..2bbf6938e 100644
21--- a/scp.c 21--- a/scp.c
22+++ b/scp.c 22+++ b/scp.c
23@@ -198,8 +198,16 @@ do_local_cmd(arglist *a) 23@@ -198,8 +198,16 @@ do_local_cmd(arglist *a)
diff --git a/debian/patches/seccomp-getuid-geteuid.patch b/debian/patches/seccomp-getuid-geteuid.patch
index 293322e9c..be4921ae4 100644
--- a/debian/patches/seccomp-getuid-geteuid.patch
+++ b/debian/patches/seccomp-getuid-geteuid.patch
@@ -20,7 +20,7 @@ Patch-Name: seccomp-getuid-geteuid.patch
20 1 file changed, 12 insertions(+) 20 1 file changed, 12 insertions(+)
21 21
22diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c 22diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
23index 6e7de311..e86aa2c9 100644 23index 6e7de3114..e86aa2c91 100644
24--- a/sandbox-seccomp-filter.c 24--- a/sandbox-seccomp-filter.c
25+++ b/sandbox-seccomp-filter.c 25+++ b/sandbox-seccomp-filter.c
26@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = { 26@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch
index 030d8f417..b62d0195c 100644
--- a/debian/patches/seccomp-s390-flock-ipc.patch
+++ b/debian/patches/seccomp-s390-flock-ipc.patch
@@ -22,7 +22,7 @@ Patch-Name: seccomp-s390-flock-ipc.patch
22 1 file changed, 6 insertions(+) 22 1 file changed, 6 insertions(+)
23 23
24diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c 24diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
25index ca75cc71..6e7de311 100644 25index ca75cc719..6e7de3114 100644
26--- a/sandbox-seccomp-filter.c 26--- a/sandbox-seccomp-filter.c
27+++ b/sandbox-seccomp-filter.c 27+++ b/sandbox-seccomp-filter.c
28@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { 28@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
diff --git a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
index 77606886d..dd0f6510c 100644
--- a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
+++ b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
@@ -19,7 +19,7 @@ Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
19 1 file changed, 2 insertions(+) 19 1 file changed, 2 insertions(+)
20 20
21diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c 21diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
22index e86aa2c9..98062f15 100644 22index e86aa2c91..98062f152 100644
23--- a/sandbox-seccomp-filter.c 23--- a/sandbox-seccomp-filter.c
24+++ b/sandbox-seccomp-filter.c 24+++ b/sandbox-seccomp-filter.c
25@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = { 25@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 5662207cd..5c0bad093 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -31,7 +31,7 @@ Patch-Name: selinux-role.patch
31 15 files changed, 97 insertions(+), 30 deletions(-) 31 15 files changed, 97 insertions(+), 30 deletions(-)
32 32
33diff --git a/auth.h b/auth.h 33diff --git a/auth.h b/auth.h
34index 23ce67ca..15ba7073 100644 34index 23ce67caf..15ba7073e 100644
35--- a/auth.h 35--- a/auth.h
36+++ b/auth.h 36+++ b/auth.h
37@@ -65,6 +65,7 @@ struct Authctxt { 37@@ -65,6 +65,7 @@ struct Authctxt {
@@ -43,7 +43,7 @@ index 23ce67ca..15ba7073 100644
43 /* Method lists for multiple authentication */ 43 /* Method lists for multiple authentication */
44 char **auth_methods; /* modified from server config */ 44 char **auth_methods; /* modified from server config */
45diff --git a/auth2.c b/auth2.c 45diff --git a/auth2.c b/auth2.c
46index c34f58c4..be5e9f15 100644 46index c34f58c45..be5e9f15f 100644
47--- a/auth2.c 47--- a/auth2.c
48+++ b/auth2.c 48+++ b/auth2.c
49@@ -218,7 +218,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) 49@@ -218,7 +218,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
@@ -81,7 +81,7 @@ index c34f58c4..be5e9f15 100644
81 if (auth2_setup_methods_lists(authctxt) != 0) 81 if (auth2_setup_methods_lists(authctxt) != 0)
82 packet_disconnect("no authentication methods enabled"); 82 packet_disconnect("no authentication methods enabled");
83diff --git a/monitor.c b/monitor.c 83diff --git a/monitor.c b/monitor.c
84index 868fb0d2..ed37458f 100644 84index 868fb0d2d..ed37458fb 100644
85--- a/monitor.c 85--- a/monitor.c
86+++ b/monitor.c 86+++ b/monitor.c
87@@ -128,6 +128,7 @@ int mm_answer_sign(int, Buffer *); 87@@ -128,6 +128,7 @@ int mm_answer_sign(int, Buffer *);
@@ -158,7 +158,7 @@ index 868fb0d2..ed37458f 100644
158 buffer_put_int(m, 1); 158 buffer_put_int(m, 1);
159 buffer_put_cstring(m, s->tty); 159 buffer_put_cstring(m, s->tty);
160diff --git a/monitor.h b/monitor.h 160diff --git a/monitor.h b/monitor.h
161index ec41404c..4c7955d7 100644 161index ec41404c7..4c7955d7a 100644
162--- a/monitor.h 162--- a/monitor.h
163+++ b/monitor.h 163+++ b/monitor.h
164@@ -68,6 +68,8 @@ enum monitor_reqtype { 164@@ -68,6 +68,8 @@ enum monitor_reqtype {
@@ -171,7 +171,7 @@ index ec41404c..4c7955d7 100644
171 171
172 struct monitor { 172 struct monitor {
173diff --git a/monitor_wrap.c b/monitor_wrap.c 173diff --git a/monitor_wrap.c b/monitor_wrap.c
174index e749efc1..7b2d06c6 100644 174index e749efc18..7b2d06c65 100644
175--- a/monitor_wrap.c 175--- a/monitor_wrap.c
176+++ b/monitor_wrap.c 176+++ b/monitor_wrap.c
177@@ -331,10 +331,10 @@ mm_auth2_read_banner(void) 177@@ -331,10 +331,10 @@ mm_auth2_read_banner(void)
@@ -219,7 +219,7 @@ index e749efc1..7b2d06c6 100644
219 int 219 int
220 mm_auth_password(struct ssh *ssh, char *password) 220 mm_auth_password(struct ssh *ssh, char *password)
221diff --git a/monitor_wrap.h b/monitor_wrap.h 221diff --git a/monitor_wrap.h b/monitor_wrap.h
222index 0970d1f8..492de5c8 100644 222index 0970d1f87..492de5c85 100644
223--- a/monitor_wrap.h 223--- a/monitor_wrap.h
224+++ b/monitor_wrap.h 224+++ b/monitor_wrap.h
225@@ -43,7 +43,8 @@ int mm_is_monitor(void); 225@@ -43,7 +43,8 @@ int mm_is_monitor(void);
@@ -233,7 +233,7 @@ index 0970d1f8..492de5c8 100644
233 char *mm_auth2_read_banner(void); 233 char *mm_auth2_read_banner(void);
234 int mm_auth_password(struct ssh *, char *); 234 int mm_auth_password(struct ssh *, char *);
235diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c 235diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
236index 8c5325cc..8a3e5c68 100644 236index 8c5325cc3..8a3e5c68d 100644
237--- a/openbsd-compat/port-linux.c 237--- a/openbsd-compat/port-linux.c
238+++ b/openbsd-compat/port-linux.c 238+++ b/openbsd-compat/port-linux.c
239@@ -27,6 +27,12 @@ 239@@ -27,6 +27,12 @@
@@ -314,7 +314,7 @@ index 8c5325cc..8a3e5c68 100644
314 /* XXX: should these calls fatal() upon failure in enforcing mode? */ 314 /* XXX: should these calls fatal() upon failure in enforcing mode? */
315 315
316diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h 316diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
317index 3c22a854..c8812942 100644 317index 3c22a854d..c88129428 100644
318--- a/openbsd-compat/port-linux.h 318--- a/openbsd-compat/port-linux.h
319+++ b/openbsd-compat/port-linux.h 319+++ b/openbsd-compat/port-linux.h
320@@ -19,8 +19,8 @@ 320@@ -19,8 +19,8 @@
@@ -329,7 +329,7 @@ index 3c22a854..c8812942 100644
329 void ssh_selinux_setfscreatecon(const char *); 329 void ssh_selinux_setfscreatecon(const char *);
330 #endif 330 #endif
331diff --git a/platform.c b/platform.c 331diff --git a/platform.c b/platform.c
332index 18c7751d..380ee3a4 100644 332index 18c7751de..380ee3a41 100644
333--- a/platform.c 333--- a/platform.c
334+++ b/platform.c 334+++ b/platform.c
335@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw) 335@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
@@ -351,7 +351,7 @@ index 18c7751d..380ee3a4 100644
351 } 351 }
352 352
353diff --git a/platform.h b/platform.h 353diff --git a/platform.h b/platform.h
354index ea4f9c58..60d72ffe 100644 354index ea4f9c584..60d72ffe7 100644
355--- a/platform.h 355--- a/platform.h
356+++ b/platform.h 356+++ b/platform.h
357@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid); 357@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid);
@@ -364,7 +364,7 @@ index ea4f9c58..60d72ffe 100644
364 char *platform_krb5_get_principal_name(const char *); 364 char *platform_krb5_get_principal_name(const char *);
365 int platform_sys_dir_uid(uid_t); 365 int platform_sys_dir_uid(uid_t);
366diff --git a/session.c b/session.c 366diff --git a/session.c b/session.c
367index 58826db1..ff301c98 100644 367index 58826db16..ff301c983 100644
368--- a/session.c 368--- a/session.c
369+++ b/session.c 369+++ b/session.c
370@@ -1322,7 +1322,7 @@ safely_chroot(const char *path, uid_t uid) 370@@ -1322,7 +1322,7 @@ safely_chroot(const char *path, uid_t uid)
@@ -413,7 +413,7 @@ index 58826db1..ff301c98 100644
413 /* Set window size from the packet. */ 413 /* Set window size from the packet. */
414 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); 414 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
415diff --git a/session.h b/session.h 415diff --git a/session.h b/session.h
416index 54dd1f0c..8535ebce 100644 416index 54dd1f0ca..8535ebcef 100644
417--- a/session.h 417--- a/session.h
418+++ b/session.h 418+++ b/session.h
419@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *); 419@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *);
@@ -426,7 +426,7 @@ index 54dd1f0c..8535ebce 100644
426 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); 426 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
427 427
428diff --git a/sshd.c b/sshd.c 428diff --git a/sshd.c b/sshd.c
429index 4ed0364f..6d911c19 100644 429index 4ed0364f2..6d911c19a 100644
430--- a/sshd.c 430--- a/sshd.c
431+++ b/sshd.c 431+++ b/sshd.c
432@@ -679,7 +679,7 @@ privsep_postauth(Authctxt *authctxt) 432@@ -679,7 +679,7 @@ privsep_postauth(Authctxt *authctxt)
@@ -439,7 +439,7 @@ index 4ed0364f..6d911c19 100644
439 skip: 439 skip:
440 /* It is safe now to apply the key state */ 440 /* It is safe now to apply the key state */
441diff --git a/sshpty.c b/sshpty.c 441diff --git a/sshpty.c b/sshpty.c
442index 4da84d05..676ade50 100644 442index 4da84d05f..676ade50e 100644
443--- a/sshpty.c 443--- a/sshpty.c
444+++ b/sshpty.c 444+++ b/sshpty.c
445@@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, 445@@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
@@ -461,7 +461,7 @@ index 4da84d05..676ade50 100644
461 461
462 if (st.st_uid != pw->pw_uid || st.st_gid != gid) { 462 if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
463diff --git a/sshpty.h b/sshpty.h 463diff --git a/sshpty.h b/sshpty.h
464index 9ec7e9a1..de7e000a 100644 464index 9ec7e9a15..de7e000ae 100644
465--- a/sshpty.h 465--- a/sshpty.h
466+++ b/sshpty.h 466+++ b/sshpty.h
467@@ -24,5 +24,5 @@ int pty_allocate(int *, int *, char *, size_t); 467@@ -24,5 +24,5 @@ int pty_allocate(int *, int *, char *, size_t);
diff --git a/debian/patches/series b/debian/patches/series
index e409902b5..9f89f7347 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,4 @@ restore-authorized_keys2.patch
24seccomp-s390-flock-ipc.patch 24seccomp-s390-flock-ipc.patch
25seccomp-getuid-geteuid.patch 25seccomp-getuid-geteuid.patch
26seccomp-s390-ioctl-ep11-crypto.patch 26seccomp-s390-ioctl-ep11-crypto.patch
27upstream-relax-checking-of-authorized_keys-environme.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 638d348f2..92fc0026a 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -16,7 +16,7 @@ Patch-Name: shell-path.patch
16 1 file changed, 2 insertions(+), 2 deletions(-) 16 1 file changed, 2 insertions(+), 2 deletions(-)
17 17
18diff --git a/sshconnect.c b/sshconnect.c 18diff --git a/sshconnect.c b/sshconnect.c
19index 3805d35d..8ab01c0e 100644 19index 3805d35d9..8ab01c0ef 100644
20--- a/sshconnect.c 20--- a/sshconnect.c
21+++ b/sshconnect.c 21+++ b/sshconnect.c
22@@ -239,7 +239,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port, 22@@ -239,7 +239,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port,
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index b7cd10dd1..add4d5115 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -13,7 +13,7 @@ Patch-Name: ssh-agent-setgid.patch
13 1 file changed, 15 insertions(+) 13 1 file changed, 15 insertions(+)
14 14
15diff --git a/ssh-agent.1 b/ssh-agent.1 15diff --git a/ssh-agent.1 b/ssh-agent.1
16index 83b2b41c..7230704a 100644 16index 83b2b41c8..7230704a3 100644
17--- a/ssh-agent.1 17--- a/ssh-agent.1
18+++ b/ssh-agent.1 18+++ b/ssh-agent.1
19@@ -206,6 +206,21 @@ environment variable holds the agent's process ID. 19@@ -206,6 +206,21 @@ environment variable holds the agent's process ID.
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 2539fa8ed..eb830e4cb 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -18,7 +18,7 @@ Patch-Name: ssh-argv0.patch
18 1 file changed, 1 insertion(+) 18 1 file changed, 1 insertion(+)
19 19
20diff --git a/ssh.1 b/ssh.1 20diff --git a/ssh.1 b/ssh.1
21index 54e21d88..f8fc26d2 100644 21index 54e21d88a..f8fc26d2a 100644
22--- a/ssh.1 22--- a/ssh.1
23+++ b/ssh.1 23+++ b/ssh.1
24@@ -1571,6 +1571,7 @@ if an error occurred. 24@@ -1571,6 +1571,7 @@ if an error occurred.
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 34ff8a497..4d6f3e151 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch
17 2 files changed, 2 insertions(+) 17 2 files changed, 2 insertions(+)
18 18
19diff --git a/readconf.c b/readconf.c 19diff --git a/readconf.c b/readconf.c
20index c8e79299..1f1be778 100644 20index c8e792991..1f1be7789 100644
21--- a/readconf.c 21--- a/readconf.c
22+++ b/readconf.c 22+++ b/readconf.c
23@@ -189,6 +189,7 @@ static struct { 23@@ -189,6 +189,7 @@ static struct {
@@ -29,7 +29,7 @@ index c8e79299..1f1be778 100644
29 { "useroaming", oDeprecated }, 29 { "useroaming", oDeprecated },
30 { "usersh", oDeprecated }, 30 { "usersh", oDeprecated },
31diff --git a/servconf.c b/servconf.c 31diff --git a/servconf.c b/servconf.c
32index cbbea05b..3fff3d53 100644 32index cbbea05bf..3fff3d531 100644
33--- a/servconf.c 33--- a/servconf.c
34+++ b/servconf.c 34+++ b/servconf.c
35@@ -576,6 +576,7 @@ static struct { 35@@ -576,6 +576,7 @@ static struct {
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 897433408..1b41b0801 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -21,7 +21,7 @@ Patch-Name: syslog-level-silent.patch
21 2 files changed, 2 insertions(+), 1 deletion(-) 21 2 files changed, 2 insertions(+), 1 deletion(-)
22 22
23diff --git a/log.c b/log.c 23diff --git a/log.c b/log.c
24index 99450dd1..1559091d 100644 24index 99450dd12..1559091da 100644
25--- a/log.c 25--- a/log.c
26+++ b/log.c 26+++ b/log.c
27@@ -93,6 +93,7 @@ static struct { 27@@ -93,6 +93,7 @@ static struct {
@@ -33,7 +33,7 @@ index 99450dd1..1559091d 100644
33 { "FATAL", SYSLOG_LEVEL_FATAL }, 33 { "FATAL", SYSLOG_LEVEL_FATAL },
34 { "ERROR", SYSLOG_LEVEL_ERROR }, 34 { "ERROR", SYSLOG_LEVEL_ERROR },
35diff --git a/ssh.c b/ssh.c 35diff --git a/ssh.c b/ssh.c
36index d3619fe2..e36debf6 100644 36index d3619fe29..e36debf6a 100644
37--- a/ssh.c 37--- a/ssh.c
38+++ b/ssh.c 38+++ b/ssh.c
39@@ -1252,7 +1252,7 @@ main(int ac, char **av) 39@@ -1252,7 +1252,7 @@ main(int ac, char **av)
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index a0e733f1b..982085c4c 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -14,7 +14,7 @@ Patch-Name: systemd-readiness.patch
14 2 files changed, 33 insertions(+) 14 2 files changed, 33 insertions(+)
15 15
16diff --git a/configure.ac b/configure.ac 16diff --git a/configure.ac b/configure.ac
17index 3e23e60d..eac143b4 100644 17index 3e23e60d6..eac143b4d 100644
18--- a/configure.ac 18--- a/configure.ac
19+++ b/configure.ac 19+++ b/configure.ac
20@@ -4496,6 +4496,29 @@ AC_ARG_WITH([kerberos5], 20@@ -4496,6 +4496,29 @@ AC_ARG_WITH([kerberos5],
@@ -56,7 +56,7 @@ index 3e23e60d..eac143b4 100644
56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" 56 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
57 echo " BSD Auth support: $BSD_AUTH_MSG" 57 echo " BSD Auth support: $BSD_AUTH_MSG"
58diff --git a/sshd.c b/sshd.c 58diff --git a/sshd.c b/sshd.c
59index 1d645a17..3a86e66e 100644 59index 1d645a170..3a86e66e7 100644
60--- a/sshd.c 60--- a/sshd.c
61+++ b/sshd.c 61+++ b/sshd.c
62@@ -85,6 +85,10 @@ 62@@ -85,6 +85,10 @@
diff --git a/debian/patches/upstream-relax-checking-of-authorized_keys-environme.patch b/debian/patches/upstream-relax-checking-of-authorized_keys-environme.patch
new file mode 100644
index 000000000..251b9a3ca
--- /dev/null
+++ b/debian/patches/upstream-relax-checking-of-authorized_keys-environme.patch
@@ -0,0 +1,40 @@
1From 60256f28189c3d0650a78e737eb0ca4753478a4b Mon Sep 17 00:00:00 2001
2From: "djm@openbsd.org" <djm@openbsd.org>
3Date: Fri, 6 Apr 2018 04:15:45 +0000
4Subject: upstream: relax checking of authorized_keys environment="..."
5
6options to allow underscores in variable names (regression introduced in
77.7). bz2851, ok deraadt@
8
9OpenBSD-Commit-ID: 69690ffe0c97ff393f2c76d25b4b3d2ed4e4ac9c
10
11Original-Author: Damien Miller <djm@mindrot.org>
12Origin: backport, http://anongit.mindrot.org/openssh.git/commit/?id=40f5f03544a07ebd2003b443d42e85cb51d94d59
13Bug-Ubuntu: https://bugs.launchpad.net/bugs/1771011
14Last-Update: 2018-06-28
15Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
16
17Patch-Name: upstream-relax-checking-of-authorized_keys-environme.patch
18---
19 auth-options.c | 4 ++--
20 1 file changed, 2 insertions(+), 2 deletions(-)
21
22diff --git a/auth-options.c b/auth-options.c
23index b528c197a..ef57ebf43 100644
24--- a/auth-options.c
25+++ b/auth-options.c
26@@ -1,4 +1,4 @@
27-/* $OpenBSD: auth-options.c,v 1.78 2018/03/14 05:35:40 djm Exp $ */
28+/* $OpenBSD: auth-options.c,v 1.79 2018/04/06 04:15:45 djm Exp $ */
29 /*
30 * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
31 *
32@@ -394,7 +394,7 @@ sshauthopt_parse(const char *opts, const char **errstrp)
33 goto fail;
34 }
35 for (cp = opt; cp < tmp; cp++) {
36- if (!isalnum((u_char)*cp)) {
37+ if (!isalnum((u_char)*cp) && *cp != '_') {
38 free(opt);
39 errstr = "invalid environment string";
40 goto fail;
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index a7201b318..712620843 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -19,7 +19,7 @@ Patch-Name: user-group-modes.patch
19--- 19---
20 auth-rhosts.c | 6 ++---- 20 auth-rhosts.c | 6 ++----
21 auth.c | 3 +-- 21 auth.c | 3 +--
22 misc.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++----- 22 misc.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++-----
23 misc.h | 2 ++ 23 misc.h | 2 ++
24 readconf.c | 3 +-- 24 readconf.c | 3 +--
25 ssh.1 | 2 ++ 25 ssh.1 | 2 ++
@@ -27,7 +27,7 @@ Patch-Name: user-group-modes.patch
27 7 files changed, 63 insertions(+), 13 deletions(-) 27 7 files changed, 63 insertions(+), 13 deletions(-)
28 28
29diff --git a/auth-rhosts.c b/auth-rhosts.c 29diff --git a/auth-rhosts.c b/auth-rhosts.c
30index ecf956f0..4dccd5e6 100644 30index ecf956f06..4dccd5e6a 100644
31--- a/auth-rhosts.c 31--- a/auth-rhosts.c
32+++ b/auth-rhosts.c 32+++ b/auth-rhosts.c
33@@ -261,8 +261,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, 33@@ -261,8 +261,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
@@ -51,7 +51,7 @@ index ecf956f0..4dccd5e6 100644
51 pw->pw_name, buf); 51 pw->pw_name, buf);
52 auth_debug_add("Bad file modes for %.200s", buf); 52 auth_debug_add("Bad file modes for %.200s", buf);
53diff --git a/auth.c b/auth.c 53diff --git a/auth.c b/auth.c
54index 76d586e3..68b9fe79 100644 54index 76d586e31..68b9fe795 100644
55--- a/auth.c 55--- a/auth.c
56+++ b/auth.c 56+++ b/auth.c
57@@ -468,8 +468,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host, 57@@ -468,8 +468,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
@@ -65,7 +65,7 @@ index 76d586e3..68b9fe79 100644
65 "bad owner or modes for %.200s", 65 "bad owner or modes for %.200s",
66 pw->pw_name, user_hostfile); 66 pw->pw_name, user_hostfile);
67diff --git a/misc.c b/misc.c 67diff --git a/misc.c b/misc.c
68index 874dcc8a..75c4113f 100644 68index 874dcc8a2..75c4113f0 100644
69--- a/misc.c 69--- a/misc.c
70+++ b/misc.c 70+++ b/misc.c
71@@ -57,8 +57,9 @@ 71@@ -57,8 +57,9 @@
@@ -156,7 +156,7 @@ index 874dcc8a..75c4113f 100644
156 "bad ownership or modes for directory %s", buf); 156 "bad ownership or modes for directory %s", buf);
157 return -1; 157 return -1;
158diff --git a/misc.h b/misc.h 158diff --git a/misc.h b/misc.h
159index cdafea73..51943db9 100644 159index cdafea735..51943db90 100644
160--- a/misc.h 160--- a/misc.h
161+++ b/misc.h 161+++ b/misc.h
162@@ -168,6 +168,8 @@ char *read_passphrase(const char *, int); 162@@ -168,6 +168,8 @@ char *read_passphrase(const char *, int);
@@ -169,7 +169,7 @@ index cdafea73..51943db9 100644
169 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) 169 #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
170 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) 170 #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
171diff --git a/readconf.c b/readconf.c 171diff --git a/readconf.c b/readconf.c
172index 7f2b5c17..50349e23 100644 172index 7f2b5c172..50349e238 100644
173--- a/readconf.c 173--- a/readconf.c
174+++ b/readconf.c 174+++ b/readconf.c
175@@ -1741,8 +1741,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, 175@@ -1741,8 +1741,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
@@ -183,7 +183,7 @@ index 7f2b5c17..50349e23 100644
183 } 183 }
184 184
185diff --git a/ssh.1 b/ssh.1 185diff --git a/ssh.1 b/ssh.1
186index b4078525..0ef7c170 100644 186index b4078525b..0ef7c1709 100644
187--- a/ssh.1 187--- a/ssh.1
188+++ b/ssh.1 188+++ b/ssh.1
189@@ -1471,6 +1471,8 @@ The file format and configuration options are described in 189@@ -1471,6 +1471,8 @@ The file format and configuration options are described in
@@ -196,7 +196,7 @@ index b4078525..0ef7c170 100644
196 .It Pa ~/.ssh/environment 196 .It Pa ~/.ssh/environment
197 Contains additional definitions for environment variables; see 197 Contains additional definitions for environment variables; see
198diff --git a/ssh_config.5 b/ssh_config.5 198diff --git a/ssh_config.5 b/ssh_config.5
199index 32c3632c..84dcd52c 100644 199index 32c3632c7..84dcd52cc 100644
200--- a/ssh_config.5 200--- a/ssh_config.5
201+++ b/ssh_config.5 201+++ b/ssh_config.5
202@@ -1818,6 +1818,8 @@ The format of this file is described above. 202@@ -1818,6 +1818,8 @@ The format of this file is described above.